Two New Jersey defense lawyers face attorney ethics charges in connection with the way they allegedly accessed Facebook. Regardless of how these charges are resolved, the facts in the case should serve as a reminder to attorneys to become more familiar with social media, and perhaps be more specific in the direction they give to their staff.  

The New Jersey Office of Attorney Ethics (OAE) alleges that John Robertelli and Gabriel Adamo caused a paralegal to "friend" the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page that was not publicly available.  The OAE alleges that the conduct violated Rules of Professional Conduct governing communications with represented parties, along with other rules.  Both attorneys deny the charges and claim that they only directed the paralegal to do general internet research, and that they did not tell her to add the plaintiff as a “friend” to gain access to otherwise private information. 

The Facebook access came to light during deposition questioning when the plaintiff was asked very specific questions about his travel, dancing, wrestling, or activities which would tend to disprove his claims as to the seriousness of the injuries he allegedly suffered after being struck by a police cruiser while doing push-ups in a driveway.   

The attorneys are charged with violating RPC 4.2, concerning communications with represented parties; 5.3(a), (b) and (c), failure to supervise a nonlawyer assistant; 8.4(c), conduct involving dishonesty and violation of ethics rules through someone else’s actions or inducing those violations; and 8.4(d), conduct prejudicial to the administration of justice. Mr. Robertelli, the supervising partner, is also charged with breaching RPC 5.1(b) and (c), which impose ethical obligations on lawyers for the actions of attorneys they supervise.

While no New Jersey ethics opinion to date addresses “friending” individuals in connection with litigation, the bars of New York, New York City, Philadelphia, and San Diego have deemed it unethical.

These OAE charges, along with other New Jersey legal precedent, highlights the concerns and issues surrounding improper access to otherwise private social media content. 

Updating an earlier post, California A.B. 1844 is on its way to Gov. Jerry Brown. If signed into law, the bill would update California’s Labor Code to significantly limit when employers could ask employees and job applicants for social media passwords and account information. However, the law would still permit employers to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception would apply so long as the social media is used solely for purposes of that investigation or a related proceeding.

If A.B. 1844 becomes law, it would join Maryland and Illinois which have enacted similar laws.

One of the consequences faced by companies that neglect workplace privacy issues is the possibility of a defamation lawsuit. Human resources departments should be careful to limit information about employees and former employees, including the reasons for a termination or leave of absence, to those with a need to know. References and requests for references should be treated carefully lest a provably false statement lead to the loss of a job and result in litigation. Carefully crafted social media policies can also help mitigate the possibility of one employee smearing another on the Internet. 

Anecdotal evidence suggests the use of email and social media is increasing the potential for defamation claims arising out of the workplace. Never before has it been so easy to have a career ruined so publicly and so quickly. High unemployment has also raised the stakes for litigation involving one’s professional reputation. Many litigants decide to sue after they are unsuccessful finding a new job and feel they have no other choice.

Here is a link to an article I wrote for Bench & Bar magazine about Workplace Defamation Claims in Minnesota. Most of the concepts are applicable in other states as well.

 

"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children’s personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children’s untouched credit histories and other information is real.  

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes the 9-digit number issued by the Social Security Administration, but also "any number derived from such number," unless the number is encrypted.  So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.  

Here are some of the exceptions:  

  • The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provisions to mean a voluntary consent);
  • The SSN is expressly required by federal, state or local law or regulation; 
  • The SSN is used for internal verification or fraud investigation;
     
  • The SSN is requested for credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigating consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);
  • The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;
  • The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and
  • The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007)

The law does not provide for a private right of action; it is enforced by Attorney General of the State and carries a civil penalty for a first offense of not more the $500 per violation ($1,000 for second offenses). However, the law seems to suggest that so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties. 

The District Court of New Jersey recently denied an employer’s motion to dismiss a former employee’s causes of action for invasion of privacy following a supervisor’s alleged unauthorized access to the employee’s Facebook account. 

In Ehling v. Monmouth-Ocean Hospital Service Corp., the plaintiff, a registered nurse and paramedic, alleged that the defendants engaged in a pattern of retaliatory conduct as soon as she became President of the local union. Specifically, the plaintiff alleged that defendants gained access to her “private” Facebook account by having a supervisor summon another employee, who was “friends” with the plaintiff, into an office and coercing or threatening that employee into accessing their Facebook account so that the supervisor could view those posts which the plaintiff had restricted to only her “friends.”   Plaintiff went on to allege that the supervisor then viewed and copied plaintiff’s Facebook postings. One such post was in regard to a shooting that took place at the Holocaust Museum in Washington, DC and stated:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I wasn’t to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a different! WTF!!!! And to the other guards…go to target practice.

Ultimately, in June 2009 the Hospital sent letters regarding the above posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Plaintiff alleged the letters were malicious and meant to damage her professionally.

The Court dismissed plaintiff’s New Jersey Wiretapping and Electronic Surveillance Control Act (“NJ Wiretap Act”) claim holding that the NJ Wiretap Act only protects those electronic communications which are in the course of transmission or are backup to that course of transmission. As plaintiff’s allegations involve a “live” posting, it did not fall under the purview of the NJ Wiretap Act. 

However, the Court went on to hold that plaintiff’s common law invasion of privacy claim involving defendants’ unauthorized “accessing of her private Facebook postings” could proceed. In relying on another New Jersey district court case which involved a supervisor’s asking an employee to gain access to a private social media account, the Court held that privacy determinations are made on a case-by-case basis, in light of all the facts presented. The Court went on to hold that the plaintiff had a plausible claim for invasion of privacy as she may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing.   

As we have mentioned before, legal guidance involving the utilization of social media in employment decisions is ever evolving and employers must remain vigilant as courts continue to develop these cases.  

 In what could be a portend of broader actions to follow, the Federal Trade Commission (“FTC”) last week has settled a $2.6 million claim against an employment background screening company for perceived violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a) (the “FCRA”). U.S. v. HireRight Solutions, Inc.  This is the second-largest civil penalty obtained by the FTC against a private company for violations of the FCRA.

As employers increasingly rely on databrokers and credit reporting agencies to conduct background checks, they must review their background check providers’, as well as their own, policies and practices for legal compliance. Employer use of background report is increasingly under review by state and federal authorities. Employers that have failed to comply with the FCRA’s procedures in obtaining background reports regarding employees have also been sued and faced liability in several lawsuits in the past several years. 

 

As we have previously written, under recently-issued EEOC enforcement guidance, any employer seeking a criminal background check of a potential employee must engage in an individualized assessment of that individual to determine whether a background check is required. Employers also may want to look more closely at the methodologies their screening companies employ, and related representations made in service agreements, to ensure their vendors meet and continue to meet the increasing scrutiny on the screening process. 

 

READ ON…

 

Continue Reading The FTC Flexes Its Muscle In the Background Screening Industry

The Fourth Circuit recently held that the Consumer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to employer’s computer network to download confidential business information that he later used while working for a competitor.

Prior to his departure from his former employer, the defendant downloaded proprietary information from the plaintiff’s network which he allegedly used to win a contract for business. The plaintiff filed a civil lawsuit against defendant, alleging, among other things, that he violated the CFAA when he downloaded its proprietary information. Specifically, the plaintiff alleged that its policy prohibited employees from downloading confidential and proprietary information to a personal computer. 

In dismissing the CFAA claim, the trial court held, and the Fourth Circuit affirmed, that this policy only regulated the use of company information, not accessing that information.  Accordingly, a violation of the policy would not support liability under the CFAA’s authorized access provisions. The court ruled that the CFAA prohibits unauthorized acts of obtaining and altering information from a protected computer, not using without authority lawfully accessed information. Because the employee in this case was permitted to have access to the information at the time he downloaded it, his later use of that information for a subsequent employer did not violate the CFAA.

By its holding, the court agreed with the Ninth Circuit.  However, the court rejected the Seventh Circuit’s reading of the CFAA that an employee loses lawful authority to access an employer’s computer network if the access violates the employee’s fiduciary duty of loyalty to the employer. The Fifth and Eleventh Circuit have similarly held that employees will exceed authorized access under the CFAA whenever they go beyond their authorized access. 

While this decision may have limited Fourth Circuit employers’ ability to seek legal action against departing employees under the CFAA, employers in other jurisdictions, as highlighted above, must still consider what remedies may be available under the CFAA.  

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee’s house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU’s policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency’s scrutiny following a data breach.    

Before addressing the privacy of employee social media activity as in Maryland and Illinois, Delaware has become the first state to prohibit public or nonpublic academic institutions from requesting or requiring current students or applicants to "disclose any password or other related account information in order to gain access to the student’s or applicant’s social networking site profile or account by way of an electronic communication device." The law, called the "Higher Education Privacy Act" was signed into law on July 20 by Gov. Jack Markell and becomes effective upon enactment.

 

Continue Reading Delaware’s Higher Education Privacy Act Becomes Law