September 24, 2018

Your Private Posts are Less Private Than You Think

Imagine that instead of driving in the newest and latest automobile, you are driving a Model-T on the beltway during non-rush hour. Instead of zipping along at 70 mph, never mind that the speed limit is 55, you have the pedal pushed to the floor and you are doing 30 mph in the third lane. If you can imagine the absurdity of that situation then you can imagine the state of the law regarding Internet privacy issues. In fact, Congress has not passed a single major law addressing the protection of privacy on the Internet since 1986, when it passed the Stored Communications Act (SCA) as part of the Electronic Communications Privacy Act (ECPA), which is intended to restrict disclosure of private communications by providers of electronic communications services. At the time Congress enacted the SCA, most of what we take for granted about the Internet was not even imaginable. There was no World Wide Web, the creators of Google had not even entered college and the founder of Facebook was barely out of diapers.

Nowhere in this area do the problems become more obvious than when a party seeks discovery from a non-party service provider through the issuance of a standard third party subpoena. Whether and to what extent the subpoena must be complied with may depend on whether the service provider can be classified as a remote computing service, “RCS,” or an electronic communication service, “ECS,” and on whether the information is public or private, distinctions that perhaps only law professors can appreciate.

At the time Congress passed the SCA in 1986, there were generally two types of service providers: (1) those that had the capability to send or receive wire or electronic communications, which Congress called an “electronic communication service” (ECS), and (2) those that provided computer storage or processing by means of an electronic communications system and were defined as a “remote computing service” (RCS). The SCA prohibits ECS providers from knowingly divulging the contents of a communication while in “electronic storage” by that service, which includes those messages that are in storage pending transmission, and any communications stored for purposes of back-up protection.

In contrast, RCS providers are prohibited from divulging the content of any electronic communication carried or maintained on their service solely for the purpose of providing storage or computer processing services. For a number of years the distinction between an ECS and a RCS was largely academic because an ECS generally did not offer the services of a RCS and vice-versa.

However, the distinction between an ECS and a RCS has become blurred.  In particular, social media websites offer traditional ECS services such as email and RCS services such as computer storage.  In other words, a social media website may be both an ECS and an RCS depending on the services provided.  To put it simply, there is no good reason why the degree of protection for information should turn on whether the service provider may be classified as an ECS or a RCS.

For example, in a recent case, defendants issued subpoenas to two non-party social networking service providers, Facebook and MySpace, Inc., and to a non-party Web hosting company that provides webmail services.  The subpoenas sought disclosure of plaintiff’s private e-mail and social networking messages, as well as plaintiff’s MySpace comments and Facebook wall postings.  Plaintiff moved to quash the subpoenas, asserting that they were protected under the SCA.

The Court first found that plaintiff has standing to contest the issuance of the subpoena, stating that “an individual has a personal right in information in his or her profile and inbox on a social networking site and his or her webmail inbox in the same way that an individual has a personal right in employment and bank records. As with bank and employment records, this personal right is sufficient to confer standing to move to quash a subpoena seeking such information.” Crispin v. Christian Audigier, 717 F.Supp.2d 965, 975 (C.D.Cal. 2010).

Next, the court determined the Web hosting company is an ECS provider because it provides webmail, a service that users can access remotely to send and receive e-mail messages. More importantly, the court also held that Facebook and MySpace are ECS providers in connection with Facebook’s “wall posting” and MySpace’s “comment posting” services. The court compared the activities in that regard to private electronic bulletin board services (“BBS”).

The Court’s analysis did not end there. The court then examined the more difficult question of whether the postings constitute electronic storage within the meaning of the statute, which necessitates determining whether the providers also act as RCS providers with respect to certain stored communications. On that point, the court determined that when providers allow users to retain opened messages, the providers become RCS providers. According to the court, after the message has been delivered, the service is no longer electronic communication, but rather data storage. Thus, while the court quashed the subpoena with regard to wall postings that were clearly marked private, it remanded the matter to the magistrate judge to develop a fuller record regarding plaintiff’s privacy settings and the extent of access allowed to his Facebook and MySpace comments.

Congress has let far too much time lapse since the passage of the SCA. Technology has simply bypassed the law, and “until Congress brings the laws in line with modern technology, protection of the Internet and websites such as [these] will remain [at best] a confusing and uncertain area of the law.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).


Disciplining Employees for Unapproved Posts

It has become commonplace for companies and employees to use social media to build their businesses and interact with customers. In fact, more than 500 million people are now using Facebook® and over 175 million are using Twitter®. Even if businesses do not have an official social media page, their employees or at least some of them probably maintain their own personal pages. This may create legal and business risks for companies, especially for those which do not fully understand the use of social media. Indeed, if such use is not given careful consideration, it can damage and destroy goodwill with partners, investors, and consumers almost overnight.

Social networking’s expansive reach, and its impact on personal and professional communication, has put the traditional notions of privacy and free speech to the test.  Employees routinely post both personal and work-related content for their own purposes and without company consent, which can not only have negative implications for the employee, but the business as well.  For example, if an employee of a cell phone provider posts pictures of the newest 4G phone before it has been released to the public, there is a real risk that such a post can cause fiscal and legal damage to the company.  It has been widely assumed that such posting could be grounds for termination, but a recent case suggests that the answer may not be so black and white.

A complaint issued by the National Labor Relations Board (NLRB)’s Hartford regional office on October 10, 2010 alleges that an ambulance service illegally terminated an employee after that employee posted negative comments about his boss on Facebook®. The complaint goes on to allege that the company maintained and enforced an ‘overly broad’ blogging and internet posting policy. An NLRB investigation found that the employee’s postings constituted protected “concerted activity” with which an employer cannot interfere.

‘Protected concerted activity’ arises when, with respect to working conditions or other matters that are of interest to them, employees generally speak about work issues.   While there are certainly limits to the freedom that employees have to post information about their employers, the outcome of this case could impact how some social media policies are written and enforced going forward, even in non-union companies.

The complaint filed in Hartford is contrary to the decision reached by the NLRB involving a challenge to Sears®’ social media policy. In that case, the Board denied a claim by a union that a portion of Sears®’ policy restricted the rights guaranteed under the National Labor Relations Act, which essentially protects an employee’s right to self-organize or form a union. The NLRB found that Sears®’ policy was sufficient for “a reasonable employee to understand that it prohibits the online sharing of confidential intellectual property or egregiously inappropriate language and not Section 7 protected complaints about grievances, on-the-job protests, picketing and strikes.”

The uncertainty surrounding what can and should be included in a social media policy does not mean that a company should not have one, but rather highlights that these policies must constantly be reviewed and updated to reflect the ever-changing technical and legal landscape. In addition, banning social media use by employees is not likely to be effective because employees will undoubtedly continue to use it on their own time for personal use. Having a policy is critical for companies both to avoid the risks associated with the use of Web 2.0 platforms and to take advantage of the opportunities to remain competitive. While it is essential for a policy to be tailor-made to reflect the needs and requirements of an individual company and be directed to the protection of the employer’s business, professional reputation and client obligations, a review of policies finds that many of them cover similar topics:

  1. Scope – Employees must understand that they are not necessarily protected by the First Amendment and they will face discipline (including termination) for any postings that are injurious to or unapproved by the business.
  2. Affiliation – The policy must make it clear that employees are not permitted to speak on behalf of the company unless authorized to do so.  Thus, postings by employees that are not clearly personal in nature should include a disclaimer that the employee is not expressing the company’s position.
  3. Confidentiality/Use of Intellectual Property – The policy must remind employees of their confidentiality obligations and prohibition against unauthorized use of a company’s intellectual property.  Companies should also use this opportunity to review their policies concerning the handling of intellectual property and confidential information and take steps to better protect such information.
  4. Marketing – The policy should contain clear guidelines on the use of endorsements and testimonials by third parties. Not only is such transparency required by the Federal Trade Commission, but a number of companies have gotten into trouble by failing to disclose that they were responsible for the on-line endorsements. In other words, the testimonials should come from a legitimate third party, not simply from a friendly co-worker.
  5. Non-disparagement Language – Despite the NLRB complaint discussed above, companies (especially non-union ones) should consider including language requiring that employees not disparage their own company or anything related to the company.

Other issues that a company should consider when crafting its social media policy include required separation of personal and professional accounts and guidelines for social media PR crisis response.  By adopting a comprehensive social media policy that includes the elements set forth above, a company can simultaneously reduce the risks and increase business opportunities, visibility, and engagement that can be created through the use of social media.





Are You Ready To Be Hacked?

A number of the largest ever computer security breaches have occurred over the past several months. For example, at the end of March, computer hackers stole the names and email addresses of customers of Barclaycard US, Capital One and other large firms from the email provider Epsilon. Then in April 2011, reports suggest that hackers obtained credit card information and other personally identifiable information of potentially 77 million Sony PlayStation users in 59 countries. There have also been a number of other large scale attacks since then. While it is extremely difficult to measure with precision the total costs and damages caused by a security breach, especially for ones as large as these, it is estimated that Epsilon and Sony may be out tens of millions of dollars. According to one estimate, the average cost to respond to a breach in 2010 was more than $300 per affected customer. Thus, if the estimates are correct, Sony could be facing a bill of more than $20 billion just for notifying affected customers.