by ·1 Comment

A New York court overturns the termination of a public school teacher for posting offensive comments on social mediaRubino v. City of New York, 106 A.D.3d 439 (May 7, 2013)

The New York Supreme Court, Appellate Division recently ruled that the firing of a fifth-grade public school teacher for making inappropriate comments on social media was too harsh of a penalty.  After a difficult day at class, the teacher posted comments alluding to a tragedy involving an unknown student at a different school.  The court’s opinion is sparse on details, but according to a Huffington Post article, the teacher wrote: “After today, I am thinking the beach sounds like a wonderful idea for my 5th graders!  I HATE THEIR GUTS!”  The beach reference alluded to the drowning of a 12-year old girl on a school trip to Long Island beach the day before.  The comments were only visible to the teacher’s private network of friends, who did not include any of her students or their parents.  The teacher deleted the comments three days after posting them.  She denied making the comments when she was initially confronted about them, but later confessed at her disciplinary hearing.

The court agreed that the comments were “clearly inappropriate” but it noted that the purpose of the comments was just to vent.  The teacher did not intend the public to see her comments, and she expressed remorse over making them.  She had no prior disciplinary history in her 15-year career.  Given the record, the appellate court found the termination to be “shocking to one’s sense of fairness.”  The appellate court upheld a lower court order setting aside the termination and sending the case back down for imposition of a lesser penalty.

LegalTXTS Lesson: Not all courts have been as kind toward teachers who vent on social media as the New York Appellate Division.  In fact, in In re O’Brien, a court in neighboring New Jersey upheld the firing of a first-grade teacher under similar circumstances earlier this year.  One difference might be that the teacher in Rubino expressed remorse for making the comments whereas the teacher in O’Brien did not.  Whether that factor alone accounts for the different outcomes is questionable.  One thing the cases do share in common is that the teachers in both thought that no one outside of their network of “friends” would see their comments.  With apologies to Las Vegas, Rubino and O’Brien teach that what happens in an employee’s social network doesn’t always stay in his or her social network.

Related articles
Enhanced by Zemanta

by ·0 Comments

Supervisor snoops into former employee’s personal Gmail account after she returns company-issued BlackberryLazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

Verizon BlackBerry Tour 9630The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.   Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired.    Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.

Related articles

Enhanced by Zemanta

by ·1 Comment

Employer sues ex-employee for not updating his LinkedIn profileJefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s  benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the amount of access to which former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow of erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.
Enhanced by Zemanta

by ·0 Comments

UPDATE:  On April 30, 2013, a three-member panel of the NLRB adopted the ALJ’s decision in this case.  Read the board decision here (the ALJ decision and the Dish Network social media policy that got invalidated are attached).

The NLRB recently dealt another blow to the ability of employers to prohibit employees from engaging in disparaging speech on social media.  On November 14, 2012, an Administrative Law Judge (“ALJ”) of the NRLB issued a decision striking down two rules in Dish Network’s employee handbook dealing with social media use.  The first rule prohibited employees from making disparaging or defamatory comments about their employer.  The ALJ found that the rule could unlawfully chill employees in the exercise of their Section 7 rights to engage in concerted activity.  The second rule prohibited employees from engaging in “negative electronic discussion” during company time.  This rule could effectively ban union activities during breaks and other non-working hours at the workplace, the ALJ concluded.

This was not the first time Dish Network’s social media policy came under fire.  On May 31, 2012, the Acting General Counsel of the NLRB issued a memo criticizing provisions of actual social media policies.  Dish Network was one of the companies whose policies were scrutinized in the memo.  But while the memo was merely advisory, the latest ALJ ruling is not.

Recent NLRB rulings like this one leave behind a wake of confusion for employers.  Provisions that are commonplace in employee handbooks, like non-disparagement rules, are being invalidated when applied in the social media context.  To add to the confusion, the NLRB can seem inconsistent.  For example, the May 30 memo approved Wal-Mart’s social media policy, which includes an instruction to “refrain from using social media while on work time” or on company equipment.  However, the NLRB struck down Dish Network’s practice of banning social media activity on company time.  What’s an employer to do?  Few definitive answers are available, but here are a few ideas to help you survive in this uncertain environment:

  • Stop treating social media as a novelty.  Employers who still regard social media as a frivolous activity tend to use draconian measures (like categorical bans) to regulate it.  The reality is that social media has become part of everyday life, nearly as much as cellphones and texting has.  The point is not to restrict social media use per se, but to manage the consequences of such use.  Which leads us to . . .
  • Focus on outcomes.  Dish Network very well could have intended its non-disparagement work rule to protect its brand and reputation rather than prohibit employee discussion about their work conditions or compensation.  However, the rule did not clearly spell out its objectives.  Tell employees the outcomes you want to avoid.  If what you want to prevent are discriminatory remarks that create a hostile work environment, say so.  This was one of the features of the Wal-Mart policy that the NLRB’s May 30 memo approved.  In a section of the policy entitled “Be Respectful,” Wal-Mart states that if an employee decides to post complaints or criticism, they should ” avoid using statements, photographs, video or audio that reasonably could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying.”  The policy then listed examples of such conduct, such as “offensive posts meant to intentionally harm someone’s reputation or posts that could contribute to a hostile work environment on the basis of race, sex, disability,religion or any other status protected by law or company policy.”
  • Stay positive.  Rather than just banning certain kinds of conduct on social media, consider setting affirmative guidelines that employees should adhere to when communicating with others, whether on social media or other communication channels.  For example, do you want your organization to be portrayed in a certain way?  Then describe the image you would like your employees to convey to others in their communications when talking about the organization.
  • It’s not over.  The NLRB rulings are not the final word on how broadly employers may regulate social media activity of employees.  Although ALJ decisions and even those of NLRB panels are more authoritative than guidance memos, courts have yet to weigh in.

by ·0 Comments

The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D .Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argumen.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”   The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.

Related articles
Enhanced by Zemanta