Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry — Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)
The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets. Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns. The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.
Verizon issued a Blackberry smartphone to its employee, Sandi Lazette. Lazette set up a personal Gmail account on the phone with Verizon’s permission. Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee. Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not. Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.
Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy. A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions. The court also allowed Lazette’s privacy claim to move forward.
LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.
1. Don’t read your employees’ personal messages—even if they are readily accessible. Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent. A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA. Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry. Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails. The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.
2. Construe grants of access narrowly. If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account. In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account. Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him. Years later, the supervisor logged into the account to read emails about the status of the company. In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial. Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.
3. Thoroughly purge personal data from company-issued electronic devices before reusing them. Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired. Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like. Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.
4. Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools. One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised. MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device. To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.
Creative Commons image courtesy of Daigo Oliva on Flickr
The Hawaii anti-paparazzi bill eponymously named after its chief supporter is back after getting an extreme makeover, and it just took another step toward becoming law in Hawaii. The Senate Judiciary Committee has recommended passage of a revised version of the Steven Tyler Act (SB426, S.D. 1). The revised bill is a big improvement from the original version. It goes a long way toward remedying the problems discussed in my previous post on the Act, and now it looks much more like the California statute after which it was patterned. But despite the revisions, the Act remains quirky in some ways, and it still doesn’t answer the question of why we need a brand-new privacy law.
Here are the highlights of the revised bill. The revised bill:
- creates an actual tort for constructive invasion of privacy, not just one in the name. The original bill tried to create a constructive invasion of privacy tort, but the parameters of the tort were not well-defined.
- defines certain concepts that are key to liability under the Act, like “personal and familial activity.”
- makes it very difficult to impose liability on those publicizing or selling images or sound recordings that were captured in violation of the Act.
- carves out exceptions to liability, including one for law enforcement activities.
- creates a fairly novel process for raising a defense against invasion of privacy claims in court based on the First Amendment or its counterpart in the Hawaii State Constitution.
Now, let’s look at some of the features of the revised bill in greater detail.
Constructive Right of Privacy
The revised bill creates two types of invasion of privacy, one physical in nature and the other constructive. Both require an intrusion into land owned or leased by the plaintiff. This is an important revision because it gets rid of the “taking pictures at the beach” scenario (i.e., why should a celebrity complain about invasion of privacy if her picture is taken on a public beach?)
An intrusion, however, does not necessarily require a physical trespass onto the plaintiff’s property. Spying and eavesdropping could constitute intrusion, but does not necessarily involve a physical trespass. The tort of constructive invasion of privacy accounts for this distinction, stating that non-physical intrusions will be treated as invasions of privacy. The use of “visual or auditory enhancing devices” to probe into the plaintiff’s private affairs, regardless of whether it involves a physical trespass, counts as an invasion of privacy. That’s how constructive invasion of privacy works.
The original bill bungled the concept of constructive invasion of privacy by not tying liability to the use of visual or auditory enhancing devices. The revised bill fixes that problem.
“Personal and Familial Activity”
The original bill left out definitions of key concepts. A notable one was “personal and familial activity,” which is what the plaintiff must have been engaged in when the defendant captured images or recordings of him or her. The original bill did not define the term. The revised bill adopts the definition used in the California anti-paparazzi law.
Having a definition rather than none is a step in the right definition, but the definition is still too vague. The revised bill defines “personal and familial activity” as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” What range of activities does “the plaintiff’s private affairs or concerns” include? The revised bill doesn’t say.
Liability of Sellers of Images and Recordings
One criticism of the Act was that it punishes sellers of images or recordings of celebrities. The Act imposes liability on those who sold images or recordings that were captured in violation of the Act if they had “actual knowledge” of the violation and received compensation for the rights to the images or recordings. One problem of the original bill is that “actual knowledge” was not defined, so the level of intent needed to trigger liability wasn’t clear. The revised bill remedies that problem by defining “actual knowledge.” The definition requires “actual awareness, understanding, and recognition” that the image or recording was taken or captured in violation of the Act. That’s difficult to prove.
But the revised bill goes one step further in limiting publisher and seller liability. The plaintiff has the burden of establishing actual knowledge by “clear and convincing evidence.” This is the highest standard of proof in a civil matter (just below the “beyond a reasonable doubt” standard in criminal cases).
The plaintiff’s burden to prove the liability of publishers and sellers is reminiscent of the “actual malice” standard applicable in libel cases brought by a public official or public figure. In other words, the revised bill makes it very, very difficult to prove publisher and seller liability.
The revised bill also makes clear that there is no derivative liability for publicizing or selling an image or recording if it had been previously publicized or sold before without violating the Act.
Exceptions to Liability
The revised bill creates exceptions to liability, most notably for activities relating to law enforcement and investigation into illegal conduct. The revised bill also clarifies that the Act does not preclude suits for other legal or equitable relief under other theories, including the Hawai‘i anti-SLAPP law or a claim for publication of private facts.
First Amendment Defense
Perhaps the most interesting feature of the revised bill is an expedited process for handling defenses based on the First Amendment or its Hawaii counterpart, i.e., Hawaii Constitution, Article I, Section 4 (the revised bill does not cite specifically to Section 4, which is the section that parallels the First Amendment, so the expedited process apparently applies to a defense based on any portion of Article I is raised). The basic idea is to give first priority to resolving questions of the constitutionality of enforcing the Act in a particular situation.
Here’s how the expedited process works. If the defendant files a motion to dismiss a claim for violation of the Act based on First Amendment/Article I grounds, the case basically comes to a halt until the motion is decided. The court cannot look outside the allegations in the pleadings to decide the motion, and all discovery is suspended until the motion is decided. The court must hold a hearing and rule on the motion on an expedited basis. If the court denies the motion, the defendant may immediately appeal the denial.
The revised bill also flips the burden of proof. When the defendant files a motion to dismiss based on a First Amendment/Article I defense, the plaintiff has the burden to prove that, more likely than not, the plaintiff’s “claim is [not] barred by a defense based on the First Amendment of the United States Constitution or article I of the Hawaii State Constitution” (note that the quoted language in the revised bill omits the word “not”; that’s probably a typo). If the defendant wins the motion, it can recover damages, attorneys’ fees, costs, punitive damages, and other sanctions against the plaintiff and even the attorneys and law firm representing the plaintiff.
Thoughts on the Revised Bill
The revised bill is much better than the original version. I’m still not convinced, though, that the solution to the problem of overzealous paparazzi is a new law. Hawaii already recognizes the privacy tort of inclusion into seclusion, and that seems to cover the type of intrusion addressed in the concept of “constructive invasion of privacy.” The tort of intrusion into seclusion does not require a physical invasion into the plaintiff’s personal space. The use of visual or auditory enhancing equipment to remotely gain access to the plaintiff’s private affairs would seem already covered under existing law. Creating a new law to deal with the issue would add little new benefits while potentially creating more problems.
Take the expedited process for dealing with First Amendment issues, for example. According to a Standing Committee Report, the expedited process was created in response to constitutional concerns about the Act. As a lawyer who represents media defendants, I welcome extra procedural protections for airing out First Amendment issues. But I do think the expedited process is somewhat sloppy. The process gives too much incentive to a defendant to respond initially to a Tyler Act claim with First Amendment defenses, even unmeritorious ones. The defendant has nothing to lose and everything to gain by using such a tactic. By filing a motion to dismiss on First Amendment grounds, the defendant can freeze discovery in the case, shift the burden of proof to the plaintiff, and potentially reap the benefit of recovering fees, costs, and damages from the plaintiff, his or her attorney, and even the attorneys’ law firm! There are few circumstances in which a defendant should not raise a First Amendment defense. And on the flip side, true victims of constructive invasion of privacy might think twice before suing under Tyler Act due to the risks involved. Which again begs the question: Do we really need the Tyler Act?
A personal cell phone is not a “facility” within the meaning of the Stored Communications Act—Navarro v. Verizon Wireless, L.L.C., 2013 WL 275977 (E.D. La. Jan.24, 2013)
A federal court in Louisiana recently ruled that a hacking and “sexting” victim could not sue under the Stored Communications Act (SCA). The plaintiff (Navarro) visited a cell phone store and accepted the offer from a Verizon sales associate to try a new cell phone model for two weeks. Navarro later returned the trial phone to the store and had a different Verizon sales associate (Stillwell) transfer data from the trial phone back to her phone. After leaving the store, she received a message on her phone from an unknown number. The message contained nude photographs of Navarro that she had taken using her phone’s camera. When Navarro’s mother confronted the manager of the cell phone store, Stillwell admitted that he copied the photos from Navarro’s phone for his own use and accidentally sent them to Navarro from his phone.
Navarro sued Verizon and the cell phone for violating the SCA, among other theories. She inadvertently omitted a claim for punitive damages under the SCA, however, and asked the court for permission to add such a claim. The defendants argued that the claim would be futile because a personal cell phone is not a “facility” under the SCA. Liability under the SCA requires the unauthorized intentional access of “a facility through which an electronic communication service is provided” to obtain, alter, or prevent “authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a).
The court agreed with the defendants. In a Fifth Circuit case, the court concluded that the SCA envisions regulation of network service providers (like Verizon). A home computer of an end user does not qualify for SCA protection. Relying on that case, the court ruled that a personal cell phone is not a “facility.” While a cell phone enables the use of an electronic communication service, it is not itself such a service. The information stored on a cell phone therefore is not in “electronic storage.” Navarro suggested that the defendants might have copied her photographs from a “cloud based” storage system run by Verizon, but there was no evidence of that, so the court rejected the theory. Navarro was denied permission to add a punitive damages claim under the SCA.
Use of Competitor’s Name in Keyword Advertising Ruled Not a Violation of Publicity Rights – Habush v. Cannon, 2013 WL 627251 (Wis. Ct. App. Feb. 21, 2013)
Can your business competitor use your name to promote itself and never mention your name to the public? Keyword advertising makes that possible. A competitor can bid on keyword search terms consisting of your company name to make links to its website appear whenever a person searches for your name on the Internet. A law firm that fell prey to such an advertising strategy decided to sue its competitor for violating its publicity rights, which is a form of invasion of privacy.
Robert Habush and Daniel Rottier are shareholders in Habush Habush & Rottier, a well-known personal injury law firm in Wisconsin. Another Wisconsin law firm also specializing in personal injury law, Cannon & Dunphy (C&D), bid on the keyword search terms “Habush” and “Rottier” through Google, Yahoo!, and Bing. As a result, when a person searched for “Habush” or “Rottier” in one of the three search engines, links to C&D’s website would appear at the top of the list of “sponsored” results, i.e., those links produced by keywords that been bid on and paid for by advertisers. Sponsored results generally appear above the “organic results” generated by the search engine’s algorithm.
Habush and Rottier sued C&D for violating Wisconsin’s invasion of privacy statute. Under the statute, a person’s privacy could be invaded by “[t]he use, for advertising purposes or for purposes of trade, of the name . . . of any living person, without having first obtained the written consent of the person . . . .” The main question was whether C&D engaged in a “use” of Habush and Rottier’s names.
Habush and Rottier argued that any attempt to benefit from the commercial or other value of a person’s name or image is a “use.” Under this interpretation, C&D “used” the names of Habush and Rottier. C&D countered that the statute covers only “use” that is visible to the public. Under that perspective, bidding on names for keyword advertising purposes is not a “use” because the public does not see the use of the names.
The court found both interpretations reasonable, but adopted C&D’s interpretation. The court held back from ruling that unauthorized use of a name can never be an invasion of privacy unless the use is visible to the public, but it agreed with C&D that bidding on a competitor’s name to get one’s ad placed near links to the competitor’s website in search results is not a violation of the competitor’s publicity rights.
The court analogized competitive keyword advertising to “proximity advertising.” Examples of proximity advertising include: a new car dealership opens across the street from an established car dealership; a business advertises on billboards next to a competitor’s billboards; a lawyer places a Yellow Pages ad near the phone listing of competing lawyers. Although a competitor is trying to take advantage of the name of an established business in each of these scenarios, none involves an impermissible “use”, such as when a competitor puts the name of an established business in its ad or on its product. The court similarly did not see a problem with using a third party—in this case, a search engine—to engage in proximity advertising.
LegalTXTS Notes: This is a pretty novel case because most competitive keyword advertising cases are based on theories of trademark infringement or dilution. Since Habush and Rottier are personal names, they might not have acquired sufficient second secondary meaning to qualify for trademark protection, so publicity rights was invoked as a creative alternative.
Hawai‘i has its own publicity rights statute, so would the outcome have been different had the lawsuit been filed in Hawai‘i? Hawai‘i courts have not had the occasion to interpret the statute, but if you buy the reasoning of the court in Habush, the answer is probably not. The Hawai‘i statute is similar enough to the Wisconsin statute for the logic of Habush to apply.
As a partner in a law firm (and therefore a business owner), I’m not sure how I feel about Habush. I think the court rightly rejected the interpretation that any attempt to benefit from the commercial value of a person’s qualifies as a violation of publicity rights. That’s a pretty broad proposition. But something about the decision makes it hard to swallow. There’s an element of deception the court doesn’t adequately address. I wonder if, instead of claiming violation of publicity rights, Habush and Rottier could have sued under an unfair competition theory.
UPDATE 2/19/13: HB713 has been scheduled for decision making on February 21. Its companion bill, SB207, passed second reading and has been referred to the Senate committee on Judiciary and Labor. Also, an updated chart of all Internet-related legislative proposals in the 2013 Hawaii legislative session is available here.
Two Hawaii bills that would ban employers from requesting employees or job applicants to disclose access information to their personal Internet accounts moved forward today. The House committee on Labor and Public Employment voted to recommend passage of HB713 with the amendments reflected in the HD1 version of the bill. HD1 amended the original bill to replace the term “social media” with “personal account”; define “personal account”; place the new legislation under the employment practices statute, HRS chapter 378; create an exception for law enforcement agencies conducting background checks of applicants for employment). HB713 now goes to the House Judiciary committee for review.
SB207, a companion bill to HB713, was also recommended for passage with amendments by the Senate committee on Technology & the Arts.