What You Need to Know about Monitoring Employees’ Off-Duty Social

Networking Activity
Almost a third of all CEOs are on Facebook and three fourths of all companies use social networks like
Facebook and Twitter. But what are the legal risks when employees go off the reservation with
questionable activities blurring the line between personal use and business?

May 3, 2010
By Paul E. Starkman

To say that social networking, social media and Web 2.0 has grown exponentially is putting it mildly.
Facebook alone has 400,000,000 members, which would make it the third largest country in the world,
and Twitter reportedly had 180 million unique visitors in March 2010. Not surprisingly, employers have
taken an increased interest in what their employees are saying about them on the thousands of blogs,
Twitter and other “micro-blogs,” video and picture sharing sites like YouTube and Flickr, as well as the
hundreds of social networking websites like Facebook, MySpace and LinkedIn. Employees’ off-duty social
networking can severely injure a business reputation and brand and result in employer liability for cyber-
slander, on-line harassment, and the theft of crucial data. However, as this article will discuss, attempting
to monitor employees’ off-duty social networking without a coordinated and comprehensive strategy led
by senior management can cause serious business and legal risks too.

A 360 degree approach to social networking must take into account that businesses themselves are
increasingly using social media for marketing and communication purposes, even though this also poses
legal issues for employers. Moreover, efforts by executives to grapple with employees’ off-duty social
networking have been complicated by the advent of smart phones (iPhones and Blackberrys) and other
technological advances that provide easy access to the Internet, which in turn has blurred the lines
between personal and work-related social networking. In sum, company executives who want to monitor
the off-duty social networking activity of their employees must understand the legal risks, utilize best
practices and take into account their over arching social media strategies in order to develop
comprehensive and legally defensible strategies to address this cultural phenomenon.

The Reasons for Monitoring Employee Off-Duty Social Networking.

A 2009 Deloitte Social Networking Survey found that 74 percent of managers believe employees’
personal postings on social networking sites can put their firms and brands at risk and 60% of those
managers believe they have the right to know what their employees are saying about the company on
personal social networking Web pages. There are many reasons why employers have become so
concerned about employees off-duty social networking.

For one thing, employee off-duty social networking can severely damage a company’s reputation. An
egregious example occurred on April 13, 2009 when two Domino’s Pizza employees filmed themselves
doing disgusting things with cheese and other ingredients on a delivery order and then posted the video
on YouTube. Within two days, the video was viewed by more than a million disgusted viewers and
received over 300,000 comments. Over the following week, Domino’s share value plummeted. To deal
with this media tsunami, on April 15, Domino’s posted its own YouTube video of its president (which
received over 650,000 views and almost 7,000 comments) and set up an official Domino’s Twitter
account.

Another example occurred in April 2009, when the Chief of the U.S. Capitol Police had to initiate a public
investigation after the Washington Post reported that members of the police force had established a 1,750
member Facebook group called the “Make It Rain Foundation for Underprivileged Hoes” (referring to
tossing money at strippers). The group’s Facebook page showed one officer in uniform and another in a
Capitol Police T-shirt. It linked to another Facebook group called “Passed Out In Trashcans.”

The incidents involving Domino’s and U.S. Capital Police show why off-duty social networking is an issue
for top management. If they do not deal with it beforehand, they may find themselves trying to stop the
bleeding after a social media scandal has erupted.

Monitoring Employee Social Networking to Protect Confidential Data.

Employees’ social networking can also result in the disclosure of confidential information. In February
2010, highly confidential personal contact details about thousands of Royal Dutch Shell Company
employees located in dangerous parts of the world, which the company claimed compromised their
personal safety, was leaked by an employee to a blogger critical of the company. In 2008, the Mayor of
Battlecreek, Michigan inadvertently included a link to confidential personal files of city employees in a
“tweet” on his personal Twitter account.

The threat of data leakage is one reason why more employers are monitoring employees’ off-duty social
networking. However, employees’ off-duty social networking has also led to potential employer liability for
electronic harassment of co-workers, cyber-defamation, and other improper employee Internet activities.

Employers could also be liable for employee off-duty social networking under the Federal Trade
Commission’s new “Endorsement” Guidelines that became effective on December 1, 2009, if employees
make unauthorized endorsements, testimonials and similar positive statements on their blogs and social
media sites about the company’s products and services, particularly when the employees fail to disclose
who they work for.

Employee off-duty social networking can also lead to a SEC violation if an employee violates the “quiet
period” before an initial public offering by blogging about it. Similarly, if an employee blogs or posts about
a product, invention or other development more than a year before a patent application, the company can
lose significant patent rights.

Even anonymous off-duty blogging by corporate officials using pseudonyms can cause big problems for
their employers. The CEO of Whole Foods, John Mackey, frequently posted anonymous comments on
Yahoo! Financial message boards using a pseudonym in which he disparaged a smaller competitor Wild
Oats and its management. However, when Whole Foods began efforts to acquire Wild Oats, the CEO’s
anonymous postings came to light and were cited in a lawsuit filed by the Federal Trade Commission in
2007 to stop the acquisition as being anticompetitive. The SEC also launched an investigation into
whether the CEO’s anonymous blog postings were an attempt to defraud the market. Eventually, the
government actions were dropped, but only after Whole Foods incurred a substantial amount of attorney’s
fees and a substantial amount adverse publicity from the CEO’s anonymous off-duty blogging.

Monitoring During the Hiring Process Also Poses Risks.

In addition to the above reasons for monitoring personal internet activities, a growing number of
employers peruse the Facebook profiles and other social networking activities of job applicants during the
pre-hire screening process in an effort to obtain an unvarnished look at the candidates. A recent Microsoft
survey noted that 70 percent of the employers surveyed found evidence of poor judgment, immaturity and
other undesirable behavior (drinking and drug use, carping about prior bosses, etc.) on candidate’s social
networking sites that caused them to reject those candidates.

One example of this occurred in March 2009 when a person offered a job at Cisco tweeted: “Cisco just
offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San
Jose and hating the work.” A Cisco associate found the Tweet and reported it to the hiring manager who
rescinded the job offer.
However, there are potential risks in monitoring job applicants’ personal social networking. For one thing,
employers can’t believe everything they read on the Internet. In J.S. v. Blue Mountain School District, a
2010 decision by the Third Circuit, a student posted a fake profile of a school principal on Facebook with
false quotes in the profile suggesting he was a sex addict and a pedophile.

Moreover, even viewing accurate information on an applicant’s Facebook page may be problematic since
the Americans with Disabilities Act (ADA) and the newly enacted Genetic Information Non-Discrimination
Act (GINA) preclude employers from gathering and using information about an applicant’s present
disability, history of health problems, and family medical history. Thus, if an employer finds information
about an applicant’s struggles with cancer on his or her Facebook profile, it may taint the hiring process
and expose the employer to discrimination claims. Even if an employer tries to insulate its hiring decision-
makers by using a third party vendor to do this kind of background checking, the employer may have to
comply with the notice and disclosure requirements of the federal Fair Credit Reporting Act, which despite
its name encompasses a third party’s review of applicants’ Facebook pages in connection with the
employer’s hiring decisions.

Accessing Secure Sites Can Be Especially Problematic.

Employers’ attempts to access employee’ password-protected websites pose special legal risks that
include invasion of privacy claims and violating federal laws such as the Stored Communications Act.

In Konop v. Hawaiian Airlines, a 2002 decision by the Ninth Circuit, a dissident employee-pilot (Konop)
established on his own time a password-protected, invitation-only website that required members to log-in
with a user name and password he provided. On his website, Konop advocated for a dissident union and
complained about the company. A Hawaiian Airlines Vice President surreptitiously accessed the pilot’s
website using passwords obtained from other pilots and then terminated Konop. Ultimately, Hawaiian
Airlines was held liable for the Vice President’s actions because he violated the Stored Communications
Act by using the passwords of pilots who had never visited the site and were not “authorized users” who
could lawfully give consent.

Similarly, in Pietrylo v. Hillstone Restaurant Group in September 2009, a federal district court in New
Jersey affirmed an award of compensatory and punitive damages where a pair of restaurant managers
violated the Stored Communications Act by improperly accessing an employee’s private password-
protected, invitation-only MySpace chat room that was created during non-work hours so employees
could talk about the “crap/drama/and gossip” at the restaurant. The managers used a password obtained
from another employee who was a chat room member. However, because she testified that she “would
have gotten in trouble” if she had not let the managers use her password, the court held her consent may
have been coerced. As a result, the restaurant chain was held liable for compensatory and punitive
damages because its managers inadvertently violated the Stored Communications Act.

Konop and Pietrylo illustrates why the monitoring of off-duty social networking cannot be left to middle
managers. Rather, senior executives must take a leadership role in deciding when, how and who should
monitor employees’ off-duty social networking in order to ensure conformity with the company’s
overarching social media policy and the law.

Monitoring Off-Duty Social Networking Must Be Integrated with At-Work Internet Policies.

In addition, no strategy on employee social networking could be considered complete or comprehensive

without also addressing employee Internet activity during work hours and using company equipment and
systems. A Deloitte 2009 Social Networking Survey finding that 55 percent of employees admitted to
visiting social networking sites during work hours (and those were just the ones who admitted it). Not
surprisingly, over 70 percent of employers now monitor employee at-work Internet use and many have
established electronic communications policies that either prohibit on-the-job social networking or attempt
to eliminate any expectation of privacy by employees in social networking involving any company-owned
equipment or internet service. However, even monitoring on-duty social networking can cause problems
for employers.
In City of Ontario v. Quon, the first social networking case to reach the U.S. Supreme Court, the City of
Ontario’s police department provided officers with memory-less pagers that allowed texting but did not
preserve images of the texts on the City’s equipment. The police department had a technology policy that
did not mention the pagers or texting, but prohibited the personal use of its computer and email systems.
Moreover, there was evidence that a supervisor told officers that their texts would not be monitored if they
paid overage fees. The question before the U.S. Supreme Court is whether a police sergeant (Quon) had
a reasonable expectation of privacy in sexually explicitly texts (i.e., “sexts”) sent to his wife and mistress
on the City-owned pagers using the third-party internet service paid for by the City. Another question that
the Supreme Court may address is whether the City violated the federal Stored Communications Act
when it obtained transcripts of the texts from its third party service provider without the consent of an
“authorized user” like Quon. Whatever the Supreme Court decides in Quon, employers need to look at
their own social media policies and to make sure they cover all technologies and may not be undermined
by mid-level managers.

However, the New Jersey Supreme Court’s 2010 decision in Stengart v. Loving Care Agency indicates
that some courts will disregard even broadly worded policies and prohibit employers from monitoring
privileged communications between employees and their personal attorneys sent on company computers
as long as they used personal password-protected email systems and other measures to protect the
confidentiality of the attorney-client communications.

Future Issues.

The advent of iPhones, BlackBerrys, iPads and other computer devices now provide employees with
remote access to organizations’ data systems and the Internet from virtually anywhere in the world has
greatly increased the complexity of monitoring employees’ off-duty social media activity. These devices
may use equipment and internet services that are owned by the company, by the employee, or by a third
party provider. Moreover, “Cloud computing” (where a company’s data is no longer maintained on its own
computers and servers, but rather is stored on “the Cloud” in hardware and software owned by third party
vendors) and “collaborative” computing (in which employees from various entities contribute to the
development of shared software and other content -- think Wikopedia and other Wikis) has further
clouded (pun intended) the issues for executives about who owns what data and how to monitor such
activities.

Adding to the confusion is the widespread adoption by many businesses of social networking as a
communication tool. A Cisco Study on Business Use of Social Networking released in 2010 found that 31
percent of America’s CEOs are already on Facebook and that 75 percent of organizations use social
networks (such as Facebook) as their primary consumer-based social media tool, while a significant
percentage of them also use blogs and micro-blogs, such as Twitter, to communicate with customers.
These technological advances and changes in business strategies will continue to blur the lines between
work-related and personal internet activities, which in turn will only make it more difficult for executives to
develop comprehensive social media strategies.

Moreover, as it continues to develop with cases like Quon and Stengart, there is a need for on-going
review of a company’s social networking policies. There is also a need to establish monitoring protocols.
Most importantly, they show the need for senior leadership to address the many legal and business
issues that arise when employers attempt to monitor their employees’ social networking activities.

Paul E. Starkman (pestarkman@arnstein.com or 312.876.7890) is chair of the Labor & Employment

practice at the Chicago law firm Arnstein & Lehr LLP. He counsels public and private employers on a
broad range of employment-related matters, including issues related to social networking media.