This post is part of a series of posts entitled A Legal Guide To The Use Of Social Media In The Workplace. For a comprehensive list of articles contained in this series, click here.
In addition to privacy laws, federal electronic communication laws may also be implicated by an employer’s search of social media sites or other online data. These laws include the Electronic Communications Privacy Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. These laws are briefly summarized below.
The Electronic Communications Privacy Act (“ECPA” or the “Wiretap Act”), 18 U.S.C. § 2510, et seq.
The federal Wiretap Act prohibits the unlawful “interception” of an electronic communication contemporaneously with the communication being made. As such, employers that monitor and intercept employee’s online communications through social media or other online sources could, depending on the circumstances, be liable under the Act. Most employers do not, however, monitor employee communications in real time as they are occurring. If there is no real-time, contemporaneous “interception” of an electronic communication, the Wiretap Act most likely does not apply.
The Stored Communications Act (“SCA”), 18 U.S.C. § 2701, et seq.
The SCA prohibits the knowing or intentional unauthorized access to “a facility through which an electronic communication service is provided.” 18 U.S.C. §§ 2701, 2707. This includes unauthorized access to a password-protected email account or social networking site. Key exceptions exist, however, if the person accessing the communication is the provider of the service, a user of the service and the communication is from or intended for that user, or has been granted access to the site by an authorized user. 18 U.S.C. § 2701(c)(2).
At least three notable cases have applied the SCA to electronic communications. In Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), the Ninth Circuit Court of Appeals was confronted with a situation where the employer gained access to the site by submitting an eligible employee’s name and creating a password to enter, after accepting terms and conditions that prohibited viewing by management. According to the court, this conduct alleged by the plaintiff was sufficient to bring a claim under the SCA.
In the Pietrylo case discussed above, the District Court of New Jersey upheld a jury verdict imposing liability against an employer under the SCA. 2009 U.S. Dist. LEXIS 88702. The Court found sufficient evidence that a company supervisor accessed the password protected employee chat room with a password provided by an employee coerced into giving access.
Finally, in the Quon case mentioned above, the Ninth Circuit Court of Appeals held that the employer and wireless provider violated the SCA by viewing the content of text messages sent by employees through a third-party pager service, even though the employer paid for the service. The Supreme Court declined to hear the wireless provider’s challenge to this ruling. USA Mobility Wireless, Inc. v. Quon, 130 S. Ct. 1011 (2009).
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq.
The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.” The CFAA provides for both criminal prosecution and civil actions for violations. Although the CFAA may apply against employers in some circumstances, the CFAA is far more often a tool for employers to pursue claims against employees who abuse their access to the employer’s computer network. For example, an employer may pursue claims against employees who abuse their access to confidential information in violation of the employer’s policies. See United States v. Rodriguez, 627 F.3d 1372 (11th Cir. 2010).