In a case that has been widely followed by employment lawyers in the hope of gaining some clarity as to employees' privacy rights on personal social media sites, the federal district court in New Jersey recently upheld the jury's verdict finding Hillstone Restaurant Group liable for violations of the Stored Communications Act and New Jersey's parallel electronic surveillance statute.
In Pietrylo v. Hillstone Restaurant Group, two employees created a MySpace page that they used to air their grievances against their employer in a password protected environment and invited other employees -- but not managers -- to join. At some point along the way, one of the managers learned of the site and its sometimes profane content when one of the invited employees showed him a posting from it. That manager told another and then the two of them twice requested the employee's log-in ID and password to the site. Eventually the employee gave them the information and the managers logged into the site a few times before firing the site's creators for damaging employee morale and for violating the restaurant's "core values."
The central issue at trial was whether the employee was coerced into giving the managers her log-in ID and password information to permit them to enter the site. The employee testified that she felt pressure to give the manager her password and that she felt she would have gotten into trouble had she not done so. There, of course, was no documentary evidence that she willingly authorized the managers to enter the site and, in any event, it would have been just as easy to claim that her signature on any documentation had been coerced. In light of the employee's testimony, the court found that the jury had reasonably concluded that the managers had not been authorized to enter the site and refused to toss out their verdict.
The Pietrylo court's decision upholding the jury's verdict teaches employers at least two lessons when presented with potential evidence of employee misconduct obtained from a social media site.
First, in the absence of reliable evidence that the employee is doing something really damaging to the employer's interests or violating substantial company policies, leave any password-protected social media site alone. If it is just a bunch of employees blowing off steam, it won't be the first time employees have gotten together somewhere to say something unflattering about the boss.
On the other hand, one can easily envision scenarios where employers will want to investigate more deeply. Consider the employee who seeks bereavement leave because a dear aunt has passed away. Later, you learn from that employee's co-worker who is his Facebook "friend" that the employee actually spent a long weekend on a hunting trip.
Second, if the employer's interests are substantial and it is possible to do so without jeopardizing any investigation, first seek authorization to access the site directly from the employee involved. Even when the password is offered on a silver platter to a manager by a rank and file employee, understand that he or she eventually will feel pressure to avoid looking like a snitch in front of co-workers. Therefore, employers should attempt to ensure that co-worker authorization is corroborated by at least one additional trustworthy source. Nevertheless, even with full belief that the access is authorized, employers should always ensure that their interests in accessing a password-protected site are substantial.