Pietrylo case a cautionary Web 2.0 communications compliance failure


Andrew M. Baer, Contributor
07.27.2009


Social networking communications among employees require a new look at corporate Internet use policies, according to lawyer Andrew Baer. In part 2 of this series, Baer discusses an actual case that illustrates what to do and what not to do in setting policy.

As a cautionary Web 2.0 communications tale, let's take a look at Pietrylo v. Hillstone Restaurant Group. On June 16, a federal jury in New Jersey rendered a verdict for compensatory and punitive damages against the operator of the Houston's restaurant chain, which it found had maliciously and without authorization invaded a password-protected, invitation-only employee gripe group on MySpace.

Pietrylo, a server, created the group (in his own eloquent words) to "vent about any BS we deal with at work without any outside eyes spying in on us. This group is entirely private, and can only be joined by invitation. … Let the s--t talking begin." Pietrylo invited other Houston's employees to join the group, and soon the forum abounded with droll and insightful content referring to managers and others as "stupid corporate f--ks" and "d--k suckers," lampooning the standards for customer service and surveying users on such burning questions as, "If you had to drop acid with one person in Houston's, who would it be?"

An advance copy of a new wine test to be given to employees was also posted. While the content of Pietrylo's and others' posts cheerfully made mincemeat of Houston's core values of professionalism, positive mental attitude, etc., Pietrylo and his co-offenders created and maintained the discussion group on their own time and without using Houston's computers or Internet access.

This good, clean fun came to an abrupt end after a greeter at the restaurant lightheartedly showed the discussion group page to a restaurant manager at a dinner party, only to be asked the following week to provide her password to another manager, who accessed the site. Houston's regional supervisor of operations also obtained the password and accessed the site, and soon senior managers were viewing the derogatory and racy content.

Pietrylo and a fellow server were fired. The two employees then sued the restaurant chain operator for wrongful termination, invasion of privacy and violations of the federal and parallel state wiretapping and stored communications statutes, among other things.

The wiretapping claims were dismissed before trial, and, notably, the jury rejected the plaintiffs' invasion of privacy claim. However, the jury essentially concluded that the greeter's hand-over of the group password to Houston's management was coerced and involuntary (even though she had not been threatened with disciplinary action if she refused), and that by using it to view site content they intentionally accessed stored communications without authorization or in excess of authorization, in violation of the federal Stored Wire and Electronic Communications Act and the corresponding provision of the state statute. Finding such behavior malicious, the jury awarded Pietrylo and his fellow plaintiff $17,000 in back pay and punitive damages. (Hillstone Group will also have to pay the plaintiffs' attorneys' fees, which will likely be considerable.)

Case study in failed compliance

Although some legal commentators are hailing the case as a landmark victory for employee privacy rights, actually it is better viewed as a case study in failed compliance. The case does not create or recognize any new privacy rights; in fact, the jury specifically decided that Pietrylo had no reasonable expectation of privacy in the Web 2.0 communications. Nor does the case somehow stand for the proposition that employees cannot be fired for posting Internet communications critical of their employer as long as they do it on their own time. Let's examine how, with a well-drafted and administered Internet posting policy, Houston's could have won the case against its loquacious servers.

To begin with, there is no indication that Houston's ever provided to its employees and required them to sign an Internet use policy. While bartenders, servers and greeters may not be users of corporate IT resources, the restaurant managers clearly were, so a global policy should have been distributed to and acknowledged by all employees at the beginning of their employment. This policy should have explicitly stated that employees have no expectation of privacy in content they post on the Internet (regardless of whether or not a site is labeled or set up as "private") and that the company reserved the right to monitor all Internet postings.

Moreover, given management's professed concern over the possible impact of offensive MySpace postings on operations, the policy should also have prohibited any disparagement of the company or its personnel or customers in employee Internet postings. (Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems. The point here is simply that if Houston's wanted to prohibit such criticism, it should have told this to its employees, up front and in writing.)

Houston's ham-fisted investigation of Pietrylo's MySpace group also should make corporate counsel and compliance experts cringe. The jury's verdict hinged on its finding that restaurant management had obtained the password through implied coercion. Instead of accessing the discussion group directly, management could have asked a member to print out screenshots. Additionally, whether a password or printouts were delivered, the circumstances of the hand-over should have been better documented so as to dispel the air of menace that came across to the jury.

Thinking about compliance: Be systematic and communicate clearly

Enterprises ignore the risks of Web 2.0 tools -- and clumsy management of employee Web 2.0 communications -- at their peril. Since employees' Web 2.0 usage, both at work and at home, is already widespread and will only increase as the available platforms and applications continue to multiply, enterprises must think systematically in terms of creating, coordinating, documenting and administering a compliance strategy.

Understanding the risks as they apply to each enterprise is key, but to properly manage them, the enterprise must find the right balance between mitigation and respect for employee creativity and expression, while taking into account the many beneficial uses of Web 2.0 tools for marketing and public relations. Finally, whatever strategy is formulated, it must be clearly and universally communicated within the enterprise, so the compliance process itself does not become a new source of risk.

Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at andrew@baerbizlaw.com.


All Rights Reserved, Copyright 2009, TechTarget