Published in Citations on Aug. 1, 2014. 

By JILL FRIEDMAN

Social media blew up over the US Supreme Court’s June 30 decision in Hobby Lobby. The uproar nearly squelched any chatter about the Court’s historic, nearly unanimous opinion just five days earlier in Riley v. California and United States v. Wurie, which were combined into one decision (collectively “Riley”). Both cases in Riley involve whether and how to apply the "search incident to arrest" doctrine to cell phones that police find in the possession of an arrestee. The Supreme Court held that police may not examine the digital contents of an arrestee’s cell phone as part of a search incident to arrest. 

The Riley case was a huge Fourth Amendment decision, but more importantly for civil practitioners, the US Supreme Court recognized for the first time the huge potential for invasion of privacy related to searches of digital data. The Court specifically said that a typical cell phone contains extensive data that allows a viewer to learn information about every feature of the cell phone owner’s life. Chief Justice Roberts, writing for the majority (all justices joined, with Justice Alito concurring in part and concurring in the judgment), noted, “Indeed, a cell phone search would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form – unless the phone is.” This was the first US Supreme Court ruling on privacy in the digital age, and its impact is expected to extend well beyond personal cell phone usage.

Law constantly struggles to keep pace with technology. As employers attempt to keep up with technology, the boundaries between business interests and employees’ privacy rights often become blurred. For example, while an employer may be tempted to review a job candidate’s social media posts, potential liability looms when snooping social media sites leads to discrimination. What happens when an employer hires someone else after discovering through social media that a potential employee is disabled, a member of a religious or political minority group, or is in a same-sex marriage? It may be difficult to prove that the information was not used in making the hiring decision if evidence shows that the search was conducted. Even if the employer ultimately prevails, it is an expensive exercise in employer rights versus First Amendment freedoms.

The lines become less defined in the workplace. What happens when employees use company-owned cell phones or work from home using company-owned computers? What happens when an employee uses company-owned equipment to post on social media, such as Facebook, Twitter, and Instagram? The Riley decision gives us a glimpse of where the law might be heading in this regard, but it is still largely unchartered territory. 

Certainly an employer can access an employee’s social media activity that is available to the general public. An employer may also monitor an employee’s social media activity where the activity takes place using employer-issued equipment or on an employer owned network. But what does an employer do with information gained through social media? Employee use of social media can raise a whole host of issues, including disclosure of the employer’s confidential, privileged and proprietary information — all of which an employer would be legitimately have an interested.

The federal Stored Communications Act (the “SCA”) protects stored electronic communications that are configured to be private. Courts have found that social media activity, such as non-public Facebook posts, is protected under the SCA. Therefore, an employer potentially violates the SCA where it accesses an employee’s non-public Facebook posts without the employee’s authorization. 

Some statutes help define the boundaries, but are by no means definitive. California Labor Code section 980, enacted in 2012, prohibits an employer from requesting a job applicant or employee for access to his or her social media, except in limited circumstances. Section (b) of the statute provides that an employer may not “require or request” a job applicant or employee to do any of the following: (1) Disclose a username or password for the purpose of accessing personal social media; (2) Access personal social media in the presence of the employer; or (3) Divulge any personal social media. However, an employer may request that the employee “divulge any personal social media” if it is relevant to a formal investigation. The statute does not preclude an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.

Where an employer elects to monitor its employees’ social media activity, the employer must proceed carefully if and when it uses the information learned to discipline or terminate an employee. Terminating or disciplining an employee based on information gained through monitoring the employee’s social media activity potentially violates existing law. For example, the National Labor Relations Act (“NLRA”) protects the right of employees to engage in concerted activities. Generally, this requires two or more employees acting together to improve wages or working conditions, but the action of a single employee may be considered concerted if he or she involves co-workers before acting, or acts on behalf of others. An employer who is considering terminating or disciplining the employee after learning that an employee is making derogatory posts about the employer on his or her Facebook page that are shared with other co-workers, should consider whether the employee’s posts would be considered concerted activity protected by the NLRA.

Any employer who intends to monitor its employees’ social media activity on employer-issued equipment or employer-owned networks should disseminate written policies that inform employees that they have no expectation of privacy for any social media activity sent or received on employer-owned networks or using employer-issued equipment and that all such communications and activity may be monitored. In a litigation context, such policies help demonstrate that employees do not have a reasonable expectation of privacy in any activity they conduct on an employer’s network or using an employer’s equipment.

Even with such policies in place, employers do not have free reign. An employer should only use legal means to monitor an employee’s social media activity, regardless of the equipment or network on which this activity takes place. For example, an employer can access an employee’s social media accounts that are generally available to the public. However, an employer should never attempt to gain access to an employee’s private social media account through the use of deceptive means, like using a false identity or by obtaining the employee’s private password from a friend or coworker.

“Privacy comes at a cost,” wrote Roberts in Riley. Employers who monitor their employees’ and potential employees’ social media posts may end up paying the price. Time will tell where the line is to be drawn between employers’ interests and employees’ privacy rights. In the meantime, however, employers should be on their toes, ready to adapt to the changing landscape of privacy rights in the digital age.