A Paralegal’s Burden: Social Media’s Threat to Personal Privacy

Guest Blog by Fiona Causer

With the convenience and popularity of social interaction online comes critical and well-founded concerns regarding the right of citizens to personal privacy.  Given that the right to privacy and freedom of speech are foundational values to promoting a free, American life, the widespread popularity of social media presents new challenges to legal professionals to defend and uphold these values.   Law schools, traditional paralegal training programs and even online paralegal training programs are now burdened with the task of properly educating their students to approach and tackle these privacy issues head-on.  Social networks will only continue to grow in popularity, and being that they are for-profit ventures, the public cannot depend on them to protect its privacy.

Most social networks include in their Terms of Service agreements provisions for ownership of data. More often than not, companies that own social networks own the user data published and accessed through them. The data in question could be as innocuous as friend lists, interests as they relate to advertising and patterns of Internet activity. However, the ownership by social media companies of other, more personal data presents complications regarding First and Fourth Amendment rights.

When a Facebook user establishes an account, their date of birth, relationship status and partner (and therefore, sexual orientation), contact information and work history are requested. Input of each of these identifiers is optional, but in the context of interacting with friends and family, the request seems harmless enough.

However, disclosing this information can lead to legal challenges down the road. When a user uploads a photo, mentions a problem at work or admits to witnessing or committing a crime, identifying information can be used by employers and law enforcement to conduct an investigation without knowledge of the investigated, presenting two issues of legal concern: unnecessary search and seizure, and impingement on Freedom of Speech.

Questions about social media and free speech first gained national attention in cases where employees of private institution faced punishment or termination for comments made or pictures posted on social sites, including Twitter, Facebook and MySpace. First Amendment rights are limited in the private sector, and companies have no obligation to protect Freedom of Speech as it relates to the workplace, as addressed in an article on the Employment-at-Will Doctrine by the University of Washington Law Review. But recent cases involving teachers at public institutions have raised questions regarding the use of social media to identify teachers with controversial views and target them.

Viki Knox, a New Jersey teacher was recently investigated for making anti-gay comments on her personal Facebook page, directed at the general public and not toward any student or member of her school’s administration. According to Huffington Post, the speech was protected by a New Jersey anti-bullying law because the comments did not interfere with her teaching of students. But the school board pursued the investigation, ultimately seeking to terminate the tenured Knox.

A “Teacher of the Year” award recipient named Jerry Buell was reassigned then suspended from his position at a high school in Florida for posting homophobic comments to his personal Facebook page, according to Huffington Post. Buell returned to the classroom several months later.

Employers, both public and private, are increasingly turning to social media to investigate current and prospective employees. While standard background check solutions like E-Verify and credit bureau requests are still common, searching Google and popular social networks offers a quick turnaround and a level of granularity not possible with more traditional investigatory methods.

Though most social network data is owned by the site(s) hosting it, the free access of data presents problems in that information irrelevant to a given investigation may be used to determine employment eligibility: Sexual orientation, marital status, personal interests, activities during personal time, and many other traits can be used improperly by public and private employers to disqualify job candidates or target existing employees for termination. Proving in a court of law that information, legally obtained, has been improperly used in the termination of an employee is close to impossible without the testimony of witnesses present during the collection of data.

Fiona Causer is currently a student pursuing her bachelor’s degree in Legal Studies.  She enjoys writing and seeks to use it as a vehicle to convey ideas and engage others in conversation about important issues of our current day and age. She may be reached at fiona.causer1@gmail.com.


CFAA only for hacking – at least in the West

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompanies such activities. David Nosal, former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.”  The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contact, which they emailed to Nosal. They were all caught. The government indicted Nosal was on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether the conduct of Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database to violate the terms of confidentiality and theft of trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that the section of the CFAA is limited to computer hacking, not every violation of use.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA and the government takes the position that the broad interpretation this provision is limited by the need to prove an intent to defraud. In those other sections of the CFAA where intent to defraud is not required, the statute’s scope can still be more limited. But the Ninth Circuit points out that the language of the offense is the same such that a different scope in the same statute for the same phrase is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.

LII Presents Ethics in Informatics Program on proposed changes to ABA guidelines and SEC Technology Guidance

Information and registration for our next even is now available.

Ethics in Informatics:

Changing Ethics Rules and New SEC Guidance Redefine the Competency of the Lawyer


Dean Dennis R. Honabach, Chair of the ABA’s Standing Committee on Professionalism

Professor Jon M. Garon, Director of the NKU Chase Law & Informatics Institute

Friday, May 4, 2012

Cincinnati, Ohio

The practice of law has largely gone digital in the past decade.  In response, the American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession.  It has proposed a revision to the Model Rules of Professional Responsibility to make explicit the affirmative duty to prevent “the unintended disclosure of, or unauthorized access to, information relating to the representation of a client” to data privacy, security and reliability.  Not to be outdone, the Corporate Finance Division of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers.

This program provides attendees guidance on three key areas:

  • The existing and proposed ethical rules regarding technologically mediated client confidentiality;
  • The lawyer’s role in assisting clients meet their affirmative duties of disclosure; and
  • The lawyer’s duties regarding social media and cloud computing in the context of client communications, ex parte communications, and interactions with the judiciary in social media and cyberspace.
Date: Friday, May 4, 2012
Time: 7:30 a.m. to 9:35 a.m.
Continental Breakfast will be served from 7:30 a.m. to 8:00 a.m.
Location: Wood, Herron & Evans, Floor 36, 441 Vine Street, Cincinnati, OH 45202
Registration fee: $99.00 for general public and $89.00 for alumni
CLE credits: 1.5 Ethics CLE in Ohio & KY
For more information: www.lawandinformatics.org/breakfastseries
Online registration: Register online
Fax Registration: Download a fax registration form
Call in registration: (859) 572-7853 to reach Admin. Dir. Lindsey Jaeger

Dean Dennis R. Honabach is the co-author of D&O Liability Handbook and the Proxy Rules Handbook. He has published law review articles on topics ranging from managerial liability and Enron to toxic torts and legal education. Dean Honabach is the chair of the ABA’s Standing Committee on Professionalism, the co-chair of the Business Law Education Committee of the ABA’s Business Law Section and a member of the Misconduct and Irregularities Subcommittee of the LSAC.

Jon M. Garon is an attorney and professor of informatics, entertainment, intellectual property and business law. He has extensive practice experience in the areas of entertainment law (including film, music, theatre and publishing), data privacy and security, business planning, copyright, trademark, and software licensing.

“Ethics in Informatics” is the first presentation in the Law & Informatics Breakfast Series, which will address various topics on privacy, data security, social media and ethics. These programs will be hosted in downtown Cincinnati. We are very grateful to the law firms of Wood Herron & Evans LLP, Frost Brown Todd LLC, Baker & Hostetler LLP and Dinsmore & Shohl LLP for their support as hosts for this coming year’s program.