Posted: May 24, 2010
As use of social networking websites continues to explode, employers need to remain vigilant against the potential liability stemming from employee misuse of these sites. Picture this: an employee uses a company’s computer system to obtain personal information about a customer and then posts this information on a social networking site. A recent case sheds light on how businesses may be able to mitigate the liability stemming from such employee behavior.
In this case (Yath v. Fairview Clinics, et al.), an employee at a medical clinic read private medical records about an acquaintance and learned that the acquaintance had an STD and an extra-marital friend. The employee then shared this information with others, and eventually, the information was posted on Myspace.com. Once the acquaintance learned of the breach of her medical information, she sued a number of defendants, including the meddlesome employee’s employer, on a number of legal theories, including invasion of privacy.
Although posting the information on a social networking site was deemed “publicity” for purposes of state tort liability, the employer was still granted summary judgment on the plaintiff’s invasion of privacy claims. The employer was able to show that the employee was acting outside of the scope of her employment when she accessed the plaintiff’s medical records. Also, the employer was able to show that the subsequent posting on Myspace.com could not have been done at the employer’s place of business because employees are blocked from accessing these sites.
The lessons from this case are pretty plain. Businesses that maintain and keep protected personal information such as medical data or other personally identifiable information (like social security numbers) should ensure that appropriate physical, technical, and administrative safeguards are in place to protect such information and that employees receive training with regard to such safeguards. Which safeguards are appropriate will change over time, especially as technology evolves and cultural trends emerge. But safeguards like criminal background checks, monitoring of electronic communications, and periodic auditing of employee conduct may be appropriate. Employers may also choose to prohibit or restrict access to social networking sites. Since some potential safeguards carry their own risk, employers should consider restrictions on their own conduct and judge any potential safeguard in light of applicable legal constraints.