It is a question that many employers think about but do not really address. A federal judge in Philadelphia recently provided a little more insight to the answer.
In Eagle v. Morgan, et al., the plaintiff had been the CEO of a banking education company. While the CEO, plaintiff created a LinkedIn account at the encouragement of the company. According to the complaint, Plaintiff “used her account to promote [defendant] Edcomm's banking education services; foster her reputation as a businesswoman; reconnect with family, friends, and colleagues; and build social and professional relationships.” Edcomm generally followed the policy that when an employee left the company, the company would effectively ‘own’ the Linkedin account and could ‘mine’ the information and incoming traffic, so long as it did not steal that former employee's identity.” Although, it is not clear whether this policy was in writing (I am doubtful).
The dispute started when a company acquiring Edcomm decided to terminate plaintiff. The day after the termination, plaintiff attempted to log into her LinkedIn account but the password had been changed. Edcomm had her password in order to help maintain the LinkedIn account and had changed the password upon plaintiff’s termination. Edcomm then changed the profile information from the plaintiff to that of the new CEO. Plaintiff was denied access to her LinkedIn account for two weeks. However, Plaintiff claimed that she “did not have full access to her account for over twenty two weeks and the messages sent to her during that period of time are lost forever, she was unable to receive ‘invitations to connect, business opportunities and ongoing communications with clients, potential clients and other business and personal contacts.’"
Plaintiff filed a complaint asserting the following eleven causes of action: (1) violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(2)(C); (2) violation ofthe CFAA, 18 U.S.C. §1030(a)(5)(C); (3) violation of Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(l)(A); (4) unauthorized use of name in violation of 42 Pa.C.S. § 8316; (5) invasion of privacy by misappropriation of identity; (6) misappropriation of publicity; (7) identity theft under 42 Pa.C.S. § 8315; (8) conversion; (9) tortious interference with contract; (10) civil conspiracy; and (11) civil aiding and abetting. Judge Buckwalter granted the defendant’s summary judgment as to the CFAA and the Lanham Act claims.
The CFAA defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." The court concluded that plaintiff had not suffered recoverable damages. Plaintiff claimed loss of business opportunity, which the court found did not relate “to lost money because her computer was inoperable or because she expended funds to remedy damage to her computer.” Likewise, the court found that her references to “only generalized loss of ability to speak with some unnamed and unknown ‘clients’ and loss of potential and speculative business opportunities” to be too speculative. The Lanham Act claim failed as there was no likelihood of confusion as the defendant changed the profile to that of the new CEO. People were confused as to who the person associated with the LinkedIn account could change, but not the origin of the information.
Contrary to the headlines of other articles and blogs, the decision did not find the employer was free from liability for its actions. Indeed the state law claims survived and a trial apparently is scheduled for this week. It is not surprising that the lawsuit ensued. However, ordinarily it has been the employer suing the employee. The case pending in California brought by Phonedog against its former employee involving a Twitter account is a good example. http://www.scribd.com/doc/72258605/Phonedog-v-Kravitz-11-03474-N-D-Cal-Nov-8-2011 Note that the employer brought the same causes of action as those asserted by plaintiff above ((1) misappropriation of trade secret, (2) intentional interference with prospective economic advantage, (3) negligent interference with prospective economic advantage, and (4) conversion).
The key to both these cases is the apparent absence of a written company policy. Companies need to eliminate the ambiguity of who owns the account by drafting policies that clearly articulate the guidelines. An obvious starting place is to require that any social media account used for a business purpose (regardless of whether it was created by the employee) belongs to the company and should be registered with the company along with the password. Likewise, any account created using a company email address belongs to the company. Violation of this policy should be subject to the company’s standard disciplinary procedures and the employee should be reminded that the company reserves the right to monitor these accounts.
The above is not a complete solution. Consumerization (no boundaries between personal and work life – here is a great video http://www.youtube.com/watch?v=18gMmFHrVgo&feature=related ) and use of employee owned devices , have blurred the lines between personal and business uses. So how does a business monitor when an employee uses their personal account for a business purpose? This issue is especially complex for those doing business in California, Maryland or Illinois where laws exist to prohibit businesses from demanding social media passwords. (Is violation of company policy “employee misconduct” within the California exception?). http://gov.ca.gov/news.php?id=17759 Addressing these issues requires careful policy drafting, oversight and enforcement. It will be interesting to see if it is such a close call when the business has a strong written policy on ownership of social media accounts.