Employers Liable Under Stored Communication Act for Accessing Employee Facebook and Gmail Accounts

By Cameron G. Shilling (originally published 9/25/2013)

Employers frequently access and review data created or stored by employees on company-owned electronic devices, such as computers, laptops, tablets (iPad), and cellphones (iPhone, Droid and Blackberry).  Well-crafted technology and social media policies specifically authorize employers to do so.  But, if not careful, employers can step over the line between permissible conduct and conduct that violates the federal Stored Communications Act (SCA).  The line between permitted and unlawful conduct is not always apparent,so employers need to be aware of the SCA and seek counsel before accessing or reviewing an employee’s electronic communications.Company-owned electronic devices are treasure troves of evidence of employee misconduct, particularly where employees use the devices to access personal email (Gmail, Yahoo!, etc.) or social media (Facebook, Google+, Twitter, Flickr, etc.).  Employers feel justifiably entitled to access and review data created and stored on such devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data, and that employees have no right to privacy.  As a general rule, the law supports employers here.

But the SCA imposes some limits on employers.  And, as few recent cases demonstrate, it is all too easy for employers to step over the line and violate the federal law.

In Deborah Ehling v. Monmouth-Ocean Hospital Service Corp., the employer terminated the employee based (in part) on posts she made on Facebook.  The court underwent a rigorous analysis to determine that the SCA protects Facebook posts, as long as the posts are limited to friends and not on the person’s public Facebook pages.  As the court explained,

“when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls” and the “privacy protection provided by the SCA does not depend on the number of Facebook friend that a user has.”

Although the employee’s Facebook posts were protected, the employer did not violated the SCA because it received the posts through a person authorized to access them: one of the employee’s co-workers, who was her Facebook friend, gave them to the employer.  However, as this court and others have recognized, an employer violates the SCA if it obtains an employee’s private Facebook posts by other means, such as (1) using a password retrieved from the hard drive of the employee’s company-owned electronic device or from a keystroke logger installed on the device, (2) accessing the account by using the employee’s company-owned device where the password populates automatically, (3) creating a fictitious person on Facebook to friend the employee, and (4) pressuring co-workers to divulge the employee’s Facebook posts.  In those circumstances, access to the Facebook posts would not be authorized under the SCA.

In another case, Sandi Lazette v. Verizon Wireless, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so.  Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal.  The court in that case (like many other courts) found that email stored in webmail accounts (like Gmail) is protected by the SCA, at least while the email resides unread on the servers of the service provider.

The employer made several unsuccessful arguments to avoid liability.  For example, the court rejected the argument that the supervisor was accessing only the company-owned Blackberry, recognizing that he was actually using that device to access an account on the Gmail servers.  However, an employer does not violate the SCA if it recovers an employee’s personal emails that are stored on a company-owned device, such as when the data is in a backup file or recovered from the “residual” space of a hard drive.  The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.  While consent need not be explicit, the court recognized that,

“Negligence is … not the same as approval, much less authorization.  There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.”

Technology presents legitimate opportunities for employers to monitor their employees.  It also presents potential pitfalls, some of which are not apparent.  Employers should continue to harvest valuable information from company-owned electronic devices, but also need to become aware of the SCA and seek counsel before accessing or reviewing employee electronic communications.

McLane Recognized as “Thought Leader” in Data Privacy

By Cameron G. Shilling (originally published 10/3/2011)

The leader of McLane’s Privacy and Data Security Group, Cam Shilling, has been identified and interviewed as a “Thought Leader” with respect to Data Privacy by Beagle Research Group, LLC.  You can read the interview at http://www.beagleresearch.com/.
Beagle Research Group, LLC is a market research and consulting firm focusing on front office business processes and white collar productivity.  The company is led by Denis Pombriant, who is a well-known analyst and thought leader in the CRM space.  Denis writes for CRM Magazine, Destination CRM, Search CRM, and CRM Buyer, conducts research in emerging areas of front office technology and business, and consults regularly to many of the leading companies in CRM.

Digital Privacy Article Analyzing Quon v. City of Ontario Published in ABA Journal

By Cameron G. Shilling (originally published 5/27/2011)

The American Bar Association has published in its Journal of Employment and Labor Relations Law an article I recently wrote analyzing the U.S. Supreme Court’s decision in Quon v. City of Ontario. The following is the opening passage from the District Court’s decision, and foreshadows the potential significance of this case with regard to data privacy issues.

Continue reading

Facebook Exonerated by Federal Court of EPCA and SCA Claims

By Cameron G. Shilling (originally published 5/20/2011)

A federal court has dismissed class action claims against Facebook under the Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA).  The claims arose from Facebook’s practice in early 2010 of disclosing to advertisers the user names of Facebook users who clicked on advertisements, even though that practice was contrary to Facebook’s privacy policy.

The ECPA prohibits the interception of an electronic communication when it is in transit from sender to recipient.  The SCA prohibits the unauthorized access or disclosure of electronic communications stored on certain computer systems.

Continue reading