A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA

Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained with such access, as the former AAT employees allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the word “authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can

NLRB Strikes Down Restrictions on Employee Communications on Social Media and Elsewhere — DirecTV U.S. DirecTV Holdings, LLC, 359 NLRB 54 (Jan. 25, 2013)

On the same day that the D.C. Circuit Court of Appeals ruled that President Obama’s recess appointments to the National Labor Relations Board (NLRB) were unconstitutional, the NLRB struck down several of DirecTV’s work rules, including one relating to social media use.  The ruling comes as little surprise, as it mirrors the positions and rationale stated in previous Guidance Memoranda issued by the NLRB’s Office of General Counsel.  Of course, this decision carries more weight because it’s issued by the Board itself (but query the ruling’s validity in light of the D.C. Circuit decision).

Restrictions on employee communication with the media

The first two rules instructed employees to “not contact the media,” and “not contact or comment to any media about the company unless pre-authorized by Public Relations.”  Section 7 of the National Labor Relations Act (NLRA) protects employee communications with the media concerning labor disputes.  The broad and unequivocal language of the rules could lead an employee to believe that such protected activity is not permitted under the rules, which is unlawful, the NLRB found.  The rules did not distinguish between protected and unprotected communications (e.g., maliciously false statements).

Restrictions on employee communication with NLRB agents

The next rule in question stated: “If law enforcement wants to interview or obtain information regarding a DIRECTV employee, whether in person or by telephone/email, the employee should contact the security department . . . who will handle contact with law enforcement agencies and any needed coordination with DIRECTV departments.”  The NLRB found that this rule would make employees think that they must go through their employer before cooperating with an NLRB investigation, as NLRB agents could reasonably be considered “law enforcement” as far as labor matters are concerned.  This violates Section 8(a)(4) of the NLRA, which protects employees who file unfair labor practice charges or who provide information in the course of an NLRB investigation.  While an employer could have a legitimate interest in knowing about attempts by law enforcement agents to interview employees, the rule failed to separate out those situations from those in which the Section 8(a)(4) protections apply.

Confidentiality

DirecTV instructed employees to “[n]ever discuss details about your job, company business or work projects with anyone outside the company” and to “[n]ever give out information about customers or DIRECTV employees.”  The rule identified “employee records” as one of the categories of “company information” that must be kept confidential.  The NLRB struck down these rules because employees could reasonably understand them to restrict discussion of their wages and other terms and conditions of employment.  The rule was also deficient in not exempting protected communications with third parties such as union representatives, NLRB agents, or other governmental agencies concerned with workplace matters.

Online Disclosures of “Company Information”

DirecTV posted a corporate policy on its intranet stating: “Employees may not blog, enter chat rooms, post messages on public websites or otherwise disclose company information that is not already disclosed as a public record.”  In addition to the policies on the intranet, DirecTV issued a handbook with overlapping sets of rules governing employee conduct and effectively directed employees to read them as one.  The handbook contains a confidentiality rule that defines “company information” as including “employee records.”  Reading the two policies together, an employee could understand the intranet policy to prohibit online disclosure of information concerning wages, discipline, and performance ratings.

LegalTXTS Notes: This ruling isn’t groundbreaking, but it confirms that the Board agrees with the positions taken in the previous OGC Guidance Memoranda on social media policies.  The D.C. Circuit does cast a pall over the validity of this ruling, although the NLRB supported the ruling with multiple Board decisions that were issued well before the recess appointments were made.

Now that the 2013 legislative session in Hawai‘i is in full swing, let’s take a look at what new measures are in the pipeline to regulate Internet activity.  A chart of relevant information about each bill is available here.  Here’s a summary of the Internet-related proposals working their way through the legislature.

Social Media and Internet Account Passwords

A set of bills (SB207 and HB713) proposes to join other states in banning employers from asking employees or job applicants to disclose the passwords to their personal social media accounts.  Another set of proposals (HB1104 and HB1023) would extend the ban to educational institutions and their students or prospective students.

Privacy Policies

Two bills (HB39 and SB729) would make it a legal requirement for operators of a commercial website or online service to post a privacy policy on their website.

Cyberbullying

Three bills (HB1226, SB525, and HB397) would require the board of education to adopt various policies and programs to combat cyberbullying in public and charter schools.

Teacher/Student Interactions

Apparently responding to incidents in which teachers and students conducted inappropriate relationships online, HB678 would allow a teacher in a public or charter school to engage in electronic communication with a student (including cell phone calls) only on Department of Education networks and systems.

Identity Theft

SB325 would require businesses to implement a comprehensive, written policy and procedure to prevent identity theft and train all employees in implementation of the same.

Cybersecurity

HB462 would establish a statewide cybersecurity council to identify and assess critical computer infrastructure, identify cybersecurity “best practices,” recommend incentives for voluntary adoption of such best practices, evaluate the efficacy of such practices, and report annually to the legislature.

We’ll be tracking these bills, reporting on their status periodically, and posting revisions to the chart.  Stay tuned!

Discovery of Social Media Content Relevant to “Mental State”

Reid v. Ingerman Smith LLP, 2012 WL 6720752 (E.D.N.Y. Dec. 27, 2012)

Plaintiff Karissa Reid sued her employer for damages resulting from alleged sexual harassment.  The defendants in the case requested discovery of information and documents relating to Reid’s social media accounts.  The defendants argued that the postings and photographs from the public portions of Reid’s Facebook account contradicted her claims of emotional distress due to her alleged sexual harassment and termination.  The defendants asked for discovery of the non-public portions of Reid’s Facebook account.

The court allowed discovery into the private portions of Reid’s Facebook account, finding that the publicly available portions of the account provided probative evidence of her mental and emotional state and could reveal the range of her activities—an important check against allegations that she no longer engaged in certain activities as a result of mental anguish.  Although disclosure of Reid’s personal social media account could raise privacy concerns, the court ruled that privacy alone does not justify shielding information from discovery.  The court cited the example of personal diaries, which are discoverable if they contain relevant information regarding contemporaneous mental states and impressions of parties.  By analogy, the fact that Reid used privacy settings to allow only certain Facebook friends to see her postings did not give her a justifiable expectation of privacy as to the content posted on her social media accounts.

The court stopped short of ordering disclosure of everything in Reid’s social media accounts.  The appropriate scope of discovery, according to the court, includes social media communications and photographs “that reveal, refer, or relate to any emotion, feeling, or mental state . . . [and] that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

No First Amendment Protection for public school teacher’s comments on Facebook — In re O’Brien, 2013 WL 132508 (N.J. Super. App. Div. Jan 11, 2013)

We’ve seen a number of cases in which employees are fired for making comments on Facebook that they never thought would get around. (For a sampling, see my posts on Sutton v. Bailey, the BMW dealership decision, and Sumien v. Careflite.)  Put In re O’Brien in this category of cases, except add a twist: Here, the employer is a public school district.  Does the First Amendment (which applies only to government action) add a layer of protection to comments posted by a public employee on social media?  Not in this case.

Jennifer O’Brien was a first-grade schoolteacher.  O’Brien posted two statements on Facebook:

I’m not a teacher—I’m a warden for future criminals!

And the second:

They had a scared straight program in school—why couldn’t [I] bring [first] graders?

The Facebook comments were brought to the attention of the principal at O’Brien’s school (Ortiz).  Ortiz was “appalled” by the statements.  O’Brien’s Facebook comments also spread quickly throughout the school district, causing a well-publicized uproar.

The school district charged O’Brien with conduct unbecoming of a teacher.  An administrative law judge (ALJ) found support for the charge and recommended O’Brien’s removal from her tenured position, and the acting commissioner of the school district agreed.  The ALJ was particularly bothered by O’Brien’s lack of remorse in posting the comments.  A New Jersey court adopted the reasoning of the ALJ on appeal.

Both at the administrative level and on appeal, O’Brien argued that the First Amendment protected her Facebook statements.  The court disagreed, applying the test stated in the Supreme Court’s decision in Pickering v. Board of Education that analyzes whether a public employee’s statements are protected by the First Amendment by balancing the employee’s interest, “as a citizen, in commenting on matters of public concern against the interest of the State, as an employer, in promoting the efficiency of the public services it performs through its employees.”

The court accepted the findings of the ALJ and Commissioner that O’Brien’s real motivation for making the statements was her dissatisfaction with her job and the conduct of some of her students, not a desire to comment on “matters of public concern.”  Even if the comments regarded a matter of public concern, O’Brien’s right to express those comments was outweighed by the school district’s interest in the efficient operation of its schools.  The court also rejected O’Brien’s arguments that there was insufficient evidence to support the charge against her, and that removal was an inappropriate penalty.

LegalTXTS Lesson: Public employers need to exercise more caution when disciplining employees for their activity on social media networks.  Unlike the private sector, public agencies are limited by the First Amendment when regulating expression of their employees.  But even public employees don’t have absolute freedom to say whatever they want.  As O’Brien reminds us, when public employees make comments of a personal nature, or their comments interfere with the delivery of government services, such expression is not protected by the First Amendment.