New forms of electronic communications pose unique challenges for those seeking to determine appropriate bounds for communications at and about the workplace. Clear and concise policies saying what is and is not permissible can help all parties avoid situations where it’s necessary to “dooce the Blogzilla.”
Your client is very agitated … a late-night, impromptu Google search has led to the unpleasant discovery of an employee’s blog where recent postings name your client publicly and make specific, arguably defamatory, statements about workplace culture and coworkers. You are expected to know what to do, but your knowledge of blogs is limited to something called “Facebook” that you suspect may not be a healthy diversion for your teenager. This article offers some legal guidelines for your advice to a client thrust into the world of e-communications, blogs and employment law when you need to “dooce the Blogzilla.”
According to Technorati of San Francisco, a blog search engine currently tracking 75.2 million online journals, there are more than 175,000 blogs created per day.1 At its best, the blog world is an accessible, rich venue for scholars and experts in all industries to comment intelligently on trends, new developments, products and services, and other news. It can be an effective interactive marketing tool that provides unlimited opportunity to reach large audiences with insider information while establishing credibility.
The accompanying reality, however, is that there is no official gatekeeper for the “blogosphere.” It simultaneously plays host to unreliable, inaccurate and harmful communications that can invade individuals’ privacy and destroy the confidentiality of personal and corporate information. It can do so with enormous speed and scope through a medium that immediately engages reader discussion and creates hyperlinks from blog to blog. Similar issues arise with respect to employees’ use of other e-communication tools, including email, instant messages (IMs), web pages, camera phones and listservs.Cybersmearing, hacking, cyberstalking, spoofing, doocing — these are all terms arising from cases of technology gone wrong.
State and federal law provide some protection for employers struggling with problematic employee e-communication issues, but there are also strong public policies favoring free speech that sometimes make it difficult to halt questionable language or content in its tracks (as opposed to seeking damages after the fact).
Tensions between conflicting public policies provide fertile ground for potential power struggles between employers and employees at any given time. Clear employee policies that aim to protect employer information, coupled with an understanding of both employer rights and limitations, are essential to safeguarding an organization against the threat of employees’ careless or intentionally detrimental e-communications.
Employees hold significant power in their fingertips and in some unfortunate instances, pose risk to the reputation of a company or individual. In 2002, for example, blogger Heather Armstrong was fired from her job after a fellow employee blew the whistle on her weblog, dooce.com, where she reportedly posted satirical accounts of life at work. It was one of the first notable incidents involving blog-related legal issues to receive national attention and from it, the term “dooce”— to be fired or lose one’s job as a result of blog contents — was officially born. Claiming no intentions of slandering her company, Armstrong’s May 19, 2003, entry reads, “I also have not pursued any legal action against the company because I believe that I don’t have a legitimate case.”2 Armstrong continues to maintain the now famous blog today.
There have been many notorious examples of misuse of e-communications systems. In Doe v. XYC Corp., an employee used his work computer to transmit pornographic pictures of his ten-year-oldstepdaughter.3 When the mother sued the employer, claiming that the company had received reports of the employee’s prior viewing of porn at work, a New Jersey appeals court reversed an initial dismissal of the case, saying that the employer had a duty to exercise reasonable care to report and/or take effective action to stop an employee from viewing child porn at work.
In contrast, however, in Delfino v. Agilent Technologies Inc., the court determined that the employer was entitled to immunity under the Communications Decency Act of 1996 and therefore was not subject to liability for an employee’s electronic transmission of threats to third parties.4 The court also found that the employer was not subject to liability since the employee’s misuse of a company computer was unknown and the content was not related to work.
In Apple Computer v. Does, Apple filed a lawsuit against a host of unidentified sources who leaked proprietary company information about a rumored new Apple product to several websites. Apple subpoenaed one site and received support from a trial court.5 However, a California state appeals court ruled in favor of the three web journalists who published the product information, indicating that online journalists have the right to protect source confidentiality.6 As a result, Apple could not identify the culprits or lawfully dismiss employees for misappropriating trade secret information. The court deemed the subpoena unenforceable because it “cannot be enforced consistent with the plain terms of the federal Stored Communications Act” and reporters are protected by California shield law.7
Rights v. Limitations
Just where employee rights end and employer rights to restrict employee behavior in these matters begin is less than crystal clear, but interpretations have emerged. Generally speaking, employers have the right to require that employees limit their use of company resources and technology. If a policy is implemented to govern activities on company-owned electronic communication tools — from blogging to internet chatting — employee discipline or discharge for violation of a clear policy is usually defensible.
In fact, employers have a duty to prevent certain kinds of inappropriate use of company resources. For example, employers must take effective measures to stop behaviors that are harassing or offensive based on the protected classes such as race, color, religion, sex, national origin, age, disability and sexual orientation. It has long been clear that failure to do so may result in liability under federal, state and local employment laws. Employers should also act to prevent and/or stop use of their technology to defame, disparage, threaten or otherwise harm others. Factors influencing employer liability often include whether the employer knew or should have known about the problem, the status of the employee, and the employer’s response once informed.
Employers may also face claims if company technology is used to cause other business injuries, including copyright infringement, securities violations, disclosure of confidential business information, and hacking into third-party systems. Securities fraud, for example, has stolen headlines in recent years. According to a 2002 article in the UCLA Journal of Law and Technology, internet-related stock fraud is the second most common form of investment fraud and may cost as much as $10 billion per year.8 The internet has been used to manipulate the stock market through such tactics as disseminating false information to inflate or deflate stock prices. Employers must take reasonable steps to ensure that a work computer is not the vehicle for such activities.9
Employers are also obligated to secure highly confidential customer and patient information. The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities go through very specific processes, including employee training, to protect the privacy and security of patient information.10 Nonetheless, there have been several notorious cases involving the loss or theft of patient information. In 2006, the Veterans Administration learned that a computer was missing from a subcontractor who provided support to two of its medical centers. The computer contained claims information on thousands of patients.11 That incident followed another data breach in which the Veterans Administration lost sensitive data for 26.5 million veterans and their spouses when a laptop was stolen from an analyst’s house during a burglary.12 Early estimates about the impact of that incident forecasted costs ranging from $100 million to $500 million.13
Employers may generally take disciplinary action to control the use of their own technology and/or dissemination of business information. But there are limitations on an employer’s ability to control communications, particularly when the employer’s technology is not used. Ford Motor Company v. Robert Lane d/b/a Warner Publications provides a good example.14 An individual maintained a website that focused on Ford product development and news, and chose to release confidential trade secret information from anonymous sources in as many as 40 Ford documents. When the company objected, more documents appeared on the website. The court declined an injunction sought by Ford to prohibit the dissemination, noting the absence of a confidentiality agreement or fiduciary duty between the parties, and noting that “prior restraint” of speech is generally unconstitutional under the 1st Amendment. While 1st Amendment rights typically do not protect employees against discharge or other disciplinary actions in a private workplace setting, they do apply to governmental actions and create barriers to court orders enjoining and otherwise limiting speech, whether public or private.
There are other limitations on an employer’s right to control communications even within the workplace. Sarbanes-Oxley and federal and state antidiscrimination laws, for example, prohibit disciplinary and other adverse actions against employees who engage in protected activities, including reporting certain types of corporate wrongdoing.15 Labor laws protect employees engaging in activities and communication related to common workplace issues such as wages or other terms and conditions of work.16 Employers who attempt to regulate or prohibit employee communications need to be careful that their actions are not prohibited or constitute retaliation under various state and federal laws.
Employers’ ability to monitor e-communications must also be assessed for possible violation of privacy and other laws such as the federal Electronic Communications Privacy Act of 1996 and the Minnesota Privacy of Communications Act. Each act limits interception of telephone and email communications, and privacy claims may arise when an employee has a reasonable expectation ofprivacy.17 Clear notice to employees that they have no reasonable expectation of privacy arising out of the use of an employer’s technology, along with consent to monitoring, can greatly reduce the risk to employers who seek to monitor employee communications for legitimate business purposes.
Whatever the scenario, employers must control communications in a lawful manner. The infamous Hewlett-Packard scandal demonstrated the potential cost of illegal practices. Top Hewlett-Packard officials became the center of a media furor over “pretexting,” which in this case referred to obtaining confidential information through misrepresentation. The negative repercussions included extensive bad publicity; a mass departure from the board of directors; criminal charges brought against the past chairwoman (recently dropped); and investigations by Congress, the FBI and the SEC.18
Policy Clean Up
Less than half of employers in a recent survey have blogging policies, yet there are obvious liabilities associated with this virtually unregulated medium. When concerns do arise regarding employee use of blogs and other e-communication tools, employers will want to take effective action to stop unacceptable behavior. While there are some practical and legal limitations on the employer’s ability to do so, preventative measures are key in safeguarding the client’s interests. A review of company policies is a necessary first step.
There are several important considerations to include when incorporating rules regarding blogging into existing client policies or into the development of a distinctive e-communication policy that aims to set boundaries for acceptable use of blogs, personal web pages, email, IMs, listservs, and camera phones.
First, the company’s level of tolerance for various types of communications should be clear and communicated at the outset of employment. If communications about the company that occur both on and off the job — and with or without use of the company’s resources — are prohibited, policy should make that clear. Restrictions on misrepresenting opinions and positions on behalf of the company should also be clear. Some states, currently including Minnesota, have statutes prohibiting termination for certain lawful activities outside of work, but at least in Minnesota, the statute is limited and does not apply to blogging or other electronic communications.19
Second, to avoid possible invasion-of-privacy claims or claims that state or federal laws prohibit monitoring employee electronic communications, policies should expressly give employers consent to monitor emails and related electronic communications. Absent clear notice, employees may think of email and IMs as private and, in event of monitoring by the employer, may have grounds for an invasion-of-privacy claim. It is important to clearly indicate in policy manuals that all technology and content of the work technology belongs to the employer and, therefore, personnel should have no reasonable expectation of privacy for information stored or transmitted by means of work equipment.
Third, employees should be aware of the employer’s zero-tolerance stance on inappropriate communications, including prohibitions on protected-class-based harassment, discrimination, and defamatory communications, as well as employee disclosure of confidential employer or customer information and trade secrets. The potential risks of not doing so include possible claims from employees, vendors and clients and loss of confidential information, trade secrets, and privileged information.
Fourth, implementing effective security procedures and consistently enforcing policies will strengthen the company’s lawful control over employee activities. All employees should be aware of the employer’s expectations and of the specific consequences, including discipline and discharge, associated with violation of workplace e-communication policies.
In summary, an appropriate technology-use policy addressing all media (email, camera phones, blogs, instant messaging, etc.) essentially should provide that:
Technology tools are provided for business purposes only;
There is no right to privacy while communicating at work or on work equipment;
Communications and activities may be monitored;
Certain types of communications are prohibited, including those that involve:*Disclosure of trade secrets and confidential information, whether of the employer, vendors, customers, or other third parties;* Harassing, demeaning, obscene or offensive communications;* Defamatory or disparaging communications, or those that threaten to harm the reputation or good will of the company, its employees, or others;* Communications that invade others’ privacy;* Unauthorized downloading, uploading, or use of copyrighted materials;* Unauthorized use of company logos, trademarks;* Misrepresentation of company positions, endorsements etc; and* Communications that violate company codes of conduct or other polices.
Any violation is grounds for discipline.
As to blogging specifically, employers should consider including policies that:
Make clear that if an employee discusses his or her workplace, confidentiality is to be preserved. As one employer said, “It’s one thing to blog about your workday, another thing to give away the recipe to the secret sauces.”
Require a disclaimer of any endorsement by the company;
Require that the author identifies self;
Prohibit blogging on company time;
Include a general blog-at-your-own-risk prohibition.
Employer blog policies need to be even tighter when company blogs are at issue; clear monitoring of employee input is necessary since this type of blog speaks for the company.
Finally, in addition to having a written policy, companies should also take care to provide clear communication, education, and implementation of company rules. Training, FAQ sheets, reviews of security procedures, filters and blocks on certain internet communications, regular equipment audits, reviews of retention policies, monitoring of employee activity, and implementation of exit procedures all play an important role. Companies should be aware that reporting certain criminal activities to law enforcement may be appropriate in some circumstances.
Monitoring employee communications related to rapidly evolving forms of electronic communication can help employers to regain control over potentially damaging activities performed at work.However, the best course of action for counsel is to help clients develop clear, concise policies that communicate what is and is not acceptable behavior, preferably before the internet-surfing client is unpleasantly surprised by the Blogzilla. As the blogosphere expands, with its capacity to disseminate information, both factual and inaccurate, quickly and broadly, employers are faced with a myriad of challenging workplace scenarios. It is essential that clients and counsel understand the fine line between employee rights and employer limitations, and become educated on how the courts are responding to e-communication matters. Whether careless or intentional, employee actions can result in the loss of confidential information and damage to reputations and relationships. Clear policies governing internet use and blogging will assist your clients in “doocing the Blogzilla” while also minimizing any potential legal repercussions.
Glossary of Terms
blogzilla n: a legal term of art for an individual who wreaks havoc through the use of a blog or other electronic communications. Example: The company had no choice but to dooce the blogzilla.
cybersmear vb: to use the internet or other electronic communication to express an adverse opinion about a person or company, most commonly though damaging or defamatory statements or through disclosure of trade secret information. Example: Steve cybersmeared the company by posting internet messages insinuating it was on the verge of financial collapse.
cyberstalk vb: to pursue, harass, or threaten an individual via the internet or other electronic communication, often by sending numerous unsolicited emails, engaging in repeated and unwelcome instant messaging, or posting derogatory statements about the individual being stalked. Example: Clara accused Jim of cyberstalking after he sent her hundreds of menacing emails.
dooce vb: to be fired or lose one’s job as a result of statements or other content posted on one’s blog. Example: Meg was dooced for badmouthing coworkers on her blog.
hack vb: to illegally access a computer system. Example:An unknown perpetrator hacked into the hospital’s medical records.
spoof vb: 1: to hide one’s identity while engaging in activity on the internet by masquerading as a legitimate website or a legitimate user 2: to gain unauthorized access to a computer by sending a message which indicates the message is from a trusted host 3: to reproduce a legitimate website on a different server with the intent of misleading users. Example: David obtained hundreds of passwords by spoofing the company’s website.
3 Doe v. XYC Corp., 887 A.2d 1156 (N.J. Super. Ct. App. Div. 2005).
4 Delfino v. Agilent Techs, Inc., 52 Cal. Rptr. 3d 376 (Cal. App. 2006).
5 Apple Computer, Inc. v. Doe 1, No. 1-04-CV-032178, 2005 WL 578641 (Cal. Superior, 03/11/05).
6 O’Grady v. Superior Court of Santa Clara County, 44 Cal. Rptr. 72 (Cal. App. 2006).
8 Christine Souhrada, “Securities Fraud, Market Manipulation, and the Internet,” 2002 UCLA J.L. & Tech. 28 (2002).
10 See e.g. 45 C.F.R. §§164.308, 164.530 (2006).
11 Latest Information on Veterans Affairs Data Security, http://www.usa/gov/vereransinfo.shtml
12 Jeanne Sahadi, “Doing Right by 26.5 Million Vets,” CNNMoney.com, 05/26/06, http://money.cnn.com/2006/
14 Ford Motor Co. v. Robert Lane d/b/a Warner Publ’ns, 67 F.Supp. 2d 745 (E.D. Mich. 1999).
15 See e.g. 18 U.S.C. §1514A; 29 C.F.R. §1980 (2006); 42 U.S.C. §2000e-3(a); Minn. Stat. §363A.15 (2006).
16 29 U.S.C. §157.
17 18 U.S.C. §2510 et seq.; Minn. Stat. §626A et seq.
18 MSNBC.com, “Charges Dropped against Ex-HP Chairwoman,” 03/17/07, http://www.msnbc.msn.com/id/17611695/
19 See Minn. Stat. §181.983 (2006); N.D. Cent. Code §14-02.4-01 (2004); Cal. Lab. Code §§96(k) (West 2003 and Supp. 2007); 98.6; Colo. Rev. Stat. Ann. §24-34-402.5 (West 2001).
NEAL BUETHE is a shareholder in the labor and employment law section at Briggs and Morgan, Professional Association. He represents clients in employee privacy, discrimination and harassment suits, and provides employment law counseling.
SALLY SCOGGIN is a shareholder in the labor and employment law section at Briggs and Morgan, Professional Association. She handles employment and health care litigation and counseling matters, including those involving discrimination, noncompetes, privacy, and workplace policies.