The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
In 2007, the National Labor Relations Board (NLRB) issued its Register Guard decision allowing employers to prohibit employees from using company email to engage in discussions about the terms and conditions of their work with other employees or unions for purposes of “mutual aid and protection,” which are protected under Section 7 of the National Labor Relations Act. In April 2014, the NLRB issued a notice and invitation to the parties in a case involving Purple Communications, Inc. and interested amici curiae to file briefs on whether Register Guard should be overruled. The NLRB received numerous amici briefs on the issue. Employers were relieved when the NLRB deferred a decision on overruling Register Guard in September of last year.
The relief was short-lived. Just three months later, the NLRB reversed course and overruled Register Guard, noting that email “has become a critical means of communication” and is “a natural gathering place” for employees to communicate with each other. In a 3-2 decision involving Purple Communications, Inc., the NLRB ruled that employees who have access to their employer’s email system for work purposes presumptively have a right to use the system for protected communications on nonwork time.
Here are answers to some basic questions about how Purple Communications impacts company email policies:
Must employers give all their employees access to the company email system?
No. Employees have a right to use corporate email for protected communications only if they already are given access to the system for work or personal reasons. Purple Communications does not force employers to grant email access to anyone. For that matter, employers are not required to grant email access to non-employees, including unions and union organizers.
May employers put restrictions on use of company email for protected discussions during nonwork hours?
Maybe. Employers may restrict use of company email to engage in protected discussions during nonwork time by demonstrating that there are actual (as opposed to theoretical) “special circumstances” that “make the ban necessary to maintain production or discipline.” This appears to be a difficult standard to meet. Employers must establish a connection between the restriction and their interest in imposing the restriction.
Is it ok to ban all nonbusiness use of company email?
A total ban would be subject to the “special circumstances” test discussed above. According to the NLRB, the existence of special circumstances “will be a rare case.”
May employers impose guidelines on using nonbusiness of company email?
Yes. Employers may establish specific guidelines for nonbusiness use of corporate email. Use of corporate e-mail for protected communications may be restricted to nonworking time. Employers also have the right to establish “uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline.” The single example provided by the NLRB is “prohibiting large attachments or audio/video segments, if the employer can demonstrate that they would interfere with the email system’s efficient functioning.”
May employers monitor their employees’ email use?
Yes. Employers may monitor computer and email systems for legitimate management reasons, such as ensuring productivity and preventing email use for harassment or other activities that could give rise to employer liability. However, employers may not change their monitoring practices specifically in response to union or other protected activity. On that note, any modifications to an email policy that targets protected activity for discrimination is likely unlawful.
Do employers need to change their email policies now?
Purple Communications applies retroactively, so unless the decision is appealed and stayed in the interim, employers should seriously consider modifying their company email policy to comply with the decision.
Does Purple Communications apply to other company electronic communications systems like texting or instant messaging?
Currently no, but the NLRB has signaled that it might extend the reasoning in the Purple Communications decision to other forms of electronic communication in the future.
Purple Haze: NLRB Still Unclear on Whether It Will Stop Employers From Limiting Use of Company Email to Business Purposes
Employees can get carried away on social media. US Airways learned this the hard way when its employee responded to a customer complaint on Twitter with an obscene picture of a woman and a toy jet. An apology and deletion of the tweet followed an hour later (an eternity in cyberspace). US Airways claims its employee made an “honest mistake,” and the incident has not spawned a lawsuit, but one can imagine situations in which the malicious online statements of an employee land the employer in legal trouble.
So what’s an employer to do? Thankfully, employers can find some solace in Section 230 of the federal Communications Decency Act (“CDA”), as a recent Indiana case illustrates. In Miller v. Federal Express Corp., an employee of a non-profit organization, 500 Festival, Inc. (“500 Festival”), and an employee of FedEx separately posted comments on media websites criticizing the plaintiff’s leadership of Junior Achievement of Central Indiana, which he ran from 1994 to 2008. Although the employees posted the comments using aliases, the plaintiff traced the comments back to IP addresses assigned to 500 Festival and FedEx and sued them for defamation.
The Indiana Court of Appeals affirmed the trial court’s dismissal of the defamation claims against 500 Festival and FedEx based on the Section 230 of the CDA. Congress passed Section 230 to protect companies that serve as intermediaries for online speech from liability for harmful content posted by third parties. A defendant claiming Section 230 immunity must show that: (1) it is a provider or user of an interactive computer service; (2) the plaintiff’s claim treats it as the publisher or speaker of information; and (3) another information at issue was provided by another content provider. Satisfying these three elements immunizes the defendant from suit, although the author of the offensive content could still be held liable.
It’s not difficult to see how Section 230 applies where, for instance, the operator of an online discussion forum is sued for defamation based on a comment posted by a forum member. The operator easily qualifies as an “interactive computer service” and can argue it is not liable for content that someone else published. But could a corporate employer qualify for Section 230 immunity? The court in Miller said yes, siding with precedent set by California and Illinois courts. An employer that provides or enables multiple users on a computer network with Internet access qualifies as a provider of an interactive computer service. Since the defamation claims tried to hold 500 Festival and FedEx liable for allegedly publishing statements made by their employees, Section 230 barred the claims.
Controlling what employees say online can be a daunting task, but it’s nice to know that employers have some protection from legal liability for the “honest” (or not so honest) mistakes of employees.
Birth announcements. Girl Scout cookies fundraisers. Leftovers in the company lounge. We’ve all probably received an email at work on these or similar subjects. It’s uncommon for an employee be disciplined for sending an email of such nature. But would that limit a company’s ability to act when employees circulate emails on more controversial topics?
This question was raised in a recent National Labor Relations Board (NLRB) decision involving the Jet Propulsion Laboratory (JPL) affiliated with NASA. In re California Inst. of Tech. Jet Propulsion Lab, 360 NLRB 63 (Mar. 12, 2014). Based on a Homeland Security directive, NASA began requiring JPL employees to submit to federal background checks as a condition of continued employment. Twenty-eight JPL employees who believed that the background check process violated their privacy rights filed a federal class action. The case led to a U.S. Supreme Court decision holding that mandatory compliance with the background check process did not violate the right to informational privacy. See NASA v. Nelson, 131 S. Ct. 746 (2011).
Several of the plaintiffs felt that management did not adequately inform employees about the actual impact of the Supreme Court decision, so they expressed their view of the decision in emails to their colleagues. The emails were sent to several thousand JPL employees using NASA-owned computers and JPL email addresses. After allegedly receiving complaints about the emails, management issued written warnings to the authors of the emails. The warnings alleged that the authors had violated several work policies prohibiting, among other things, “spamming” co-workers; sending unauthorized, non-work-related emails; and implying JPL endorsement of a position on political, social, or legal issues. The authors filed charges with the NLRB claiming that JPL violated their right to engage in concerted protected activity under Section 7 of the National Labor Relations Act.
The NLRB found that JPL employees frequently circulated emails on topics like charity fundraisers and social causes. Such emails technically violated work policies, but there was no evidence of enforcement in those instances. The discipline in this case was thus suspect. Although employees have no legally protected right to use their employer’s computers to engage in protected concerted or union activity, and may be lawfully disciplined for doing so, management may not choose to enforce only work policies involving concerted protected activity.
The decision is not a prompt to start disciplining employees who offer home-baked cookies to co-workers using email. Email can be a convenient tool for building company morale. But the decision does warn against using work policies pretextually to control discussion of work matters. JPL selectively enforced its work policies to silence certain viewpoints on a work-related issue, as highlighted by the fact that JPL supervisors commented on the Supreme Court decision using their work email accounts without being subjected to discipline. Work rules commonly included in an employee manual but inconsistently enforced– like an email use policy – shouldn’t be used as a basis for silencing employees who criticize management or express dissatisfaction with work conditions.
“It’s my First Amendment right to say what I want!” The First Amendment is commonly invoked to justify personal expression. But did you know that the First Amendment applies only when the government is involved? For example, the First Amendment wouldn’t prevent a private company from firing an employee for making offensive comments about the governor. If the same employee worked for a government office, then the First Amendment might apply. As a lawsuit recently filed against the County of Maui illustrates, the First Amendment adds a layer of complexity for public employers dealing with controversial social media activity of its employees.
The First Amendment Lawsuit Against Maui County
Neldon Mamuad is a volunteer Liquor Commissioner for Maui County and part-time aide to a Maui County Council member. In July 2013, Mamuad started a Facebook fan page called “TAGUMAWatch,” named after a Maui police officer well-known for strict enforcement of parking and traffic violations. The page was intended to enable Facebook users to post about “Taguma sightings” and share their thoughts about him. TAGUMAWatch gained popularity quickly and evolved into a discussion forum on a variety of topics including news, traffic, and politics.
Mamuad claims that he didn’t publicize his involvement with TAGUMAWatch until a TV news story about the page named him as its creator. Mamuad also didn’t identify himself as a County employee when posting to the page or suggest that he spoke for the County.
The County somehow linked Mamuad to the page. Allegedly under pressure from the County, Mamuad changed the page’s name to MAUIWatch. A few days later, Officer Taguma submitted a complaint to the County alleging harassment via the page. After notifying Mamuad of the complaint and conducting an investigation, the County determined that Mamuad had engaged in harassment and cyber-bullying through social media and required him to enroll in an employee counseling program.
On March 3, 2014, Mamuad sued the County in federal court for violating his First Amendment rights. As of the time of this post, Mamuad’s motion for a TRO was pending.
When Does Employee Discipline Violate the First Amendment?
Most forms of internet expression qualify as “speech” under the First Amendment. That point has been driven home by recent legal developments, including a court decision that Facebook “likes” are protected by the First Amendment, a Ninth Circuit opinion recognizing that bloggers have the same First Amendment protections as traditional journalists, dismissal of an appeal from the termination of a public school teacher, and a federal lawsuit filed by a gun rights group alleging that the Honolulu Police Department censored comments on its Facebook page. Whenever the government is the one restricting speech, the First Amendment becomes relevant.
So how does a public employer know when it may discipline an employee for his or her social media conduct without violating the First Amendment? The general test in the Ninth Circuit, as spelled out in Mamuad’s TRO motion, looks at these factors:
- Did the employee speak on a matter of public concern?
- Did the employee speak as a private citizen or public employee?
- Was the employee’s protected speech a substantial or motivating factor in the adverse employment action?
- Did the government have an adequate justification for treating the employee differently from other members of the general public?
- Would the government have taken the adverse employment action even absent the protected speech?
Dahlia v. Rodriguez, 735 F.3d 1060, 1067 (9th Cir. 2013) (en banc). For a court to find that employee discipline violates the First Amendment, the first and third question must be answered in the affirmative, the fourth and fifth question answered in the negative, and for the second question, the employee must have spoken as a private citizen. The employee also has the burden to prove the first three factors. If the employee is successful, then the burden shifts to the government to prove the fourth and fifth factors.
Applying this test to employee social media conduct isn’t simple, but it helps government employers assess whether the First Amendment counsels against disciplinary action.
Complaint in the Mamuad lawsuit
Motion for TRO in Mamuad lawsuit (w/o attached declarations and exhibits)