As long as there has been Facebook, attorneys have been scratching their heads asking whether Facebook posts fall under the purview of the Federal Stored Communications Act (“SCA”). In Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-03305 (WJM) (D.N.J. Aug 20, 2013) the District Court for the State of New Jersey gave us its opinion by holding that non-public Facebook posts, which are configured to be private are indeed covered under the SCA because they are:

  • electronic communications;
  • transmitted via an electronic communication service;
  • in electronic storage; and
  • not accessible to the general public.

Even though the posts were covered under the SCA, the court went on to find that the “authorized user” exception — one of two exceptions to the SCA — applied and held there was no violation of the SCA, or of Facebook user’s privacy, when the Facebook posts were accessed. Here’s how the case played out in more detail.

The Factual Background

Plaintiff Deborah Ehling is a registered nurse and paramedic who was hired as registered nurse and paramedic by the defendant MONOC, a non-profit hospital service corporation that provides emergency medical services to citizens in New Jersey. Ehling was heavily involved in taking actions intended to protect MONOC employees.

From 2008 through 2009 Ehling maintained a Facebook account and amassed approximately 300 Facebook “friends.” Ehling selected privacy settings for her account and limited access to her Facebook wall so that only her Facebook “friends” could see her posts and they were not posted publicly. Ehling did not add any MONOC managers as her Facebook friends, but she did add some of her MONOC coworkers, including a paramedic named Tim Ronco. Ehling posted on Ronco’s wall and Ronco had access to Ehling’s Facebook wall. Unbeknownst to Ehling, and for whatever reason, Ronco began taking screenshots of Ehling’s Facebook wall, printing them out, and emailing them to one of MONOC’s managers.

In its decision, the court emphasized that there was no evidence that anyone at MONOC asked Ronco for any information about Ehling and never requested that Ronco keep MONOC apprised of Ehling’s Facebook activity, which will come into play later.

On June 8, 2009, Ehling posted the following statement on her Facebook wall:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards….go to target practice.

After learning of the post, MONOC management temporarily suspended Ehling with pay and sent her a memo noting its concern that her comment reflected “deliberate disregard for patient safety.” Ehling eventually was fired. She responded by filing a complaint with the National Labor Relations Board (“NLRB”), but the NLRB found that MONOC did not violate the National Labor Relations Act for taking action against Ehling in response to the post that was sent unsolicited to MONOC management.

In the lawsuit filed in New Jersey federal court, Ehling raised numerous claims against MONOC and the individual defendants, including claims that MONOC’s accessing of her Facebook posts violated the SCA and invaded her privacy. The court, however, granted MONOC’s summary judgment on all counts.

Ehling’s Stored Communication Act Claim

Ehling alleged that MONOC violated the SCA by improperly accessing her Facebook wall post about the museum shooting. She argued that her Facebook posts were covered by the SCA because she had selected privacy settings limiting access to her Facebook “friends.” MONOC countered that even if the SCA applied, it was authorized to access her post regarding the museum shooting under the “authorized user” exception. The court agreed with MONOC.

In analyzing Ehling’s SCA claim, the court discussed the statute’s history, which was first passed in 1986 long before social media websites like Facebook existed. As a result, the court noted that courts have had very few opportunities to address whether the SCA applied to Facebook wall posts.

With respect to its application, the SCA provides that whoever “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters or prevents the authorized access to a wire or electronic communication while in electronic storage in such a system” shall be liable for damages. 18 U.S.C. §2701(a); 18 U.S.C. §2707. The statute further provides that “[i]t shall not be unlawful … [to] access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” 18 U.S.C. §2511(2)(g)(i). In other words, the SCA covers: (1) electronic communications, (2) that were transmitted via an electronic communication service, (3) that are in electronic storage, and (4) that are not public. The court found the Facebook posts that are configured to be private meet all four criteria and therefore fall within the purview of the SCA.

Check 1: Facebook Posts Are Electronic Communications. As to the first element, the court found that Facebook posts are electronic communications under the definition of “electronic communication” as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.” 18 U.S.C. §2510(12). Since users create Facebook posts through electronic transmissions of writing, images or other data via the internet from their computers or mobile devices to the Facebook servers, these are indeed electronic communications.

Check 2: Facebook Posts are Transmitting Via Electronic Communication Service. The court then held that Facebook posts are transmitted via an electronic communication service, which is defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. §2510(15). Since Facebook provides its users with the ability to send and receive electronic communications including private messages and Facebook wall posts, Facebook is, in turn, an electronic communications service provider under the second element of the SCA.

Check 3: Facebook Wall Posts are in Electronic Storage. As to the third element, the court found that Facebook wall posts are also in electronic storage. The court noted the two types of electronic storage that the SCA distinguishes: (1) “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof;” and (2) “any storage of any such communication by an electronic communication service for purposes of backup protection of such communication” 18 U.S.C. §2510(17)(A)-(B). Because Facebook wall posts, unlike e-mail, are not held somewhere else temporarily before they are delivered, and the Facebook website itself is the final destination, the court found that Facebook wall posts are not held in temporary intermediate storage. However, Facebook does store electronic communications for back-up purposes. When Facebook users post information the information is immediately saved to the Facebook server. When new posts are added, older posts are archived on separate pages and though not displayed, are still accessible. Because Facebook saves and archives wall posts indefinitely, the court found that Facebook posts are stored for back-up purposes and that wall posts are indeed electronic storage within the third element of the SCA.

Check 4: Facebook Posts Configured to be Private are not Available to the Public. As to the last element, the court found that Facebook posts configured to be private are, by definition, not accessible to the general public. The touchstone of the SCA is that it protects private information, making it clear that the statute’s purpose is to protect information that the user took steps to keep private. Cases on this subject confirm this reasoning, i.e., information is protectable so long as the user actively restricts the public from accessing it. See e.g. Viacom Int’l Inc. v. Youtube Inc., 253 F.R.D. 256, 265 (S.D.N.Y. 2008); Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d at 965, 911 (C.D. Cal. 2010).

Because Facebook allows users to select their privacy settings, users can limit their posts to Facebook friends, particular groups, individuals, or to the user solely. The court found that when a user makes a Facebook wall post inaccessible to the general public, the wall posts are “configured to be private” for purposes of the SCA. The critical inquiry is whether the Facebook user took steps to limit access to the information on his or her Facebook wall. Not wanting to draw what it felt was an arbitrary line, the Ehling court held that privacy protection afforded by the SCA is not limited to or dependent on the number of Facebook “friends” that the user has.

Choose Your “Friends,” or Rather Your Frenemies Carefully – Application of the Authorized User Exception to Facebook Posts: While the court found that non-public Facebook wall posts are covered by the SCA, it held that the SCA’s “authorized user” exception applied to the case to find against any liability. See, the SCA “does not apply with respect to conduct authorized (1) by the person or entity providing a wire or electronic communications service; [or] (2) by a user of that service with respect to a communication of or intended for that user.” 18 U.S.C. §2701 (c).

The authorized user exception applies where (1) access to the communication was “authorized,” (2) “by a user of that service,” (3) “with respect to a communication … intended for that user.” 18 U.S.C. §2701(c)(2). The court found that all three of these elements of the “authorized user” exception were met in the case.

First, access to Ehling’s Facebook wall post was indeed “authorized.” The evidence established that Ronco voluntarily provided Ehling’s Facebook post to MONOC management without any coercion or pressure. Ehling provided no evidence to support her theory that access to her Facebook was unauthorized.

As to the second element, Ehling’s Facebook wall post was authorized “by a user of that service” which is “any person or entity who (A) uses an electronic communications service; and (B) is duly authorized by the provider of such service to engage in such use.” Because Ronco was a Facebook user and Ehling acknowledged that she added Ronco as a Facebook friend and posted on Ronco’s wall, the court found that access to the wall was authorized by a user of the service.

Lastly, the court found that Ehling’s Facebook wall post was “intended for that user.” Based on the privacy settings that Ehling selected for her page, Ehling’s wall posts were visible to and intended to be viewed by any of Ehling’s Facebook friends “including Ronco.” As such, when Ehling posted the June 8, 2009 comment about the museum shooting and Ronco viewed it, as one of plaintiff’s Facebook friends, the post was indeed intended for Ronco within the definition of the exception. With that the court found the authorized user exception to the SCA applied in the case and there was no violation of the SCA for MONOC reviewing and using Ehling’s Facebook wall post to suspend her employment.

Ehling’s Invasion of Privacy Claim

Ehling’s invasion of privacy claim was also based on her theory that the defendants invaded her privacy by accessing her private Facebook postings regarding the museum shooting. The defendants argued they were entitled to summary judgment on the privacy claim because Ehling’s friend “freely chose to share the information” with them, and the court agreed. For an invasion of privacy claim to exist under New Jersey state law, Ehling had to show (1) there was an intentional intrusion of her solitude or seclusion or private affairs; and (2) the intrusion would highly offend a reasonable person.

Here the court found there was no intrusive act because Ehling had no evidence that the defendants obtained access to Ehling’s Facebook page by logging into her account, by logging into another employee’s account or by asking another employee to log-in to Facebook. Rather, the defendants were the passive recipients of information they did not seek or request. Since Ehling voluntarily gave information to her Facebook “friend” and the “friend” voluntarily gave that information to another party, the only possibility violation of that of trust, not privacy.

Takeaways. This case underscores our experience that the vast majority of employers learn about problematic Facebook posts from co-worker “friends” of the employee poster. As a result, employers need not, and should not, make demands for their employees’ social media passwords or log-in information and should not take underhanded steps, i.e., logging into someone else’s account to back in to someone else’s account or setting up a false account. Not only is it illegal in 11 states for an employer to demand social media passwords from employees (and it looks like New Jersey will be added to the list relatively soon), but Ehling demonstrates that non-public posts will likely be deemed to fall under the protection of the SCA. Therefore, coerced or underhanded access to an employee’s Facebook posts will be deemed “unauthorized” and employers will lose the protection of the SCA’s “authorized user” exception. Employers could also be deemed liable for invasion of privacy under state law. Given the NLRB’s decision in this matter, the NLRB is likely to take the same approach.

So, employers beware and think twice before you start snooping around an employee’s social media account. The public stuff is fine, but the private stuff that would require more work to dig into, you should back off. As we noted in another blog on gathering social media evidence, available here, your employees are your top social media evidence gathers. Owners and managers of a company should not be Facebook “friends,” or Twitter “followers” of employees, but to the extent co-workers are “friends” and/or “followers” and bring information regarding fellow co-worker’s social media activity to the employer’s attention, which is unsolicited and not encouraged by the employer, the employer should be able to avoid a SCA or invasion of privacy lawsuit.