Log-on and Password to Opponent?
A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery. In these cases, the user was an individual. But what if the user were an enterprise?
In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer. But the public portions of his Myspace and Facebook sites contradicted some of his claims. His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury.
No Expectation of Privacy?
The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names. The court dismissed the employee’s claims to privacy, saying, “Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his employer] from access to such information.”
What Do Social Media Privacy Policies Say?
Although the privacy policies at those sites are very complex, the court did not engage in an in-depth analysis of the precise words in those policies.
Access to Email and Chat Messages?
Further, the court did not consider that those log-on credentials will grant access to the content of private, one-on-one chat or email messages, or messages that are the equivalent to private email.
Historically, in civil ediscovery, it has been more common to require an email user to turn over relevant messages -- one-by-one –- not to turn over his log-on credentials so the opponent can access all messages in his email account.
The configuration of social media sites is complex, and privacy for particular bits of information can often be adjusted with a fine degree of precision. For example, in Google Plus, a user can “post” information on his page, but make it viewable by only one friend. In effect, the “post” is analogous to a private email message to that friend.
Enterprise Data in the Cloud
Could the logic of Zimmerman be applied against an enterprise in a civl lawsuit? Could it lead to a requirement that an enterprise turn over full administrator access credentials for a social networking facility the enterprise uses with its employees and select trading partners such as vendors and customers?
It is becoming common for firms to use services like Yammer or Chatter, third-party, cloud-based services, to provide “internal” social networking.
Imagine this scenario: The opponent of a corporation shows a court that public postings of the corporation, sent in connection with a service like Yammer, are inconsistent with claims the corporation makes in litigation. The “internal” part of the service shares information among the corporation, its employees and selected “business associates.” In the “internal” service, varying degrees of access are granted to different people for different bits of information.
Further imagine that the confidentiality terms of the service provider do not guarantee absolute confidentiality under all circumstances. (A service provider cannot make such a guarantee.)
Under the logic of Zimmerman, I can imagine the corporation’s opponent arguing that it should be given powerful log-on credentials so it can broadly view the part of the service used “internally” by the corporation.
What is a corporation using services like Yammer to do? One step would be to liberally post terms and banners requiring users of the internal service to agree that the contents of the service are confidential and shall not be disclosed. That step will not defeat all of the Zimmerman logic, but it will help to distance this corporate scenario from the facts of the Zimmerman case. In Zimmerman, the employee did not post a notice on the private portions of his social sites requiring viewers to maintain confidentiality.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Related Post: Social Network terms of service applicable to forensic investigation?