The U.S. District Court for the District of New Jersey ruled on August 20 that non-public Facebook wall posts are covered by the Stored Communications Act (SCA). However, the authorized user exception applied in this case, as a colleague who had legally access to Plaintiff’s Facebook wall had forwarded the controversial post, unsolicited, to their common employer.
The case is Ehling v. Monmouth-Ocean Hospital.
Plaintiff Deborah Ehling was as registered nurse and paramedic working for Defendant Monmouth-Ocean Hospital Service Corp. (MONOC). In June 2009, she posted a message on her account, implying that the paramedics who took care of the man who had killed a security guard outside the U.S. Holocaust Memorial Museum in 2009 should have let him die.
The privacy settings of Ehling’s Facebook account limited access to her Facebook wall to her Facebook friends. No MONOC managers were her Facebook friends, but several of her MONOC coworkers were, including Tim Ronco, who apparently decided on his own to provide screenshots of the controversial Ehling’s Facebook post to a MONOC manager.
Plaintiff was then suspended with pay and was told that her comment reflected a “deliberate disregard for patient safety.” Plaintiff then filed a complaint with the National Labor Relations Board (NLRB) which found that MONOC had not violated Ehling’s privacy as the post had been sent unsolicited to management.
Plaintiff was eventually fired, and filed an action against MONOC, but the court granted defendant’s motion for summary judgment. I will only talk about the violation of the SCA.
Stored Communications Act
Plaintiff claimed that Defendant had violated the SCA when accessing the messages posted on her Facebook wall.
The SCA, 18 U.S.C. § 2701, is part of the Electronic Communications Privacy Act (ECPA) of 1986. The SCA forbids unlawful access to stored communications, that is,“(1)intentionally access[ing]s without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceed[ing] an authorization to access that facility.”
According to the Ehling court, Facebook wall posts are indeed electronic communications as defined by 18 U.S.C. § 2510(12) that is,“any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”
Facebook’s users transmit data over the Internet, from their devices to Facebook’s servers, and thus their posts are electronic communications within the meaning of the SCA. No new issue here. The New Jersey court cited the 2010 Central District Court of California case, Crispin v. Audigier, which stated that Facebook and MySpace were electronic communications providers. Again, nothing new.
Finally, Facebook posts are saved on its servers indefinitely, thus backing them up. Therefore, Facebook wall posts are in electronic storage within the meaning of the SCA, 18 U.S.C. § 2510(17)(B), which defines the storage of electronic communications for purposes of backing them up. We are all set, the SCA applies in this case.
Public Electronic Communications/Private Electronic Communications
The controversial issue was instead whether Plaintiff’s Facebook posts were public or private. This is important, as the ECPA only protects private communications. The Ninth Circuit had noted in the 2002 case Konop v. Hawaaiian Airlines, Inc. that “the legislative history of the [SCA} suggests that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards.”
But a completely public BBS is not protected by the SCA. Indeed, the SCA legislator wrote that:
“the bill does not for example hinder the development or use of electronic bulletin boards or other similar services where the availability of information about the service, and the readily accessible nature of the service are widely known and the service does not require any special access code or warning to indicate that the information is private. To access a communication in such a public system is not a violation of the Act, since the general public has been ‘authorized’ to do so by the facility provider”. (S. REP. NO. 99-541, at 36)
Konop was cited in Crispin v. Audigier, where the court reasoned that “there is no basis for distinguishing between a restricted-access BBS and a user’s Facebook wall or MySpace comments.” The New Jersey District court cited Audigier to conclude that non-public Facebook wall postings are covered by the SCA.
As the privacy settings of Plaintiff’s Facebook account prevented non-Facebook friends to access the messages on her wall, these messages were not really “public” and therefore the SCA applied to them. However, the authorized user exception of the SCA applied in this case.
Why the SCA’s Authorized User Applied in this Case
There is no liability under the SCA if access “[is] authorized … by a user of that service with respect to a communication of or intended for that user,” 18 U.S.C. § 2701(c)(2).
The court cited its own 2009 Pietrylo v. Hillstone Rest. Grp. case which had found that there is no violation of the SCA if the access to an electronic communication has been authorized. In the Pietrylo case, the manager of a restaurant had accessed the MySpace account of an employee, accessible only by invitation, by asking another employee to provide him the password. In Ehling, one of Plaintiff’s colleagues had voluntarily forwarded the electronic communication to the employer “without any coercion or pressure.” Therefore, the access was authorized. The difference is there, asking/coercing for access, or learn about the communication from an unsolicited third party.
Take away
Case law is consistent in this issue. While employers should not coerce or pressure employees to provide them access to the social media account of another employee, it is not illegal for them, under the SCA, to access a social media post if a third party willingly shares this information with them.
As for providing access to one’s own social media account to one’s employer, New Jersey recently enacted a law prohibiting employers to ask for user names, passwords, or other means for accessing employee’s electronic communications devices. Several states have similar laws, but New York is not one of them yet.
Image is Facebook wall courtesy of Flickr user Marcin Wichary pursuant to a CC BY 2.0 license.
by 
