2. Student Sues Cheerleading Coach, School District for Facebook Incident
A Mississippi high school cheerleader filed suit against her coach and school district, claiming that her coach logged into her Facebook account and distributed material that led to her dismissal from the team.217 The student, Mandi Jackson, claims Tommie Hill, the cheerleading coach at Pearl High School in Pearl, Miss., asked each member of the cheerleading squad on Sept. 10, 2007, to provide her with the passwords to their Facebook accounts. Jackson claims she did not know what to do other than to turn over her password to “an authority figure.”218 Hill then accessed her Facebook account the same day and “disseminated the information” to other teachers, cheerleading coaches, the principal and superintendent, according the complaint.
The complaint, filed June 16, 2009, in U.S. District Court for the Southern District of Mississippi, does not specify the precise content Hill passed along from Jackson’s Facebook account, other than to say district officials “publicly reprimanded, punished and humiliated Jackson for a private discussion between Jackson and another student.” The Student Press Law Center reported the discussion included “an exchange of profanity-laced messages between Jackson and the cheerleading captain in which Jackson asked the student to ‘stop harassing’ several of the cheerleaders.”219 As a result, Jackson was forced to sit out of cheer and dance training and other school sponsored events, according to the complaint.
The suit, filed on behalf of Jackson by her parents, seeks more than $100 million in damages for violations to Jackson’s constitutional rights to privacy, free speech, free association and due process. The suit also includes claims for defamation, intentional infliction of emotional distress and cruel and unusual punishment.
B. Be Wary of Writing Reviews on LinkedIn
Management-side attorneys are warning employers against writing reviews on LinkedIn, the business networking site that contains recommendations for job candidates. The attorneys advise that since most of the reviews on LinkedIn are positive, plaintiffs lawyers could use them in wrongful termination suits to dispute claims a worker was let go for poor performance.220
“Just don’t do it,” advised Carolyn Plump, an attorney and partner at Mitts Milavec in Philadelphia. “Generally, my advice is that I think employers are often better served by merely stating dates of employment, positions with the company and salary, and staying away from much more because there are so many potential ramifications if they say something.”221
A recommendation could also work against a plaintiff in certain situations. If a supervisor treated all workers equally by writing positives reviews about everyone, that could help disprove a discrimination claim, said Linda Friedman, an employee rights attorney at Stowell & Friedman in Chicago. She added that employers could explain a positive review as an attempt to help a person who had just lost his job.222
LinkedIn has already been cited in at least one employment-related dispute. In Kelly Services Inc. v. Marzullo, 591 F. Supp. 2d 924 (E.D. Mich. 2008), the Michigan-based staffing services company cited the LinkedIn profile of a former employee who went to work for a competitor. The company persuaded the court to issue a preliminary injunction enforcing a non-competition agreement that limited the worker’s role with his new employer.
C. Confusion and Abuses of FERPA
An investigation by The Columbus (Ohio) Dispatch found that the nation’s biggest athletic programs interpret the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232(g) et seq., in vastly different ways.223 Also known as the Buckley Amendment, FERPA was passed in 1974 to require educational institutions that receive federal funds to meet privacy requirements regarding the “education records” of students or face the loss of that funding. The newspaper’s findings have sparked a debate over a statute that has long created obstacles for journalists and led to a movement urging Congress to clarify how schools should apply the law.224
1. Findings By the Newspaper
The Dispatch submitted public records requests to 119 colleges and universities in the National Collegiate Athletic Association’s Football Bowl Subdivision requesting records that generally would not pertain to student athletes’ grades or academic performance, but could offer insight on how the sports programs operate. The newspaper requested airplane flight manifests for football team travel to road games, lists of people designated to receive athletes’ complimentary admission to football games, football players’ summer employment documents, and reports of NCAA rules violations.
Of the 69 schools that responded to the request, The Dispatch reported that more than 80 percent released unedited information about ticket lists, about half did not censor flight manifests, 20 percent gave full information about football players’ summer jobs, and 10 percent provided unedited information about rules violations.
2. What is an ‘Education Record?’
The Dispatch reported that the primary cause for the disparity in disclosure, sometimes between different schools in the same state, came from the schools’ interpretations of what qualifies as “education records.” FERPA defines “education records” as records that “contain information directly related to a student” and “are maintained by an educational agency or institution or by a person acting for such agency or institution.”225 According to the statute, “education records” do not include administrative or instructional notes or records that are not available to anyone aside from their creator; records maintained by the institution’s law enforcement unit; employee records that “related exclusively to the individual in that individual’s capacity as an employee” (as opposed to a student’s work-study records, which are considered “education records” under 34 C.F.R. § 99.3); medical records; “records created or received by an . . . institution after an individual is no longer a student in attendance and that are not directly related to the individual’s attendance as a student;” or “grades on peer-graded papers before they are collected and recorded by a teacher.”226
In December 2008, the Department of Education modified its interpretation of “education records” by expanding the definition of “personally identifiable information.” The definition under the revised rule includes not only a student’s name, address, and social security number, but also information that could lead the requester to identify the student “with reasonable certainty” and “information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.”227
3. Report Spurs Calls to Clarify FERPA
The Dispatch report prompted an effort to re-examine FERPA. The author of the law, former Sen. James L. Buckley (R-N.Y.), said that extending the law to athletes who have gambled or cheated, coaches who have broken recruiting rules, or boosters who offer free meals or no-work jobs to players is “not what we intended.” He added that “the law needs to be revamped” because “institutions are putting their own meaning into the law.”228
Sen. Sherrod Brown (D-Ohio) sent a letter to the Assistant Education Secretary Carmel Martin that asked the department to “take additional steps to clarify for students, parents, colleges, universities, and the public what is an educational record.”229 Paul Gammill, head of the Education Department’s Family Policy Compliance Office, said the Dispatch investigation led his office to take a closer look at how schools apply FERPA because of apparent differences in the interpretation of the law.230 Gammill added that while his office advises institutions on compliance, any changes in the law would have to be made by Congress.231
D. Split Develops in Application of Computer Fraud
and Abuse Act
As companies downsize in the current economic crisis, some terminated employees steal data to improve their job prospects with a new employer.232 This may lead to an increase in litigation involving the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and further expose a split in judicial interpretations of the CFAA. The CFAA criminalizes the theft of computer data and enables a company that “suffers damage or loss” through a CFAA violation to pursue damages and injunctive relief against the violator in a civil action. Four of the seven violations of the CFAA require an employer to show that the worker’s access to the company’s computers was “without authorization” or “exceeds authorized access.” The CFAA does not define “without authorization,” but defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”233
Nick Akerman, a partner in Dorsey & Whitney’s New York office, identified Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) as the leading authority for using the CFAA against workers who steal their employers’ data.234 In Citrin, the Seventh Circuit held that an employee’s authorization to use company computers is based on his “agency relationship” with the employer, and this relationship is voided when the worker violates “his duty of loyalty” to the employer, such as by accessing a computer to steal data. Courts have since offered conflicting rulings on whether an employee’s alleged violation of the CFAA hinges on his authorization to access the data or his intent in doing so.
1. ‘Authorized Access’ Does Not Violate
CFAA
Many district courts have departed from Citrin and have held that “access to a protected computer occurs ‘without authorization’ only when initial access is not permitted, and a violation for ‘exceeding authorized access’ occurs only when initial access to the computer is permitted but the access of certain information is not permitted.”235 This line of reasoning focuses on the “use” of the access rather than the “intent” of the departing employee.236
For example, in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 963 (D. Ariz. 2008), the court dismissed an employer’s claim against an employee who e-mailed confidential company information to himself before he went to work for a competitor. Since the employee had authorization to view the files he e-mailed to himself, the court found that the worker did not access the information “without authorization” or in a manner that “exceeded authorized access.”237
2. Personal Gain Can Constitute CFAA Violation
Another line of cases emphasizes the intent of an employee’s actions so that once he is “working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.”238 In addition to Citrin, Akerman believes decisions in three other circuit courts support “sanctioning use of the CFAA against employees” when their “agency relationship” with the employer ends.239
In U.S. v. Nosal, 2009 WL 981336 at *7 (N.D. Calif. 2009), the court refused to dismiss criminal charges against a former “high level executive at an international executive search firm” who stole competitively sensitive data from his employer’s computer before he left the firm. The defendant argued that the CFAA generally applied to hackers or other “outsiders,” and not to employees who “abuse computer access privileges to misuse information derived from their employment.” The court rejected this argument and instead focused on the worker’s intent to use the information fraudulently at the time it was accessed.
3. Judicial Advice to Businesses
With the current uncertainty in how courts will apply the CFAA, U.S. District Court Judge James I. Cohn of the Southern District of Florida suggested that businesses can help protect themselves by drafting detailed policies on the scope of employees’ use of work computers. “Though the district court decisions on this issue are in dispute, an employer . . . clearly has a right to control and define authorization to access its own computer systems,” Cohn wrote, finding that an employer had a substantial likelihood of succeeding on a CFAA claim by showing that a worker downloaded files she did not need for business purposes during a time when she was negotiating to leave her employer for a competitor.240
E. Limits to What Employers Can Know, Say About Employees
1. Jury Finds Restaurant Managers Violated Privacy of Workers
A federal jury in Newark, N.J., found that restaurant managers who monitored employees’ workplace complaints in a MySpace group violated federal and state privacy laws that protect Web communications.241 Brian Pietrylo and Doreen Marino, employees at a Houston’s restaurant in Hackensack, N.J., created an invitation-only, password-protected MySpace group designed for workers to “vent about any BS we deal with [at] work without any outside eyes spying on us.”242 Comments on the site included sexual remarks about management and restaurant customers as well as references to violence and illegal drug use.
Restaurant management learned of the site and asked a greeter at the restaurant for her password. The circumstances surrounding the request were critical to the resolution of the case. The greeter testified that she knew she “was going to get in trouble or something was going to happen” if she did not provide her password.243 After managers accessed the forum multiple times, Pietrylo and Marino were fired. On its verdict form, the jury answered affirmatively that the MySpace group was “a place of solitude and seclusion” designed to protect users’ private affairs. However, the jury answered “No” to the question of whether users should have a reasonable expectation of privacy in the group. “The argument of coercion is the only aspect of this that gave the plaintiff success,” said Bernard W. Bell, a professor at Rutgers Law School who teaches privacy law. “If you are distributing these comments, or posting these comments, on a site that is not password protected, there is very little argument that there is an invasion of privacy.”244
In a July 2008 ruling, U.S. District Court Judge Faith Hochberg denied summary judgment to the Beverly Hills, Calif.-based Hillstone Restaurant Group on the workers’ claims of wrongful termination, invasion of privacy and violations of the Stored Communications Act, 18 U.S.C. §§ 2701-11, and the parallel provision of the New Jersey Act, N.J.S.A. 2A: 156A-27. Hochberg dismissed a claim that the restaurant violated the workers’ rights to free speech.245 The jury awarded a total of $3,400 in back pay and $13,600 in punitive damages.
2. Workers Had ‘Expectation of Privacy’ in Text Messages
In Quon v. Arch Wireless, 529 F.3d 892, 910-11 (9th Cir. 2008), the Ninth Circuit overturned a district court ruling and found that the city of Ontario, Calif., and Arch Wireless, a provider of text messaging pagers, violated the privacy rights of police officers under the Fourth Amendment and California Constitution by searching the content of text messages on their work-issued pagers without their consent.
The city of Ontario had an informal policy that it would not look at the content of the messages as long as the officers paid for any overage charges that accrued as a result of using the text messaging pagers for personal use. When a lieutenant got “tired of being a bill collector with guys going over the allotted amount of characters on their text pages,” the police chief ordered an audit of the messages to determine if officers were sending too many text messages on city time or an increase was needed in the number of characters allotted to officers each month.246 The audit revealed one officer had gone over his limit by 15,158 characters and that many of the messages were sexually explicit.247
The court determined that Arch provided an electronic communication service (ECS) as opposed to a remote computing service (RCS). Both an ECS and RCS can release private information to, or with the lawful consent of, “an addressee or intended recipient of such communication, while only an RCS can release such information “with the lawful consent of . . . the subscriber.”248 The court found it undisputed that the city was not an “addressee or intended” recipient,” but a “subscriber,” so the officers had “a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”249
3. Fired Worker Claims Employer Accessed Personal E-mail
A terminated worker claims his employer violated federal and state privacy laws by accessing his personal e-mail account and using the contents of e-mails against him in his termination dispute.250 Scott Sidell was fired from his job as chief executive officer of Structured Settlement Investments on Aug. 24, 2007. Before he left the company’s office building in Norwalk, Conn., Sidell accessed his personal Yahoo! e-mail account, but did not log off, enabling the account to be accessed for up to two weeks without a password, according to his compliant. Sidell claims his employer accessed his personal e-mails and shared them with the attorneys representing the company in his termination dispute. Sidell alleged violations of the Electronic Communications Privacy Act, 18 U.S.C. § 2510, the Stored Communications Act, 18 U.S.C. § 2701 and similar Connecticut state laws.
Based on an employment agreement to arbitrate all claims, U.S. District Court Judge Vanessa L. Bryant on Jan. 14, 2009, ordered that an arbitrator should first decide whether to exercise jurisdiction over Sidell’s invasion of privacy claims in addition to the wrongful termination dispute.251 If the arbitrator declines jurisdiction, Sidell can re-file his suit. Sidell had yet to re-file his suit as of early August.
F. N.J. Law Would Prohibit Prosecuting Teens for
‘Sexting’
Instead of prosecuting teenagers who e-mail, text message or post nude or sexually suggestive photos online, a proposed New Jersey law would give prosecutors the option of placing minors in a diversionary program. Sponsors of identical bills252 introduced in June 2009 in the New Jersey Assembly and Senate say that teenagers who distribute such material, a practice known as “sexting,” often do so out of a need for approval or a lack of confidence, and that the law should reflect their lack of criminal intent.253
The introductory statements to each of the bills identify “sexting” and teenagers posting sexual images online as “nationwide problems that have perplexed parents, school administrators, and law enforcement officials.” In March 2009, the Passaic County (N.J.) Sheriff’s Department charged a 14-year-old girl with distribution of child pornography after she posted nude photos of herself on MySpace.254 Prosecutors later agreed to drop the charges if the girl received counseling and stayed out of trouble for six months.255
According to the bills, county prosecutors would have discretion to admit a minor to the educational program that would focus on the consequences of sexting, including its affect on relationships and employment prospects. The New Jersey Attorney General’s Office would develop the precise makeup of the program that would be an option for those charged under N.J.S.A. 2C:24-4, which governs endangering the welfare of a child. Those who successfully complete the program would be able to avoid prosecution.
State lawmakers also introduced bills in June 2009 that would require schools to distribute information to students in grades six through twelve on the dangers of electronically sending sexually explicit images.256 Other bills would require stores that sell cellular phones to provide information on sexting to phone purchasers.257
V. SOCIAL NETWORKING SITES: PRIVACY CONCERNS AND POTENTIAL
PITFALLS OF USE
A. EU Regulators Recommend Stricter Rules
In June 2009, a group of European Union regulators recommended social networking sites (SNS) implement a host of reforms to comply with EU law, including prohibiting users from posting photos of others without their consent.258 Other measures highlighted by the council of EU regulators, known as the Article 29 Working Party, involve deleting personal information when a user deletes an account and setting up a homepage link to a “complaint handling office” that deals with privacy and data protection issues.
The working party framed its recommendations to require SNS to comply with the EU’s Data Protection Directive259 “even if their headquarters are located outside” of the European Economic Area. The working party’s opinion is not binding, but often serves as an indication for the future direction of legislation at the national and EU levels.260 If these recommendations are adopted in their current or slightly altered terms, SNS such as Facebook and MySpace will have to alter some of their practices. Facebook has hired Richard Allan, the former head of European regulatory affairs for Cisco, to lobby EU governments on its behalf.261
In preparing its opinion, the working party drew on previous recommendations made by the Berlin International Working Group on Data Protection in Telecommunications,262 the Resolution on Privacy Protection in Social Network Services,263 and a position paper published in October 2007 by the European Network and Information Security Agency.264
1. Tagging Photos
Facebook users currently do not need permission to post photos on their personal profiles and “tag,” or identify, friends by name with a link to the profile of the tagged person. The working party wants SNS to require users who post pictures or information about others to first get the individual’s permission. To achieve this, the working party suggests SNS create space on users’ personal home pages that lists the photos seeking to tag a user. A user would then be able to review the photos and consent to be tagged before the photos can be posted for others to view.
2. Retention of Personal Data
The working party wants SNS to adopt higher standards for the deletion of personal data. These include deleting personal data “as soon as either the user or the SNS provider decides to delete the account.” In addition, when a user updates his profile, the former account information should not be retained. When a user does not log into a SNS account for a specific period of time, the profile should be blocked from view of other users and after another set time period, the account should be deleted after trying to notify the user.
The recommendations also encouraged setting parameters regarding the collection of “sensitive data,” which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and information about one’s health or sex life. The sites should make clear to users that answering such questions is voluntary. Facebook currently has options for users to enter their religious and political preferences; however, doing so is not required to create a profile.
Share with your friends: |