The Journal of The DuPage County Bar Association

Vol. 24 (2011-12)

Expectation of Privacy in A Digital Age: An Overview of Employment Law Cases and Statutes Struggling to Create Precedent as Expectations Evolve
By James S. Barber and Karen E. Bettcher

Many employees assume that they have a right to use an employer’s electronic devices to engage in private personal communications.  Many employers consider employee personal use of an employer’s electronic devices an abuse and a threat to productivity.  At least a dozen statutes and common laws can be implicated in social media communications on work-related devices.[1]  This article reports some of the recent case law developed as courts struggle to craft precedential guidelines while both technology and society’s expectations continue to evolve.

Statutory Protections: Stored Communications Act (“SCA”). The SCA protects the privacy of users of electronic communication services.  The SCA prohibits unauthorized access to stored communications such as e-mails and Internet accounts.  Specifically, 18 U.S.C. § 2707(a), with some exceptions, provides a cause of action to:  “. . . any provider of electronic communication service, subscriber or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind, may in a civil action, recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate. Relief under the statute includes injunctive and declaratory relief, damages both compensatory and punitive, and attorney’s fees and litigation costs.”[2]

The Supreme Court had the opportunity to decide an SCA claim in City of Ontario, California v. Quon, a case where a municipal government searched the text messages of a police officer.[3]  However, the Supreme Court observed that technology and cultural habits are still evolving and reasoned that it “would have difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable.”[4]  The Supreme Court, therefore, only considered the Fourth Amendment claim and reversed the Ninth Circuit by holding that the search was reasonable and did not violate the Fourth Amendment.[5]  The Court’s silence on the SCA claim has resulted in varying interpretations by lower courts of what constitutes authorized access by employers to password-protected employee websites under the SCA.

For example, the District Court of New Jersey was faced with this question in Pietrylo v. Hillstone Restaurant Group.  In Pietrylo, two employees sued their employer, a restaurant chain, for unauthorized access to a private, invitation-only chat room on MySpace.[6]  An employee, after being invited into the chat room, showed the website to one of the restaurant’s managers and later gave her password to two other managers.[7]  A jury found in favor of the employees on their SCA claims and awarded punitive damages.[8]  The restaurant filed motions for judgment as a matter of law, for a new trial and to strike the punitive damage award.[9]  However, the trial judge concluded that the jury could reasonably infer that, as the employee testified, she had felt that she would get in trouble if she had not provided the information.[10]  In addition, because the website provided clear warnings that it was “private,” the Court found that the managers acted with a state of mind prescribed by the statute for a knowing or intentional violation.[11]

More recently, in Maremont v. Susan Friedman Design Group, Ltd., an employee alleged that her employer gained unauthorized access and use of her Twitter and Facebook accounts to promote the company in violation of both the SCA and Lanham Act.[12]  The plaintiff was the director of marketing, public relations and e-commerce for the defendant company.[13]  She developed a company blog and linked company Facebook and Twitter accounts to the blog and website.[14]  The plaintiff-employee also opened personal Twitter and Facebook accounts solely for her own benefit and she developed a personal following on Twitter in the Chicago design community.[15]  The plaintiff stored all company account access information as well as her own passwords for her personal Twitter and Facebook accounts on the company server.[16]  However, she stored her personal information in a locked folder and never gave anyone access to her personal Twitter and Facebook accounts.[17] 

The employee was involved in a serious auto accident and was hospitalized.[18]  During her absence, she discovered that the company had posted Tweets on her personal Twitter account and her Facebook page announcing that the plaintiff was out due to her accident and posted a link to its company blog, which announced that, during plaintiff’s absence, there would be a specific guest blogger.[19]  The employee returned to work temporarily, but ultimately quit on her doctor’s recommendation.[20]  She later became employed by another company in the public relations business.[21]  The plaintiff filed a federal complaint alleging a violation of the SCA.  The court denied summary judgment on the SCA claim because there was a material issue of fact as to whether the defendants “exceeded their authority in obtaining access to [her] personal Twitter and Facebook accounts.”[22] 

Plaintiff also alleged a false association claim under the Lanham Act, a claim under the Illinois Right to Publicity Act, and a common law intrusion upon seclusion claim.[23]  The Lanham Act permits claims for false representations communicated through wrongful use of another’s distinctive mark, name, trade dress or other device.[24]  The former employer argued that the plaintiff neither had standing under the Lanham Act nor had she suffered any financial injury and sought summary judgment.[25]  However, the court disagreed and found that because the plaintiff had developed a personal following on Twitter and Facebook for her own economic benefit and to use if she left her employment, in order to promote another employer to those followers, the plaintiff met the standing requirement of “protected, commercial interest in her name and identity within the Chicago design community.”[26]

The plaintiff also brought a claim under the Illinois Right to Publicity Act (“IRPA”),[27] which precludes appropriation of a person’s name or likeness without written consent.[28]  The court granted the defendant’s motion for summary judgment on the IRPA claim because the employer did not pass itself off as the plaintiff in the Tweets.[29]  In fact, the employer announced that the plaintiff was injured in an accident and that other employees would temporarily act in her absence.[30]  Finally, the court dismissed the common-law intrusion upon seclusion claim because it was undisputed that the plaintiff had a following of 1,250 people on her Twitter account and she also had Facebook followers, and as a result, was unable to show any private information upon which the defendant intruded.[31]

Statutory Protections: Computer Fraud And Abuse Act. The Computer Fraud and Abuse Act (“CFAA”)[32] is a powerful litigation tool that can discourage employee computer fraud.  Under the CFAA an employer can seek both civil and criminal penalties, money damages and injunctions against former employees and their future employers who take company information.[33]  Correctly applied, the employer can successfully get into federal court to accomplish all this without having to meet the rigors of proof required in traditional state court trade secret and unfair competition cases.  Interpretation of the CFAA, however, varies among the courts. 

Ninth Circuit.  In LVRC Holdings, LLC v. Brekka, the Ninth Circuit held that once an employer authorizes an employee to access its computer database and the employee subsequently takes information off the database for his personal use, the employee has not violated CFAA.[34]  Further, the court found that there is no language in CFAA supporting the employer’s argument that authorization ceases “when an employee resolves to use the computer contrary to the employer’s interest.”[35]  The decision in the Brekka case applies as precedent in the nine states covered by the Ninth Circuit, i.e., California, Alaska, Arizona, Hawaii, Idaho, Montana, Nevada, Oregon and Washington. 

However, in a 2011 decision, a separate Ninth Circuit panel applied a more expansive application of the CFAA.  In U.S. v. Nosal, the Ninth Circuit reinstated a federal criminal CFAA indictment against a former company executive.[36]  The enterprising executive had enlisted current employees to collect information from his former employer, which enabled the former executive to organize a competing business.[37]  Initially, the district court held that “a person’s accessing a computer ‘knowingly and with intent to defraud . . . render the access unauthorized or in excess of authorization.”[38]  Following the Brekka decision, the district court reconsidered and held that the Brekka decision compelled the dismissal of the CFAA counts finding that because the current employees had authorized access to the company’s computer system, they had not exceeded the authority under the CFAA.[39]  However, the Ninth Circuit panel distinguished the facts presented to it from the facts in the Brekka case.[40]  Important here, the Ninth Circuit panel pointed out that the employer in the Brekka case had not established clear limitations on the employee’s authorization, while the employer in the Nosal case had.[41]  The employees, in Nosal, violated those clear and conspicuous restrictions on their access to confidential databases under company policies.[42]  The court stated that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.  It is as simple as that.”[43]

But, this more expansive application of the CFAA is potentially already in jeopardy.  On October 27, 2011, the Ninth Circuit decided to rehear Nosal en banc.[44]  As a result, at least one district court has recognized that “exactly how the words ‘excess of authorization’ are to be interpreted for the purposes of liability under CFAA” remains unsettled in the Ninth Circuit.[45]

Seventh Circuit.  The Ninth Circuit panel in the Nosal decision echoed the earlier Seventh Circuit opinion in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).  In the Citrin decision, the employee was responsible for downloading into a company laptop real properties that the company might target for acquisition.[46]  The employee decided to quit, go into business for himself and before returning the company laptop, deleted all the data from the laptop, including data that would have revealed improper conduct in which he engaged, and used an eraser program to “scrub” the deleted data files in order to cover his tracks.[47]

The company’s employment contract authorized the employee to either return or destroy the data on the laptop when he ceased being employed.[48]  Therefore, the employee argued that he had not violated the employment agreement when he deleted the information after he left.[49]  However, the Seventh Circuit disagreed with the opportunistic employee and ruled that deleting the data to cover his tracks was a breach of the employee’s duty of loyalty.[50]  The employee thereby terminated his employment and his authorization to use the laptop – despite the fact that at the time the company was unaware of the deletion and had not personally terminated the employee.[51]

Fifth Circuit.  In 2010, the Fifth Circuit, in United States v. John, held that an employee violates and is subject to prosecution under the CFAA when the employee knows or should have known that he is not authorized to obtain information from a company computer to perpetrate fraud.[52] 

First Circuit. Adding to the mix the First Circuit in E.F. Cultural Travel BV v. Explorica, Inc., a decision that preceded the Citrin and the John decisions, upheld the issuance of a preliminary injunction, finding the employer was likely to prove that a former employee, who had been under a confidentiality agreement, exceeded the authorization given to him when he accessed a website in order to “mine” his former employer’s proprietary information for a competitor.[53] 

Stretching Too Far? In Lee v. PMSI, Inc., an employee brought a pregnancy discrimination complaint against her employer. [54]  The employer filed a counterclaim under the CFAA, the crux of which was the allegation that, while at work and on the company’s computer, the employee had visited personal websites such as Facebook and monitored and sent personal e-mails through her Verizon webmail account.[55] 

However, the Florida district court found that “[b]oth the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the [I]nternet instead of working.”[56]  The Court observed that the employee had not damaged a computer system nor obtained confidential, proprietary company information via its computer system.[57]  In the Court’s view, the CFAA was intended to apply only to those situations.[58]  An employer simply is at its own risk when it authorizes an employee to use a company computer, even when the employee violates limitations placed on her use, provided that she is still authorized to use the computer.[59]

P2P Exposures to Corporations from Regulatory and Common Law Attacks.[60] Employees’ use of employers’ electronic devices not only subjects employers to the misconduct of employees but also exposes corporations to potentially greater external threats.  Using programs like Napster, eDonkey, BitTorrent, or Gnutella or other game-sharing programs to download music means that the user is implementing “peer-to-peer” networking, otherwise known as P2P.  In more technical jargon, P2P is a distributed application architecture that partitions tasks or workloads between equally privileged peers, which form a peer-to-peer network.  The “peers” become suppliers and consumers of resources, in contrast to the traditional client-server model where only servers supply and users consume data.  Using P2P on a home network or on a work laptop raises a very real risk of a breach of confidential information.  For example, if a salesperson at a company downloaded a customer spreadsheet to use on his or her personal laptop, which is shared with a son or daughter who downloads music using P2P software, there are hackers who can gain access by participating in the exchange of information over the peer-to-peer network in order to get into the data that the salesperson stored on the laptop.  Firewalls set up to prevent hackers from gaining access to the company network are generally not helpful here.  Regulatory enforcement is possible from the Federal Trade Commission, the Justice Department, state attorneys general or municipalities to investigate a breach of confidentiality if customers’ Social Security numbers, private medical information of clients or other personal data are “mined” and published on the Internet.  Regulatory compliance may require a company to identify the breach, terminate it, prevent it, and prove that this was all accomplished in a very short period of time.[61]

Other Potential Legal Theories. There also is a potential for liability under common-law legal theories such as (i) negligence, (ii) invasion of privacy, (iii) identity theft and (iv) emotional distress depending upon what information was mined by the hacker.  Depending upon the industry and nature of the information, liabilities could arise under (v) patient rights acts, (vi) healthcare reform acts and, (vii) personal information protection acts. 

Conclusion. As the United States Supreme Court noted in its decision in City of Ontario, California v. Quon, technology and cultural habits still are developing in the area of social media.[62]  The preceding cases and observations are made from one point in time on the continuum of that evolutionary development.

[1] See, e.g., The Fair Credit Reporting Act, 15 U.S.C. § 1681 (2006); The Stored Communications Act, 18 U.S.C. § 2707 (2006); The Federal Wire Tap Act, 18 U.S.C. ch. 119 (2006); The Fair Labor Standards Act, 29 U.S.C. ch. 8 (2006); The National Labor Relations Act, 29 U.S.C. ch. 7 (2006); The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2006); Illinois Right to Privacy in the Workplace Act, 820 ILCS 5; Illinois Right to Publicity Act, 765 ILCS § 1075; Illinois Personnel Records Review Act, 820 ILCS 40.

[2] Stored Communications Act, 18 U.S.C. § 2707(b)-(c) (2006).

[3] Quon, 130 S. Ct. 2619 (2010).

[4] Id. at 2629-2630.

[5] Id.

[6] Pietrylo v. Hillstone Rest. Group, No. 06-5754, 2009 WL 3128420, *1 (D.N.J. Sept. 25, 2009).

[7] Id. at *3.

[8] Id. at *1.

[9] Id. at **1, 5.

[10] Id. at *3.

[11] Id. 

[12] Maremont v. Susan Friedman Design Group, Ltd., No. 10 C 7811, 2011 WL 6101949, **1-2 (N.D. Ill., Dec. 7, 2011).

[13] Id. at *2.

[14] Id.

[15] Id.

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] Id. at *3.

[21] Id.

[22] Id. at *5.

[23] Id. at *1.

[24] Id. at *4.

[25] Id.

[26]  Id. 

[27] Right of Publicity Act, 765 ILCS § 1075.

[28] Maremont, 2011 WL 6101949, *6.

[29] Id. at *7.

[30] Id.

[31] Id.

[32] Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2006).

[33] See generally id.

[34] LVRC Holdings, 581 F.3d at 1129, 1132.

[35] Id. at 1133.   

[36] U.S. v. Nosal, 642 F.3d 781, 782 (9th Cir. 2011), reh’g en banc granted, 661 F.3d 1180 (9th Cir. 2011). 

[37] Id. at 783.

[38] Id. at 784.

[39] Id.

[40] Id. at 787.

[41] Id. 

[42] Id.

[43] Id. at 788. 

[44] U.S. v. Nosal, 661 F.3d 1180 (9th Cir. 2011) (en banc).

[45] Platinum Logistics v. Ysais, No. 11-cv-1174, 2012 WL 177418, *2 (S.D. Cal. Jan. 20, 2012).

[46] Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 419 (7th Cir. 2006).

[47] Id.

[48] Id. at 421.

[49] Id.

[50] Id. at 420-21.

[51] Id.

[52] U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010).

[53] E.F. Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001).

[54] Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028, *1 (M.D. Fla. May 6, 2011).

[55] Id.

[56] Id.

[57] Id.

[58] Id.

[59] Id. at *2 (citing LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009)).

[60] Special thanks to my partner Tom Ryerson in our Wheaton office for his prior collaboration on this section on P2P.

[61] See, e.g., Health Insurance Portability and Accountability Act, 42 U.S.C. §§ 1320d et seq.; The Health Information Technology for Economic and Clinical Health Act, American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, §§ 13001-13424, §§ 4001-4302; Gramm-Leach-Bliley Act of 1999 (“GLBA”), 15 U.S.C. §§ 6801-6809 (regulations implementing GLBA’s privacy requirements include, among others, 16 C.F.R. part 13 and 12 C.F.R. Parts 40; 216, 332, 573, and 716); Standards for Safeguarding Customer Information, Federal Trade Commission, 16 C.F.R. part 314; Fair and Accurate Transactions Act, Pub. L. 108-159, 111 Stat 1952; Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.

[62] Quon, 130 S. Ct. at 2630.

James S. Barber is a partner with Clausen Miller P.C. and head of its Employment Practice Group.  He counsels and represents clients in areas of employment policy, contracts, labor standards and employment litigation.  Mr. Barber has extensive experience in injunction actions, specifically in disputes related to enforcement of covenants not to compete, confidentiality agreements and trade secrets.  He is an accomplished author and lecturer.  For eight consecutive years, Mr. Barber has been recognized as a Leading Lawyer and Illinois Super Lawyer.

Karen E. Bettcher is an associate attorney at Clausen Miller P.C. specializing in litigation.  She has represented clients in matters involving liability claims and property rights disputes arising from computer usage and data storage.   Ms. Bettcher received her Juris Doctor from The John Marshall Law School where she was the managing editor of the Review of Intellectual Property Law.  She is a former federal law clerk and did her undergraduate work at Miami of Ohio.
