Hawai‘i has jumped on the bandwagon of states (along with 31 other states, according to the National Conference of State Legislatures) introducing legislation to ban employers from requesting access to social media accounts of job applicants.  Several bills on the subject were introduced in this year’s legislative session, but the one that appears to have the best chance of becoming law is HB713 H.D. 2 S.D. 1 (HB713).  The bill has passed the House and gained the approval of two Senate committees.  Next up for the bill is review by the Senate Judiciary Committee.  As HB713 gains traction, let’s take a look at what it says and some issues it raises in its current form.

SUMMARY OF HB713, H.D. 2

HB713 would insert a new section into the Hawai‘i statute governing discriminatory employment practices, Hawai‘i Revised Statutes (HRS) chapter 378, part I.  The proposed law would apply to both job applicants and existing employees.  Employers are prohibited from gaining access to a “personal account,” which is defined as:

An account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer.  This definition shall not apply to any account, service, profile, or electronic mail created, maintained, used, or accessed by an employee or potential employee for business purposes of the employer or to engage in business-related communications.

Specifically, an employer may not “require, request, suggest, or cause” an employee or job applicant to: (1) turn over access to his or her personal account; (2) access his or her personal account while the employer looks on; or (3) divulge any personal account.  An employer also may not fire, discipline, threaten, or retaliate against an employee or job applicant for turning down an illegal request for access.

There are exceptions, however.

  • An employer may conduct an investigation to ensure compliance with law, regulatory requirements, or prohibitions against work-related employee misconduct based on receipt of specific information about activity on a personal online account or service by an employee or other source.
  • An employer may conduct an investigation of an employee’s actions based on the receipt of specific information about unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to a personal online account or service.
  • An employer may monitor, review, access, or block electronic data (a) stored on an electronic communications device that it pays for in part or in whole, or (b) traveling through or stored on an employer’s network, in compliance with state and federal law.
  • An employer may get an employee’s login credentials to access an electronic communications device supplied or paid for in whole or in part by the employer.
  • An employer may get an employee’s login credentials to access accounts or services provided by the employer or “by virtue of the employee’s employment relationship with the employer” or that the employee uses for business purposes.
  • HB713 specifies that the proposed law is not intended to prevent an employer from complying with other law or the rules of self-regulatory organizations, and that the proposed law should not be construed to conflict with federal law.

OBSERVATIONS AND CONCERNS

Shoulder surfing nixed.  The bill appears to make “shoulder surfing” by an employer illegal per se.  Suppose an employee tells her boss, “Man, you cannot believe the whales my friend saw on her boat this weekend!  She sent me a video of it on Facebook.”  Intrigued, the boss says he wants to see the video.  The employee obliges by logging on to her Facebook account while her boss watches over her shoulder.  Did the boss unlawfully “request” that the employee grant him access to her “personal account”?  Technically, yes.  Note that HB713 has no exception for voluntary consent of the employee.

“Friending” employees might become illegal.  Employers and employees sometimes connect on the same social network.  While it isn’t always a good idea for an employer to “friend” an employee, it’s not illegal to do so—unless, perhaps, HB713 becomes the law.  HB713 bans an employer from requesting that an employee “divulge any personal account.”  Yet, that’s exactly what a friend request does—it requests access to portions of a social media account that can be viewed only by the account owner’s “friends.”  The “divulge” language probably was intended to reach situations where an employer demands that an employee hand over access to another employee’s personal account.  But as written, HB713’s prohibition against divulging any personal account could be interpreted to apply to innocent “friending.”

The line between personal and business is blurry.  In a perfect world, employees would use business social media accounts strictly for business purposes and conduct all of their personal social media activity using separate social media accounts.  That’s a best practice, not necessarily reality.  The line between personal and business can get blurry in the social media space.  It’s not unusual for employees to talk about work or promote their company within their personal social networks.  If the employee uses his or her personal account for work purposes, shouldn’t the employer, who might have responsibility for the actions of its employee, be entitled to access the employee’s personal account in certain circumstances?  On the other hand, to what extent must an employee use his or her personal account for work-related interactions before the employer should be allowed access to the account?  These are difficult issues.

To address the issue, the latest draft of the bill tightens up the definition of “personal account” a bit and specifies that an employer may obtain login credentials from an employee to access “[a]ny accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes.”  This language is somewhat vague.  For example, what does “by virtue of the employee’s employment relationship with the employer” mean?  It might well be that HB713 is trying to draw artificial distinctions between personal and work social media accounts when in practice, the distinction is sometimes fuzzy at best.

HB713 still has a few hurdles to overcome before it becomes law.  Here at LegalTXTS, we’ll keep an eye out for the status of the bill.

Sharing a link to unauthorized video capture of proprietary information is not a violation of Stored Communications Act

Castle Megastore Group, Inc. v. Wilson, 2013 WL 672895 (D. Ariz. Feb. 25, 2013)

In closing arguments to the jury at the O.J. Simpson murder trial, defense attorney Johnnie Cochran famously quipped, “If it doesn’t fit, you must acquit.”  Plaintiff’s attorneys looking to add a Stored Communications Act (SCA) claim to their complaint would do well to heed Cochran’s advice.  There has been a rash of cases dismissing ill-fitted SCA claims (see my recent posts here and here).  Castle Megastore Group, Inc. v. Wilson is the latest.

Castle Megastore Group, Inc. (CMG) sued its former employees for allegedly sharing confidential company information with other companies while they were still employed at CMG.  CMG claimed that Flynn, who was employed by CMG as its “Social Media Specialist,” violated the SCA by posting a video of a confidential CMG managers meeting on Vimeo, a third party website, and sending co-workers the link to the video and the password to his personal Vimeo account.

This scenario didn’t fit within the prohibitions of the SCA, the court said.  CMG argued that Vimeo was an “electronic communication service” within the meaning of the SCA, that the defendants knew the video contained confidential content before accessing it, and that Flynn lacked authority to give others access to the video.  The court agreed that Vimeo is an electronic communication service, but Vimeo is where Flynn shared the video, not where he obtained it.  CMG did not allege that Flynn obtained the video through unauthorized access to a CMG-owned electronic communication service.  Flynn was authorized to grant access to his personal Vimeo account.  Sharing a link and password to that account did not violate the SCA, the court ruled.

LegalTXTS Lesson:  Read the SCA carefully before making a claim under it.  Understand how the various concepts in the statute (like “access,” “without authorization,” “facility,” and “electronic communication service”) fit together.  Just because one or more of the concepts is present in a given situation doesn’t mean you have a viable SCA claim.

A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA

Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained with such access, as the former AAT employees allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the phrase “without authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can

Now that the 2013 legislative session in Hawai‘i is in full swing, let’s take a look at what new measures are in the pipeline to regulate Internet activity.  A chart of relevant information about each bill is available here.  Here’s a summary of the Internet-related proposals working their way through the legislature.

Social Media and Internet Account Passwords

A set of bills (SB207 and HB713) proposes to join other states in banning employers from asking employees or job applicants to disclose the passwords to their personal social media accounts.  Another set of proposals (HB1104 and HB1023) would extend the ban to educational institutions and their students or prospective students.

Privacy Policies

Two bills (HB39 and SB729) would make it a legal requirement for operators of a commercial website or online service to post a privacy policy on their website.

Cyberbullying

Three bills (HB1226, SB525, and HB397) would require the board of education to adopt various policies and programs to combat cyberbullying in public and charter schools.

Teacher/Student Interactions

Apparently responding to incidents in which teachers and students conducted inappropriate relationships online, HB678 would allow a teacher in a public or charter school to engage in electronic communication with a student (including cell phone calls) only on Department of Education networks and systems.

Identity Theft

SB325 would require businesses to implement a comprehensive, written policy and procedure to prevent identity theft and train all employees in implementation of the same.

Cybersecurity

HB462 would establish a statewide cybersecurity council to identify and assess critical computer infrastructure, identify cybersecurity “best practices,” recommend incentives for voluntary adoption of such best practices, evaluate the efficacy of such practices, and report annually to the legislature.

We’ll be tracking these bills, reporting on their status periodically, and posting revisions to the chart.  Stay tuned!

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases has provided answers to important questions about the requirements for bringing a claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing businesses that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegeSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that they were leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc. v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employee’s Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in the CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

With regard to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.