Employees can get carried away on social media. US Airways learned this the hard way when its employee responded to a customer complaint on Twitter with an obscene picture of a woman and a toy jet. An apology and deletion of the tweet followed an hour later (an eternity in cyberspace). US Airways claims its employee made an “honest mistake,” and the incident has not spawned a lawsuit, but one can imagine situations in which the malicious online statements of an employee land the employer in legal trouble.
So what’s an employer to do? Thankfully, employers can find some solace in Section 230 of the federal Communications Decency Act (“CDA”), as a recent Indiana case illustrates. In Miller v. Federal Express Corp., an employee of a non-profit organization, 500 Festival, Inc. (“500 Festival”), and an employee of FedEx separately posted comments on media websites criticizing the plaintiff’s leadership of Junior Achievement of Central Indiana, which he ran from 1994 to 2008. Although the employees posted the comments using aliases, the plaintiff traced the comments back to IP addresses assigned to 500 Festival and FedEx and sued them for defamation.
The Indiana Court of Appeals affirmed the trial court’s dismissal of the defamation claims against 500 Festival and FedEx based on the Section 230 of the CDA. Congress passed Section 230 to protect companies that serve as intermediaries for online speech from liability for harmful content posted by third parties. A defendant claiming Section 230 immunity must show that: (1) it is a provider or user of an interactive computer service; (2) the plaintiff’s claim treats it as the publisher or speaker of information; and (3) another information at issue was provided by another content provider. Satisfying these three elements immunizes the defendant from suit, although the author of the offensive content could still be held liable.
It’s not difficult to see how Section 230 applies where, for instance, the operator of an online discussion forum is sued for defamation based on a comment posted by a forum member. The operator easily qualifies as an “interactive computer service” and can argue it is not liable for content that someone else published. But could a corporate employer qualify for Section 230 immunity? The court in Miller said yes, siding with precedent set by California and Illinois courts. An employer that provides or enables multiple users on a computer network with Internet access qualifies as a provider of an interactive computer service. Since the defamation claims tried to hold 500 Festival and FedEx liable for allegedly publishing statements made by their employees, Section 230 barred the claims.
Controlling what employees say online can be a daunting task, but it’s nice to know that employers have some protection from legal liability for the “honest” (or not so honest) mistakes of employees.
Facebook comments about condition of company vehicles are protected under the NLRA; a Facebook rant about fake problems with the company car, not so much – Butler Medical Transport, LLC, 2013 WL 4761153 (N.L.R.B. Div. of Judges)
A recent decision by a National Labor Relations Board (NLRB) Administrative Law Judge (ALJ) gives employers insight on when they can and cannot fire an employee for their social media conduct outside of work. Particularly interesting is the fact that this decision involved two separate terminations, one of which the ALJ found illegal, and the other not.
The Norvell Termination
William Norvell worked as an emergency medical technician for an ambulance company, Butler Medical Transport (Butler). While on his personal computer at home, Norvell read a post by a co-worker (Zalewski) on her Facebook page stating that she had been fired. Zalewski attributed the firing to a patient report to management that she complained about the condition of Butler’s ambulances. Several people, including another Butler employee, posted comments inquiring into the incident, to which Zalewski responded with more posts about the patient’s report. Norvell responded to Zalewski with this comment:
“Sorry to hear that but if you want you may think about getting a lawyer and taking them to court.”
Another person posted a comment suggesting that Zalewski find a job with another ambulance company. After Zalewski asked where the company was located, Norvell posted the location and added, “You could contact the labor board too.”
Butler’s HR director obtained hard copies of these posts, and in consultation with the COO, decided to terminate Norvell. The HR director told Norvell that he was being terminated for violating Butler’s bullet point list of work rules, one of which prohibited employees from using social networking sites that could discredit Butler or damage its image.
The ALJ determined that Norvell’s Facebook posts were protected concerted activity. By advising Zalewski to see a lawyer or contact the labor board, Norvell was “making common cause” with a co-worker about a matter of mutual concern to the employees, i.e., the condition of Butler’s ambulances. Norvell’s posts had protected status even though they were accessible to people outside of the company because Section 7 of the National Labor Relations Act (NLRA) extends to employee efforts to improve the terms and conditions of employment through channels outside of the employer-employee relationship. The ALJ did not find posts to be so disloyal, reckless, or maliciously untrue as to lose their protected status. The termination of Norvell based on his Facebook posts therefore violated Section 8(a)(1) of the NLRA.
The Rice Termination
Another Butler employee, Michael Rice, posted this comment on Facebook:
“Hey everybody!!!!! Im fuckin broke down in the same shit I was broke in last week because they don’t wantna buy new shit!!!! Cha-Chinnngggggg chinnng-at Sheetz Convenience Store,”
Butler terminated Rice for making this post. At the trial hearing before the ALJ, Butler produced maintenance records showing that Rice’s vehicle was not in disrepair when he made the post. Rice had also testified at his unemployment insurance hearing that his post referred to a private vehicle rather than a Butler ambulance. There being no evidence to the contrary, the ALJ determined that Rice’s post was not protected by Section 7 because it was maliciously untrue and made with the knowledge of its falsity. As a result, Rice’s termination was not illegal.
Legality of Work Rules
Also under scrutiny was the legality of two of Butler’s work rules, one prohibiting the “unauthorized posting or distribution of papers,” and the other requiring employees to acknowledge that they “will refrain from using social networking sights [sic] which could discredit Butler Medical Transport or damages its image.” Butler argued that the rules were not official company policy because they were stated in a bullet point list. The ALJ rejected the argument as making a distinction without a difference. Butler relied on the bullet point rules in terminating Norvell and Zalewski, and new employees were required to acknowledge receipt of the list. As such, employees could reasonably understand that they would be disciplined for failing to follow the rules on the list. The ALJ found that the rules violated Section 7 activity because they prohibited employees from communicating to others about their work conditions.
LegalTXTS Lesson: This case doesn’t break new ground, but it does contain a few important reminders for employers grappling with how far they can go in regulating the social media activity of employees.
1. A policy by any other name … is still a policy. Butler’s failure to convince the ALJ that the bullet point list was not company policy should serve as a reminder that if a company communicates a rule to its employees in writing, expects them to follow the rule, and disciplines them if they don’t, the rule is effectively a policy. It doesn’t matter that the rule appears in a document whose title doesn’t include the word “policy,” or that the wording of the rule is informal.
2. Write it right. Given how easily a supposedly informal rule could qualify as a policy, a company should take care in articulating its work rules in the form of an official written policy. Consult with counsel to make sure the wording doesn’t inadvertently violate the law.
3. Don’t go overboard. The NLRB has consistently frowned upon work rules that flat out prohibit employees from posting content on social media that damages the reputation of their employer, or worse yet, bars them completely from speaking to others about work-related issues, whether on social networking sites or other media. (For examples, see the related posts below). Reject categorical bans on employee speech in favor of rules that focus on creating or avoiding specific results.
4. Context matters. Before disciplining an employee for a social media post, understand the context in which the post was made. Is the post about a work-related issue that other employees have discussed before? Does the post call for co-workers to take action? Asking such questions helps management determine if the post is protected under the NLRA.
NLRB dishes out confusion on social media policies
NLRB sanctions employees who fire employees for online “protected concerted activity”
DirectTV’s work rules invalidated by NLRB
No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir. BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe. In the “old days,” companies issued electronic equipment to employees for work use. Today, employees want to use the latest electronics of their own choice for both work and play. Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves. However, BYOD programs also create legal risks for companies, including:
- Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
- Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
- Inadvertent disclosure of proprietary company information, which jeopardizes their confidentiality, and as a result, their status as protected trade secrets
- Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company
In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach. BYOD is more prevalent than one might think. A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home. A company need not officially adopt a BYOD program to have one, which is all the reason why management should be proactive about putting BYOD policies in place.
Learn about the specific risks that a BYOD program creates for your company. Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes. Notify employees of the policies in writing and provide training. Don’t wait until it’s too late!
Want more tips on BYOD? Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.” Registration information is available at www.aeisonline.com.
Disclosure of confidential client information on the Internet by attorney violates Rule 1.6 of the Rules of Professional Conduct – In re Skinner, 740 S.E.2d 171 (Ga. Mar. 18, 2013)
A Georgia attorney recently learned the hard way that the Internet is no place to vent about a client. The attorney (Skinner) received negative comments from a client on consumer review websites. In response, Skinner posted personal and confidential information about the client on the Internet. After a formal complaint was filed against Skinner by the State Bar of Georgia, Skinner filed a petition for voluntary discipline admitting that she violated Rule 1.6 of the Georgia Rules of Professional Conduct. Rule 1.6 requires a lawyer to maintain the confidentiality of all information gained in the professional relationship with a client unless the client consents to disclosure after consultation. The client obviously did not consent to Skinner sharing her private information on cyberspace.
Skinner filed a motion for voluntary discipline in the form of a reprimand, which is the mildest form of discipline authorized for Rule 1.6 violations. The Georgia Supreme Court rejected Skinner’s petition despite recommendations by the Office of General Counsel of the State Bar and a special master to accept it. As a result, Skinner could face stricter disciplinary measures for her violations.
LegalTXT Lesson: Posting confidential information on the Internet is generally a bad idea. Especially if the information concerns somebody else. And you’re a lawyer. If you’re a professional who has an ethical duty to preserve confidences, like a lawyer, sharing confidential information about a client online is an invitation for trouble.
On a related note, responding to negative online comments with more criticism or hurtful actions (like revealing personal information about the commenter) is rarely an effective means of repairing reputation. The meltdown on the Facebook page of Amy’s Baking Company is an extreme example (although the owners claim the page was hacked). As the adage goes, don’t fight fire with fire.
Google acted as a “publisher” for CDA purposes for including third-party content in search results — Mmubango v. Google, Inc., 2013 WL 664231 (E.D. Pa. Feb. 22, 2013)
Google successfully obtained dismissal of a defamation lawsuit filed by a person (Mmubango) who found derogatory comments about him posted online. Mmubango discovered anonymous statements about himself on the “Wikiscams” website. Mmubango asked Google to remove the statements from its search engine and to give him information about the poster of the comments. Google refused.
Mmubango sued Google and others for defamation, and Google defended by moving to dismiss the claim based on Communications Decency Act (CDA) immunity. The federal district court for the Eastern District of Pennsylvania agreed that Google met the requirements for CDA immunity. First, Google is an interactive computer service provider. Second, Google did not author the allegedly defamatory content, but instead, was provided with it by another information content provider (i.e., Wikiscams). The defamation claim alleged that Google was liable for storing and broadcasting the derogatory comments about Mmubango. Third, Mmubango was seeking to treat Google as the publisher of third-party statements. Deciding whether to provide access to third-party content or, alternatively, to delete the content is an act of publishing. Under section 230 of the CDA, Google could not be held liable for defamation based on its decision to publish a third party’s statements. The court dismissed Google from the case.