Delaware Employment Law Blog

Employee resigns. But before her last day of work, Employee copies thousands of emails and documents from Employer’s computer.  Off goes Employee into the sunset.

How often is this scenario?  I bet most employers think this never happens in their workplace. I’d be willing to bet that it happens in almost every workplace.  It happens with such regularity, yet most employers are absolutely stunned to discover that it’s happened to them.

If you think it doesn’t happen pretty much all of the time, check out this post at the uber-popular website, Lifehacker.com, titled, How Can I Save All My Work Emails for a Personal Backup?  A reader submitted the following question:

I'm leaving my job and want to take my work emails with me. I've been burned at jobs before, and it became very useful to have an email paper trail behind me. How can I save all the emails so I can access them in the future, just in case I need them?

The author of the piece responds back, providing detailed, step-by-step instructions for how to do exactly that—take with you each and every email you sent and/or received during the course of your employment.

Putting aside how terrible of an idea this is on Lifehacker’s part (can you say, “promoting or endorsing illegal activity?), let’s focus just on the reality—which is, clearly, that your employees are taking your stuff!

What remedies are available to the employer?  Well, most immediately, there’s the demand that the items be returned.  Lawyers have a particular flair when it comes to a well-crafted cease-and-desist letter, so consider having your employment counsel get involved from the outset.

But if the employee refuses to return the documents or ignores your demand, then what? One option is to sue.  A variety of claims may be applicable, depending on the precise nature of the documents and information and on what the employee has done with them since her departure.  For example, the employer may have claims like conversion (civil theft, generally speaking), misappropriation of trade secrets, tortious interference, etc. 

And, depending on where the employee worked, there also may be a claim under the state and/or federal computer-misuse statutes.  In Delaware, for example, we have computer-misuse statutes that provide for recovery of an award of treble damages and attorney’s fees.  And, because Delaware is in the Third Circuit, we have the Computer Fraud and Abuse Act. 

This statute has limited application in other states—including those within in the Fourth and Ninth Circuits, where the Courts of Appeals have rejected the application of the CFAA in the employee-traitor context.  Instead, in those states, the statute is construed as applying only to the true computer hacker. 

The CFAA is a fascinating statute with complex provisions.  The Florida Bar Journal has an excellent analysis of the law—and of the different interpretations of the various Courts of Appeals—for those who may be interested.

For the rest of you, though, now is the time to implement a confidentiality agreement if you don’t already have one in place and to consider just how certain you are about what employees can and cannot take at the end of employment.

See also

Judge's Porn Habit Results In Suspension

Computer Fraud and Abuse Act: Government to the Rescue of Employers?

Putting the Computer Fraud and Abuse Act to Work for Employers

Putting the CFAA to Use, TV Style

Michigan is the latest State to pass a "Facebook-privacy" law. The law, called the Internet Privacy Protection Act, was signed by Gov. Rick Snyder last Friday. The law prohibits employers and educational institutions from asking applicants, employees, and students for information about the individual's social-media accounts, reports The Detroit News.

The Michigan law contains four important exceptions. Specifically, the law does not apply when:

1. An employee "transfers" (i.e., steals) the employer's "proprietary or confidential information or financial data" to the employee's personal Internet account;

2. The employer is conducting a workplace investigation, provided that the employer has "specific information about activity on the employee's personal internet account;"

3. The employer pays for the device (i.e., computer, smartphone, or tablet), in whole or in part; or

4. The employer is "monitoring, reviewing, or accessing electronic data" traveling through its network.

The enactment of Michigan's Social Network Account Privacy Act makes Michigan the fifth State this year to enact legislation that prohibits employers from requiring or requesting an employee or applicant to disclose a username or password to a personal social-media account. Maryland, Illinois, California, and New Jersey were the first four. California and Delaware passed similar legislation applicable to educational institutions. Notably, new legislation was introduced in California on December 3, which would extend that State's law to public employers.

I continue to believe that these laws are unnecessary and do nothing more than expose employers to legal risk with no real benefit to the citizenry. However, of all of the states to have passed such "internet-password-protection" laws, Michigan's is the first to contain these critically important exceptions. Without them, the laws have the potential to paralyze employers from conducting internal investigations that are necessary to protect both the organization as a whole and individual employees.

Problems With Delaware's Proposed Social-Media Law

Lawfulness of Employers' Demands for Facebook Passwords

Should Employer Cyberscreening Be Legislated?

Employers Who Demand Facebook Passwords from Employees. Oy Vey.

New Jersey is the latest State to prohibit employers from requesting the passwords of employees and applicants. The N.J. Senate passed A2878 on October 25, 2012. The bill also prohibits employers from any kind of inquiry into whether the employee has an account on a social-networking site and from requiring that the employee or applicant grant the employer access to his or her social-networking account.
Although the Bill passed the Senate unopposed, the added exemption of law-enforcement agencies requires that the Bill be returned to the Assembly for approval before being sent to the Governor for approval, reports CBS New York.

Following Maryland, Illinois, and California, New Jersey is the fourth State in the country to pass a "Facebook-privacy" law applicable to employers.

New Jersey also passed a piece of sister legislation extending the prohibition to colleges and universities. That law passed the N.J. Senate unanimously and will prohibits educational instiuttions from requiring a student to disclose any user name, password or other means for accessing a personal social-networking site. Delaware and California are the only other states in the country with similar prohibiitons.

It's no secret that I am hardly a fan of these laws, which attempt to vigorously legislate a problem that does not exist. When I think of my friends and loved ones who have just experienced the loss and devastation resulting from Hurricane Sandy, I can't help but wonder whether the New Jersey legislature couldn't have found something better to make laws about.

This lawsuit, which we'll file in the category of "Ultimate Jerks at Work," was reported by Kashmir Hill on Forbes.com. Here's the story, as alleged in the lawsuit.

Jonathan Bruns was working for a staffing agency when he was placed with a company in Houston, Texas. According to the complaint, Bruns asked if he could charge his cellphone in a wall outlet. His supervisor, Pete Offenhauser, obliged.

Apparently, after Offenhauser approved the request, he unplugged the phone from the wall and into his laptop. Once the phone was connected, Offenhauser had access to the pictures Bruns had stored on his phone. Among them were photos of Bruns' fiancee.

In the photos, Bruns' fiancee was, er, uh, nude.

What did Offenhauser do next? Oh, come on, I think we all know. He called everyone in the office over to his laptop. Once the whole group was gathered 'round, he showed them Bruns' photos. Bruns walked in and saw the goings on. When he asked what all the excitement was about, he was greeted with "laughs and inappropriate comments," many of which were made by his boss.

Bruns and his fiancee filed suit against the company, alleging invasion of privacy. This is not exactly a surprise, I'd say. But why not sue the supervisor, Offenhauser, individually? Well, presumably, because he was acting in his capacity as a supervisor at the time of the alleged conduct. But the alleged acts were, after all, tortious in nature, so there would likely be a claim against him, as well as against the company. The company, however, is more likely to have the money to pay.

And that, dear readers, is how the pixels crumble.

Ownership of employees' social-media accounts was my pick for "hottest topic facing employers in the next 12 months" when I spoke to the Labor & Employment Section of the Delaware Bar Association back in April. A decision issued by the Eastern District of Pennsylvania last week on this issue is proving me right. And, if I say so myself, it is nice to be right every once in a rare while.

The plaintiff, Dr. Linda Eagle, co-founded Defendant EdComm, Inc., in 1987. The company was purchased in 2010 and Dr. Eagle was terminate shortly thereafter. Prior to the purchase, EdComm's CEO encouraged all EdComm employees to create a profile on LinkedIn listing EdCommas their current employer.

Dr. Eagle, with the help of a designated EdComm employee, followed the suggestion and set up a LinkedIn account and profile. The company had a policy that required employees to use their company e-mail address in their LinkedIn profile and to set up their profiles using a company-created template. Once the account had been created, EdComm kept a copy of the account's password on file.

It was the company's general policy that, when an employee separated from EdComm, the company "would effectively 'own' the LinkedIn account and could 'mine' the information and incoming traffic, so long as it did not steal that former employee's identity."

The same day she was fired, Dr. Eagle attempted to log into her LinkedIn account but was not able to do so. The next day, the company announced its new executive management team, including Dr. Eagle's replacement. Using Dr. Eagle's password, EdComm accessed her account and changed the password, thereby precluding her from future access. It also changed the account profile to display the successor's name and photograph. Dr. Eagle's honors, awards, recommendations, and connections, however, were unchanged.

Dr. Eagle filed suit asserted numerous state and federal statutory and common-law causes of action. Thereafter, she was able to regain access to her account, although she was not able to retrieve messages sent to and from the account for some additional period of time. The company asserted various counter-claims, which Dr. Eagle moved to dismiss. In December, the court denied the motion to dismiss, finding that the "connections" had value for the company.

The parties completed discovery and Defendant moved for summary judgment. In an opinion dated October 4, 2012, Judge Buckwalter dismissed Dr. Eagle's federal claims but declined to dismiss her state-law claims. With just two weeks remaining before trial and Defendant's several state-law claims having survived the earlier motion to dismiss, the court ordered the case to proceed.

Dr. Eagle was acting pro se and it showed. Both of her federal claims--brought under the Computer Fraud and Abuse Act and the Lanham Act--were not litigated in a way that they could have survived summary judgment. For more specifics about the dismissal of these claims, see Venkat Balasubramani's post on Eric Goldman's Technology and Marketing Blog.

Whether either claim would have stood a more reasonable chance had she been represented by counsel is anyone's guess but I suspect it's at least in the realm of the possible. But she wasn't. And, as a result, the court's decision is likely to have limited impact on similar disputes over the ownership of social-media accounts.

So what's the real lesson to be learned from this case, if it's not about the application of the CFAA to LinkedIn accounts? I have to agree with Venkat on this one--employers who encourage (or require) employees to create or use a social-media account for work should get the ownership rights in writing before they find themselves litigating against a pro se plaintiff with two weeks to go before a full trial on the merits.

Eagle v. Morgan, No. 11-4303 (E.D. Pa. Oct. 4, 2012).
H/T to Francis Pileggi, who writes the Delaware Corporate and Commercial Litigation Blog.

Delaware was the first State to legislate the privacy of students' social-media passwords. California's legislature was the first and, so far, the only State to pass a bill that protects students' and employees' social-networking passwords. That bill is awaiting the signature of California's Governor. For more information about the California law, check out this great post at Seyfarth Shaw's Trading Secrets blog in which the authors were nice enough to mention my previous post on the topic. (Even if they did call me by [gasp] my legal name, Margaret. It's not their fault my parents couldn't pick just one name and stick with it.)

But a state statute is not necessarily the only way to protect students' free-speech and privacy rights in their online content. As reported by blawgger extraordinaire,Venkat Balasubrami, and, subsequently, by GigaOm.com, a federal judge in Minnesota recently held that a school violated a 12-year-old student's First Amendment rights when it cooerced her into turning over her Facebook password so school administrators could investigate comments the girl was alleged to have made.

Although schools' access to students' social-media accounts may be the hot topic du jour but it's not the first. For about as long as Facebook has been around, teachers have been getting into trouble for what the post on it. One of the most distasteful types of posts are those in which a teacher criticizes his or her students.

Long-time readers and Philadelphia-area natives may recall the story of Natalie Munroe, an AP English teacher who was suspended after parents and students discovered posts she'd written, mocking and demoralizing the youths in her class.

A story was recently reported in North Carolina, where a high-school teacher was suspended pending an investigation involving simlar allegations. The English teacher is alleged to have posted photos of her students' works, highlighting the grammar gaffes and misspellings and making fun of their mistakes. Although her Facebook posts were not public, someone with access to them (i.e., a "Facebook Friend"), reported the photos to school officials, which prompted the investigation.

Although the stories vary slightly from one to the next, I continue to believe that the key lessons are time tested. For those who in charge who receive a complaint about a comment made online, deal with the problem for what is--no more and no less. Don't overreact and, for heaven's sake, don't make little girls cry in order to get access to their Facebook pages.

And for those who are posting, think before you do so, just like you would, hopefully, think before you speak. For teachers, don't post about a comment online about student that you wouldn't say directly to the student's parent. And, even more basic, don't mock people's weaknesses. Nobody likes a snob and grammar snobs are no exception.

Delaware's Court of Chancery is renowned as the country's premier venue for business litigation. Law students across the nation are, at this very moment, reading a seminal case in a corporate-law textbook written by the Court of Chancery.

For the uninitiated, there are two critical things to know about the Delaware Court of Chancery. (For a real lesson on the Chancery Court, check out the blog, Delaware Litigation, written by Francis Pileggi and Kevin Brady. Francis tipped me off to the case I'm discussing today.) First, it is a court of equity. At the most basic level, this means that the rulings of the Chancellor and Vice-Chancellors are based on principles of fairness. In other words, they have far-ranging power to award relief. Second, the Court is known for issuing opinions with a literary flare of sorts.

In a 79-page decision issued yesterday, the Court lived up to all of these laudable traits. And the case is, at its roots, an employment-law case, to boot. The decision addresses breach-of-contract claims brought by an employee against his former employer and the employer's counter-claims based on the same contract. The Facts section of the decision starts with this:

Just as its lovely harbors are crowded with their expensive, less than fully utilized vessels, so are southern Connecticut's towns filled with wealthy money managers. This case is about the falling out between two of them.

The falling out in question arose when the employer, an investment manager, discovered that, over the course of about a month, the employee had emailed himself many of the employer's documents, which he planned to use once he started a new (and competing) venture. The Court found the employee liable for this conduct but what really caught my eye were the words of warning contained in a footnote:

A word of caution here. I recognize that the principle set forth above is not one that most of us can claim that we have adhered to with fidelity 100% of the time in our working lives. Section 8.05 of the Restatement (Third) of Agency should not be read in a nonsensical, Stalinistway that allows employers an easy excuse to sue or penalize faithful employees for human behavior that does not diminish the effectiveness of the employer in any way. Phones get used for personal phone calls, work copiers get used to make a few copies of necessary personal documents, computers get used to plan vacations, etc., because employees have lives and families. But so too do employees' own computers, paper, and resources get used for work benefiting their employers.

Fascinating, right?! Of course, the Chancellor is right. What knowledge worker today doesn't use his personal electronic equipment for the benefit of his employer? In fact, I am writing this post from my "personal" iPad, which is to the benefit of my firm.

I think, at its essence, the Court's message is this: Employers should not be encouraged or rewarded for suing their employees for de minimis detours along the path of loyal employment. Readers may recall from a prior post that an employer who brought suit against an employee for the employee's use of Facebook during working time did not fare well.

Seibold v. Camulos Partners LP, C.A. 5176-CS (Del. Ct. Ch. Sept. 17, 2012).
See also Delaware Noncompete Law Blog for more on the Delaware Court of Chancery's rulings that impact employment law.

California is now the third state to pass legislation banning employers from requesting or requiring the social-networking passwords of employees and applicants. The bill was passed by the state Assembly on Wednesday, reports the WSJ Blog. Maryland was the first state to pass a social-media password-protection law, with Illinois following suit just a few weeks ago. The bill now moves to the desk of the Governor for signature by the end of the month.

Last week, the California Senate unanimously passed a bill that prohibits colleges and universities from requesting access to student's social-media accounts. Delaware was the first state to pass social-media privacy legislation applicable to students and academic institutions. With the passage of the employer-based bill, California's protections will be the most comprehensive in the country.

The WSJ Blog article also references Bradley Shear, a Maryland attorney who has "advised lawmakers around the country on social media privacy legislation" and who the article quotes as saying that the California bill "is a huge win for the business community because it may provide California businesses with a legal liability shield from plaintiffs who may allege that businesses have a legal duty to monitor their employees' personal password protected digital content."

Seriously? Who does he think he's kidding with that nonsense? The law imposes new restrictions on employers--and new liability to go with those restrictions. It limits an employer's ability to regulate its workplace, investigate wrongdoing, and, in some instances, to protect employees. There has never been a successful lawsuit based on an employer's failure to "monitor [its] employees' personal password protected digital content." So, if the law protects employers from something that never happens but imposes new restrictions and liability, I fail to see how that counts as a "win" for employers.

Of course, it is a win for Mr. Shear, who, apparently, is devoting his time to the passage of these laws and enjoying the media resulting from his involvement. But I doubt this line on his resume will help him secure many businesses as clients because, contrary to his claim otherwise, businesses don't like these laws because they are unnecessary and overly broad.

You can, according to Joe Cocker, leave a light on. But, if you want a second opinion, I'd suggest that you be sure you log out before you leave the computer room. The case of discussion in today's post, Marcus v. Rogers, was brought by a group of New Jersey public-school teachers. The District made computers with Internet access available for teachers to use during breaks. One of the teachers was in the "computer lab" (my phrase) to check his email when he bumped the mouse connected to the computer next to the one he was using, turning off the screensaver. On the screen, the teacher saw the Yahoo! inbox of a colleague, who had, apparently, failed to log out of her email account before she left.

The teacher recognized his own name in the subject lines of several of the emails. Too curious to resist the temptation, he opened, read, and printed the emails that made reference to him planning to use them at an upcoming staff meeting.

When his colleague learned that her emails had been discovered, she filed suit. The case was tried before a jury, who found in favor of the nosy teacher-defendant. The colleague-plaintiff appealed the decision. On appeal, the question before the court was whether the defendant was acting "without authorization" or whether his access of the emails had "exceeded [his] authorization."

On the first question, the court held that the defendant was not "without authorization" when he accessed the emails because the emails in the inbox were available for anyone to see, since the colleague had failed to log out of her account.

The court upheld the jury's decision on the second question, as well. Specifically, the court found that the defendant had not exceed his authorization because his colleague had "tacitly" authorized the access when she failed to log out.

This is an interesting case that provides some good news for employers. Some good news--but not much. The question of whether an employer can access an employee's personal email account that the employee accessed through the employer's equipment is far from settled. The answer is very fact specific. For example, the answer may be different where, like here, the employee fails to log out when she leaves the computer, versus where the employer uses software to discover the employee's password and then uses the password to access the account.

The answer also can change depending on the jurisdiction. New Jersey has been an outlier in several of the employee-email cases and employers in other states should be cautious about relying on this decision for much more than its interesting set of facts.

[H/T Evan Brown, Internet Cases, which I first heard him discuss on a recent edition of This Week In Law]

Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012).

Delaware's Workplace Privacy Act (H.B. 308), died with the end of the legislative session. As readers know from my several prior posts, I won't exactly be mourning the loss. The Bill's companion legislation, H.B. 309, did survive, however, passed by the State Senate during its final session. Although my attention has been focused on H.B. 308, which would have affected all employers operating in the State, H.B. 309 is worthy of discussion, as well.

If signed by Gov. Markell, H.B. 309 will prohibit post-secondary schools in Delaware from certain practices relating to student's social-media accounts. Specifically, the Bill will prohibit colleges and universities from:

• requiring a student to turn over his or her Facebook username or password as a condition of obtaining or keeping a scholarship;


• requiring a student to install social-media-monitoring software onto his or her personal phone or computer; and


• requiring a student to accept a Facebook friend request from a school employee or other agent of the school.

Delaware is the first state in the country to pass such a law, although several similar Bills have been introduced in several states, as well as on Capital Hill. So what motivated this legislative initiative? Lest I not pretend to understand the political machine, I'll venture a general guess. Over the past few years, it has become increasingly common for schools to require students on athletic scholarships to be Facebook friends with their coaches, presumably so the coach can monitor the student's Facebook page.

For what exactly, I'm not entirely sure but I would guess that "scandalous" photos would be at the top of the list. How "scandalous" is defined, surely, varies by coach and school. I've also heard of this practice being adopted by high schools for their student athletes.

In April, I was invited to speak to a class of students at the University of Pennsylvania's Wharton School of Business. As I have in years past, I asked them whether the practice of "mandatory friending" was something they'd seen for student athletes. To my surprise, they said that mandatory friending was commonplace--and it was not limited to students on scholarship. Several members of the school's swim team were present and said that all swim-team members had to be Facebook friends with their coach, regardless of whether they were scholarship recipients.

I asked them whether they were offended by the practice or felt that it was an invasion of privacy. Again to my surprise, the answer was a resounding, "no." They said that they understood that the practice had a legitimate purpose--to prevent scandal to the swim team that could embarrass the school or, worse, cause the team to lose funding or other support. They also said that they didn't mind because they had nothing to be embarrassed about in the first place. They didn't engage in scandalous behavior and certainly didn't post any scandalous pictures of themselves on their social-networking profiles.

How mature, I thought.

So, if signed, how will the new law affect Delaware students? I have never heard reports of any of our State's post-secondary institutions engaging in either of the first two prohibited acts--demanding a student turn over his password or requiring that students install monitoring software. The third prohibited practice, though, mandatory friending, will have to cease to the extent it goes on in the first place.

And what will be the impact of this prohibition? According to the Wharton students, it would be detrimental only to the students. Here's the example they gave:

Student X, a member of the track team, sells anabolic steroids and "advertises" his conduct via Facebook. If the student-player is required to be Facebook friends with the team's coach, such conduct could be quickly detected and turned over to law enforcement. Without the watchful eyes of a school authority, it would be up to fellow students and team members to turn over the student to police or school authorities. Although it's nice to think that this would happen, I think it's fair to say that there's hardly any guarantees.

If, however, the student is arrested and a public scandal ensues, the team loses credibility and support from the university community, fellow students, and from donors. The loss of donor support can result in decreased funding to the program, which can, in turn, translate into less scholarship money. Which harms--not helps--student athletes.

Although I think the law has far fewer negative implications than H.B. 308 would have had, if it had been passed, I tend to think that they two Bills share at least one unfortunate similarity--both are the result of over-zealous legislative efforts. Contrary to the claims of the Bill's drafters, it seems to me that this is another example of legislating a problem that does not exist.

I suppose there is one problem that this law will correct, though. If you are a student at a Delaware college or university and want to do bad things and post about them on your Facebook page without consequence from your authority figures, this law will probably fix that problem. Congratulations, wrongdoers--you can count H.B. 309 as a big "W" in your Win column.

BYOD (short for "bring your own device"), is all the rage these days. Well, at least you'd think so based on all of the on-line talk about it. See, e.g., this post on the WSJ Blog, CIO Report. The basic idea is that employees are using their own electronic devices, such as smartphones and laptops, for work-related purposes. The causes of the BYOD movement are not entirely clear but one explanation is that employees are dissatisfied with the technology provided by their employer, so they just "bring their own" technology with them.

In any event, the reality is that, even in workplaces where no one brings their own device to work, many of us bring our employer-provided devices home with us. For example, it's not uncommon for an employee to have just one smartphone, through which he access both his personal and work email accounts. If the employer pays for or subsidizes the cost of the device and/or the monthly charges, there is an argument to be made that the employer may have some rights to access all data stored on the phone.

So what's an employee to do? Heaven forbid we had to carry around two phones everywhere we went. (This would particularly disastrous for airheads like me, who can barely remember to bring one cellphone with us when we leave the house). Well, according to the tech blog, Chip Chick, there is now, officially, an app for that. At least for Android users, anyway.

According to Chip Chick, the aptly named app, Device, "allows you to have your personal device and work device all in one." Users can keep the work side of the device encrypted and secure. If you're a really outstanding [read: show-off] employee, you can even limit the apps that will function on the work side to "business-oriented" apps. And, if you lose your phone (which I do no more than twice a year, I swear), Divide allows you to remotely wipe everything on the work side.

FDA officials developed "a wide-ranging surveillance operation" against a group of its own employees, according to the N.Y. Times. The federal agency is said to have surreptitiously captured "thousands of emails" that disgruntled employee-scientists sent to members of Congress, lawyers, labor officials, and journalists.

The surveillance began as a workplace investigation of a possible leak of confidential information. The investigation was limited to five scientists. But it developed into a far broader-ranging endeavor, eventually culminating in 80,000 pages of documents. The massive surveillance was an effort to curb the "collaboration" of the agency's opponents, according to the report.

This story is interesting on several levels. First, on the most basic level, the idea that an employer the size of the FDA determined that a massive surveillance endeavor was the best way to stop what it perceived to be disparaging or antagonist commentary between employees and outsiders. I don't know what the culture has to be or what the level of negative murmurs has to be to prompt an employer to consider this type of effort in the first instance, nevertheless what it takes to push it to cross that line.

Second, the nature of the communications that were monitored is particularly striking. According to the NY Times report, the emails "were collated without regard to the identify of the individuals with whom the user may have been corresponding. Although the law is not particularly well settled on this issue, there are cases that have upheld significant consequences for employers who monitor, intercept, and/or access emails between an employee and his attorney. Thus, it seems potentially risky for the agency to have disregarded "the individuals with whom the user may have been corresponding."

There are potential consequences beyond the issue of attorney-client privilege, though. We'll have to wait to see what the legal consequences are, if any. I don't suppose we'll ever know what the real impact is on morale, although I can imagine only that it won't be a very positive one.

The New Jersey Assembly passed that State's version of a password-privacy law yesterday by a vote of 77-0. The Bill, AB 2878, is now sent to the State's Senate, reports NJ.com. Much like the Delaware Workplace Privacy Act, which currently is pending in the Delaware House of Representatives, the New Jersey Bill has some significant flaws.

Like Delaware's Bill, and similar Bills pending in States across the country, the New Jersey Act is being promoted as a "password-privacy" law, intended to prevent employers from asking employees and applicants for their passwords in order to access the individual's social-networking site, such as Facebook or Twitter. However, as I have written about the Delaware Bill, the proposed law goes much farther than that.

In the case of New Jersey's Bill, employers would be prohibited from asking not only for an individual's password, but also for his or her user name and even whether the individual even has a social-networking site in the first place. Even more bizarre is the provision of the law that would prohibit an employer from requiring whether an employee or applicant to provide the employer with "access" to the individual's social-networking site "in any way." It is not clear whether this provision would prohibit a supervisor from sending a Facebook friend request or an invitation to connect via LinkedIn.

This lawmaking trend continues to make the news, despite the continued absence of any stories of employers who engage in the practice. Maryland was the first State to sign a similar law into effect. Illinois was the second State to pass a similar law, which now awaits the Governor's signature. You are welcome to join me for a free webinar on the topic, sponsored by the Employment Law Alliance, on Thursday, July 12.

Delaware’s version of the “password-privacy” laws currently pending in state legislatures across the country lives to see another day.  H.B. 308, titled the “Workplace Privacy Act,” was released from Committee last month and made it to the House a few weeks ago. It’s slowly been making its way to the top of the agenda and closer to a vote by the House of Representatives.

Last week, I presented on social media at the monthly meeting of Delaware SHRM and, no surprise, the proposed law was a topic on the agenda.  I discussed my concerns with the law as drafted—specifically, the prohibition on an employer asking an employee to show the employer his or her social-networking site for purposes of a legitimate workplace investigation.  (For a more detailed discussion of the potential implications, see my post about a hypothetical allegation and investigation in the education setting). 

After the SHRM meeting, I was approached by several members about what steps should be taken to address the flaws in the legislation as drafted.  I worked with Delaware SHRM to draft a letter for members to submit to their State Representatives about the concerns employers have with H.B. 308.  The letter went out today.

Perhaps as a matter of sheer coincidence, perhaps not, H.B. 308 was amended yet again today. The most critical provision for employers is Section (e) which contains the “permitted acts” for employers. Of most interest in this amendment is the new version of Section (e)(5), which was pitched as the “solution” to the concerns I’ve been raising.  The section, unfortunately, contains several sentences that don’t particularly belong together, which makes it even more confusing.  I’ll do my best to unravel the mystery one sentence at a time.

This Act shall not prohibit any employer from barring employees from accessing social networking sites while performing work for the employer.

Good gracious, let’s hope not!  Of course an employer is allowed to prohibit its employees from using its equipment and/or technology to engage in social networking or anything else unrelated to work during working time.

Employers are permitted to access electronic communication devices which are the property of the employer for the purpose of investigating employee wrongdoing, or otherwise serving the employer’s business purposes.

Again, I think this is pretty obvious, though maybe less so than the previous sentence. In short, it says that an employer is allowed to “access” the smartphones, laptops, tablets, etc., that they provide to employees. In other words, the company can access its own property. 

Notably, though, the Bill purports that an employer may do so lawfully only for the “purpose of investigating employee wrongdoing” or “otherwise serving the employer’s business purposes.”  Supposedly, a charitable purpose or at the request of the employee would not be considered a “permitted act” under the amended Bill.

Where an employer has credible information indicating imminent workplace violence, the employer may question the subject employee as to alleged social network site postings.

Try to not to laugh—it’s not funny.  According to this sentence, in the event there is a credible threat of imminent workplace violence, the employer may “question” a “subject employee” (whoever that is), about his or her social-network-site postings.  Wow.  That’s it? 

Employers are also permitted to access an employee’s social networking site profile or account which is public and non-restricted.

And, finally, an employer is permitted to look at publicly available information that is posted online.  Well, yes.  Of course employers are allowed to look at the Internet and the public information posted online. 

It’s pretty clear to me that this “amendment” may constitute a changed version of the Bill but not an improved version and certainly not the answer to the problems that I’ve discussed previously. 

If you are not a SHRM member but want your voice to be heard on this legislation, I’ve uploaded a modified version of the SHRM letter, which I would encourage you to use as a template for your own letter.  But act soon, there are just two sessions left before the summer recess and the Bill could be voted on as early as tomorrow.

I had the honor of serving as moderator for the CLE program at Delaware's Annual Bench and Bar conference,the largest annual gathering of lawyers and judges. The program was titled, Privacy 3.0: Legal and Ethical Implications in the Courtroom, in the Workplace, and in Public. I was amazed at the quality of the presentations and speakers.

Privacy In the Courtroom: Jurors
The first session, Privacy in the Courtroom, was presented by two super-stars. First up was Thaddeus Hoffmeister, whose blog, Juries, is, hands down, the go-to source for the latest news relating to the impact of new technology on jurors. Thaddeus led a fascinating discussion about the privacy rights of jurors. Some of the questions that he raised were:

Do lawyers have a duty to conduct online research about potential jurors? Do lawyers have a duty to monitor jurors' online activity once empaneled? What constitutes "contact" in this context? For example, if you follow a juror on Twitter and he gets an email notification of it, this would be considered "contact" and you'd be running afoul of the ethics rules. And, finally, when must a lawyer disclose to the other side and to the court information that the lawyer finds that indicates juror online misconduct?

Thaddeus' presentation was amazingly current. Several attendees noted that he discussed several cases and opinions that were issued in the past two weeks! To learn more about these cutting-edge topics, check out his top-notch blog.

Privacy In the Courtroom: Journalists
Next up was Sean O'Sullivan. Sean has been reporting on Delaware's federal and state courts for more than a decade. Although Thaddeus was a tough act to follow, Sean absolutely rose to the challenge. In fact, Sean really impressed me--not only is he an all-star reporter but, apparently, an equally outstanding public speaker! Sean spoke about the current rules (written and unwritten) for reporters. He addressed the following issues:

Should there be live blogging and tweeting from the courtroom? If yes, should it be considered a privilege limited to journalists? And, if so, who is a "journalist" in today's world of new media?

Sean told attendees about an interesting development in the Sandusky trial. As reported in the major news networks late last week, the judge in the case announced that he would permit tweeting from the courtroom but with the caveat that the tweets could not include actual quotations.

Journalists moved the court to clarify what that meant--surely the court did not mean that only inaccurate quotations? Did the court mean that journalists had to paraphrase any tweets? In response to the motion, the court changed its mind and ordered that it would not permit live tweeting from the courtroom after all.

Further proving how current the speakers were, Thaddeus has written about the juror-investigation issue in the Sandusky trial.

Privacy In the Workplace
I was lucky enough to co-present this session with Steve Hirschfeld. Steve is the CEO of the Employer's Law Alliance, the world's largest network of employment and labor lawyers. Steve is an incredible speaker but it was his international experience is what really made the session outstanding.

Steve and I talked about the challenges facing employers that have led them to consider the use of social media, particularly in the hiring process. Then we reviewed some of the several ways employers are using social media as cyber-screening tools and gave our (somewhat diverging) thoughts on the pros and cons of those tools. In that context, we reviewed the legal implications of those tools. And, finally, we discussed the recent movement in several states to legislate these strategies, including, as you may have guessed, my thoughts on the unfortunately worded Delaware effort in this regard, H.B. 308.

Privacy In Public
The speakers for this session were the A-listers of the program. Sharon D. Nelson and John Simek of Sensei Enterprises presented a captivating story about how law enforcement used digital forensics to catch the Craigslist killer. Both Sharon and John are real pros behind the podium and everyone was so riveted by their storytelling that we hardly noticed how much substantive knowledge they had imparted.

Undoubtedly, my biggest take-away from their presentation was that there is no privacy in public--particularly when the government wants to know what you're doing, where you're doing it, and when you're doing it. For additional doses of disturbing reality regarding the lack of privacy, check out Sharon's award-winning blog, Ride the Lightning.

A Round of Applause
I can't thank the speakers enough for their participation in yesterday's event. It was a tremendous success as a result of the quality of all of the speakers who were so generous to donate their time and travel to Delaware for the event. Thanks, also, to all of the attendees for their insightful questions and discussion after the CLE.