Employee Internet Use – Blogs, Security, Trade Secrets
So far this chapter has examined the legal consequences for companies arising from employee monitoring, including privacy issues concerning monitoring policies and possible vicarious liability for failing to monitor. There may be, however, consequences of failure to monitor and regulate employee internet use. Employees, armed only with their e-mail and internet, can do incalculable harm by disclosing trade secrets, by reducing productivity, harming the reputation of the company, or subjecting the company to liability for defamation, libel, slander, or regulatory violations. Further, a newer development in employee internet use has magnified these potential problems’”the “blog.”
B. Productivity and Network Security Issues.
Most managers and executives admit to some personal internet use while at work, whether it is shopping for shoes or looking at reviews of a vacation resort. This may lead to a somewhat lax view by companies when it comes to monitoring and discipline for inappropriate internet use. Companies, however, probably underestimate the amount of company time and money employees waste on the internet.
A survey of 10,000 employees by Burstek, a provider of employee internet management solutions, had some disquieting results. On average, employees spent 20.42% of their online time on the internet managing personal affairs. Similarly, 22.39% of all web pages visited are for personal use. This translates into lost profits, insofar as 21.28% of all work bandwidth costs can be attributed to employees using the internet for personal reasons.
Apart from this, the study found that 72.34% of personal use consisted of “employee productivity draining web sites.” These types of sites include shopping, entertainment, personal e-mails, sports, chat rooms, job searches, and game playing. These types of sites account for 93.99% of the bandwidth cost required for personal internet use.
Perhaps the most shocking result of the study was the data showing that 8.23% of personal use of the World Wide Web involves visiting web sites that could expose an employer to liability, such as pornography, gambling, and dating websites. If this were not bad enough, 19.42% of personal internet use involves activities that result in threats to a company’s network security, such as file sharing, the use of malicious code, and spyware.
C. Trade Secrets Issues.
Employees who develop, use, or transmit confidential information may use company equipment to disseminate trade secrets to competitors or other third parties. While illegal, frequently companies are not aware of such conduct until after the damage is done. The facts behind People v. Eubanks, 44 Cal. Rptr. 2d 846 (Cal. Ct. App. 1995), illustrate this threat. While cleaning out a former employee’s computer, management discovered that the employee had been sending trade secrets to his new company via e-mail. Although a criminal case was brought against the employee, it was dismissed on technical grounds.
Companies that permit employees to post confidential or proprietary information on the internet may lose trade secret protection for the information. In Religious Tech. Ctr. v. Netcom On-Line Commc’ns Servs, Inc., 907 F. Supp. 1361 (N.D. Cal 1995), an employer alleged trade secret violations against a former minister who posted its “Advanced Technology Works” on the Internet. In response, the former minister charged that the Works previously were posted on the Internet by others and consequently were in the public domain before his alleged posting. The district court ultimately held that the posting of the Works by others restricted the Center’s trade secret rights in the material just as publication of the information typically would. Hence, if employees inadvertently post or make propriety information accessible on the internet, its protection may be forever lost.
1. Legal risks related to blogs ‘“ disclosure and trade secrets issues.
A blog, or weblog, is a website in which statements can be posted by one or several administrators and are displayed in reverse chronological order. There are several types of blogs, including news blogs, photography blogs, video blogs, and music blogs. Most often, however, blogs take the form of an online diary, where a person might post anything from what she had for lunch that day to how her son is enjoying college. Employee blogs have become a popular way for employees to share their everyday experiences at work with co-workers, friends, and strangers. Since blogging is a relatively recent phenomenon, companies are still grappling with how to respond.
Employees have access to all sorts of information the disclosure of which would violate the law. Blogs offer employees a means to publish this information quite literally at the push of a button. Employees may disclose trade secrets or not-yet-patented technology that could put the company at a competitive disadvantage. If a company is publicly traded, employees might disclose insider information that could alter the price of the company’s stock.
A 2006 California case held that employees who disclose trade secrets for publication on a third party blog are afforded First Amendment protection, insofar as the recipient blog need not disclose the identity of its source.
In O’Grady v. Superior Court of Santa Clara County, 139 Cal. App. 4th 1423 (Cal. Ct. App. 2006), Apple Computer sought the e-mail records of Jason O’Grady, the publisher of a blog known as “PowerPage.” Apple believed that its employees had stolen and e-mailed information concerning a not-yet-released audio device known as “Asteroid.” The lower court ruled that Apple could subpoena O’Grady’s e-mail provider to determine the source of the leak. The appeals court, however, reversed, stating that bloggers, as online journalists, enjoy the same rights as conventional journalists. The court held that allowing such a subpoena would violate the SCA, the California reporter’s shield, and the conditional constitutional privilege against disclosure of confidential sources. The court stated that it could think of “no workable test” to distinguish “illegitimate” and “legitimate” news, and that attempts to do so would be contrary to the First Amendment.
The exact effect of O’Grady remains to be seen. Companies should be concerned that their employees who run blogs are effectively “journalists” in addition to their primary occupations. At the very least, O’Grady demonstrates the risk of disclosure that extends to blogs run by third parties. The vast popularity of blogs has made it easier for employees to disclose trade secrets while insulating themselves from company discipline. Why would an employee publish a trade secret on his or her rarely read personal blog when he or she could publish it on a more popular blog and avoid getting discharged?
Indeed, the advent of the blog has presented judges with a serious conundrum. Companies’ rights in private information collide head-on with protections for public speech provided by the First Amendment. Perhaps no case demonstrates this issue better than the recent debacle surrounding the website “Wikileaks.org”. A federal district court judge in San Francisco issued an injunction ordering the shut down of the website Wikileaks.org after a Swiss bank complained that the site contained confidential and misleading documents taken from the bank. See Bob Egelko, Whistle-Blower Web Site Ordered Shut Down, S.F. CHRONICLE, Feb. 20, 2008, at B2. The order produced an outcry from free speech advocates.
Less than a month later, the same federal judge dissolved his own injunction against “Wikileaks.org” in part because the judge was unsure if his ruling was constitutional. See Bob Egelko, S.F. Judge Dissolves His Wikileaks Injunction, S.F. CHRONICLE, Mar. 1, 2008, at B1. The judge commented that he saw “a definite disconnect between the evolution of our constitutional jurisprudence and modern technology.”
2. Employer liability for employees’ internet speech.
While some courts have balked at the idea of regulating internet speech in light of First Amendment concerns, other courts have used the growth of the internet to justify expanding protections for private citizens against malicious online attacks. For example, in Welling v. Weinfeld, 113 Ohio St. 3d 464 (2007), the Ohio Supreme Court recently overturned a long line of precedent, recognizing the tort of false light invasion of privacy for the first time. One of the primary justifications for this policy reversal was the rapid growth of online communication. The court stated that “today, thanks to the accessibility of the Internet, the barriers to generating publicity are slight, and the ethical standards regarding the acceptability of certain discourse have been lowered. As the ability to do harm has grown, so must the law’s ability to protect the innocent.”
Increased willingness to allow suits for false light invasion of privacy and defamation may benefit companies to some degree, allowing them to pursue employees and others that disparage the company. On the other hand, increased liability for internet speech also raises the risk that companies will be held responsible for the speech of their employees. The company might be made to answer for the employee’s defamatory speech under theories of agency and respondeat superior, negligent retention and supervision, ratification, or apparent authority. See Craig Cornish, Fear and Loathing of Employee Blogging: Private Employer Censorship of Employee Blogs, AMERICAN BAR ASS’N EMPLOYMENT RIGHTS & RESPONSIBILITIES COMM., 2007, available at http://www.abanet.org/labor/flash/07may/cornish.pdf.
A recent case illustrates many of the problems potentially facing companies with blogging employees. At the heart of the dispute is a much followed, (once) anonymously authored blog about patent law, “Patent Troll Tracker.” The blog followed the American patent law scene, sharing news and views of the author. Its focus was the subject of so-called “patent trolls,” shell entities that purchase patents not to produce products but rather to aggressively enforce the patent rights and extort settlements from companies that do produce products. The author was highly critical of those he considered “trolls,” so much so that one plaintiff’s patent attorney, Raymond Niro of Niro, Scavone, Haller, and Niro, offered a $10,000 “bounty” for the author’s identity.
After being threatened with being outed involuntarily, the author revealed himself as Rick Frenkel, a former litigator at Irell & Manella and currently Vice President of Intellectual Property at Cisco. That revelation hardly seemed consistent with the author’s original stance that he was “just a lawyer, interested in patent cases, but not in publicity.” Indeed, through his blog Frenkel had commented numerous times about cases involving Cisco without ever mentioning that he gained this information because he was intimately involved with the company.
Beyond any damage that Frenkel’s revelation may have had on Cisco’s image for transparency, the situation produced almost immediate legal difficulties for Cisco. Frenkel had made some particularly serious allegations regarding attorneys representing plaintiffs against Cisco in a case in Texas federal court. Frenkel made thinly veiled accusations that the attorneys and federal judges were conspiring to alter the filing date of a patent infringement action to match the date of the patent filing and allow jurisdiction in Texas rather than Connecticut, where Cisco had filed. In addition, Frenkel disparaged the court itself, referring to it as the “Banana Republic of East Texas.”
Less than a week after his identify was revealed, Frenkel and Cisco were named as defendants in a defamation action by the attorneys from the Texas patent case. See Ward v. Cisco Systems, Inc., No. 08-4022 (W.D. Ark. March 13, 2008). Cisco’s potential liability in the case hinges on the fact that his supervisor was aware of his blogging activity as well as the fact that certain members of Cisco management had passed along the blog to others without bothering to mention that the anonymous author was actually Frenkel. Thus far, Cisco has remained supportive of Frenkel; however, Cisco did amend its blogging policy to require that employees identify their affiliation with the company when blogging about company business with which they are involved.
The Troll Tracker debacle may represent the first major case in which a company is sued because of what its employee has blogged on the internet. Complicating the case is the fact that Frenkel was blogging about issues that are intimately related to his role at Cisco. Thus, even if Cisco is not held liable for Frenkel’s alleged defamation of the Texas attorneys, it will remain unclear what a company’s liability is when its employees blog about subjects that are less tied to their role in the company or to which it is less apparent that the company has given sanction.
3. Employee blogs’ effects on company image and permissible company actions for negative employee blogs.
Some claim that employee blogs actually have some positive effects. For instance, employee blogs can give a human face to large corporations. Employee blogs can also enhance the sense of community at a company and can increase employee morale by providing an outlet for employees’ creative talents. Popular companies, particularly companies in the tech sector, often have large numbers of employee bloggers including high ranking executives.
But while blogs may give personality to a corporation, companies cannot regulate what sort of personality it is. The public may be exposed to employee squabbles with management or each other. Additionally, employees might use their blogs to complain about any aspect of the company or degrade competitors. Stories of employee’s terminated for blogging contents are increasingly common. Some have even risen to near legendary status. Often, disciplinary action by the company is likely to result in further public relations fallout.
Mark Jen was an employee at Google when he posted disparaging comments about the company, including its benefits programs. Google terminated Jen. The result was a one-two punch to the company’s image. Jen’s postings rebutted the commonly held idea that Google treated its employees well, and Jen’s firing damaged the company’s image as a corporation that promoted freethinking and expression.
Ellen Simonetti, a Delta Airlines flight attendant, had someone take sexually provocative photographs of her in her Delta uniform posing in an empty airplane. Simonetti posted the pictures on her blog, in which Simonetti assumed the persona “Queen of Sky.” The Queen was de-throned when Delta deemed the pictures “inappropriate” and terminated her employment. She later filed suit for violations of the Railway Labor Act and Title VII, stating that male employees were not terminated for posting pictures. The Queen of Sky incident had effects similar to Google’s firing of Jen. Upon being discharged, Simonetti’s blog, which still contained the pictures in question, saw its traffic increase dramatically, and Delta, fairly or not, received the reputation for prying into its employees’ private lives.
Michael Hanscom, a Microsoft employee, thought it was amusing when he noticed a shipment of Apple computers being delivered to Microsoft. So amusing that he decided to take some pictures of the delivery and post them on his blog. His employer failed to get the joke however, firing Hanscom for violating his duty of loyalty. Indeed, being fired for negative blog postings has become so common that there is a term for it, being “dooced”, named after fired web designer Heather Armstrong’s blog Dooce.com.
Even the top brass is not above the fray. In 2007, during the contentious acquisition of Wild Oats by rival Whole Foods, it was revealed that Whole Foods CEO, John Mackey, had been posting negative comments about Wild Oats under an online pseudonym for years. This led to massive speculation regarding Mackey’s motivation for making the comments, with some critics accusing him of trying to drive down the price of Wild Oats to make acquisition easier.
Private employees who cross the line in their blogs by posting information that is offensive or detrimental to their companies will find that they have limited protections. There appears to be no case where a court has found termination for detrimental blogging to be unlawful. In most states, employees are “at-will” unless they are under contract for a stated duration with the company, meaning that their employment can be terminated at any time, for any reason (unless the reason is unlawful, like discrimination). In other words, a company can discipline ‘“ or discharge ‘“ employee bloggers who publish harmful content.
Despite the protection at-will employment offers companies when employee blogs go too far, most will wish to prevent such postings in the first place rather than institute damage control after the fact. One strategy used by a growing number of companies, like Cisco, is to offer a company-operated venue for employee bloggers. The benefits of such a course are two-fold. First the company reaps the insight of open communication and goodwill created by positive employee comments. Second, the company retains a level of direct control over the medium of communication, allowing the company to catch and filter out problematic blogging quickly.
4. Should companies have a blogging policy?
Personal electronic communication by employees can expose companies to a variety of legal and non-legal problems. Many companies may believe that existing general company policies sufficiently cover the issues presented by employee blogging and other personal electronic communications. However, as the scenarios discussed previously illustrate, the continued evolution of digital media presents new challenges for companies that often require a more focused solution.
Virtually every expert in the field agrees that companies should formulate a separate policy regarding employees use of electronic communications. Expert Nancy Flynn notes that an effective policy involves three distinct elements: formulation of a comprehensive policy, education of employees regarding the policy, and enforcement of the policy. See Jesse Greenspan, Increasingly, ‘Big Brother’ Is the Boss, EMP. LAW 360, June 11, 2008, available at http://employment.law360.com; see also Jennifer A Klear & Helen Tuttle, Protecting Employers from Negative Employee Blogs, NEW JERSEY BUSINESS, February 2007, at 66.
Company policies on electronic communication by employees vary widely, from basic suggestions to “use common sense” to detailed provisions outlining what types of communications are acceptable. A variety of factors will influence the complexity of a company’s policy: the size of the company, the nature of the company’s business, the sensitivity of information possessed by employees, the type of clients or customers dealt with, applicable legal obligations and regulation, location, and other special considerations. Moreover, there are some affirmative steps that companies can take to reduce risks even before employees start typing
The suggestions below are not exhaustive. Circumstances may require that a company modify its approach one a particular issue. Nonetheless, the next two sections will attempt to address some of the most common issues presented by employee electronic communications.