Privacy Claim for Employer’s Shoulder Surfing of Employee’s Facebook Page

When can an employer ask an employee to show the employer a coworker’s Facebook page? My friends, that question is getting more difficult to answer. State legislators across the country are attempting to pass laws that would prohibit this and similar conduct under most circumstances. Delaware’s proposed “Workplace Privacy” law would prohibit it in every instance–even if the employer has a legitimate business-related need to investigate misconduct, for example. A recent decision from the District of New Jersey makes one thing clear: nothing is clear when we’re talking about privacy interests and Facebook.

The Facts

The plaintiff, Deborah Ehling, was hired by the hospital in 2004 as a registered nurse and paramedic. In July 2008, Ehling took over as Acting President of the local union for paramedics. In this role, she was “very proactive” in her efforts on behalf of union members and filed numerous complaints and charges against the hospital. Ehling alleged that, when she became President of the Union, the hospital engaged in retaliatory conduct against her, ending in her termination in July 2011.

Ehling was Facebook friends with many of her coworkers but not with any members of hospital management. Her profile was private and could be viewed only by her friends.

Ehling alleged that the hospital gained access to her Facebook profile when a supervisors “coerced, strong-armed, and/or threatened” one of Ehling’s coworkers into accessing his Facebook account in the presence of a supervisor. The supervisor then viewed and copied Plaintiff’s Facebook posts. The hospital later sent a copy of one of Ehling’s Facebook posts to the State Department of Health, stating that it was concerned that it showed a disregard for patient safety. Plaintiff alleged that the letter was a “malicious’ attempt to attack Plaintiff’s reputation, her job, and her nursing license and paramedic certification.

The Claims

The hospital moved to dismiss 2 of the 9 counts in Ehling’s Amended Complaint: (a) a state-law statutory claim under the New Jersey Wiretapping and Electronic Surveillance Control Act; and (2) a state-law tort claim for invasion of privacy.

The court dismissed the Wiretapping count because the supervisor did not access the Facebook posts “in the course of transmission,” which is a required element. The court concluded that, like the federal Wiretapping statute, the New Jersey Act does not apply to electronic communications once they are received. The court held that the Amended Complaint alleged that the posting was “live on the Facebook website for all of Plaintiff’s Facebook friends to access and view.” Thus, the post was no longer in transmission when the defendant allegedly accessed it.

The court did not dismiss the privacy claim. The hospital moved to dismiss this count on the ground that Plaintiff did not have a reasonable expectation of privacy in her Facebook post. The court rule that “[p]rivacy in social networking is an emerging, but underdeveloped, area of case law.” The court noted that there are cases on both ends of the “privacy spectrum”–some courts have found that there is absolutely no expectation of privacy once information has been posted online; whereas other courts have found a reasonable expectation of privacy exists for individual, password-protected online communications.

Because the law “has not yet developed a coherent approach to communications falling between these two extremes,” the court declined to dismiss the claim, finding that Plaintiff had stated a plausible claim for invasion of privacy “especially given the open-ended nature of the case law.” In other words, the Court punted on the question of whether the plaintiff had a reasonable expectation of privacy in her Facebook posts.

The Take-Away for Employers

On Eric Godman’s Technology & Marketing Law Blog, Venkat Balasubramani, who alerted to me to this case via Twitter message (Thanks again, Venkat!) wrote an insightful post about several of the legal issues in the case. He also uses a term I heard only recently–“shoulder surfing”–which refers to a person who stands behind an internet user and watches the user’s browsing activity. What I take away from the case is more back-to-basics than Venkat’s more sophisticated approach.

In short, assuming everything alleged in the Amended Complaint are true, the key employer take-away is this:

Don’t look for trouble or you just may find it.

If the supervisor did not have a reason to look at the employee’s Facebook page–i.e., to go snooping around without reasonable suspicion of some conduct that would have harmed the hospital or prevented Ehling form performing her job duties is a bad idea. It makes you seem like you’re prosecuting the employee, being malicious, and/or, as was alleged here, engaging in retaliation.

Ehling v. Monmouth-Ocean Hosp. Serv. Corp., No. 2:11-cv-03305-WJM (D.N.J. May 30, 2012).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s