Everybody in the modern workforce is involved in social media in one way or another.  Think about it.  Even if your company does not utilize social media (which is becoming less and less likely), it is almost certain that your company’s employees do.

Whether or not your company has a policy regarding social media is another matter.  As is recommended, more than half of all employers now have formal social media policies in place. Sometimes these policies are simple, and state only that employees are not to engage in social media activities (i.e., surfing Facebook) while on company time. Other policies are more comprehensive, and dictate what employees may or may not say about their employer, or reveal about their employer, via social media.  It is the latter type of policy that has some employers running afoul of the National Labor Relations Board (the “Board”).

Trade Secrets, Social Media, and the Board

The problem arises when a company’s policy dictates that employees may not communicate, via social media, confidential or proprietary company information.

As a refresher, the Board is the federal agency that enforces the National Labor Relations Act, or “NLRA.”  The NLRA grants nearly all private-sector employees (regardless of whether they are unionized or non-unionized) the right to act together to improve their wages or working conditions.
More specifically, the Board protects the rights of employees to engage in “concerted activity,” which is when two or more employees take action for their mutual aid or protection regarding terms and conditions of employment.  A single employee may also engage in protected concerted activity if he or she is acting on the authority of other employees, bringing group complaints to the employer’s attention, trying to induce group action, or seeking to prepare for group action.

From the Board’s website, some examples of protected concerted activities are:

• Two or more employees addressing their employer about improving their pay;
• Two or more employees discussing work-related issues beyond pay, such as safety concerns, with each other; and
• An employee speaking to an employer on behalf of one or more co-workers about improving workplace conditions.

Amazingly, the Board has taken the position that many social media policies, which are (in part) intended to protect company trade secrets and confidential information from dissemination via social media, could be interpreted as prohibiting employees from discussing and disclosing information regarding their own conditions of employment, as well as the conditions of employment of employees other than themselves – activities that are  protected by Section 7 of the NLRA.

Board’s Third Report on Social Media

The Board restates this position via its most recent effort to clarify its stance on social media. On May 30, 2012, the Board’s Acting General Counsel Lafe Solomon released a third Report summarizing seven different cases involving employers’ social media policies, confidentiality, privacy, protection of employer information, and intellectual property.

In the first six policies reviewed, the Report concludes that at least some of the provisions in the employers' policies and rules are overbroad, and therefore unlawful under the NLRA. Only one social media policy out of seven included in the Report is found to be entirely lawful.

As pointed out by various blogs and legal experts, the Report contradicts itself in dictating what policy verbiage violates the NLRA.  For example, the Board finds (on page 8 of the Report) that a social media policy prohibiting employees from disseminating “[Employer] Secret, Confidential or Attorney-Client Privileged information” is lawful.  In comparison, the Report finds the following policies to be in violation of the NLRA:

• “Don’t release confidential guest, team member or company information…” (p. 4).
• “Make sure someone needs to know. You should never share confidential information with another team member unless they have a need to know the information to do their job.” (p. 5).
• “[D]o not reveal non-public company information on any public site.” (p. 7). 
• “[E]mployees [are prohibited] from posting information regarding the Employer that could be deemed ‘material non-public information’ or ‘confidential or proprietary.’” (p. 13).

How to Protect Trade Secrets While Keeping a Lawful Social Media Policy

So how can an employer draft a social media policy that protects its confidential, proprietary, and trade secret information, while simultaneously complying with the NLRA?  Notably, the Report does find one policy entirely lawful.  Why was it lawful?  According to the Board, the policy:

• Clarifies and restricts its scope by including examples of clearly illegal or unprotected conduct;
• Provides sufficient examples of prohibited conduct so that employees cannot reasonably interpret the policy to prohibit Section 7 activity;
• Specifically requires employees to maintain the confidentiality of the Employer’s trade secrets and private and confidential information (because employees have no protected right to disclose trade secrets); and
• Provides sufficient examples of prohibited disclosures (i.e., information regarding the development of systems, processes, products, know-how, technology, internal reports, procedures, or other internal business-related communications) for employees to understand that the policy does not prohibit communications about working conditions.
(A copy of the lawful policy is attached to the Report on page 22.)

To summarize, the Board seems to have a problem with ambiguous, all-encompassing policies that, while drafted with the lawful intention of protecting trade secret or otherwise protected information, could be interpreted as prohibiting employees from engaging in concerted activity. 

Thus, if drafting a social media policy, it should be specific, use numerous examples, keep a narrow scope, and make it abundantly clear to employees what is being prohibited and why.  It would also be wise to utilize direct quotes from the policies included in the Report that the Board found to be lawful.

The debate rages on concerning the scope and extent of the federal Computer Fraud & Abuse Act.  In simple terms, the CFAA makes it unlawful to access a protected computer without authorization (or in excess of one's authorization) and to damage the computer or obtain information that one is not entitled to obtain.  Originally a criminal statute, the CFAA also provides for a civil claim if certain conditions are met.  Courts have long debated whether the statute applies in the context of an alleged faithless employee who accesses an employer's information contained on a computer for an improper competitive purpose.  Regardless of the varied judicial opinions addressing this point, the United States District Court for the Middle District of Florida recently rejected as "dubious" a somewhat novel argument that an employee violated the CFAA by accessing Facebook and her personal email at work.  (A copy of the Court's opinion is available in pdf format below.)

In Wendi Lee v. PMSI, Inc., Lee sued her former employer, PMSI, for pregnancy discrimination.  PMSI counterclaimed under the CFAA stating that Lee engaged in "excessive internet usage" and "visit[ed] personal websites such as Facebook and monitor[ed] and [sent] personal email through her Verizon web mail account."  In its opinion dismissing the CFAA claim, the Court began by noting the CFAA is originally a criminal statute designed to target hackers who access computers to steal information.  The Court noted that some courts have permitted CFAA claims against employees who send an employer's trade secrets or proprietary information via email.  Lee citing Shurgard Storage Centers v. Safeguard Self Storage (W.D. Wash. 2000).  Notwithstanding these cases, the Court concluded that "[b]oth the letter and spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working."

The Court's conclusion was based on more than it's impression of the purpose underlying the CFAA.  The Court examined the statute and observed that a CFAA violation occurs if a defendent damages a computer or obtains information to which the employee is not entitled.  In this case, PMSI failed to allege that Lee somehow damaged its computers or accessed its information.  The Court also recognized that a civil claim under the CFAA only exists if the alleged wrongful conduct causes a loss to one or more persons during a one-year period aggregating at least $5,000 in value.  18 USC. 1030(c)(4)(A)(i)(l).  Despite PMSI's creative argument, the Court held that the "statute does not contemplate 'lost productivity' of an employee" as the type of loss required to sustain a CFAA claim.

No doubt, the debate over the scope and applicability of the CFAA will continue to unfold in courts across the country.  Employers will continue to use the CFAA as a tool to protect their confidential and trade secret information, and eventually, the Supreme Court or Congress will likely address the split of opinion.  Wherever the line may be drawn eventually, for now, at least, the line has not been so broadly drawn as to apply the statute to employees who spend too much time on the internet at work.  Employers who seek to address this problem should do so through appropriately tailored written policies and careful implementation.

As always, we welcome your thoughts and input in the comment section below.  Let us know your reaction to this Court's opinion.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed. 

Lee v. PMSI.pdf (29.40 kb)