Category Archives: Employment

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

Plaintiff failed to show that Facebook pics supported hostile workplace claim

Jabbar v. Travel Services, Inc., 2010 WL 3563112 (D.Puerto Rico September 10, 2010)

Plaintiff sued her former employer for racial discrimination. The court granted summary judgment in favor of the employer, finding there was not enough evidence to go to trial on plaintiff’s claim. Plaintiff asked the court to reconsider the judgment against her. The court held its ground.

One of the assertions that plaintiff made was that someone from work had posted a discriminatory comment on a Facebook photo taken at a company outing.

The court found there was no evidence apart from plaintiff’s own deposition testimony that the company’s official policy was to upload photos to Facebook. And there was no evidence as to who owned the Facebook account in question.

So the court found no basis to overturn its earlier determination that plaintiff failed to establish a prima facie case of employment discrimination.

Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct in focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to eliminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Nefarious LinkedIn use finally makes it to the courts

TEKsystems, Inc. v. Hammernick, No. 10-99819 (D. Minn., Filed 3/16/2010). [Link to Complaint (PDF)]

Here is an interesting lawsuit that is bound to convince some employers that social media is causing the sky to fall (to the extent they’re not thinking that already).

An IT headhunting company that does business in the Twin Cities area of Minnesota has filed suit against a former recruiter-employee for breach of her noncompetition agreement. The complaint says that she violated that agreement when she connected on LinkedIn with 20 of the candidates her old firm was working with.

One thing that’s missing from the allegations is when the defendant made these allegedly improper LinkedIn connections. Did she already have them as connections when she left the plaintiff’s employment or did she invite them to connect after she left? The distinction seems like it would be relevant.

No doubt this case should get some attention due to the novelty of the allegations, namely, that the defendant used a social networking site to break the law. But as thinking persons, we should be careful not to sensationalize these facts. When you stop and think about it, how does the fact that the defendant may have used LinkedIn really differentiate the case from one in which she would have used a more conventional form of communication to solicit?

[Thanks to Paul Cherner at the HR Counsel blog for alerting me to this case. More coverage at the Delaware Employment Law Blog and Portfolio.com]

Emails sent through Yahoo account using work computer protected under attorney-client privilege

The New Jersey supreme court has held that emails an employee sent to her lawyer using her company-issued computer and a personal Yahoo account are protected by the attorney-client privilege.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which was the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

Probable cause existed to arrest employee for criminal data tampering

Deng v. Sears, Roebuck & Co., 552 F.3d 574 (7th Cir. January 5, 2009).

Employee Deng got a bad review from his employer Sears, Roebuck & Co. Disaffected, he took disability leave but continued to come into the office. On one of these visits, he deleted a bunch of data relating to work he had been doing. It cost Sears more than $40,000 to restore that data.

Sears called the police to report the data deletion, and Deng was arrested a year and a half later in Massachusetts (which is where he had fled). Deng was charged with violation of 720 ILCS 5/16D-3(a)(3), the Illinois law that prohibits tampering with computer files without the permission of the files’ owner. The criminal court dismissed the charges at the preliminary stage because a witness failed to appear.

Deng then filed a federal civil action against Sears for malicious prosecution. After his case was thrown out at the district court level, he sought review with the Seventh Circuit. On appeal, the court affirmed the dismissal of Deng’s suit. Among the things Deng was required to prove was that his arrest was made without probable cause. The court found that probable cause existed.

Deng had argued that he was authorized to delete the data, since statistical modelers like him were expected from time to time to free up disk space and get rid of unneeded data. One problem with this argument, however, was that Deng was on disability leave. Nothing in the record showed that the remaining Sears employees thought the data was no longer needed. After all, they spent significant sums to restore it. Moreover, because Deng was on disability leave, he had no authority to do anything with the data, let alone get rid of it. Finally, Deng’s fleeing after the troubles began was an indicator to authorities that he had done something wrong. Probable cause requires an objective analysis. Flight added to the impression that a crime had been committed.

Tennessee lawyer Jack Burgin also discusses this case at his blog Our Own Point of View.

No CFAA claim where no impairment of system or data

Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2008)

When defendants Pettit and Harper worked for plaintiff Andritz, Inc., they had company-issued laptops with which they accessed proprietary information. After defendants resigned, they allegedly took that proprietary information and gave it to defendant-competitor SMC.

Andritz sued in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss for failure to state a claim. The court granted the motion.

The CFAA claim failed because the plaintiff did not allege the type of “loss” or “damage” required to sustain such a claim. The loss that plaintiff alleged was that defendants took proprietary information and used it to poach customers.

But the CFAA requires there be an impairment of the computer system or data accessed. Because the plaintiff “still had access to the data just as it had before [d]efendants’ actions,” there was no violation of the CFAA.

Similar cases: Sam’s Wines & Liquors, Inc. v. Hartig and Garelli Wong & Assoc. v. Nichols.

North Carolina supreme court reverses employee hard drive removal decision

Removal of hard drive and false claim of copyright ownership in company website and catalogs were misconduct sufficient to disqualify former employee from receiving unemployment benefits.

Binney v. Banner Therapy Products, Inc., — S.E.2d —-, 2008 WL 2370887 (N.C. June 12, 2008)

I covered this case back in 2006 after the appellate court’s decision. Now the state supreme court has reached a different conclusion.

Employee Binney was fired from her job because she claimed a copyright in the company’s website and catalogs (which she had helped create) and also because she took the hard drive of her work computer home with her over the weekend without asking. After she was terminated, she sought unemployment benefits. Her employer contested the claim.

The administrative body in charge of determining unemployment benefits found that Binney was terminated for employee misconduct and therefore not entitled to receive anything. Binney appealed that decision to a trial court, which affirmed the denial. She then appealed to the state appellate court, which reversed, and found that given Binney’s position and responsibilities in the company and the reasonableness of her conclusions as to ownership of copyright, her actions did not rise to the level of misconduct that warranted a denial of benefits. [Internet Cases coverage of that decision.]

But the state supreme court reversed the appellate court, meaning that Binney is not entitled to benefits. The supreme court concluded that the appellate court incorrectly applied the standard of review, namely, whether the decision to deny benefits was based on “any competent evidence”.

As for the alleged misconduct of taking the hard drive home, the supreme court found that although the employer had no policy on removing hard drives, that did not contradict the administrative body’s finding that the employer did not authorize the hard drive’s removal. So there was competent evidence in the record that the removal was unauthorized, and corresponding misconduct in having removed it.

And as for claiming copyright in the website and materials, the supreme court similarly found that a determination of misconduct was supported by the record. Whether Binney believed in good faith that she had a personal copyright interest in the materials was irrelevant. She never asked for nor received permission to assert a personal claim on the company’s property by including the copyright statements, so in doing so, she engaged in misconduct.

Be careful with email because your employer is “looking over your shoulder”

Workplace email policy destroyed attorney-client privilege

Scott v. Beth Israel Medical Center, — N.Y.S.2d —-, 2007 WL 3053351 (N.Y. Sup. October 17, 2007).

Dr. Scott, who used to work for Beth Israel Medical Center in New York, sued his former employer for breach of contract and a number of other different things. Before he was terminated, however, he had used his work email account to send messages to his attorneys, discussing potential litigation against Beth Israel.

When Dr. Scott found out that Beth Israel was in possession of these email messages, he asked the court to order that those messages be returned to him. He argued that they were protected from disclosure to Beth Israel under the attorney client privilege.

Beth Israel argued that they were not subject to the privilege because they were not made “in confidence.” There was an email policy in place that provided, among other things, that the computers were to be used for business purposes only, that employees had no personal right of privacy in the material they create or receive through Beth Israel’s computer systems, and that Beth Israel had the right to access and disclose material on its system.

Dr. Scott argued that New York law [CPLR 4548] protected the confidentiality. Simply stated, CPLR 4548 provides that a communication shouldn’t lose its privileged character just because it’s transmitted electronically.

The court denied Dr. Scott’s motion for a protective order, finding that the messages were not protected by the attorney client privilege.

It looked to the case of In re Asia Global Crossing, 322 B.R. 247 (S.D.N.Y. 2005) to conclude that the presence of the email policy destroyed the confidential nature of the communications. The policy banned personal use, the hospital had the right to review the email messages (despite Scott’s unsuccessful HIPAA argument), and Dr. Scott had notice of the policy.

The decision has implications for both individuals and the attorneys who represent them. Employees should be aware that when they are sending messages through their employer’s system, they may not be communicating in confidence. And attorneys sending email messages to their clients’ work email accounts, on matters not relating to the representation of the employer, must be careful not to unwittingly violate the attorney client privilege.

What’s more, although the decision is based on email communications, it could affect the results of any case involving instant messaging or text messaging through the company’s server.

Employer immune under Section 230 in suit over employee conduct

In 2002, an employee of Agilent Technologies named Moore used his computer at work to send a number of e-mail messages and make postings to a Yahoo! group which were threatening in nature. Plaintiffs Delfino and Day were on the receiving end of this rough treatment, and filed suit against Agilent for, among other things, intentional infliction of emotional distress, for allowing Moore to use the system in the manner he had.

At the trial court level, Agilent moved for summary judgment, on grounds that the Communications Decency Act at 47 U.S.C. §230 shielded it from liability. The trial court granted the motion, and plaintiffs sought review. The California Court of Appeal affirmed, holding that §230 immunity barred the action.

To evaluate Agilent’s claim of immunity under §230, the court applied the three elements parsed out of §230(c)(1) in the case of Gentry v. eBay, 99 Cal.App.4th 684 (2002). That test provides that a defendant is immune where (1) it is a provider or user of an interactive computer service, (2) the cause of action treats the defendant as a publisher or speaker of information, and (3) the information at issue is provided by another information content provider.

The court observed that there were no other published decisions in which a corporate employer had been held to be a provider of interactive computer services. But it cited to a couple of law review articles in which commentators had concluded that an employer could meet the §230 provider criterion, and also observed that the evidence on file showed that Agilent’s servers were the means of access to the Internet by thousands of its employees across the country. That commentary and those facts led the court to conclude that the first element in the §230 immunity test had been met.

Next the court considered whether the plaintiffs’ cause of action sought to treat Agilent as a publisher or speaker of information. In addressing this point, the court did not clearly set forth any basis by which the plaintiffs sought to allege that Agilent was the one speaking or publishing the content giving rise to the alleged infliction of emotional distress. Instead, the court looked to the robust history of other cases addressing §230 immunity, noting the varieties of causes of action that had been held barred. Among those causes of action were defamation, nuisance and premises liability, invasion of privacy, misappropriation of right of publicity, and negligent failure to control. With these cases supporting a broad scope of immunity, the court held that the second element in the test for §230 immunity had likewise been met.

Finally, the court easily dispensed with the third element of the test, noting that the record was devoid of any allegations or evidence that anyone other than Moore was responsible for generating the offending content.

[Also covered at IP Law Observer]

Delfino v. Agilent Technologies, Inc., No. 1-03-CV-001573 (Cal. Ct. App. 6th Dist., December 14, 2006)