If an employer is going to monitor the online activities of its employees, it must strike a careful balance to avoid violating privacy rights. Although companies may think they are protected by policies stating that all activities conducted on company computers may be monitored, such policies are often limited in their reach. The fact that an employee has accessed her Facebook account from work, for instance, does not mean that the employer has free reign to log onto the employee's Facebook account and poke around. Furthermore, employees may retain a right to privacy in certain cases on public policy grounds regardless of policies. Courts have held, for example, that the right to confidentiality in attorney/client communications made from a work computer override the employer's monitoring policy.
Employers can also be liable under state and federal statutes such as the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and various wiretapping laws, as well as common law invasion of privacy theories. One restaurant chain was held liable for accessing a password-protected MySpace site used by employees. After learning that the site was used to bad mouth the company, the employer convinced an employee, allegedly under duress, to turn over the password to company officials. The employees successfully sued under a state privacy law and the Stored Communications Act.
What you know can also hurt you. Information learned by an organization through employee monitoring may trigger further legal obligations. A company may be liable if it learns an employee is using company computers for unlawful activity and does not intervene. One New Jersey court allowed a plaintiff to file suit against her ex-husband's employer, claiming that it knew he was accessing illegal pornography at work but failed to act. The ex-husband allegedly posted nude photos of his former stepdaughter.
Another exposure comes from information an employer learns that can be used in discrimination suits regarding wrongful termination or other employment actions. For this reason, companies that choose to use social media to monitor employees should (a) identify the categories of information that the employer can legally use; and (b) monitor employees uniformly.
Lastly, companies should obtain employee acknowledgment of policies dictating the extent to which activities may be monitored. Having set these boundaries, an employer should not deviate from them, even if there appears to be implied consent. A federal court in New York, for instance, ruled that the fact that an employee left passwords at his desk did not mean that he had consented to his employer accessing his accounts.
The other major area of risk arises before an employee ever becomes an employee: pre-employment screening. Routine screening of job applicants can lead to various problems, chiefly, exposing yourself to a discrimination lawsuit. Instead of finding red flags, such as drug use or criminal activity, the employer is more likely to discover previously unknown information regarding the applicant's race, age, religion, sexual orientation or disability. This data, as well as other info that employers are legally prohibited from using as hiring criteria, is widely available online.
If the employer does not hire the screened applicant -- even if the decision has nothing to do with the online search -- the fact that the employer knows this information is something that can be used against the employer in a discrimination or retaliation lawsuit. This is doubly true if the applicant knows the company screens possible hires. Many social media sites allow users to track who has accessed their profiles, and courts may, in some circumstances, order subpoenas to determine the identities of people who have visited a site. If it is revealed to be a person involved in the hiring decision, a lawsuit may follow.
__________
Written by Jon Vegosen:
Jon Vegosen is a partner at the Chicago law firm of Funkhouser Vegosen Liebman & Dunn Ltd.