Federal court dismisses claims against charter school for expelling student due to cyberbullying

Lindsey v. Matayoshi, 2013 WL 3092450 (D. Haw. June 19, 2013)

The federal district court of Hawaii recently dismissed a lawsuit against a charter school that expelled a student for cyberbullying.  The student and her parents claimed that the school denied them a property interest in a free public education in violation of their constitutional right to due process.  The court ruled that the damage claims against the school were barred by Eleventh Amendment immunity and that injunctive relief was unavailable because the school did not violate the constitutional rights of the student and her parents.

RFL was a student at Kanu, a charter school in the state of Hawaii.  On several occasions, RFL threatened, bullied, and teased other students through Facebook posts and text messages.  RFL also got involved in a fight with a classmate.  Kanu initially suspended RFL and reminded her of Kanu’s “no tolerance” policy toward bullying, but when RFL persisted in taunting and threatening classmates through social media, Kanu expelled her.

Kanu discussed several options with RFL’s parents for continuing her education, including nearby public high schools and home schooling, and offered to assist in transitioning RFL to the school of her parents’ choice.  RFL’s parents declined to enroll RFL in any of the public high schools offered to them as alternatives.  Instead, RFL and her parents sued Kanu, the superintendent of the state department of education, and various school officials.  The plaintiffs sought damages and injunctive relief for the deprivation of their due process rights, emotional distress, and a violation of state administrative laws.

The court ruled that the Eleventh Amendment barred the plaintiffs from seeking monetary damages from Kanu, a state entity, and the other defendants, who were state officials sued in their official capacity.  As for the claim for injunctive relief in the form of an order requiring Kanu to re-enroll RFL, the court found that the defendants had not deprived the plaintiffs of a constitutionally protected property interest in public education.  Kanu offered alternative schooling options to the plaintiffs, but they rejected them all because they did not like the schools that were available to them.  The court held that an entitlement to public education did not include the right to attend a particular school or to a particular kind of education or curriculum.

Ownership of contents of online email account gets called into question after account owner dies

Ajemian v. Yahoo!, Inc., 987 N.E.2d 604 (Mass. Ct. App. May 7, 2013)

Who owns the data in an online account after the account owner dies?  It’s a question that’s growing in importance as online email accounts become commonplace and cloud storage services like Dropbox and Google Drive gain users.  A Massachusetts court faced that question in Ajemian v. Yahoo!, Inc., but left it unresolved.

In Ajemian, an individual (Robert) opened a Yahoo! email account for the primary use of his brother, John.  Robert shared the account as a co-user.  Several years after Robert opened the account, John died.  Robert and his sister Marianne were appointed co-administrators of John’s estate.  At the time of John’s death, Robert had not accessed the Yahoo! account for several years and had forgotten the password.

Robert and Marianne tried to get access to the contacts in the Yahoo! account to retrieve email addresses of John’s friends and notify them of John’s death and memorial service.  Robert and Marianne also wanted access to the emails in the account to help identify and locate John’s assets and administer his estate.

After negotiations, Yahoo! agreed to turn over the subscriber information for John’s account to Robert and Marianne if they obtained a valid court order, which they did.  Yahoo! believed that the Stored Communications Act prohibited it from disclosing the contents of the emails in the account, however.  This prompted Robert and Marianne to sue Yahoo! in the Massachusetts probate court.  Robert and Marianne argued that the emails were the property of John’s estate and, therefore, as administrators of the estate, they were entitled to access to the emails.  Robert also argued that as co-owner of the account, he was entitled to its contents.

The probate court dismissed the lawsuit on various grounds, including that the Terms of Service (TOS) governing the Yahoo! account required the lawsuit to be filed in California.  On appeal, the Appeals Court of Massachusetts decided that the TOS was unenforceable because Yahoo! failed to prove that it reasonably communicated the TOS to Robert and that he indicated his acceptance of the TOS, such as by clicking on a box that says “I Agree” (i.e., a “clickwrap” agreement).  Even if Robert had accepted the TOS, the court would not enforce the forum selection clause contained in the TOS because it was unreasonable and overbroad.  The Appeals Court sent the case back to the probate court for a ruling on the issue of access to the contents of the Yahoo! account.

LegalTXTS Lesson: Because the contents of online accounts can be quite valuable, they should be treated as an asset in an estate planning program.  Much hassle and confusion can be avoided by making pre-death decisions about how one’s online information should be handled upon one’s death, such as entitlement of access to the accounts and ownership of their contents.  To plan effectively, one might need to take into account the terms of service corresponding to online services.  In Ajemian, for example, the terms and conditions for the Yahoo! account purportedly limited the transferability of the account and terminated the rights to the Yahoo! ID and the account’s contents when the account owner died.  If an online service has similar terms, a workaround might be needed to preserve the rights of the account owner’s estate to data stored by the service.


Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry

Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

The line between personal and business use of electronic devices is increasingly blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.  Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013) highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions on accessing the account are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after they have been returned or repaired.  Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations of privacy that employees should have if they choose to use a dual-use device at work.
