Expectation of Privacy and the Social Media Policy

According to the Fourth Amendment of the United States Constitution, citizens have the right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. Therefore, the obvious question that arises with social media is, does the Fourth Amendment provide employees using social media in the workplace with an expectation of privacy? This question is at the center of many legal battles that have recently filled court dockets across the Country – and early reports from the field indicate that social media users should not be expect Fourth Amendment protection.

Social media by name and design is a “social” media. It is not called “private media” for a very specific reason – there is nothing private about it. Regardless of privacy settings and other controls, increasingly courts around the Country are sending the following message to American workers: “employees using social media should not be under the false impression of a right and expectation of privacy in the workplace.” These court cases are concluding that social media in the workplace is not protected by the Fourth Amendment and as such, information contained within social media platforms may be subject to discovery during the legal process as well as part of other procedures such as audits, background checks and similar activities that benefit from the use of information contained on social networks.

The Fourth Amendment provides a “reasonable” expectation of privacy. However, the standard upon which reasonableness is judged depends upon the current standards of society. In today’s open and social media-enabled society, we live our lives more openly and transparently than ever before, sharing everything from our choice of breakfast cereal in the morning to photos of our children to our location in real-time. For the most part, there are fewer and fewer secrets being kept as more and more of us become increasingly comfortable giving up more of our information than ever before. While the evidence does not suggest that every life should be an open book, judicial decisions appear to take a practical approach when it comes to information contained on social media platforms. In other words, employees are not going to be allowed to act to the detriment of an organization and then hide behind a form of social media immunity.

From the organization’s point of view, the assumption of the lack of privacy plays a key role in managing employees’ use of social media within the workplace. Based upon the current direction of case law, it is in every organization’s best interest to disclose the organization’s right to inspect social media-based records to the extent such records originated through the use of the organizational assets, including computers, network infrastructure and company-controlled/owned social media accounts. The social media policy should be clear about its right to monitor social media interactions in real-time (network monitoring), in stored files (caches, temporary files, etc), while on “company time” and using the organization’s equipment. Such a policy statement will assist the organization in defeating opposition to demands for information during the legal process and will provide protection against claims of invasion of privacy. Once the formal written policy is in place, the organization must ensure that employees are informed of the policy and comply with its requirements. Deviation from the written policy may result in questioning whether or not the employee had an expectation of privacy due to “practices” that are inconsistent with the written policy.

In City of Ontario v. Quon, a California police officer had his case ultimately reach the United States Supreme Court when the police officer was verbally told by a supervisor that he indeed did have an expectation of privacy when using for personal use a department-issued digital device – a statement that contradicted the written policy. While a lower court supported Officer Quon’s assertion that his personal electronic messages were protected based upon the verbal assurance, the U.S. Supreme Court eventually determined that the officer did not have an expectation of privacy on the basis that 1) a formal written policy existed, 2) the device used was provided by the police department and as such, the police department had certain rights to monitor appropriate usage of its assets, and, 3) there was no less invasive practical manner of monitoring general activity on the device.

In Romano v. Steelcase, Inc., a New York trial concluded that an employee had no reasonable expectation of privacy regarding information posted on social networks – despite the restricted privacy settings established by the user.

Another important piece of federal legislation that affects organizations’ access to employee information is the Stored Communications Act (“SCA”). The SCA prohibits employers from, among other things, accessing employee accounts maintained by third-party hosts such as social networks. The SCA generally allows organizations to access stored communications such as emails and other information stored within its own computer network. The SCA, however, limits an organization’s ability to access such information (without the employee’s authorization) if it is stored by a third party service provider. A further complication is that even in instances where an employee has granted an employer access to third-party sites, such access may be deemed to be done under duress and as such, a violation of the SCA. As such, experts generally recommend that employers not extend their reach beyond information contained within their systems in order to prevent violations of the SCA.

In drafting this section of the social media policy, organizations should check with their legal departments in order to determine how to best describe an organization’s policy regarding monitoring of social media activities. Further, each organization should work with its legal department to determine the various local, state and federal laws that may be applicable.