by ·0 Comments

UPDATE:  On April 30, 2013, a three-member panel of the NLRB adopted the ALJ’s decision in this case.  Read the board decision here (the ALJ decision and the Dish Network social media policy that got invalidated are attached).

The NLRB recently dealt another blow to the ability of employers to prohibit employees from engaging in disparaging speech on social media.  On November 14, 2012, an Administrative Law Judge (“ALJ”) of the NRLB issued a decision striking down two rules in Dish Network’s employee handbook dealing with social media use.  The first rule prohibited employees from making disparaging or defamatory comments about their employer.  The ALJ found that the rule could unlawfully chill employees in the exercise of their Section 7 rights to engage in concerted activity.  The second rule prohibited employees from engaging in “negative electronic discussion” during company time.  This rule could effectively ban union activities during breaks and other non-working hours at the workplace, the ALJ concluded.

This was not the first time Dish Network’s social media policy came under fire.  On May 31, 2012, the Acting General Counsel of the NLRB issued a memo criticizing provisions of actual social media policies.  Dish Network was one of the companies whose policies were scrutinized in the memo.  But while the memo was merely advisory, the latest ALJ ruling is not.

Recent NLRB rulings like this one leave behind a wake of confusion for employers.  Provisions that are commonplace in employee handbooks, like non-disparagement rules, are being invalidated when applied in the social media context.  To add to the confusion, the NLRB can seem inconsistent.  For example, the May 30 memo approved Wal-Mart’s social media policy, which includes an instruction to “refrain from using social media while on work time” or on company equipment.  However, the NLRB struck down Dish Network’s practice of banning social media activity on company time.  What’s an employer to do?  Few definitive answers are available, but here are a few ideas to help you survive in this uncertain environment:

  • Stop treating social media as a novelty.  Employers who still regard social media as a frivolous activity tend to use draconian measures (like categorical bans) to regulate it.  The reality is that social media has become part of everyday life, nearly as much as cellphones and texting has.  The point is not to restrict social media use per se, but to manage the consequences of such use.  Which leads us to . . .
  • Focus on outcomes.  Dish Network very well could have intended its non-disparagement work rule to protect its brand and reputation rather than prohibit employee discussion about their work conditions or compensation.  However, the rule did not clearly spell out its objectives.  Tell employees the outcomes you want to avoid.  If what you want to prevent are discriminatory remarks that create a hostile work environment, say so.  This was one of the features of the Wal-Mart policy that the NLRB’s May 30 memo approved.  In a section of the policy entitled “Be Respectful,” Wal-Mart states that if an employee decides to post complaints or criticism, they should ” avoid using statements, photographs, video or audio that reasonably could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying.”  The policy then listed examples of such conduct, such as “offensive posts meant to intentionally harm someone’s reputation or posts that could contribute to a hostile work environment on the basis of race, sex, disability,religion or any other status protected by law or company policy.”
  • Stay positive.  Rather than just banning certain kinds of conduct on social media, consider setting affirmative guidelines that employees should adhere to when communicating with others, whether on social media or other communication channels.  For example, do you want your organization to be portrayed in a certain way?  Then describe the image you would like your employees to convey to others in their communications when talking about the organization.
  • It’s not over.  The NLRB rulings are not the final word on how broadly employers may regulate social media activity of employees.  Although ALJ decisions and even those of NLRB panels are more authoritative than guidance memos, courts have yet to weigh in.

by ·0 Comments

The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D .Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argumen.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”   The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.

Related articles
Enhanced by Zemanta

by ·3 Comments

Employers who discipline employees for their social media activity could unwittingly violate protections under the National Labor Relations Act (NLRA) for employees who engage in “protected concerted activity.”  An employee engages in protected concerted activity when acting together with other employees, or acting alone with the authority of other employees, for the mutual aid or protection of co-workers regarding terms and conditions of employment.  Since social networks by nature connect people, online gripes about work—which could be read by co-workers of the author within the same social network—could constitute protected concerted activity.  Three recent National Labor Relations Board (NLRB) decisions highlight this risk.

In Hispanics United of Buffalo, Inc., 359 NRLB No. 37 (Dec. 14, 2012), an employee at a domestic violence relief organization posted on Facebook about a co-worker (Cruz-Moore) who threatened to complain about the work habits of other employees to the executive director of the organization.  The employee wrote: “Lydia Cruz, a coworker feels that we don’t help our clients enough . . . .  I about had it!  My fellow coworkers how do u feel?”  Four off-duty employees responded to this post with disagreement over Cruz-Moore’s alleged criticisms.  Cruz-Moore saw these posts, responded to them, and brought them to the attention of the executive director.  The employee who authored the original post and the employees who responded were fired.  Two NLRB members of a three-person panel found the termination to be a violation of Section 8(a)(1) of the National Labor Relations Act (NLRA).  The NLRB found the posts to be “concerted” because they had the “clear ‘mutual aid’ objective for preparing coworkers for a group defense to [Cruz-Moore’s] complaints.”   The NLRB also considered the posts “protected” because they related to job performance matters.

In Pier Sixty, LLC, 2013 WL 1702462 (NLRB Div. of Judges Apr. 18, 2013), the service staff of a catering company were in the process of taking a vote on union representation when a staff member (Perez) got upset by what he perceived as harassment by his manager.  During a break, Perez went to the bathroom and posted on Facebook: “Bob is such a NASTY M***** F****R don’t know how to talk to people!!!!!  F**k his mother and his entire f*****g family!!!!  What a LOSER!!!!  Vote YES for the UNION.”  Various co-workers responded to the post.  The company fired Perez after learning about the post.  An administrative law judge of the NLRB held that the employer violated Section 8(a)(1) of the NLRA.  The judge found the post to constitute “protected activity” because it was part of an ongoing sequence of events involving employee attempts to protest and remedy what they saw as rude and demeaning treatment by their managers.  The post was also “concerted” because it was activity undertaken on behalf of a union.

In Design Technology Group, LLC d/b/a Bettie Page Clothing, 359 NLRB No. 96 (Apr. 19, 2013), employees of a clothing store repeatedly but unsuccessfully attempted to persuade their employer to close the store earlier so that they wouldn’t have to walk through an unsafe neighborhood at night.  The employees posted Facebook messages lamenting the denial of their request and criticizing their manager.  In one message, an employee said she would bring in a book on workers’ rights to shed light on their employer’s labor law violations.  Another employee saw the messages and sent them to the HR director, who in turn forwarded them to the store owner.  The owner fired the employees who posted the messages, allegedly for insubordination.   A NLRB administrative law judge found the terminations unlawful because the messages were a continuation of an effort to address concerns about work safety (i.e., leaving work late at night in an unsafe neighborhood) and thus constituted protected concerted activity.

LegalTXTS Lesson:  What should employers learn from these decisions?  To avoid violating Section 8(a)(1) of the NLRA, employers might consider the following before disciplining employees based on their social media activity:

  • Check whether the employee’s post attracted or solicited a response from co-workers.  The interactive nature of social networking means that communications via social media are often “concerted.”
  • Calls for co-workers to take action likely constitute “protected” activity.
  • Complaints about work or co-workers—even if vulgar—can be considered “protected” activity.
  • Messages posted outside of the workplace or work hours can still be considered protected concerted activity.
  • Be especially sensitive to messages that reference collective bargaining activity or labor requirements.  Those are red flags indicating the need to exercise caution.
  • Often, social media is not the initial venue for airing work-related complaints.  Investigate whether the complaints voiced online were previously brought to the attention of the employer.  If they were, the online messages are more likely to be found to be part of a series of protected activity.
Related articles
Enhanced by Zemanta

by ·1 Comment

Proof of actual damages is not necessary to recover the minimum $1,000 in statutory damages under the Stored Communications ActShefts v. Petrakis, 2013 WL 1087695 (C.D. Ill. Mar. 14, 2013)

A person who brings a successful Stored Communications Act (SCA) claim can recover at least $1,000 without having to prove actual damages.  In Shefts v. Petrakis, the plaintiff (Shefts) sued his former employer for violating the SCA by illegally accessing his various messaging accounts, including a Yahoo! email account.  (See my post on an earlier decision in this case regarding after-the-fact authorization of access to emails.)  Shefts did not seek actual damages, but instead, statutory damages under the SCA.  The SCA states that “[t]he court may assess as damages . . . the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.”  18 U.S.C. § 2707(c).  The defendants argued that Shefts could not recover statutory damages without proving actual damages.  Shefts countered that he may recover statutory damages as an alternative to actual damages.

The trial court agreed with Shefts.  Finding no Supreme Court precedent on point, the court looked at the plain language of the damages statute, legislative history, and other district court decisions.  The court found that the plain language of the statute entitled a successful plaintiff to obtain minimum recovery of $1,000 in statutory damages.  The legislative history also evidenced the intent of Congress to allow recovery of at least $1,000.  Also persuasive to the court were other district court decisions finding that the SCA does not require actual damages as a condition to recovery.  The court’s ruling meant that, assuming Shefts could establish liability under the SCA, his failure to seek actual damages would not preclude him from recovering statutory damages.

by ·2 Comments

Hawai‘i has jumped on the bandwagon of states (along with 31 other states, according to the National Conference of State Legislatures) introducing legislation to ban employers from requesting access to social media accounts of job applicants.  Several bills on the subject were introduced in this year’s legislative session, but the one that appears to have the best chance of becoming law is HB713 H.D. 2 S.D. 1 (HB713).  The bill has passed the House and gained the approval of two Senate committees.  Next up for the bill is review by the Senate Judiciary Committee.  As HB713 gains traction, let’s take a look at what it says and some issues it raises in its current form.

SUMMARY OF HB713, H.D. 2

HB713 would insert a new section into the Hawai‘i statute governing discriminatory employment practices, Hawai‘i Revised Statutes (HRS) chapter 378, part I.  The proposed law would apply to both job applicants and existing employees.  Employers are prohibited from gaining access to a “personal account,” which is defined as:

An account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer.  This definition shall not apply to any account, service, profile, or electronic mail created, maintained, used, or accessed by an employee or potential employee for business purposes of the employer or to engage in business-related communications.

Specifically, an employer may not “require, request, suggest, or cause” an employee or job applicant to: (1) turn over access to his or her personal account; (2) access his or her personal account while the employer looks on; or (3) divulge any personal account.  An employer also may not fire, discipline, threaten, or retaliate against an employee or job applicant for turning down an illegal request for access.

There are exceptions, however.

  • An employer may conduct an investigation to ensure compliance with law, regulatory requirements, or prohibitions against work-related employee misconduct based on receipt of specific information about activity on a personal online account or service by an employee or other source.
  • An employer may conduct an investigation of an employee’s actions based on the receipt of specific information about unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to a personal online account or service.
  • An employer may monitor, review, access, or block electronic data (a) stored on an electronic communications device that it pays for in part or in whole, or (b) traveling through or stored on an employer’s network, in compliance with state and federal law.
  • An employer may get an employee’s login credentials to access an electronic communications device supplied or paid for in whole or in part by the employer.
  • An employer may get an employee’s login credentials to access accounts or services provided by the employer or “by virtue of the employee’s employment relationship with the employer” or that the employee uses for business purposes.
  • HB713 specifies that the proposed law is not intended to prevent an employer from complying with other law or the rules of self-regulatory organizations, and that the proposed law should not be construed to conflict with federal law.

OBSERVATIONS AND CONCERNS

Shoulder surfing nixed.  The bill appears to make “shoulder surfing” by an employer illegal per se.  Suppose an employee tells his boss, “Man, you cannot believe the whales my friend saw on her boat this weekend!  She sent me a video of it on Facebook.”  Intrigued, the boss says he wants to see the video.  The employee obliges by logging on to her Facebook account while her boss watches over her shoulder.  Did the boss unlawfully “request” that the employee grant him access to her “personal account”?  Technically, yes.  Note that HB713 has no exception for voluntary consent of the employee.

“Friending” employees might become illegal.  Employers and employees sometimes connect on the same social network.  While it isn’t always a good idea for an employer to “friend” an employee, it’s not illegal to do so—unless, perhaps, HB713 becomes the law.  HB713 bans an employer from requesting that an employee “divulge any personal account.”  Yet, that’s exactly what a friend request does—it requests access to portions of a social media account that can be viewed only by the account owner’s “friends.”  The “divulge” language probably was intended to reach situations where an employer demands that an employee hand over access to another employee’s personal account.  But as written, HB713’s prohibition against divulging any personal account could be interpreted to apply to innocent “friending.”

The line between personal and private is blurry.  In a perfect world, employees would use business social media accounts strictly for business purposes and conduct all of their personal social media activity using separate social media accounts.   That’s a best practice, not necessarily reality.  The line between personal and business can get blurry in the social media space.  It’s not unusual for employees to talk about work or promote their company within their personal social networks.  If the employee uses his or her personal account for work purposes, shouldn’t the employer, who might have responsibility for the actions of its employee, be entitled to access the employee’s personal account in certain circumstances?  On the other hand, to what extent must an employee use his or her personal account for work-related interactions before the employer should be allowed access to the account?  These are difficult issues.

To address the issue, the latest draft of the bill tightens up the definition of “personal account” a bit and specifies that an employer may obtain login credentials from an employee to access “[a]ny accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes.”  This language is somewhat vague.  For example, what does “by virtue of the employer’s employment relationship with the employer” mean?  It might well be that HB713 is trying to draw artificial distinctions between personal and work social media accounts when in practice, the distinction is sometimes fuzzy at best.

HB713 still has a few hurdles to overcome before it becomes law.  Here at LegalTXTS, we’ll keep an eye out for the status of the bill.