In the last few years, we’ve seen how the private social media activity of employees can get employers in trouble for violating a variety of laws. The National Labor Relations Act. HIPAA. Title VII. Now you can add the Americans With Disabilities Act (ADA) to the list.
In Shoun v. Best Formed Plastics, Inc., 2014 WL 2815483 (N.D. Ind. June 23, 2014), a federal judge held that an employer may be liable under the ADA for an employee’s Facebook comments about the medical condition of a co-worker. George Shoun, an employee at Best Formed Plastics, sustained a workplace injury and took leave to recover. Shoun’s co-worker, Jane Stewart, learned about his injury because she processed his worker’s compensation claim and monitored his medical treatment for the company. Stewart posted this snarky message on her personal Facebook account: “Isn’t [it] amazing how Jimmy experienced a 5 way heart bypass just one month ago and is back to work, especially when you consider George Shoun’s shoulder injury kept him away from work for 11 months and now he is trying to sue us.”
Shoun sued the company, alleging that Stewart’s post made it liable for violating the ADA. According to Shoun, the post was visible to the business community. Shoun claimed that prospective employers refused to hire him because of the post, causing him emotional distress and mental pain and suffering.
The court refused to dismiss the ADA claim against the company, reasoning that Stewart obtained the information through an employment-related medical inquiry and then wrongfully disclosed it. As a result, Shoun could sue for violation of Section 102 of the ADA, which provides that any information relating to a medical condition of an employee obtained by an employer during “voluntary medical examinations, including voluntary work histories, which are part of an employee health program available to employees at that work site,” must be “collected and maintained on separate forms and in separate medical files and [be] treated as a confidential medical record.” Moreover, the company could be liable for Stewart’s actions even though she posted the message on her private Facebook account in her own time.
Shoun is another reminder of how easily the lines between personal and professional conduct can get blurred on social media. Employers must train their employees about what they may and may not disclose on social media. It is almost never proper for an employee to share medical information obtained at work on his or her personal social media account. The confidential nature of medical information needs to be emphasized especially when training employees who handle workers’ compensation claims, medical leave requests, billing for health services, FMLA claims, etc.
Employees can get carried away on social media. US Airways learned this the hard way when its employee responded to a customer complaint on Twitter with an obscene picture of a woman and a toy jet. An apology and deletion of the tweet followed an hour later (an eternity in cyberspace). US Airways claims its employee made an “honest mistake,” and the incident has not spawned a lawsuit, but one can imagine situations in which the malicious online statements of an employee land the employer in legal trouble.
So what’s an employer to do? Thankfully, employers can find some solace in Section 230 of the federal Communications Decency Act (“CDA”), as a recent Indiana case illustrates. In Miller v. Federal Express Corp., an employee of a non-profit organization, 500 Festival, Inc. (“500 Festival”), and an employee of FedEx separately posted comments on media websites criticizing the plaintiff’s leadership of Junior Achievement of Central Indiana, which he ran from 1994 to 2008. Although the employees posted the comments using aliases, the plaintiff traced the comments back to IP addresses assigned to 500 Festival and FedEx and sued them for defamation.
The Indiana Court of Appeals affirmed the trial court’s dismissal of the defamation claims against 500 Festival and FedEx based on the Section 230 of the CDA. Congress passed Section 230 to protect companies that serve as intermediaries for online speech from liability for harmful content posted by third parties. A defendant claiming Section 230 immunity must show that: (1) it is a provider or user of an interactive computer service; (2) the plaintiff’s claim treats it as the publisher or speaker of information; and (3) another information at issue was provided by another content provider. Satisfying these three elements immunizes the defendant from suit, although the author of the offensive content could still be held liable.
It’s not difficult to see how Section 230 applies where, for instance, the operator of an online discussion forum is sued for defamation based on a comment posted by a forum member. The operator easily qualifies as an “interactive computer service” and can argue it is not liable for content that someone else published. But could a corporate employer qualify for Section 230 immunity? The court in Miller said yes, siding with precedent set by California and Illinois courts. An employer that provides or enables multiple users on a computer network with Internet access qualifies as a provider of an interactive computer service. Since the defamation claims tried to hold 500 Festival and FedEx liable for allegedly publishing statements made by their employees, Section 230 barred the claims.
Controlling what employees say online can be a daunting task, but it’s nice to know that employers have some protection from legal liability for the “honest” (or not so honest) mistakes of employees.
The Federal Trade Commission (FTC) just announced that Snapchat agreed to settle charges that it deceived consumers about how its popular mobile message app worked and what personal user data it collected. (Read the FTC’s press release here). Part of Snapchat’s appeal was a feature enabling users to control how long a message could be seen by the recipient. After the designated time limit expires, the message is destroyed, much like the mission briefings in Mission Impossible. At least that’s what Snapchat told users. According to the FTC, Snapchat misled consumers because the app didn’t exactly work the way it said it did. The FTC’s complaint against Snapchat (read it here) included these allegations:
- Recipients of a “snap” (a Snapchat message) could save the snap using tools outside of the app. Snapchat apparently stored video snaps in a location on the recipient’s mobile device outside of the app’s secure “sandbox.” This enabled recipients to find and save video snaps by connecting their mobile device to a computer and using simple file browsing tools. Another way to bypass the deletion feature was to use apps that connected to Snapchat’s API to download and save snaps.
- Snapchat told users that if a message recipient took a snapshot of the snap, the sender would be notified. In fact, the screenshot detection mention could be bypassed.
- Snapchat collected geolocation data of users when it said it would not.
- Snapchat told users to enter their mobile number to find friends who also use the app, implying that the user’s mobile phone number was the only information it collected. Without the user’s knowledge, Snapchat also collected the names and phone numbers of all contacts in the address book on the user’s phone.
So what’s the significance of the settlement? Here are a few quick takeaways.
- Descriptions of mobile apps in an app marketplace like iTunes App Store or Google Play are product descriptions that could be the basis for false advertising claims.
- Take into account exploits and workarounds when drafting privacy policies and product descriptions. This includes software that uses the app’s API.
- The FTC is getting more active in pursuing false advertising claims against mobile app makers. In December of last year, the FTC settled charges that the developer of the “Brightest Flashlight Free” app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. The FTC’s interest in suing companies that allow a data breach to occur is also a growing concern, especially after the New Jersey federal district court’s decision in FTC v. Wyndham Worldwide Corp., recognizing the FTC’s authority to prosecute cases where a company is alleged to have failed to maintain “reasonable and appropriate data security for consumers’ sensitive personal information.”
- Information transmitted over the Internet is rarely, if ever, gone forever. Somehow, somewhere, electronic data can be retrieved.
Birth announcements. Girl Scout cookies fundraisers. Leftovers in the company lounge. We’ve all probably received an email at work on these or similar subjects. It’s uncommon for an employee be disciplined for sending an email of such nature. But would that limit a company’s ability to act when employees circulate emails on more controversial topics?
This question was raised in a recent National Labor Relations Board (NLRB) decision involving the Jet Propulsion Laboratory (JPL) affiliated with NASA. In re California Inst. of Tech. Jet Propulsion Lab, 360 NLRB 63 (Mar. 12, 2014). Based on a Homeland Security directive, NASA began requiring JPL employees to submit to federal background checks as a condition of continued employment. Twenty-eight JPL employees who believed that the background check process violated their privacy rights filed a federal class action. The case led to a U.S. Supreme Court decision holding that mandatory compliance with the background check process did not violate the right to informational privacy. See NASA v. Nelson, 131 S. Ct. 746 (2011).
Several of the plaintiffs felt that management did not adequately inform employees about the actual impact of the Supreme Court decision, so they expressed their view of the decision in emails to their colleagues. The emails were sent to several thousand JPL employees using NASA-owned computers and JPL email addresses. After allegedly receiving complaints about the emails, management issued written warnings to the authors of the emails. The warnings alleged that the authors had violated several work policies prohibiting, among other things, “spamming” co-workers; sending unauthorized, non-work-related emails; and implying JPL endorsement of a position on political, social, or legal issues. The authors filed charges with the NLRB claiming that JPL violated their right to engage in concerted protected activity under Section 7 of the National Labor Relations Act.
The NLRB found that JPL employees frequently circulated emails on topics like charity fundraisers and social causes. Such emails technically violated work policies, but there was no evidence of enforcement in those instances. The discipline in this case was thus suspect. Although employees have no legally protected right to use their employer’s computers to engage in protected concerted or union activity, and may be lawfully disciplined for doing so, management may not choose to enforce only work policies involving concerted protected activity.
The decision is not a prompt to start disciplining employees who offer home-baked cookies to co-workers using email. Email can be a convenient tool for building company morale. But the decision does warn against using work policies pretextually to control discussion of work matters. JPL selectively enforced its work policies to silence certain viewpoints on a work-related issue, as highlighted by the fact that JPL supervisors commented on the Supreme Court decision using their work email accounts without being subjected to discipline. Work rules commonly included in an employee manual but inconsistently enforced– like an email use policy – shouldn’t be used as a basis for silencing employees who criticize management or express dissatisfaction with work conditions.
The Hawaii Judiciary is proposing amendments to the Hawaii Rules of Civil Procedure (HRCP) to address e-discovery issues. The deadline for submitting comments is April 17, 2014. The proposed amendments are available here.
Some of the more notable changes being proposed are:
- The addition of references to “electronically stored information” (ESI) to Rule 26 (general discovery provisions), Rule 30 (depositions), Rule 33 (interrogatories), Rule 34 (document requests), Rule 37 (discovery sanctions and motions to compel), and Rule 45 (subpoenas)
- Amended Rule 26 expressly permits discovery of ESI with the caveat that a party need not provide discovery of ESI from sources that are not reasonably accessible because of undue burden or expense. The party claiming undue burden or expense has the burden to make that showing. However, even if the showing is made, a court may still order disclosure or discovery of ESI for good cause.
- Amended Rule 34 allows document requests to specify the form in which documents or ESI are to be produced. The responding party may object to the requested form, and if it does so, it must state the form it intends to use. If a request does not specify a form for producing the requested documents or ESI, the responding party must produce the requested materials in the form in which they are ordinarily maintained or in a form that is reasonably usable. A party does not need to produce the same documents or ESI in more than one form absent showing of good cause.
- Amended Rule 37 prohibits a court from imposing sanctions for failure to provide ESI lost as a result of routine, good-faith operation of an electronic information system absent exceptional circumstances.
- Amended Rule 45 would address requests for, and production of, ESI in the context of subpoenas.
For more information on the proposed amendments, visit the Judiciary’s website. To submit comments online, click here.