Not so very long ago, employees who “surfed the web” at work might only be surfing news sites, shopping, gambling, or browsing inappropriate material instead of working. But now, social networking has exploded, and the issues in the workplace may not always be so cut and dry between acceptable and non-acceptable Internet usage in the workplace. 

As the numbers on page 15 indicate, Web 2.0 is prevalent and here to stay. Given these statistics, the reality is that most employees expect a certain level of Web 2.0 usage at work. There are marketing benefits, as well as risks, for employers allowing such usage.

Media Reports of Web 2.0 Workplace Misconduct

A judge was reprimanded when he “friended” one of the lawyers in a case before him, and the two engaged in ex parte communications about the case.5

A Delta Airlines attendant was fired after she posted “inappropriate images” of herself wearing the company’s uniform on her blog, “Queen of the Sky.”6

A schoolteacher faced being fired after she posted derogatory comments about some of her students on Facebook.7

Policing Policies

The first place for all employers and employees to look regarding the workplace “rules of the road” is the employment manual (handbook). For Web 2.0, the following issues should be considered and possibly addressed:8

Whether to permit social networking at work at all? It may not be realistic to ban all social networking at work, but this would offer the greatest amount of protection on this particular Internet issue. If done, the employer may lose the benefit of business-related networking, such as LinkedIn. A total ban is also hard to monitor and enforce, and could be expensive.9

At work and away. For employers, social networking presents two main issues­—what employees are doing at work regarding Web 2.0; and their social networking activity away from work (specifically, how they are portraying the employer when not at work).  Any social networking policy should address both types of online use.

Monitoring: Turning off Internet access, installing software to block certain sites, or monitoring employees’ use and disciplining offenders are all possibilities, depending on how aggressive employers want to be and how much time they want to spend watching what their employees do online.  Additional IT time and costs are also factors here.

If employees are allowed to social network at work, determine whether to limit it to work-related conduct, or permit limited personal use.

Do you want employees to identify with your business when networking online? Employees should be made aware that if they post as an employee of your company, the company will hold them responsible for any negative portrayals. Or, employers could simply require that employees not affiliate with their business and lose the networking and marketing potential Web 2.0 offers.

Define “appropriate business behavior.”  Employees need to understand that what they post online is public, and they have no privacy rights in what they put out for the world to see. Anything in cyberspace can be used as grounds for discipline, no matter whether the employee wrote it from work or outside of work. There should be consequences for any information that reflects negatively on your business.

How will social networking intersect with your broader harassment, technology, and confidentiality policies?  Employment policies do not work in a vacuum. Employees’ online presence, depending on what they are posting, can violate any number of other corporate policies. Drafting a social networking policy is an excellent opportunity to revisit, update, and fine-tune other policies.

Privacy Please

With only e-mail, the legal state-of-the-art could be effectively summarized that an employee’s personal e-mail was not his or her own if viewed or sent through the employer’s computer server. This argument was based largely on property principles:  the company owns and provides the server, for ostensibly business purposes only. Thus, from a legal perspective, employees do not have a reasonable expectation of privacy in e-mails accessed through the employer’s server. This view was strengthened when companies began putting their employees on specific notice of such fact through carefully designed e-mail policies distributed through employee handbooks.

Personal cell phones and similar communication devices are widespread and not dependent on the employer’s computer server. While cell phones and the like might be purchased for employees or the calling plans reimbursed, this does not necessarily guarantee that employers have the right to access user records. In any event, these records are maintained by a third party, and the contract between the employer and third party will dictate initial access.  In that case, the employer is left with having to subpoena the third party. Often such companies are not located in Minnesota, and out-of-state service and enforcement of such subpoenas can be a time-consuming, confusing, and expensive legal process.

Social networking sites often contain information that individuals would claim as being highly personal, and because such information is often restricted to certain users, an argument can be made that there is a heightened expectation of privacy. Users often have control over what they allow others to see. On Facebook, for example, different privacy settings range from full and open disclosure to anyone who finds that person on Facebook, to limited disclosure only to a very select few: their Facebook “friends” to whom they authorize access.  Users who fail to adjust their settings may be embarrassed, or worse, should inappropriate material on their social networking profile pages filter back to their employer.  Employers are generally allowed to conduct Internet searches for information on which to base employment decisions. Employers are also generally able to discipline and fire employees for off-work activity they deem misconduct.10 

From a practical standpoint employees may feel they have more privacy law rights as to Web 2.0 sites than is the case with e-mails. This is an important internal policy consideration for employers, one that may also have legal consequences.

The “Curious” Case of Yath v. Fairview Clinics

MySpace figured prominently in a local case decided in late June 2009, Yath v. Fairview Clinics, N.P.11 Yath had the misfortune of visiting a clinic for treatment where an acquaintance worked. The acquaintance engaged in Curious-George-like behavior: searching Yath’s medical records,12 and learning that Yath received a sexually transmitted disease from someone other than her estranged husband.  Not being satisfied, the acquaintance shared this information with others. Eventually, a MySpace page was created solely to broadcast this information.  Litigation ensued against the individuals directly involved and the clinic on a variety of invasion of privacy and related claims. Summary judgment was granted for the defendants and Yath appealed. Examining how the appeals court addressed the defenses to the privacy claim is instructive.

In Minnesota, invasion of privacy’s elements includes widespread publicity of private facts that are highly offensive to a reasonable person and not of legitimate public concern.13  The defendants argued that the offending MySpace page was not “widespread,” because it was available between one and two days, and only six people accessed it. The court disagreed on this point, holding that where the information is made available to the public at large (via broadcast media), the actual number of viewers is “irrelevant.”14 

The clinic next tried to argue that MySpace by its very nature is a private communication and not of general interest.  The court was unimpressed, holding that it is how the communication is broadcast to the public that is important, not whether the subject matter is of general interest.15 Also determinative was that MySpace pages are not password protected, so the public has access. The court disagreed with the concurring opinion, which argued that the actual number of people receiving the information satisfies the publicity prong of the tort. The court observed that the Internet has “more than one billion… surfers worldwide. This extraordinary advancement in communication argues for, not against, a holding that the MySpace posting constitutes publicity” under the privacy tort.16 Previously, many privacy defendants have tried to argue that even if the broadcast was made available to the public, because so few actually saw it, the publicity factor was not satisfied. Yath appears to have done major damage to that defense.

Ultimately, the court sided with the defendants in dismissing the privacy claim because Yath was apparently unable to show that the remaining defendants17 on appeal created the MySpace page.

The clinic that employed the offending acquaintance faced liability, even for the intentional misconduct of its employee.  The critical inquiry was whether it was foreseeable that such misconduct would occur.  Yath argued yes, but “presented no evidence that the wrongful access and dissemination of private medical information…was foreseeable.”18 This raises a potential issue in future cases, depending on the available evidence and its use. Privacy plaintiffs will have to show, perhaps through an expert in the industry, how that particular industry or business should have foreseen such a privacy violation.  Defendants will be on the lookout to discredit or exploit flimsy forseeability claims as to intentional misconduct.19

Discovery Dilemmas

Collecting and storing all e-mails was the old “new” challenge for businesses, especially as new federal rules of discovery made such archiving a near necessity in litigation.  Approved in 2006, the updated federal rules now require that a broader range of “electronically stored information,” including e-mails, be disclosed early in the legal process.20  The new rules also require that even when electronic information is not reasonably accessible due to “undue burden or cost,” identifying information must still be disclosed to the other party. 21 

However, with the proliferation of such Internet usage, it is only a matter of time until lawyers will be incorporating requests for such social networking activity as part of litigation. For example, in a sexual harassment case, a prudent lawyer would want to see the social network profile (or its analog) of the accused harasser (and likewise, the alleged victim).  That should be easy enough for those individuals to produce.  Getting all their postings may be tougher, and may require more than a signed authorization from the targeted individuals and include subpoenaing records from the network sites themselves.  Such postings may very well include exculpatory or damning evidence as they act as a kind of digital diary.22

At a minimum, attorneys investigating and pursuing claims that may entail Web 2.0 evidence would do well to consider specifically alerting those involved in writing to preserve such evidence, and refrain from taking any steps to delete, alter, or otherwise hide it.  Putting parties on this notice has risks, certainly, from a strategic standpoint.  Failing to do so may jeopardize the case as well as cause additional expense in computer forensic analysis. 

This issue was present in Yath.23  There, certain computer information was requested through a subpoena duces tecum.  The subpoena was faxed to one of the defendants’ attorneys on July 3; the defendant was served on July 5, being out of town on July 4.24  The defendant produced the computer on July 16 for inspection, upon which it was found that information had been “’erased and scrubbed’” as of the evening of July 3.  Yath argued that this timing showed intentional spoliation of evidence.  The court disagreed, pointing out that the deletion may have occurred through the computer’s standard maintenance, and that the defendant had not been served with the subpoena until two days later. While there was evidence for suspicion, there was not enough, the court found, for “compelling support to require a finding that intentional destruction of evidence occurred.”25  The record is silent as to whether the defendant may have been put on prior notice by Yath to preserve the computer and avoid such a “mishap.”

With social networking, there are more reasons why employers may want to allow such activity, with policies ruling out inappropriate material or excessive usage at work. Clearly, such Internet usage is too widespread to effectively police or filter, especially for micro, small, and even medium-sized businesses.  Therefore, it may be more efficient to allow such usage with the above caveats.  Another potential plus is that such usage may assist with marketing efforts, especially business-oriented sites, like LinkedIn. Encouraging appropriate usage as long as it tracks with specific marketing goals is a cheap way for many smaller businesses to get the word out through their employees. Still other employers, like the one in Yath, have chosen to specifically block such sites; there, the protective blanket approach provided clear dividends for the clinic and helped save it from liability.

Conclusion

Several lessons can be drawn from the Web 2.0 phenomenon. First, it illustrates, again, how technology outpaces the law.  News accounts are predicting something called “singularity,” a technological concept that says the development of technology is racing so quickly, doubling the speed and memory at an ever quickening pace, that by the year 2050 it will outstrip the human brain in its ability to reason.26  Second, it underscores that certain workplace policies are organic documents. In turn, employers need to continually review and revise such policies and communicate them effectively so that the workforce is on notice of reasonable expectations, and employers and their lawyers have a viable argument when things go wrong. Third, lawyers would do well to take steps in their own standard discovery practice to address Web 2.0 in discovery and the preservation of evidence.

WEB 2.0 BY THE NUMBERS

·         The typical 21-year-old graduate has “exchanged 250,000 e-mails and instant messages, has spent 10,000 hours on their mobile phone and put in 3,500 hours surfing the internet.”1

·         A recent survey asserts that 93% of employees spend some time at work accessing the Internet; 50% do so for both work and personal reasons.2

·         50% of employers are estimated to either entirely block or restrict Facebook.3

·         2 billion daily Google searches

·         200 million Facebook users; half of whom log on every day.

·         133 million blogs

·         70 million YouTube videos

·         3 million daily Twitter “tweets”4

² Surfing the Web at Work May Be as Addictive as Cup of Joe, May 9, 2005, Websense, http://files.shareholder.com/downloads/WBSN/0x0x155648/d3986c05-ec6f-4700-b35b-5cdf10927d3d/285219.pdf.

³ Tim Ferguson, Poll: Half of Employers Restrict Facebook, Cnet, Aug. 22, 2007, http://news.cnet.com/2100-1029_3-6203889.html.

⁴ Adam Singer, Social Media, Web 2.0 and Internet Stats, The Future Buzz, Jan. 12, 2009, http://thefuturebuzz.com/2009/01/12/social-media-web-20-internet-numbers-stats/. 

⁵ Molly DiBianca, More Stories from the Facebook Frontier, The Delaware Employment Law Blog, June 15, 2009, http://www.delawareemploymentlawblog.com/2009/06/more_stories_from_the_facebook.html.

⁶  Laura Smith-Spark, How to Blog – and Keep Your Job, BBC, July 20, 2006; http://news.bbc.co.uk/2/hi/europe/5195714.stm.

⁷ Ann Doss Helms, North Carolina Teachers Face Consequences for Facebook Posts about Students, Raleigh News & Observer, Nov. 12, 2008, http://www.nsba.org/MainMenu/SchoolLaw/Issues/Employment/News/TeacherFacebook.

⁸ Jon Hyman, Drafting a Social Networking Policy: 7 Considerations, Ohio Employment Law Blog, June 10, 2009, http://ohioemploymentlaw.blogspot.com/2009/06/drafting-social networking-policy-7.html.  Mr. Hyman is credited for the seven points content herein, with some modifications and editing by this author.

⁹ A recent survey of IT managers showed that 95% allow access to some Web 2.0, while only 9% have security to protect “from all threat vectors.”  Websense, 2009 Web 2.0@Work Survey of 1300 IT Managers Worldwide, May 2009, http://www.slideshare.net/cpurdy/2009-web20work-survey-of-1300-it-managers-worldwide.

¹⁰ Minn. Stat. § 268.095 subdiv. 6 (2008); see also, e.g., Mullins v. Dep’t of Commerce, 244 Fed. Appx. 322, 2007 WL 1302152 (May 4, 2007); Washington v. Dunwoody Coll. of Tech., 2005 WL 468355 (Minn. Ct. App.); Hein v. Gresen Div., 552 N.W.2d 41 (Minn. Ct. App. 1996).

¹¹ 2009 WL 1751767 (Minn. Ct. App. June 23, 2009).

¹² A rash of similar instances has occurred to celebrities, including Britney Spears and the now-deceased Farrah Fawcett.  In both instances, the individuals involved were terminated by their employers.  Raquel Maria Dillon, Hospital Worker Fired for Leaking Farrah Fawcett’s Medical Records, The Huffington Post, Apr. 2, 2008, http://www.huffingtonpost.com/2008/04/02/hospital-worker-fired-for_n_94788.html.

¹³ Yath, at *6 (citing Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550, 553 (Minn. 2003)).

¹⁴ Id. at *7.

¹⁵ Id.

¹⁶ Id. at *8.

¹⁷ The defendants responsible for the MySpace page had been dismissed after summary judgment but before the appeal.  Id. at *9.

¹⁸ Id. at *12.

¹⁹ The court upheld summary judgment, but remanded the case to determine liability under Minnesota’s Health Records Act, to wit, whether the term “person” includes the defendant clinic insofar as the act precludes “persons” from disclosing health records.  Relatedly, the court held that HIPPA did not preempt the Health Records Act.  Id. at *13-14.

²⁰ Fed. R. Civ. P. 26(a)(1).  See also Fed. R. Civ. P. 16(b), 26(b)(2)(B), 26(f)(3), 37(f); Roger Matus et. al. The New Federal Rules of Civil Procedure: IT Obligations for Email, InBoxer, Inc., 2006, http://technology.findlaw.com/resources/images/whitepaper_frcp1.pdf.

²¹ Fed. R. Civ. P. 26(b)(2)(B).

²² By Web 2.0’s very interactive nature, it is possible that third parties who have received such information might have their own, independent, claim of privacy, insofar as they have shared personal and sensitive information of their own as part of the back and forth communications.

²³ 2009 WL 1751767.

²⁴ This, incidentally, raises one of the pitfalls of serving legal documents close to major holidays.

²⁵ Yath, at *5.

²⁶ Thomas Ricker, Intel CTO Predicts Singularity by 2050, Engadget, Aug. 22, 2008, http://www.engadget.com/2008/08/22/intel-cto-predicts-singularity-by-2050/.