Court ruling a warning to companies on workers' Facebook privacy

A recent federal court ruling is a warning to companies that workers' non-public Facebook postings are private and uninvited employers have no right to read them.

The ruling, handed down last month, stemmed from a lawsuit filed by a paramedic against Monmouth-Ocean Hospital Service Corp. (MONOC) in New Jersey. Deborah Ehling was disciplined after posting on her Facebook wall a comment criticizing Washington, D.C., paramedics' handling of a deadly shooting at the U.S. Holocaust Memorial Museum.Ã'Â

The U.S. District Court decision is significant because it is one of very few rulings addressing whether Facebook postings meant only for users' "friends" are protected under the federal Stored Communications Act. Passed in 1986, the act extends protection to electronic communications that are configured to be private.

"The message that we're getting here is that the courts will take very seriously the privacy interests of someone who is using social media and designates it as private communications," Robert Quackenboss, a partner in the labor employment group of the law firm Hunton & Williams, said on Thursday.

While the ruling only applies to the parties in the case, the decision is expected to be influential because so few courts have addressed the issue of how privacy protections apply to social media. Because the district court was on relatively virgin ground, it was particularly thoughtful in addressing the legal issues.

"The first federal court to do so with sound reasoning ends up being very persuasive to other courts that take up the matter subsequently," Quackenboss said.

MONOC suspended Ehling for a post that followed the June 2009 shooting, in which white supremacist James W. von Brunn, 88, opened fire in the Holocaust museum, killing a guard and sending visitors, including children, diving for cover. Other guards returned fire, wounding von Brunn in the head.

Ehling's post, which was not explained in the court's decision, read, in part, "I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards....go to target practice."

In suspending Ehling, who was president of the Professional Emergency Medical Services Association union at the time, MONOC officials said the posting was a "deliberate disregard for patient safety."

[Also see: Storify shows how Facebook privacy more illusion than fact]

Ehling had configured Facebook to show her postings only to roughly 300 "friends," which included co-workers, but not management. Unbeknownst to Ehling, Tim Ronco, another paramedic who was on her friends list, was taking screenshots of her postings and sending them to MONOC manager Andrew Caruso, who then sent them to Stacy Quagliana, executive director of administration at MONOC, according to the court ruling.

Caruso, who was friends with Ronco, but not his boss, never asked to be informed of Ehling's Facebook activity and never asked for the screenshots. "In fact, Caruso was surprised that Ronco showed him plaintiff's Facebook posts," federal Judge William J. Martini said in his ruling.

Nevertheless, the court found that the postings were private and protected by the Stored Communications Act, because Ehling had configured her Facebook settings, so only her "friends" could see writings.

Ultimately, the court ruled in favor of MONOC based on an exception in the Stored Communications Act, which is part of the federal Electronics Communications Privacy Act. Because Ronco was authorized to see the postings, he could share them with other people, including Ehling's employer.

"The court said there's no liability because she authorized the spy to see [the posts," said David Straite, a digital privacy lawyer for the law firm Kaplan Fox & Kilsheimer. "And that's important. This spy had no obligation to keep her private thoughts private."

Had MONOC management coerced Ronco into providing the screenshots or had asked for them, then the company would have been guilty of violating Ehling's privacy. Under the SCA, the company would then be liable for punitive damages and lawyer fees.

"Sometimes, frankly, that's all you need to attract plaintiff lawyers to a claim," Quackenboss said.

The court did not address the issue of whether a company would violate an employee's privacy, if the employer had hired someone to spy on workers' Facebook postings.

However, the ruling is an indicator that the federal courts would see that as a conscious attempt to underhandedly bypass people's privacy settings of social media. "It's just a step short of coercion," Quackenboss said.

Read more about social networking security in CSOonline's Social Networking Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssecurityData Protection | Social Networking Securitysoftwaresocial networking privacydata protectionprivacyFacebookworkplace privacy

More about Andrew Corporation (Australia)FacebookKaplan

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place