Disclosure of confidential client information on the Internet by attorney violates Rule 1.6 of the Rules of Professional Conduct – In re Skinner, 740 S.E.2d 171 (Ga. Mar. 18, 2013)
A Georgia attorney recently learned the hard way that the Internet is no place to vent about a client. The attorney (Skinner) received negative comments from a client on consumer review websites. In response, Skinner posted personal and confidential information about the client on the Internet. After a formal complaint was filed against Skinner by the State Bar of Georgia, Skinner filed a petition for voluntary discipline admitting that she violated Rule 1.6 of the Georgia Rules of Professional Conduct. Rule 1.6 requires a lawyer to maintain the confidentiality of all information gained in the professional relationship with a client unless the client consents to disclosure after consultation. The client obviously did not consent to Skinner sharing her private information on cyberspace.
Skinner filed a motion for voluntary discipline in the form of a reprimand, which is the mildest form of discipline authorized for Rule 1.6 violations. The Georgia Supreme Court rejected Skinner’s petition despite recommendations by the Office of General Counsel of the State Bar and a special master to accept it. As a result, Skinner could face stricter disciplinary measures for her violations.
LegalTXT Lesson: Posting confidential information on the Internet is generally a bad idea. Especially if the information concerns somebody else. And you’re a lawyer. If you’re a professional who has an ethical duty to preserve confidences, like a lawyer, sharing confidential information about a client online is an invitation for trouble.
On a related note, responding to negative online comments with more criticism or hurtful actions (like revealing personal information about the commenter) is rarely an effective means of repairing reputation. The meltdown on the Facebook page of Amy’s Baking Company is an extreme example (although the owners claim the page was hacked). As the adage goes, don’t fight fire with fire.
UPDATE: On April 30, 2013, a three-member panel of the NLRB adopted the ALJ’s decision in this case. Read the board decision here (the ALJ decision and the Dish Network social media policy that got invalidated are attached).
The NLRB recently dealt another blow to the ability of employers to prohibit employees from engaging in disparaging speech on social media. On November 14, 2012, an Administrative Law Judge (“ALJ”) of the NRLB issued a decision striking down two rules in Dish Network’s employee handbook dealing with social media use. The first rule prohibited employees from making disparaging or defamatory comments about their employer. The ALJ found that the rule could unlawfully chill employees in the exercise of their Section 7 rights to engage in concerted activity. The second rule prohibited employees from engaging in “negative electronic discussion” during company time. This rule could effectively ban union activities during breaks and other non-working hours at the workplace, the ALJ concluded.
This was not the first time Dish Network’s social media policy came under fire. On May 31, 2012, the Acting General Counsel of the NLRB issued a memo criticizing provisions of actual social media policies. Dish Network was one of the companies whose policies were scrutinized in the memo. But while the memo was merely advisory, the latest ALJ ruling is not.
Recent NLRB rulings like this one leave behind a wake of confusion for employers. Provisions that are commonplace in employee handbooks, like non-disparagement rules, are being invalidated when applied in the social media context. To add to the confusion, the NLRB can seem inconsistent. For example, the May 30 memo approved Wal-Mart’s social media policy, which includes an instruction to “refrain from using social media while on work time” or on company equipment. However, the NLRB struck down Dish Network’s practice of banning social media activity on company time. What’s an employer to do? Few definitive answers are available, but here are a few ideas to help you survive in this uncertain environment:
- Stop treating social media as a novelty. Employers who still regard social media as a frivolous activity tend to use draconian measures (like categorical bans) to regulate it. The reality is that social media has become part of everyday life, nearly as much as cellphones and texting has. The point is not to restrict social media use per se, but to manage the consequences of such use. Which leads us to . . .
- Focus on outcomes. Dish Network very well could have intended its non-disparagement work rule to protect its brand and reputation rather than prohibit employee discussion about their work conditions or compensation. However, the rule did not clearly spell out its objectives. Tell employees the outcomes you want to avoid. If what you want to prevent are discriminatory remarks that create a hostile work environment, say so. This was one of the features of the Wal-Mart policy that the NLRB’s May 30 memo approved. In a section of the policy entitled “Be Respectful,” Wal-Mart states that if an employee decides to post complaints or criticism, they should ” avoid using statements, photographs, video or audio that reasonably could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying.” The policy then listed examples of such conduct, such as “offensive posts meant to intentionally harm someone’s reputation or posts that could contribute to a hostile work environment on the basis of race, sex, disability,religion or any other status protected by law or company policy.”
- Stay positive. Rather than just banning certain kinds of conduct on social media, consider setting affirmative guidelines that employees should adhere to when communicating with others, whether on social media or other communication channels. For example, do you want your organization to be portrayed in a certain way? Then describe the image you would like your employees to convey to others in their communications when talking about the organization.
- It’s not over. The NLRB rulings are not the final word on how broadly employers may regulate social media activity of employees. Although ALJ decisions and even those of NLRB panels are more authoritative than guidance memos, courts have yet to weigh in.
Cyberbullying. Employer social media password requests. Crowdfunding. Those were some of the hot tech topics that the Hawai‘i State Legislature grappled with this session. (See my post on Internet related legislative proposals in the 2013 session). The bills addressing those topics didn’t pass, however. In fact, none of the bills listed in my chart of Internet Related Legislative Proposals survived. The closest to passing, perhaps, were two bills prohibiting employer requests to employees to disclose their personal social media account information, but the bills got stuck in committee.
That’s not to say that the 2013 session was completely devoid of tech. I’ve prepared a chart of all the bills related to electronic, digital, and information technology that the Hawai‘i State Legislature passed this session. (Many thanks to the Legislative Reference Bureau for providing the summaries that are incorporated into the chart). Governor Neil Abercrombie has already signed some of the bills into law. Others are pending a decision from the Governor. To summarize, the legislature this year addressed:
- Adoption of the Uniform Electronic Legal Material Act
- Portable electronics insurance
- Clarification of relationship between Uniform Commercial Code Article 4A and Electronic Fund Transfer Act
- Licensing requirements for telemedicine practitioners employed by the U.S. Department of Defense
- Duties of the State Chief Information Officer
- Electronic posting of reports of Department of Health inspection of state licensed care facilities
- Availability of State open data
- Approval of broadband related permits
- Tax credits for film and digital media industry
- Ban on use of mobile electronic devices while operating a motor vehicle
For summaries of all the bills that passed this session, read the full LRB report. For even more information visit the Legislature’s website for the full text of bills, committee reports, and testimony. I’ll update the chart after the Governor’s veto deadline has passed, so check back in a while.
The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D .Cal. Mar. 12, 2013)
Nosal is back. This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity. The case returned to the trial court after the Ninth Circuit decision. The trial court recently convicted the defendant (David Nosal) of violating the CFAA. But before analyzing the decision, let’s take a brief look at the background.
Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm. After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others. In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems. In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system. Nosal used the stolen data to start his own executive search business. Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”
An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use. The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information. The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.
Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further. Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer. Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA. The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted. Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.
Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee. The court wasn’t enamored with this argument either. Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system. Clearly, an employer would not authorize an employee to allow another person to use his or her password. Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law. The court also rejected this argumen.
Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.” The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system. Both situations qualify as “access” under the CFAA.
LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms. According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.
Employers who discipline employees for their social media activity could unwittingly violate protections under the National Labor Relations Act (NLRA) for employees who engage in “protected concerted activity.” An employee engages in protected concerted activity when acting together with other employees, or acting alone with the authority of other employees, for the mutual aid or protection of co-workers regarding terms and conditions of employment. Since social networks by nature connect people, online gripes about work—which could be read by co-workers of the author within the same social network—could constitute protected concerted activity. Three recent National Labor Relations Board (NLRB) decisions highlight this risk.
In Hispanics United of Buffalo, Inc., 359 NRLB No. 37 (Dec. 14, 2012), an employee at a domestic violence relief organization posted on Facebook about a co-worker (Cruz-Moore) who threatened to complain about the work habits of other employees to the executive director of the organization. The employee wrote: “Lydia Cruz, a coworker feels that we don’t help our clients enough . . . . I about had it! My fellow coworkers how do u feel?” Four off-duty employees responded to this post with disagreement over Cruz-Moore’s alleged criticisms. Cruz-Moore saw these posts, responded to them, and brought them to the attention of the executive director. The employee who authored the original post and the employees who responded were fired. Two NLRB members of a three-person panel found the termination to be a violation of Section 8(a)(1) of the National Labor Relations Act (NLRA). The NLRB found the posts to be “concerted” because they had the “clear ‘mutual aid’ objective for preparing coworkers for a group defense to [Cruz-Moore’s] complaints.” The NLRB also considered the posts “protected” because they related to job performance matters.
In Pier Sixty, LLC, 2013 WL 1702462 (NLRB Div. of Judges Apr. 18, 2013), the service staff of a catering company were in the process of taking a vote on union representation when a staff member (Perez) got upset by what he perceived as harassment by his manager. During a break, Perez went to the bathroom and posted on Facebook: “Bob is such a NASTY M***** F****R don’t know how to talk to people!!!!! F**k his mother and his entire f*****g family!!!! What a LOSER!!!! Vote YES for the UNION.” Various co-workers responded to the post. The company fired Perez after learning about the post. An administrative law judge of the NLRB held that the employer violated Section 8(a)(1) of the NLRA. The judge found the post to constitute “protected activity” because it was part of an ongoing sequence of events involving employee attempts to protest and remedy what they saw as rude and demeaning treatment by their managers. The post was also “concerted” because it was activity undertaken on behalf of a union.
In Design Technology Group, LLC d/b/a Bettie Page Clothing, 359 NLRB No. 96 (Apr. 19, 2013), employees of a clothing store repeatedly but unsuccessfully attempted to persuade their employer to close the store earlier so that they wouldn’t have to walk through an unsafe neighborhood at night. The employees posted Facebook messages lamenting the denial of their request and criticizing their manager. In one message, an employee said she would bring in a book on workers’ rights to shed light on their employer’s labor law violations. Another employee saw the messages and sent them to the HR director, who in turn forwarded them to the store owner. The owner fired the employees who posted the messages, allegedly for insubordination. A NLRB administrative law judge found the terminations unlawful because the messages were a continuation of an effort to address concerns about work safety (i.e., leaving work late at night in an unsafe neighborhood) and thus constituted protected concerted activity.
LegalTXTS Lesson: What should employers learn from these decisions? To avoid violating Section 8(a)(1) of the NLRA, employers might consider the following before disciplining employees based on their social media activity:
- Check whether the employee’s post attracted or solicited a response from co-workers. The interactive nature of social networking means that communications via social media are often “concerted.”
- Calls for co-workers to take action likely constitute “protected” activity.
- Complaints about work or co-workers—even if vulgar—can be considered “protected” activity.
- Messages posted outside of the workplace or work hours can still be considered protected concerted activity.
- Be especially sensitive to messages that reference collective bargaining activity or labor requirements. Those are red flags indicating the need to exercise caution.
- Often, social media is not the initial venue for airing work-related complaints. Investigate whether the complaints voiced online were previously brought to the attention of the employer. If they were, the online messages are more likely to be found to be part of a series of protected activity.