Now that the 2013 legislative session in Hawai‘i is in full swing, let’s take a look at what new measures are in the pipeline to regulate Internet activity.  A chart of relevant information about each bill is available here.  Here’s a summary of the Internet-related proposals working their way through the legislature.

Social Media and Internet Account Passwords

A set of bills (SB207 and HB713) proposes to join other states in banning employers from asking employees or job applicants to disclose the passwords to their personal social media accounts.  Another set of proposals (HB1104 and HB1023) would extend the ban to educational institutions and their students or prospective students.

Privacy Policies

Two bills (HB39 and SB729) would make it a legal requirement for operators of a commercial website or online service to post a privacy policy on their website.

Cyberbullying

Three bills (HB1226, SB525, and HB397) would require the board of education to adopt various policies and programs to combat cyberbullying in public and charter schools.

Teacher/Student Interactions

Apparently responding to incidents in which teachers and students conducted inappropriate relationships online, HB678 would allow a teacher in a public or charter school to engage in electronic communication with a student (including cell phone calls) only on Department of Education networks and systems.

Identity Theft

SB325 would require businesses to implement a comprehensive, written policy and procedure to prevent identity theft and train all employees in implementation of the same.

Cybersecurity

HB462 would establish a statewide cybersecurity council to identify and assess critical computer infrastructure, identify cybersecurity “best practices,” recommend incentives for voluntary adoption of such best practices, evaluate the efficacy of such practices, and report annually to the legislature.

We’ll be tracking these bills, reporting on their status periodically, and posting revisions to the chart.  Stay tuned!

Discovery of Social Media Content Relevant to “Mental State”Reid v. Ingerman Smith LLP, 2012 WL 6720752 (E.D.N.Y. Dec. 27, 2012)

Plaintiff Karissa Reid sued her employer for damages resulting from alleged sexual harassment.  The defendants in the case requested discovery of information and documents relating to Reid’s social media accounts.  The defendants argued that the postings and photographs from the public portions of Reid’s Facebook account contradicted her claims of emotional distress due to her alleged sexual harassment and termination.  The defendants asked for discovery of the non-public portions of Reid’s Facebook account.

The court allowed discovery into the private portions of Reid’s Facebook account, finding that the publicly available portions of the account provided probative evidence of her mental and emotional state and could reveal the range of her activities—an important check against allegations that she no longer engaged in certain activities as a result of mental anguish.  Although disclosure of Reid’s personal social media account could raise privacy concerns, the court ruled that privacy alone does not justify shielding information from discovery.  The court cited the example of personal diaries, which are discoverable if they contain relevant information regarding contemporaneous mental states and impressions of parties.  By analogy, the fact that Reid used privacy settings to allow only certain Facebook friends to see her postings did not give her a justifiable expectation of privacy as to the content posted on her social media accounts.

The court stopped short of ordering disclosure of everything in Reid’s social media accounts.  The appropriate scope of discovery, according to the court, includes social media communications and photographs “that reveal, refer, or relate to any emotion, feeling, or mental state . . . [and] that reveal, refer, or relate to events that could reasonably expected to produce a significant emotion, feeling, or mental state.”

No First Amendment Protection for public school teacher’s comments on Facebook — In re O’Brien, 2013 WL 132508 (N.J. Super. App. Div. Jan 11, 2013)

We’ve seen a number of cases in which employees are fired for making comments on Facebook that they never thought would get around. (For a sampling, see my posts on Sutton v. Bailey, the BMW dealership decision, and Sumien v. Careflite.)  Put In re O’Brien in this category of cases, except add a twist: Here, the employer is a public school district.  Does the First Amendment (which applies only to government action) add a layer of protection to comments posted by a public employee on social media?  Not in this case.

Jennifer O’Brien was a first-grade schoolteacher.  O’Brien posted two statements on Facebook:

I’m not a teacher—I’m a warden for future criminals!

And the second:

They had a scared straight program in school—why couldn’t [I] bring [first] graders?

The Facebook comments were brought to the attention of the principal at O’Brien’s school (Ortiz).  Ortiz was “appalled” by the statements.  O’Brien’s Facebook comments also spread quickly throughout the school district, causing a well-publicized uproar.

The school district charged O’Brien with conduct unbecoming of a teacher.  An administrative law judge (ALJ) found support for the charge and recommended O’Brien’s removal from her tenured position, and the acting commissioner of the school district agreed.  The ALJ was particularly bothered by O’Brien’s lack of remorse in posting the comments.  A New Jersey court adopted with the reasoning of the ALJ on appeal.

Both at the administrative level and on appeal, O’Brien argued that the First Amendment protected her Facebook statements.  The court disagreed, applying the test stated in the Supreme Court’s decision in Pickering v. Board of Education that analyzes whether a public employee’s statements are protected by the First Amendment by balancing the employee’s interest, “as a citizen, in commenting on matters of public concern against the interest of the State, as an employer, in promoting the efficiency of the public services it performs through its employees.”

The court accepted the findings of the ALJ and Commissioner that O’Brien’s real motivation for making the statements was her dissatisfaction with her job and the conduct of some of her students, not a desire to comment on “matters of public concern.”  Even if the comments regarded a matter of public concern, O’Brien’s right to express those comments was outweighed by the school district’s interest in the efficient operation of its schools.  The court also rejected O’Brien’s arguments that there was insufficient evidence to support the charge against her, and that removal was an inappropriate penalty.

LegalTXTS Lesson: Public employers need to exercise more caution when disciplining employees for their activity on social media networks.  Unlike the private sector, public agencies are limited by the First Amendment when regulating expression of their employees.  But even public employees don’t have absolute freedom to say whatever they want.  As O’Brien reminds us, when public employees make comments of a personal nature, or their comments interfere with the delivery of government services, such expression is not protected by the First Amendment.

The steady flow of memos and decisions on social media from the NLRB in the last two years regarding social media has left many employers bewildered about the do’s and don’ts of social media policies.  The NLRB has been rather active in striking down social media policies for unlawfully restricting activity protected by Section 7 of the National Labor Relations Act (NLRA).  In the midst of this confusion, allow me to direct your attention to a little feature with a heroic name – the Savings Clause.  A Savings Clause is a statement that sets boundaries around a social media policy.  It’s basically a disclaimer.  It says something along the lines of, “this policy should not be interpreted to prohibit X,” and theoretically, that clarification should “save” a rule from being illegal. Pretty nifty, eh?

Now, before you think popping a Savings Clause into a social media policy will magically shield you from legal trouble, it’s a bit more complicated than that.  The NLRB has spoken on Savings Clauses in social media policies since its Office of the General Counsel (OGC) issued the third memo on social media on May 30, 2012.   The NLRB also weighed in on Savings Clauses in its September 18, 2012 decision striking down Costco’s social media policy (the first NRLB decision addressing social media issues); its September 25, 2012 decision striking down Echostar Technologies’ social media policy; and the OGC’s Advice Memorandum issued on October 19, 2012.  The fact that the NLRB has issued all this “guidance” should give employers pause about thinking that Savings Clauses are simple to write.  They’re not.  But NLRB guidance suggests that Savings Clauses can be effective if written well.

Here are some tips on using Savings Clauses drawn from NLRB decisions and memos.

1.  Having a Savings Clause is a good idea.

This might seem obvious, but it’s generally a good idea to include a Savings Clause in your social media policy.  The NLRB was critical of Costco’s social media policy for not including any type of disclaimer stating that the policy was not intended to interfere with the employees’ rights to engage in activity protected by the NLRA.  The NLRB did not go as far as to say that the policy’s other defects would have been cured by a Savings Clause, but the fact that it criticized a social media policy for not having any Savings Clause strongly suggests that having one could only help.

2.  Savings clauses don’t save rules that explicitly prohibit concerted, protected activity.

There are some policies even a Savings Clause can’t make better.  For example, the OGC’s May 30, 2012 Memo examined a policy that prohibited employees from posting information about employer shutdowns and work stoppages, and from speaking publicly about the workplace, work satisfaction or dissatisfaction, wages, hours, or work conditions.  The Savings Clause in the policy stated:

This policy will not be interpreted in a way that would interfere with the rights of employees to self organize, form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection or to refrain from engaging in such activities.

The NLRB said that an employee reading the policy would reasonably conclude that the policy prohibited protected activities despite what the Savings Clause said.  The lesson here is that a policy can’t forbid activity protected by the NLRA and then expect a Savings Clause to rescue the policy from being unlawful.

3.  Use terms your employees can understand. 

The Savings Clause in the policy we looked at in the last bullet point suffered from the additional problem of using the term “concerted activities.”  The NLRB criticized the clause for not explaining to a layperson what the right to engage in “concerted activity” entails.  Lawyers might understand what “concerted activity” or “protected activity” refer to, but employees without legal training might not.  Avoid using legal terminology in the Savings Clause.  Use plain English instead.

4.  Don’t be vague.

A Savings Clause can’t be too vague, or it won’t end up “saving” anything.  So what’s considered vague?

A Savings Clause stating that if the policy conflicts with law, “the appropriate law shall be applied and interpreted so as to make the policy lawful” is too vague, according to the NLRB’s Echostar decision.  A good Savings Clause must be specific enough to give employees an idea of how the social media policy will be interpreted.  A generic statement that the policy is intended to comply with the law means little unless the employer provides some context for the statement.

What if the Savings Clause made the policy subject to a specific law, like the NLRA?  That’s better, but still not good enough.  The OGC’s May 30, 2012 Memo disapproved of two Savings Clauses, one stating that the policy “will be administered in compliance with applicable laws and regulations (including Section 7 of the National Labor Relations Act),” and another stating that the policy “will not be construed or applied in a manner that improperly interferes with employees’ rights under the National Labor Relations Act.”  The NLRB found both Savings Clauses too vague to cure the policies from being overbroad.

So just how specific should a Savings Clause be?  That leads us to–

5.  Identify the kind of activity being “saved.” 

The OGC’s October 19, 2012 Advice Memo emphasized the importance of drafting rules that provide employees with context.  “[R]ules that clarify and restrict their scope by including examples of clearly illegal or unprotected conduct, so that they would not be reasonably construed to cover protected activity, are not unlawful,” the Advice Memo explained.  A Savings Clause can help provide the needed context.  The Advice Memo approved of Cox Communications, Inc.’s social media policy, which contained the following Savings Clause:

Nothing in Cox’s social media policy is designed to interfere with, restrain, or prevent employee communications regarding wages, hours, or other terms and conditions of employment.  Cox Employees have the right to engage in or refrain from such activities.

This Savings Clause specifically identified the kind of activity that is permitted—employee communications regarding wages, hours, or other terms and conditions of employment—so as to eliminate any doubt that other rules in the policy might prohibit activity that is protected by the NLRA.

In sum, I hope these tips will help you get the most out of Savings Clauses.

It’s time for a roundup of recent Stored Communications Act (SCA) decisions.  The issues addressed in these decisions include: (1) is a company network a “facility” subject to the prohibitions of the SCA; (2) what is “electronic storage”; (3) can there be secondary liability for violating the SCA; and (4) how broadly is “authorization” under the SCA defined.

Is a company network a “facility”?

Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012)

A terminated employee remotely accessed her ex-employer’s company computers to transmit spyware and monitor network communications.  The company sued the ex-employee under the Computer Fraud and Abuse Act (CFAA) and SCA.  (I discussed the CFAA claim in this case in an earlier post.)  The SCA makes it an offense to intentionally access without authorization (or exceed one’s authorization to access) a “facility through which an electronic communication service is provided” and thereby obtain, alter, or prevent authorized access to a wire or electronic communication “while it is in electronic storage in such system.”

The company alleged that its computers are “facilities” because they enable the use of electronic communication services.  The court rejects that interpretation of “facilities.”  Information that an individual stores to his or her hard drive, such as images, personal information and emails that he or she has downloaded, is not in “electronic storage” as defined by the SCA.  The “facilities” the SCA is designed to protect are not computers that enable the use of an electronic communication service, but facilities operated by electronic communication service providers and used to store and maintain electronic storage.  The court dismissed the SCA claim.

(LegalTXT Note: This decision conflicts with a number of other federal district court decision that have held that private servers are within the scope of the SCA)

What is “electronic storage”?

Jennings v. Jennings, 2012 WL 4808545 (S.C. Oct. 10, 2012)

Gail Jennings initiated a divorce proceeding after discovering that her husband (Lee Jennings) was having an affair. Gail’s daughter-in-law (Broome) decided to help Gail by hacking into Lee’s Yahoo! email account to retrieve messages between him and his mistress.  In the lawsuit that followed, the trial court granted summary judgment for the defendants on all claims, including those brought under the SCA.  The court of appeals affirmed except as to the SCA claim against Broome.  The court of appeals found that the emails at issue were in “electronic storage” as defined in 18 U.S.C. § 2510(17), and therefore within the SCA’s prohibition against unauthorized accessing of an electronic communication while it is in “electronic storage.”

The South Carolina Supreme Court disagreed that the emails in questions were in “electronic storage.”  Part of the SCA’s definition of “electronic storage” involves storage of an electronic communication “by an electronic communication service for the purposes of backup protection of such communication.”   The emails in Lee’s account were left on the Yahoo! server after they were opened.  Keeping an email after opening it does not amount to storing it for “backup protection,” the court ruled.

Can there be secondary liability for violating the SCA?

Can a person have secondary liability for violating the SCA, such as by “aiding and abetting” a violation?  A Florida court suggests that the answer is yes, but the federal district court for the District of Columbia says no.

Vista Marketing, LLC v. Burkett, 2012 WL 3860435 (M.D. Fla. Sept. 5, 2012)

Plaintiff’s wife (Burkett) accessed the webmail account of Plaintiff’s company (Vista) to read Plaintiff’s emails so as to gain a strategic advantage in their divorce proceeding.  She did not have authorization to access the Vista email account.  Vista alleged that told her divorce attorney (Park) what she had done, and that Park encouraged Burkett to continue accessing Vista’s webmail account and advised her to compile and print many of the communications for use in the divorce proceeding.  Vista sued Park under Florida common law for conspiracy to violate the SCA.  Park moved to dismiss, but the court denied the motion, holding that Vista adequately alleged facts supporting the conspiracy claim.

Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 2012 WL 4054141 (D.D.C. Sept. 17, 2012)

Chris Gaubatz obtained an internship with a national Muslim advocacy organization (CAIR-AN) under false pretenses to infiltrate the organization and collect information that would cast the organization in a negative light.  Chris is the son of David Gaubatz, an investigator hired by the Center for Security Policy, Inc. (CSP) and the Society of Americans for National Existence (SANE) as an independent contractor to collect “field data” about CAIR-AN.  Chris was able to collect thousands of documents, which he turned over to David.  David disclosed the stolen information on his blog and in a book he co-authored.  CAIR-AN sued Chris and David, CSP and its employees, and SANE and its employees.  One of the claims in the lawsuit alleged that the Defendants “conspired with” or “aided and abetted” Chris in violating the SCA.

The court concluded that the text of the SCA did not support a theory of secondary liability.  According to the court, the SCA’s “plain language shows that Congress had one category of offenders in mind—i.e., those who directly access, or exceed their authority to access, a facility through which an electronic communication service is provided.”

(LegalTXT Note:  Although Vista Marketing discussed the SCA, the claim at issue there was based on Florida’s common law of conspiracy rather than the SCA itself.  In contrast, Gaubatz squarely involved an SCA claim.)

What’s the scope of “authorization”?

Is after-the-fact authorization effective?

Shefts v. Petrakis, 2012 WL 4049509 (C.D. Ill. Sept. 13, 2012)

There is an exception to the SCA’s prohibitions for conduct authorized by the entity providing the electronic communication service that was accessed.  But what if the authorization was provided after there has already been access?  Is authorization effective if it is given after the fact?

The answer is yes, according to the court in Shefts.  (Some of the facts relevant to the case are supplied by an earlier published decision, Shefts v. Petrakis, 758 F. Supp. 2d 620 (C.D. Ill. 2010).  Access2Go, Inc., a telecommunications company, initiated a program to monitor the email and texting activity of its president after learning of concerns that he was sexually harassing Access2Go employees and violating his fiduciary duties.  As part of the monitoring program, a shareholder and member of the Access2Go board of directors (Petrakis) accessed Shefts’ company email account.  The board appointed Petrakis as its liaison of security.  Petrakis collected emails allegedly showing Shefts engaged in sexually harassing behavior and other improper acts.  Based on this and other evidence, the board suspended Shefts and recommended his termination.

When Shefts sued the board members under the SCA, the board members countered that the company had authorized access to his email account.  Since Shefts’ company email account was maintained by and resided on Access2Go’s servers, Access2Go could legitimately authorize access to the account.  The question is, when did Access2Go give the authorization?  The board never voted to allow an employee to access another employee’s computer.  However, the board members were aware that Petrakis had accessed Shefts’ company email account, and they relied on the emails that Petrakis collected in suspending Shefts and recommending his termination.  Based on these facts, the court concluded that the board had “ratified” Petrakis’ actions, and such ratification qualified as “authorization” under the SCA.

You’re in, now what?

Cheng v. Romo, 2012 WL 6021369 (D. Mass Nov. 28, 2012)

Just because the owner of an email account gives you permission to access his account doesn’t mean you are “authorized” to read every email in there.  In Cheng, the plaintiff (Cheng) and the defendant (Romo) and her husband worked for a medical imaging company.  Cheng maintained a Yahoo! email account while working at the company, the password for which he shared with Romo.  Although Cheng never qualified Romo’s access to his email account in any way, never stated a time limit on his grant of access to Romo, and never changed his password during the relevant time, his purpose in sharing his email account was to enable Romo to review radiologic images for their work.  Romo testified that she would check Cheng’s email account to read consultant reports that radiologists emailed to Cheng.  Initially, Romo did not look at any personal items in Cheng’s email account.  But after Romo and her husband’s relationship with Cheng and others at the company deteriorated—leading ultimately to their separation from the company—Romo accessed Cheng’s account to find out about the state of the company.  Romo shared with her husband the emails she printed from Cheng’s account.  Cheng sued Romo for violations of the SCA and invasion of privacy under Massachusetts law.

The court denied Romo’s motion for summary judgment as to both claims.  Regarding the SCA claim, the court found genuine issues of material fact as to whether Romo had authorization to access Cheng’s email account.  The fact that Cheng had given Romo his password years earlier was not determinative, given the context in which the password was given and the later use that Romo made of it.  It was up to the factfinder to look at the circumstances in which the password was given and to determine whether Romo was authorized, or exceeded her authorization, to access Cheng’s email account, the court said.

As for the privacy claim, the court held that it was cognizable, but there were genuine issues of material fact concerning whether Cheng had a reasonable expectation of privacy in his email messages and whether Romo’s actions interfered with Cheng’s privacy.

(LegalTXT Note: The court in Cheng noted that the term “authorization” in the SCA could have analogous meaning as the same term in the CFAA.  The court summarized the different approaches court take in defining the term in the context of the CFAA, including those finding “authorization” where there was no breach of technical barriers to access, and those finding no “authorization” where permission to access was granted but the information collected via such access was misused (see my post on Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), a case the Cheng court cites).  Ultimately, the court does not indicate which approach it adopts, although its summary judgment ruling suggests that it considers the purpose behind the grant of access, and not the mere grant of permission itself, relevant to determining the existence of authorization.)