You’ve adopted a social media policy after hearing all the warnings about employees behaving badly on social media. But do you enforce the policy consistently? Failure to do so can be risky business, as illustrated by a recent federal court decision, Redford v. KTBS, LLC, 2015 WL 5708218 (W.D. La. Sept. 28, 2015). The court in Redford allowed an employment discrimination claim to continue because of management’s uneven enforcement of its social media policy.
The social media policy of KTBS, a Louisiana TV station, instructs employees not to respond to viewer complaints on social media. Chris Redford, an on-air crime reporter for KTBS and a white male, posted a negative comment on his Facebook page in response to a viewer’s comment on a KTBS story. Redford was fired for violating the KTBS social media policy.
Redford sued KTBS for race and sex-based employment discrimination. Redford pointed to KTBS’ treatment of two other employees for their social media conduct. Lee, an on-air personality and an African-American female, responded multiple times to negative viewer comments on the official KTBS Facebook page. She received numerous warnings from management before being fired on the same day as Redford. Sarah Machi, an on-air personality and a white female, responded negatively to a KTBS viewer’s comment on her personal Facebook page, but received no warning or discipline. Based on this evidence, Redford argued that KTBS fired him not for violating the social media policy, but to prevent a potential lawsuit by Lee for race or sex discrimination. According to the court, Redford had a viable claim that he was treated less favorably than Lee and Machi because of his race or sex.
KTBS argued that it took no action against Machi because she posted her comments on her personal Facebook page, which was set to “private” so that only her Facebook friends could access it. Redford’s Facebook page did not have privacy filters turned on, and he often used his page to promote his work at KTBS. Since KTBS apparently considered comments posted on an employee’s “private” Facebook page to be outside the scope of its social media policy, the court reasoned that KTBS’ stated reason for firing Redford could be pretextual if Redford’s Facebook page was considered “private.” This issue had to be resolved at trial, so the court denied summary judgment to KTBS on the pretext issue.
Redford is a good reminder of the importance of consistent enforcement of social media policies. Even-handed enforcement is made easier by clearly spelling out the scope of the policy. If the policy makes a distinction between “company” and “personal” pages, for example, describe the specifically and consider providing examples. Ambiguity and inconsistency are your worst enemies when it comes to enforcing a social media policy.
One of the bombshells in the DeflateGate saga was the revelation that Tom Brady had his cell phone destroyed shortly before meeting with the National Football League’s investigators. According to the NFL’s written decision suspending Brady, Brady knew that the investigators wanted access to text messages on the phone he had when the AFC Championship was played. Even so, Brady instructed his assistant to dispose of the phone—just four months after starting to use it. The dubious circumstances surrounding the disappearance of the phone greatly hurt Brady’s credibility in NFL Commissioner Roger Goodell’s eyes, and was instrumental to his eventual decision to discipline Brady.
There are HR lessons to be learned from this story. An employee’s mobile device can contain information you need for an investigation or lawsuit. So what can you do to get access to the device or the data on it now that employees frequently use their personal devices for work?
Adopting a Bring Your Own Device (BYOD) work policy is a good start. At a minimum, a BYOD policy should reserve the company’s right to access any electronic device an employee uses for work, even if the employee owns it. The policy should also state upfront that employees have no expectation of privacy to data stored on their personal devices – that’s the tradeoff for letting them connect to the company network.
After establishing the ability to take possession of employee-owned devices, think through the steps for preserving data on the devices before it’s too late. One measure is to issue a “litigation hold” instructing employees not to destroy a device or delete data from it. Be specific about the kinds of data they need to preserve. A crucial element of a litigation hold is an instruction to suspend routine purging of data or equipment – much like Brady’s practice of destroying his old phone whenever he got a new one. The litigation hold should be issued as soon as you know that a lawsuit or investigation is coming.
Next, determine the kind of electronic information you want. Preservation and extraction methods differ depending on the kind of data. Text messages need to be preserved quickly because once they’re deleted off a phone or tablet, it’s difficult to find a copy of them elsewhere. As Brady learned when he tried accessing text messages on his missing phone through his wireless carrier, carriers don’t keep subscribers’ text messages on their servers for very long, and they typically delete the messages after delivery to the recipient. Emails have a longer shelf life, especially if they’re stored in a web-based account like Gmail or Yahoo or transmitted through company servers.
Be proactive and act quickly. Don’t let your hopes of getting the electronic evidence you need get deflated.
Have you ever been tempted to delete a social media message you posted that exposes you or your company to liability? That post that seemed like a harmless joke but now could turn into evidence in a wrongful termination lawsuit. Or that photo that could cast you in an unflattering light. If it ever crossed your mind that no one will notice if you simply pressed the “delete” button, here’s a case illustrating why succumbing to the temptation doesn’t end well.
In Crowe v. Marquette Transportation Company, Gulf-Inland, LLC, 2015 WL 254633 (E.D. La. Jan. 20, 2015), Brannon Crowe sued his employer, Marquette, for injuries he sustained due to an accident that allegedly occurred at work. Marquette discovered a Facebook message Crowe had allegedly sent to a co-worker in which he admitted injuring himself while fishing. This prompted Marquette’s lawyers to serve Crowe with a discovery request for a complete copy of Crowe’s Facebook history.
Crowe’s response to the request was that he didn’t “presently” have a Facebook account. When confronted in his deposition with a printout of a Facebook message that appeared to have been sent from an account with the username “Brannon CroWe,” Crowe claimed that he stopped having a Facebook account around October 2014, and that his account had been hacked. To substantiate his hacking claim, Crowe pointed out rather unconvincingly that, unlike the username on the printout, there’s no capital “W” in his name.
Crowe wasn’t entirely forthcoming. Although Crowe was technically correct that he didn’t have an active Facebook account when he responded to the request in December 2014, the truth was that Crowe deactivated his Facebook account four days after receiving the discovery request in October 2014. To make things worse for Crowe, data in a deactivated Facebook account isn’t deleted. A deactivated Facebook account can be reactivated at any time. Needless to say, the court was displeased with Crowe’s attempts to evade discovery. The court ordered Crowe to provide Marquette with his entire Facebook account history and the login information for all his Facebook accounts.
Although Crowe involved an employee who tried to hide unhelpful social media information, the lessons from the case apply equally to employers. Deactivating a social media account doesn’t necessarily shield information in the account from discovery because the information is probably still available. Deleting a social media account also doesn’t always mean the information in the account is gone forever. It’s not unusual for social media providers to store deleted user data in its servers before permanently deleting the information. And even if social media information is truly deleted, that in itself can be problematic. A person (or company) has a duty to preserve evidence that’s relevant to reasonably anticipated litigation. Violating the duty to preserve can lead to unpleasant consequences, including court sanctions.
Learn from Crowe’s example. The next time you’re tempted to dispose of an incriminating Facebook post, deactivate the temptation, not your Facebook account.
The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
In 2007, the National Labor Relations Board (NLRB) issued its Register Guard decision allowing employers to prohibit employees from using company email to engage in discussions about the terms and conditions of their work with other employees or unions for purposes of “mutual aid and protection,” which are protected under Section 7 of the National Labor Relations Act. In April 2014, the NLRB issued a notice and invitation to the parties in a case involving Purple Communications, Inc. and interested amici curiae to file briefs on whether Register Guard should be overruled. The NLRB received numerous amici briefs on the issue. Employers were relieved when the NLRB deferred a decision on overruling Register Guard in September of last year.
The relief was short-lived. Just three months later, the NLRB reversed course and overruled Register Guard, noting that email “has become a critical means of communication” and is “a natural gathering place” for employees to communicate with each other. In a 3-2 decision involving Purple Communications, Inc., the NLRB ruled that employees who have access to their employer’s email system for work purposes presumptively have a right to use the system for protected communications on nonwork time.
Here are answers to some basic questions about how Purple Communications impacts company email policies:
Must employers give all their employees access to the company email system?
No. Employees have a right to use corporate email for protected communications only if they already are given access to the system for work or personal reasons. Purple Communications does not force employers to grant email access to anyone. For that matter, employers are not required to grant email access to non-employees, including unions and union organizers.
May employers put restrictions on use of company email for protected discussions during nonwork hours?
Maybe. Employers may restrict use of company email to engage in protected discussions during nonwork time by demonstrating that there are actual (as opposed to theoretical) “special circumstances” that “make the ban necessary to maintain production or discipline.” This appears to be a difficult standard to meet. Employers must establish a connection between the restriction and their interest in imposing the restriction.
Is it ok to ban all nonbusiness use of company email?
A total ban would be subject to the “special circumstances” test discussed above. According to the NLRB, the existence of special circumstances “will be a rare case.”
May employers impose guidelines on using nonbusiness of company email?
Yes. Employers may establish specific guidelines for nonbusiness use of corporate email. Use of corporate e-mail for protected communications may be restricted to nonworking time. Employers also have the right to establish “uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline.” The single example provided by the NLRB is “prohibiting large attachments or audio/video segments, if the employer can demonstrate that they would interfere with the email system’s efficient functioning.”
May employers monitor their employees’ email use?
Yes. Employers may monitor computer and email systems for legitimate management reasons, such as ensuring productivity and preventing email use for harassment or other activities that could give rise to employer liability. However, employers may not change their monitoring practices specifically in response to union or other protected activity. On that note, any modifications to an email policy that targets protected activity for discrimination is likely unlawful.
Do employers need to change their email policies now?
Purple Communications applies retroactively, so unless the decision is appealed and stayed in the interim, employers should seriously consider modifying their company email policy to comply with the decision.
Does Purple Communications apply to other company electronic communications systems like texting or instant messaging?
Currently no, but the NLRB has signaled that it might extend the reasoning in the Purple Communications decision to other forms of electronic communication in the future.
Purple Haze: NLRB Still Unclear on Whether It Will Stop Employers From Limiting Use of Company Email to Business Purposes