Log-on and Password to Opponent?

Corporate Social Media | Civil Lawsuit E-Discovery
December 30, 2011

A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery. In these cases, the user was an individual. But what if the user were an enterprise?

In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer. But the public portions of his Myspace and Facebook sites contradicted some of his claims. His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury.

No Expectation of Privacy?

The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names. The court dismissed the employee’s claims to privacy, saying, "Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his employer] from access to such information."

What Do Social Media Privacy Policies Say?

The court went on to say, "All the authorities recognize that Facebook and Myspace do not guarantee complete privacy. Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available."

Although the privacy policies at those sites are very complex, the court did not engage in an in-depth analysis of the precise words in those policies.

Access to Email and Chat Messages?

Further, the court did not consider that those log-on credentials will grant access to the content of private, one-on-one chat or email messages, or messages that are the equivalent to private email.

Historically, in civil ediscovery, it has been more common to require an email user to turn over relevant messages -- one-by-one -- not to turn over his log-on credentials so the opponent can access all messages in his email account.

The configuration of social media sites is complex, and privacy for particular bits of information can often be adjusted with a fine degree of precision. For example, in Google Plus, a user can "post" information on his page, but make it viewable by only one friend. In effect, the "post" is analogous to a private email message to that friend.

Enterprise Data in the Cloud

Could the logic of Zimmerman be applied against an enterprise in a civil lawsuit? Could it lead to a requirement that an enterprise turn over full administrator access credentials for a social networking facility the enterprise uses with its employees and select trading partners such as vendors and customers?

It is becoming common for firms to use services like Yammer or Chatter, third-party, cloud-based services, to provide "internal" social networking.

Imagine this scenario: The opponent of a corporation shows a court that public postings of the corporation, sent in connection with a service like Yammer, are inconsistent with claims the corporation makes in litigation. The "internal" part of the service shares information among the corporation, its employees and selected "business associates." In the "internal" service, varying degrees of access are granted to different people for different bits of information.

Further imagine that the confidentiality terms of the service provider do not guarantee absolute confidentiality under all circumstances. (A service provider cannot make such a guarantee.)

Under the logic of Zimmerman, I can imagine the corporation’s opponent arguing that it should be given powerful log-on credentials so it can broadly view the part of the service used "internally" by the corporation.

Non-Disclosure Terms

What is a corporation using services like Yammer to do? One step would be to liberally post terms and banners requiring users of the internal service to agree that the contents of the service are confidential and shall not be disclosed. That step will not defeat all of the Zimmerman logic, but it will help to distance this corporate scenario from the facts of the Zimmerman case. In Zimmerman, the employee did not post a notice on the private portions of his social sites requiring viewers to maintain confidentiality.

Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.


source: http://legal-beagle.typepad.com/wrights_legal_beagle/2011/12/enterprise-social-network.html