Jump to Navigation | Jump to Content
American Bar Association

Living in a Cyber World: Avoiding Pitfalls While Using Social Media in Investigations

By Lily Chinn – August 24, 2016

Social media are an integral part of everyday life. Thus, they provide a source of significant information that companies can use in a variety of ways, from screening candidates for employment to conducting internal investigations. Unfortunately, there is no single federal law governing privacy concerns, third-party access, and ethical issues related to the use of social media by companies or their lawyers. Instead, there is a patchwork of federal statutes, agency rulings, bar opinions, terms of use for specific sites, and state laws addressing various aspects of the use of social media. Though this lack of continuity presents challenges, there are proactive steps counsel and companies can take to avoid pitfalls when conducting investigations involving social media. Of critical importance, these steps include identifying key legal boundaries in accessing social media and best practices to implement in light of new legal rulings and changing technology.


What Are Social Media?
Social media are any electronic medium that allows users to create, share, or view user-generated content, such as videos, photographs, blogs, podcasts, messages, emails, and web profiles. The most recognized and commonly used social media include Facebook, Twitter, LinkedIn, Google+, Instagram, Pinterest, Tumbler, YouTube, Vine, SnapChat, Reddit, Kik, and WhatsApp. There are, however, countless others, with new technology being developed every day.


Technology is now a primary means by which we communicate with each other, voice complaints, and share important aspects of our personal lives. Social media, in particular, are relatively unrestricted, fast-paced, and widely disseminated, and they promote informal and spontaneous communications. According to a study by Pew Research Center, 65 percent—almost two-thirds—of American adults use social networking sites. Andrew Perrin, Pew Research Ctr., Social Media Use: 2005–2015 (Oct. 8, 2015). Another Pew Research Center study found that last year 36 percent of smartphone users used messaging apps, such as WhatsApp, Kik, or iMessage, and 17 percent used apps that automatically delete sent messages, such as Snapchat or Wickr. Maeve Duggan, Pew Research Ctr., Mobile Messaging and Social Media 2015 (Aug. 19, 2015). Indeed, the “tech world” never rests: in January 2016 alone, 50,750 new apps were submitted to the iTunes App Store. Statista, Number of Newly Developed Apps/Games Submitted for Release to the iTunes App Store from 2012 to 2016. As technology evolves, the methods by which we communicate also evolve, raising new legal, privacy, and ethical concerns, and creating new sources of information about individuals who use social media sites.


Common Uses in Internal Investigations
Social media contain a wealth of potentially relevant information that can inform companies about prospective, current, and former employees. For this reason, social media are commonly used by companies and their counsel in internal investigations to fact-find, explore compliance with workers’ compensation, corporate policies, and other claims, as well as obtain evidence of criminal behavior and ascertain the mental, physical, or emotional state of an applicant or employee. It can even be used, for example, to investigate an applicant and verify aspects of his or her application. Last year, 52 percent of employers reported researching job candidates via their social networking sites, up from 43 percent in 2014 and 39 percent in 2013. Matt Tarpey, “More Employers Checking Out Candidates on Social Media,” Hiring Site Blog, May 14, 2015.
Avoiding Potential Social Media Pitfalls
Social media are undoubtedly a useful tool that should be used in the course of a properly conducted investigation. The use of social media in this context, however, raises legal, privacy, ethics, and litigation concerns that are addressed—to a varying extent—through federal statutes, agency rulings, bar opinions, and terms of use for specific sites. This patchwork of regulation presents challenges in identifying the appropriate use of social media. Below are some key guideposts for companies and counsel looking to make use of social media in the context of an internal investigation:


Familiarize yourself with the social media laws for the states where the company’s employees are located. Because states are at the forefront of protecting employee privacy with regard to social media, companies should track the requirements of the states in which their employees are located. In the absence of overarching federal legislation, 23 states have already adopted laws directed at employer access to social media of applicants and employees, all with varying requirements. Nat’l Conference of State Legislatures, State Social Media Privacy Laws (July 6, 2016). For instance, many states prohibit an employer from requiring an employee to disclose the username or password to a personal social media account; alter the privacy settings on personal social media sites; or add an employee, supervisor, or administrator to the employee’s social network. Some states, including California (Cal. Lab. Code § 980), Michigan (Internet Privacy Protection Act), and Washington (Wash. Rev. Code § 49.44.200), even prohibit an employer from requiring the employee to access social media in the employer’s presence. However, certain states—including California (Cal. Lab. Code § 980), Colorado (Colo. Rev. Stat. § 8-2-127), Maryland (Md. Code. Ann., Lab. & Empl. § 3-712), Oregon (Or. Rev. Stat. ch. 659A), and Washington (Wash. Rev. Code § 49.44.200)—provide limited exceptions to social media laws for certain types of investigations, the extent of which varies by state. Generally, though, the exceptions provide that employees may volunteer access to their social media accounts or may choose to “friend” work associates, including their superiors. If an employee provides a company access to his or her social media account in the course of an investigation, the company should document that such information was provided voluntarily.


Keep apprised of developing federal law. While Congress has yet to pass a specific law that addresses social media concerns directly, there are a number of federal laws or agency opinions that deal with different aspects of social media relevant to investigations. For example, the Stored Communications Act (SCA) sets forth requirements for obtaining user information and content from third-party providers and has been applied to social media companies like Facebook by district courts. The Computer Fraud and Abuse Act (CFAA), on the other hand, prohibits unauthorized access to a computer, including mobile devices, used in interstate commerce. In contrast, the National Labor Relations Act (NRLA) protects an employee’s right to freely discuss working conditions.


  • Privacy protections in the SCA vary with respect to the type of social media content and privacy settings for the site. See, e.g., Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010) (quashing a subpoena for Facebook and MySpace messages and remanding for inquiry into privacy settings with respect to wall postings and comments). The SCA prevents private parties from issuing a subpoena to social media sites to obtain content from a user’s account that is protected by the site’s privacy settings, though this content may still be discoverable by requesting that the user provide the information through normal channels of discovery.
  • Likewise, the CFAA requires user authorization to access information on a computer used in interstate commerce. It has been used both by employers to limit employee use of social media (Lee v. PMSI, Inc., 2011 WL 1742028 (M.D. Fla. 2011) (dismissing employer suit over employee’s excessive use of company computers to access Facebook and personal email because employer could not allege access to or damage of company information)) and by employees to claim damages from an employer’s unauthorized access to an employee’s computerized information (Eagle v. Morgan, 2011 WL 6739448 (E.D. Pa. 2011) (granting summary judgment on employee’s CFAA claims against employer relating to the employer’s acquisition of her LinkedIn account because employee had not shown a legally cognizable loss or damages suffered)).
  • There is a circuit split over whether liability under the CFAA extends to employees who violate employers’ computer-use policies. The First, Fifth, Seventh, and Eleventh Circuits permit suits under the CFAA arising out of violations of a computer-use policy. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
  • The Fourth and Ninth Circuits, however, do not. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
  • The Second Circuit also recently interpreted the CFAA in a narrow manner, holding that an employee does not violate the CFAA if, when granted access to a database for one purpose, he or she uses it for another, unauthorized purpose. See United States v. Valle, 2015 WL 7774548 (2d Cir. 2015).
  • Bear in mind that employers are entitled to access publicly available information on employees’ social media sites because a user has no expectation of privacy for publicly available information. Some social media sites provide privacy setting options to their users. Others, like Twitter, have no options for privacy settings.
  • The National Labor Relations Board has issued guidance and rulings on limits to company restrictions on employees’ use of social media. The NLRB and Social Media (fact sheet). For instance, in Triple Play Sports Bar & Grille, 361 N.L.R.B. 31 (2014), aff’d, No. 14-3284 (2d Cir. 2015) (summary order), the board held that the company’s “Internet/Blogging” policy discouraging online communications involving “inappropriate discussions about the company, management, and/or co-workers” violated the National Labor Relations Act. More generally, in In Durham School Services, L.P., 360 N.L.R.B. 85 (2014), the board found that a social media policy that threatened discipline for publicly sharing information “related to the company or any of its employees or customers,” without indicating what the employer considers appropriate or inappropriate conduct, was unreasonably broad and vague and infringed on an employee’s “right to communicate freely with fellow employees and others regarding work issues and for their mutual aid and protection.”


Be aware of other privacy considerations. Employers should be aware of employee privacy concerns when accessing employee personal email or social media content from both company-issued devices and employee-owned mobile devices used for work purposes. The SCA prohibits access to a user’s email account without his or her permission, and at least one court has held that social media account passwords saved in an electronic device used at work does not constitute implied consent to access email under the SCA. See, e.g., Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio 2013) (denying a motion to dismiss a complaint under the SCA on the basis that the employer reviewed personal email on an employer-issued mobile device using auto-saved passwords for Gmail). Similar arguments could also be made under the CFAA. Moreover, employees have sued employers for damages under state invasion of privacy laws, state hacking laws, or other torts for unauthorized access to their personal email or social media accounts.


Consult your state and local bars’ ethics rules and opinions. Communications by counsel via social media, like any other type of communication, are subject to rules of ethical conduct and apply both to lawyers and non-lawyer investigators under their direction. ABA Model Rule of Professional Conduct 4.2 prohibits a lawyer from communicating with an individual a lawyer knows is represented by counsel without the prior consent of the individual’s counsel. Rule 8.4(a) prevents counsel from engaging in “conduct involving dishonesty, fraud, deceit, or misrepresentation.” More specifically, the New York City Bar Association has held that an attorney or the attorney’s agent may use his or her real name and profile to send a “friend request” to obtain information from an unrepresented witness without disclosing the reasons for making the request but may not use deception or trickery to gain access to an individual’s social media site. Ass’n of the Bar of the City of N.Y., Comm. on Prof’l Ethics, Formal Op. 2010-2 (Sept. 2010). By contrast, the San Diego County Bar Association held that attorneys should disclose why they are requesting to connect with an unrepresented witness via a social media connection. San Diego Cty. Bar Ass’n, Legal Ethics Op. 2011-2 (May 24, 2011). An attorney should consult the state and local bar ethics rules and opinions in his or her jurisdiction to determine the bounds of ethical conduct when seeking information from a user’s social media sites.


The Takeaway
What steps can a company take to proactively address privacy concerns and litigation risk in the face of constantly changing social media technology? One important action is the implementation of company policies that provide transparency about employees’ privacy rights. Policies clearly outlining whether employees retain privacy rights when accessing social media or personal email from company-owned equipment and networks or employee-owned devices used for work purposes can reduce some of the risk identified above. Clear policies are especially important now that more and more companies are adopting “bring your own device” (BYOD) policies and allowing the use of personal mobile devices that access company-owned information, which can blur the line between work and personal information. In fact, a January 2016 survey by Tech Pro Research found that 59 percent of organizations have BYOD device policies and another 13 percent plan to initiate BYOD policies within the next 12 months. Teena Maddox, “BYOD, IoT and Wearables Thriving in the Enterprise,” Tech Pro Research, Jan. 4, 2016. It is also important to coordinate implementation of these policies with human resources and information technology departments because they often interact with employees and their computer equipment in the normal course of business. Finally, each company should consider whether its policy on disclosure and access to employees’ social media information is consistent with its corporate philosophy and culture as well as the company’s own use of social media for business purposes.


There is a lot to consider when addressing social media in the corporate context. Because technology is evolving faster than the law can respond, it is important for companies to keep abreast of changing technology and regularly consult with counsel about the implication that technology may have on a company’s legal and ethical obligations.


Keywords: litigation, minorities, social media, investigation, privacy laws, attorney ethics


Lily Chinn is a partner at Katten Muchin Rosenman LLP in San Francisco, California.

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).