Student Sues Cheerleading Coach, School District for Facebook Incident

The complaint, filed June 16, 2009, in U.S. District Court for the Southern District of Mississippi, does not specify the precise content Hill passed along from Jackson’s Facebook account, other than to say district officials “publicly reprimanded, punished and humiliated Jackson for a private discussion between Jackson and another student.” The Student Press Law Center reported the discussion included “an exchange of profanity-laced messages between Jackson and the cheerleading captain in which Jackson asked the student to ‘stop harassing’ several of the cheerleaders.”²¹⁹ As a result, Jackson was forced to sit out of cheer and dance training and other school sponsored events, according to the complaint.

The suit, filed on behalf of Jackson by her parents, seeks more than $100 million in damages for violations to Jackson’s constitutional rights to privacy, free speech, free association and due process. The suit also includes claims for defamation, intentional infliction of emotional distress and cruel and unusual punishment.
B. Be Wary of Writing Reviews on LinkedIn
Management-side attorneys are warning employers against writing reviews on LinkedIn, the business networking site that contains recommendations for job candidates. The attorneys advise that since most of the reviews on LinkedIn are positive, plaintiffs lawyers could use them in wrongful termination suits to dispute claims a worker was let go for poor performance.²²⁰

“Just don’t do it,” advised Carolyn Plump, an attorney and partner at Mitts Milavec in Philadelphia. “Generally, my advice is that I think employers are often better served by merely stating dates of employment, positions with the company and salary, and staying away from much more because there are so many potential ramifications if they say something.”²²¹

A recommendation could also work against a plaintiff in certain situations. If a supervisor treated all workers equally by writing positives reviews about everyone, that could help disprove a discrimination claim, said Linda Friedman, an employee rights attorney at Stowell & Friedman in Chicago. She added that employers could explain a positive review as an attempt to help a person who had just lost his job.²²²

LinkedIn has already been cited in at least one employment-related dispute. In Kelly Services Inc. v. Marzullo, 591 F. Supp. 2d 924 (E.D. Mich. 2008), the Michigan-based staffing services company cited the LinkedIn profile of a former employee who went to work for a competitor. The company persuaded the court to issue a preliminary injunction enforcing a non-competition agreement that limited the worker’s role with his new employer.

Of the 69 schools that responded to the request, The Dispatch reported that more than 80 percent released unedited information about ticket lists, about half did not censor flight manifests, 20 percent gave full information about football players’ summer jobs, and 10 percent provided unedited information about rules violations.

In December 2008, the Department of Education modified its interpretation of “education records” by expanding the definition of “personally identifiable information.” The definition under the revised rule includes not only a student’s name, address, and social security number, but also information that could lead the requester to identify the student “with reasonable certainty” and “information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.”²²⁷

Sen. Sherrod Brown (D-Ohio) sent a letter to the Assistant Education Secretary Carmel Martin that asked the department to “take additional steps to clarify for students, parents, colleges, universities, and the public what is an educational record.”²²⁹ Paul Gammill, head of the Education Department’s Family Policy Compliance Office, said the Dispatch investigation led his office to take a closer look at how schools apply FERPA because of apparent differences in the interpretation of the law.²³⁰ Gammill added that while his office advises institutions on compliance, any changes in the law would have to be made by Congress.²³¹

Nick Akerman, a partner in Dorsey & Whitney’s New York office, identified Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) as the leading authority for using the CFAA against workers who steal their employers’ data.²³⁴ In Citrin, the Seventh Circuit held that an employee’s authorization to use company computers is based on his “agency relationship” with the employer, and this relationship is voided when the worker violates “his duty of loyalty” to the employer, such as by accessing a computer to steal data. Courts have since offered conflicting rulings on whether an employee’s alleged violation of the CFAA hinges on his authorization to access the data or his intent in doing so.

For example, in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 963 (D. Ariz. 2008), the court dismissed an employer’s claim against an employee who e-mailed confidential company information to himself before he went to work for a competitor. Since the employee had authorization to view the files he e-mailed to himself, the court found that the worker did not access the information “without authorization” or in a manner that “exceeded authorized access.”²³⁷

In U.S. v. Nosal, 2009 WL 981336 at *7 (N.D. Calif. 2009), the court refused to dismiss criminal charges against a former “high level executive at an international executive search firm” who stole competitively sensitive data from his employer’s computer before he left the firm. The defendant argued that the CFAA generally applied to hackers or other “outsiders,” and not to employees who “abuse computer access privileges to misuse information derived from their employment.” The court rejected this argument and instead focused on the worker’s intent to use the information fraudulently at the time it was accessed.

Restaurant management learned of the site and asked a greeter at the restaurant for her password. The circumstances surrounding the request were critical to the resolution of the case. The greeter testified that she knew she “was going to get in trouble or something was going to happen” if she did not provide her password.²⁴³ After managers accessed the forum multiple times, Pietrylo and Marino were fired. On its verdict form, the jury answered affirmatively that the MySpace group was “a place of solitude and seclusion” designed to protect users’ private affairs. However, the jury answered “No” to the question of whether users should have a reasonable expectation of privacy in the group. “The argument of coercion is the only aspect of this that gave the plaintiff success,” said Bernard W. Bell, a professor at Rutgers Law School who teaches privacy law. “If you are distributing these comments, or posting these comments, on a site that is not password protected, there is very little argument that there is an invasion of privacy.”²⁴⁴

In a July 2008 ruling, U.S. District Court Judge Faith Hochberg denied summary judgment to the Beverly Hills, Calif.-based Hillstone Restaurant Group on the workers’ claims of wrongful termination, invasion of privacy and violations of the Stored Communications Act, 18 U.S.C. §§ 2701-11, and the parallel provision of the New Jersey Act, N.J.S.A. 2A: 156A-27. Hochberg dismissed a claim that the restaurant violated the workers’ rights to free speech.²⁴⁵ The jury awarded a total of $3,400 in back pay and $13,600 in punitive damages.
2. Workers Had ‘Expectation of Privacy’ in Text Messages
In Quon v. Arch Wireless, 529 F.3d 892, 910-11 (9th Cir. 2008), the Ninth Circuit overturned a district court ruling and found that the city of Ontario, Calif., and Arch Wireless, a provider of text messaging pagers, violated the privacy rights of police officers under the Fourth Amendment and California Constitution by searching the content of text messages on their work-issued pagers without their consent.

The city of Ontario had an informal policy that it would not look at the content of the messages as long as the officers paid for any overage charges that accrued as a result of using the text messaging pagers for personal use. When a lieutenant got “tired of being a bill collector with guys going over the allotted amount of characters on their text pages,” the police chief ordered an audit of the messages to determine if officers were sending too many text messages on city time or an increase was needed in the number of characters allotted to officers each month.²⁴⁶ The audit revealed one officer had gone over his limit by 15,158 characters and that many of the messages were sexually explicit.²⁴⁷

The court determined that Arch provided an electronic communication service (ECS) as opposed to a remote computing service (RCS). Both an ECS and RCS can release private information to, or with the lawful consent of, “an addressee or intended recipient of such communication, while only an RCS can release such information “with the lawful consent of . . . the subscriber.”²⁴⁸ The court found it undisputed that the city was not an “addressee or intended” recipient,” but a “subscriber,” so the officers had “a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”²⁴⁹
3. Fired Worker Claims Employer Accessed Personal E-mail
A terminated worker claims his employer violated federal and state privacy laws by accessing his personal e-mail account and using the contents of e-mails against him in his termination dispute.²⁵⁰ Scott Sidell was fired from his job as chief executive officer of Structured Settlement Investments on Aug. 24, 2007. Before he left the company’s office building in Norwalk, Conn., Sidell accessed his personal Yahoo! e-mail account, but did not log off, enabling the account to be accessed for up to two weeks without a password, according to his compliant. Sidell claims his employer accessed his personal e-mails and shared them with the attorneys representing the company in his termination dispute. Sidell alleged violations of the Electronic Communications Privacy Act, 18 U.S.C. § 2510, the Stored Communications Act, 18 U.S.C. § 2701 and similar Connecticut state laws.

Based on an employment agreement to arbitrate all claims, U.S. District Court Judge Vanessa L. Bryant on Jan. 14, 2009, ordered that an arbitrator should first decide whether to exercise jurisdiction over Sidell’s invasion of privacy claims in addition to the wrongful termination dispute.²⁵¹ If the arbitrator declines jurisdiction, Sidell can re-file his suit. Sidell had yet to re-file his suit as of early August.

‘Sexting’

The introductory statements to each of the bills identify “sexting” and teenagers posting sexual images online as “nationwide problems that have perplexed parents, school administrators, and law enforcement officials.” In March 2009, the Passaic County (N.J.) Sheriff’s Department charged a 14-year-old girl with distribution of child pornography after she posted nude photos of herself on MySpace.²⁵⁴ Prosecutors later agreed to drop the charges if the girl received counseling and stayed out of trouble for six months.²⁵⁵

According to the bills, county prosecutors would have discretion to admit a minor to the educational program that would focus on the consequences of sexting, including its affect on relationships and employment prospects. The New Jersey Attorney General’s Office would develop the precise makeup of the program that would be an option for those charged under N.J.S.A. 2C:24-4, which governs endangering the welfare of a child. Those who successfully complete the program would be able to avoid prosecution.

State lawmakers also introduced bills in June 2009 that would require schools to distribute information to students in grades six through twelve on the dangers of electronically sending sexually explicit images.²⁵⁶ Other bills would require stores that sell cellular phones to provide information on sexting to phone purchasers.²⁵⁷

The working party framed its recommendations to require SNS to comply with the EU’s Data Protection Directive²⁵⁹ “even if their headquarters are located outside” of the European Economic Area. The working party’s opinion is not binding, but often serves as an indication for the future direction of legislation at the national and EU levels.²⁶⁰ If these recommendations are adopted in their current or slightly altered terms, SNS such as Facebook and MySpace will have to alter some of their practices. Facebook has hired Richard Allan, the former head of European regulatory affairs for Cisco, to lobby EU governments on its behalf.²⁶¹

In preparing its opinion, the working party drew on previous recommendations made by the Berlin International Working Group on Data Protection in Telecommunications,²⁶² the Resolution on Privacy Protection in Social Network Services,²⁶³ and a position paper published in October 2007 by the European Network and Information Security Agency.²⁶⁴
1. Tagging Photos
Facebook users currently do not need permission to post photos on their personal profiles and “tag,” or identify, friends by name with a link to the profile of the tagged person. The working party wants SNS to require users who post pictures or information about others to first get the individual’s permission. To achieve this, the working party suggests SNS create space on users’ personal home pages that lists the photos seeking to tag a user. A user would then be able to review the photos and consent to be tagged before the photos can be posted for others to view.
2. Retention of Personal Data
The working party wants SNS to adopt higher standards for the deletion of personal data. These include deleting personal data “as soon as either the user or the SNS provider decides to delete the account.” In addition, when a user updates his profile, the former account information should not be retained. When a user does not log into a SNS account for a specific period of time, the profile should be blocked from view of other users and after another set time period, the account should be deleted after trying to notify the user.

The recommendations also encouraged setting parameters regarding the collection of “sensitive data,” which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and information about one’s health or sex life. The sites should make clear to users that answering such questions is voluntary. Facebook currently has options for users to enter their religious and political preferences; however, doing so is not required to create a profile.