Like it or not, if you have employees with access to the internet, they are likely using online social networking websites such as Facebook, Twitter, MySpace and LinkedIn. The explosion in the popularity and use of such sites creates a whole new (cyber)world of concern for employers trying to regulate and monitor the online activities of their employees. The ease with which users can now post information on the internet leads to the possibility that employees may damage their company’s reputation, reveal confidential information, or expose employers to claims of defamation or harassment. To deal with such risks, employers must consider creating a comprehensive set of policies to regulate and monitor the online activities of employees in the workplace, while at the same time remaining cognizant of privacy concerns and other limits on managing online activity and communications.
Liability for Harassment
As most informed employers already know, federal and California anti-discrimination laws require that employers act to prevent or eliminate harassment in the workplace. With the advent of the online world, employers must now be aware of online activity such as posting unwelcome messages or statements which can form the basis of a hostile work environment claim. An employer may be held liable for such activity if the conduct has a sufficient nexus to the workplace and the employer has actual or constructive knowledge of the unwelcome conduct but takes no steps to stop it.
The risk of liability from employee conduct was illustrated in Blakey v. Continental Airlines, Inc., where the New Jersey Supreme Court found that an employer could be held liable for a hostile work environment claim arising out of derogatory statements posted on an Internet bulletin board designed for Continental employees. While the bulletin board was provided by an outside vendor and not Continental itself, the board was available to all pilots and crew members. Continental argued that because the harassment did not occur at a workplace under its direct control, it should not be liable. The Court disagreed, finding that although the electronic board may not be located at a physical site, it may have been so closely related to the workplace and beneficial to the employer that harassment in the forum could be regarded as a part of the workplace. The Court recognized that privacy concerns were implicated by its ruling and emphasized that employers are not required to monitor all private communications of their employees, but that employers still have a duty to stop co-worker harassment in settings related to the workplace if they know or have reason to know that harassment is taking place. This case demonstrates that employers can no longer turn a blind eye to harassment in the virtual world.
Liability for Monitoring
Given the myriad risks associated with employee online activity, employers clearly have an interest in monitoring social networking activities that relate to an employee’s work. While it’s true that employers cannot turn a blind eye to the virtual world, they must cautiously approach any type of online monitoring they undertake. Of primary concern is the employee’s right to privacy. In California, the courts balance the employee’s reasonable expectation of privacy against the employer’s business justification for the monitoring to determine whether an employee’s privacy has been violated. While it used to be well-settled that an employer in the private sector could monitor email and internet activity on equipment provided by the employer (so long as there was an explicit policy which called for such monitoring), the law is becoming increasingly unclear, particularly where an employee has restricted access to his or her online social network.
The Stored Communications Act (“SCA”) is a federal statute that prohibits third parties (i.e. employers) from accessing electronically stored communications – for example, email or Facebook entries – without proper authorization. While the SCA creates an exception where the conduct is “authorized”, most courts have construed that exception narrowly. Two recent cases are illustrative.
In Pietrylo v. Hillstone Restaurant Group, two employees were fired after posting derogatory comments about their employer on a MySpace user group that the employees had created to complain about their jobs. The user group was by invitation only and required a password to view, but the employees’ supervisor requested and received the password from another employee and viewed the postings. The employee who provided the password later testified that she feared her refusal to give the password to her supervisor would have affected her job negatively. The jury found that the employee was coerced into providing the login information and returned a verdict against the employer for violating the SCA. Similarly, in Konop v. Hawaiian Airlines, Inc., a pilot created and maintained a website wherein he posted entries critical of his employer. Access to the site was restricted by the pilot and he only allowed access to “authorized users.” Two of the users provided their login information to a Hawaiian official, who then accessed the site. The creator of the site sued Hawaiian under the SCA and the court held that Hawaiian was liable because there was no evidence that either of the authorized users who provided the login information had ever accessed the site themselves; and therefore, they were not “users” who could authorize the Hawaiian official’s access. These cases illustrate the confusing and unsettled waters employers must navigate when monitoring online activity.
Steps to Take
A final consideration for employers is what they may do once monitoring has uncovered unsavory information. California law prohibits employers from discriminating against employees for lawful conduct that occurs away from the workplace during non-work hours. There is also concern that certain employee online activity may be protected by the National Labor Relations Act. Further, even if an employer were to determine that it could (and should) take action, such action should be taken consistently so as to avoid claims that the employer has discriminated against a protected group by not imposing the same disciplinary action on other similarly situated employees.
So what is an employer to do?
Start by developing a comprehensive set of policies to regulate and monitor employee online behavior in the work context. An employer must consider the goals of these policies, which should include protection of the company’s reputation, confidential information, trade secrets, and the privacy of its employees. Such policies will be most effective if they (1) urge employees to go to human resources before venting online, (2) establish a disciplinary framework for misuse of social networking sites related to employment, (3) establish a reporting system for suspected violations of the policy, and (4) reiterate that the company may monitor email and internet use on company equipment. Above all, the policies must be enforced uniformly.
Wishing the internet away or eliminating its use by employees is, respectively, impossible and increasingly infeasible. Gaining control of the issue proactively through education and a well-written policy allows employers to harness the good that can come from the internet while minimizing the bad.