by ·3 Comments

Sutton v. Bailey, 2012 WL 5990291 (8th Cir. Dec. 3, 2012), is the latest reminder that private Facebook postings can lead to professional consequences.   Sutton was hired as a Funeral Science Director at Arkansas State University–Mountain Home for the 2010-11 academic year.  His employment contract provided that he could be terminated at any time “for adequate cause.”  A month after Sutton got hired (but apparently before he began teaching), he posted on his Facebook page: “Toby Sutton hopes this teaching gig works out.  Guess I shouldn’t have cheated through mortuary school and faked people out.  Crap!”

University officials somehow learned about the post and asked to meet with Sutton about it.  At the meeting, the university’s vice-chancellor (Bailey) and director of instruction (Thomas) confronted Sutton with the post.  He admitted to making the post.  Bailey then told Sutton that he was fired.  Sutton asked if it mattered that the statement was a joke, and that he posted the statement before he began teaching.  Baily replied “no” to both questions.  Sutton then received an Employee Counseling Statement form stating that he was being dismissed for an incident of “Academic Fraud and unprofessional conduct.”  The “Supervisor Statement” portion of the form explained: “Mr. Sutton posted material on Facebook indicating he had ‘cheated’ his way through mortuary school.  There are multiple other class related issues.”  Bailey told Sutton he had an opportunity to make a statement before signing the form.  Sutton declined and signed the form without further comment.  Sutton later sued Bailey and Thomas in their individual capacities, alleging that he was deprived of procedural due process in connection with his firing.

The bulk of the Eighth Circuit Court of Appeals’ opinion addressed the defendants’ defense of qualified immunity, which the court found to have merit.

LegalTXT Lesson: This case has two important, if obvious, takeaways.  First, employees need to remember that whatever content they share on their private social media networks could come back to haunt them professionally.  Employees need to be reminded constantly that social media blurs the line between personal and public, private and professional.

Second, Sutton answers a question I often get asked by employers: Can employees be disciplined or even terminated for their private social media conduct?  The answer is yes.  (For another example, read my post on the Careflite case, which recently settled).  There are limits, of course (and the NLRB Acting General Counsel has waxed long about many of them), but there are circumstances in which it is proper to discipline or terminate an employee for his or her private social media activity.  Now, it would help greatly if an employer sets standards of employee conduct clearly identifying the kinds of social media conduct that could lead to adverse employment action.  We don’t know what was in the employee handbook of the university in this case, but a rule that could’ve come in handy is one instructing faculty members not to endorse or make light of academic dishonesty.

by ·1 Comment

An NLRB administrative law judge ruled on November 28 that a union did not engage in unlawful labor practices by failing to disavow threatening comments posted on its Facebook page.  In addition to finding that the Facebook page was not an extension of the picket line, the judge concluded that, under Section 230 of the Communications Decency Act (CDA), the union was not responsible for the comments posted on the page.  The case is Amalgamated Transit Union, Local Union No. 1433 v. Weigand, 28-CB-78377 (NLRB Nov. 28, 2012).   (Read the decision here)

A union representing public bus drivers went on strike.  Several months earlier, the union set up a Facebook page, which the union’s vice-president administered.  The union accepted “friend requests” only from union members in good standing.  Friends of the union Facebook page could see messages posted on the union’s “wall” and “like” such posts.

Shortly before and during the strike, union members posted comments on the union’s Facebook page threatening retaliation against workers who crossed the picket line.  The comments threatened less favorable union representation for those crossing the line, more aggressive reporting of workplace violations against line-crossers, and even violence.  Several comments suggested that line-crossers would be physically beaten.  Another comment announced the location where employer’s replacement drivers were allegedly being housed, to which a rank-and-file member commented: “Can we bring the Molotov Cocktails this time?”  At least one other union member “liked” this comment.

The NLRB Acting General Counsel issued a complaint alleging that the union violated Section 8(b)(1) of the Act by failing to disavow the threatening comments.  Rather than alleging that the members posting comments acted as the union’s agents, the Acting General Counsel relied on the theory that a union is responsible for the coercive acts of its pickets on a picket line when the union fails to take corrective action or disavow the actions.  The Acting General Counsel argued that the union’s Facebook page is an “electronic extension” of the picket line.

The judge rejected the “electronic extension” theory, noting initially that the Facebook page existed well before the picket line.  Moreover, unlike a picket line, a Facebook page does not force union members to make a public and immediate decision to cross the picket line.   The Facebook page did not serve to communicate a message to the public, as it is private in nature.

In a somewhat surprising twist, the judge further ruled that the CDA immunized the union from liability for the comments on its Facebook page–an argument neither side had raised.  Often invoked in online defamation cases, Section 230(c)(1) of the  CDA states that  “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided.”  The judge regarded the union as merely the “provider” of the Facebook page, not the “publisher or speaker” of the comments posted on the page by its rank-and-file members.  Thus, the union itself could not be held liable for the comments posted on the page.

by ·1 Comment

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a CFAA claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to  CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing business that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that they were leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employees’ Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

In regards to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.

by ·0 Comments

In two weeks, the NLRB has issued just as many decisions agreeing with the positions of the NLRB’s Office of General Counsel (OGC) on employee social media use, as stated in the OGC’s well-known guidance memos.  On September 18, the NLRB invalidated Costco’s policy prohibiting employees from making statements on social media that could damage the company or other employees’ reputations.  Yesterday, the NLRB publicly released a decision weighing in on the BMW dealership case that was discussed in the OGC’s August 18, 2011 memo. (The decision and briefing in the case are available here).

Here’s a quick review of the case for those not familiar with it.  A salesperson at a BMW dealership posted photos on Facebook showing a car that a test driver accidentally drove into a pond in front of a Land Rover dealership across the street (who shares a common owner with the BMW dealership).  The employee  included mocking comments about the incident in the post.  That same day, the employee posted photos on Facebook depicting the low-quality food and beverages that the BMW dealership provided at a sales event to promote a new car model.  Again, the employee accompanied the photos with sarcastic remarks.  The employee was discharged for the Facebook posts regarding the Land Rover incident.  The employee claimed that the primary reason for his discharge was the Facebook posts regarding the sales event, which he argued was protected activity.

The NLRB agreed with the findings of the Administrative Law Judge (ALJ) that the discharge was based on the Land Rover posts, which were not concerted or protected activity because they were in no way connected to the terms or conditions of employment.  The ALJ’s decision also stated that the sales event posts could constitute concerted or protected activity because they could be construed as legitimate concerns about compensation.  Salespeople at the dealership were paid partly by commission, which are tied to sales.  Sales could be negatively impacted by damage to the reputation of the dealership due to the low-quality sales event.  The NLRB found it unnecessary to pass on the sales event posts, however, because the discharge was based on the Land Rover posts.

The NLRB also struck down a rule in the dealership’s employee handbook stating:

Courtesy: Courtesy is the responsibility of every employee.  Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees.  No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.

The NLRB found the rule overbroad, as it could have the effect of prohibiting employees from making protected statements to other employees about their working conditions.  However, a dissenting member of the NLRB’s three-member panel found that the courtesy rule was “nothing more than a common-sense behavioral guideline for employees” and that “nothing in the rule suggests a restriction on the content of conversations (such as a prohibition against discussion of wages)”.

LegalTXTS Lesson:  Here are three quick takeaways from the decision.

  1. Work rules regulating “offensive” social media activity should be vetted for any connection to concerted or protected activity, such as employee discussions about their compensation or the terms and conditions of their employment.
  2. “Courtesy” work rules similar to the one the NLRB struck down should be revisited to ensure they are specific enough to exclude protected activity.
  3. The positions taken in the OGC guidance memos are gaining credibility as the NLRB increasingly adopts those positions in published decisions.

by ·0 Comments

Employers should clarify ownership and control over social media accounts by which their employees promote the organizationInsynq v. Mann, No. 3:12-cv-05464 RBL, 2012 WL 3763550 (W.D. Wash. Aug. 29, 2012)

Earlier this year, the Phonedog v. Kravitz case attracted buzz on the issue of who owns a social media account that’s started by an employee, purportedly to promote his employer’s organization.  In PhoneDog v. Kravitz, the former editor-in-chief (Kravitz) of an online news service refused to relinquish the Twitter account on which he posted content promoting the company.   Kravitz argued that he owned the Twitter account because he personally opened the account and amassed its sizeable following of approximately 17,000 followers.  PhoneDog sued Kravitz for ownership of the Twitter account.

The issue hasn’t gone away.  The most recent case is Insynq v. Mann.  In that case, the employee (Mann) of an application service provider (Insynq) registered three domain names during her employment and began writing three blogs associated with each domain name.  After Insynq terminated Mann, it claimed ownership of the blogs.  Mann refused to give her former employer the credentials to the blog.  In the lawsuit that followed, Insynq sued Mann for breach of her non-compete agreement, misappropriation of trade secrets, and unfair competition.

Cases like PhoneDog and Insynq are a good reminder that if an organization has its employees managing its social media activity, it needs to clarify who owns the social media account used by the employee and the contents of the account.  Otherwise, an organization might find itself fighting for control over a social media account after the departure of the employee responsible for managing the account.  Not having such control could lead to alienation of a painstakingly developed community of customers or fans, or worse, the inability to exercise editorial discretion over content about the organization being pushed out to the community.

To avoid messy disputes over ownership and control over social media assets, organizations should consider the following guidelines when developing social media policies:

  • Specify that only authorized employees may publish social media content on behalf of the organization, and that employees must use the organization’s official social media accounts when publishing such content.
  • Specify who owns the login credentials to the social media accounts used to promote the organization, as well as the content published on such accounts.
  • Require an employee who is responsible for managing the organization’s social media activity to disclose to his or her manager the login credentials for the accounts used for that purpose.  The employee should also be required to disclose any changes to the login credentials.
  • Prohibit employees from using the organization’s official social media accounts for their personal use.