The IP Law Blog Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Shoulder Surfing: Can Employers Access Your Facebook Account

Posted in Cyberspace Law

By: Jeff Pietsch and Michael Robinson

It is Monday morning and you are recovering from a bachelor party in Sin City. Thankfully, your privacy settings on Facebook allow you to share pictures of your shenanigans in Vegas with only your friends. But what happens when your boss asks a friend and coworker to show him your embarrassing and private photos? Should a status update intended for a select few be protected from the prying eyes of your employer?

At an age when over 900 million people use Facebook, it is no surprise employers increasingly use social media in evaluating current and prospective employees. For example, last week the Federal Trade Commission (FTC) approved a process allowing a background check company to screen job applicants’ Internet photos and postings. The FTC determined that such actions were in compliance with the Fair Credit Reporting Act. This means a search of what you have said or posted to Facebook, Twitter, Flickr, blogs, and the Internet may become a standard part of background checks when you apply for a job.  

Despite the rapid expansion of social media, the law is relatively unclear as to privacy in this digital space with respect to employers’ use of such information.  A recent suit by a New Jersey nurse may shed some light on this area of the law.  In this case, the plaintiff, a registered nurse and paramedic for Monmouth Ocean Hospital Service Corp. (Monmouth), claimed that Monmouth engaged in a pattern of retaliatory conduct against her based on her activities and statements on Facebook.

In 2009, a hospital supervisor gained access to plaintiff’s Facebook account by coercing a fellow coworker, who was plaintiff’s Facebook friend, to access plaintiff’s Facebook page in the employer’s presence. The practice of an employer attempting to gain access to inaccessible private information via another individual’s access is known as “shoulder surfing.”  The employer viewed and copied several of plaintiff’s postings. One such posting was in response to an incident where a white supremacist opened fire at the Holocaust Museum in Washington, D.C.  The plaintiff commented on Facebook ridiculing the DC paramedic’s response to the shooting.  As a result, Monmouth sent letters to the New Jersey Board of Nursing claiming plaintiff showed a blatant disregard for patient safety and argued that plaintiff should lose her nursing license. In response to these claims, plaintiff brought a variety of claims against Monmouth including a violation of New Jersey’s wiretapping statute, a Stored Communications Act (SCA) violation and an invasion of privacy.

The first claim against Monmouth was brought under New Jersey’s wiretapping statute.  This statute has been construed to cover only messages that are in the course of transmission or a backup to that transmission. According to the court, the statute does not cover communications that have been received and are in post-transmission storage such as a Facebook post. As result, the wiretapping claim was not able to survive a motion to dismiss on this particular claim.

The second claim brought by Monmouth was based on the SCA which provides a civil right of action for any damages incurred through the intentional access of electronic communication without authorization. Facebook posts may fall under the SCA depending on an individual’s privacy settings. A couple of cases have allowed SCA claims where an employer gains access to privacy protected employee pages. However, those cases are somewhat distinguishable on the basis that the employers obtained the credentials themselves and repeatedly accessed the sites or pages in question.

The final claim brought was based on an invasion of privacy.  Under New Jersey law, to succeed on this type of claim, the plaintiff must show that: (1) Monmouth intruded on her solitude, seclusion or private affairs and (2) the intrusion would be highly offensive to a reasonable person.  On one end of the spectrum, plaintiff should have no expectation of privacy for material posted to an unprotected site that is accessible by anyone. On the other end of the spectrum, courts have recognized an expectation of privacy for password-protected on-line communications. There is merit to the view that disclosure to a small group shouldn’t undermine privacy rights in personal communications. The court recognized in Moreno v. Hanford Sentinel, the claim of a right of privacy is not "so much one of total secrecy as it is of the right to define one’s circle of intimacy." Moreno involved a MySpace post which was made generally available on the internet, which distinguishes it from the post in this case which was ostensibly limited to plaintiff’s Facebook friends.

Whether this case will be a cautionary note to employers practicing “shoulder surfing” or a wake up call to employees that the digital realm of Facebook can permeate into the real world remains unknown. However, it is clear this case reaffirms the prudence every one of us should use in our internet activities.