Approach With Caution: Conducting Background Checks Using Facebook, MySpace or the Internet

Employers are becoming more and more aware of the information obtainable via the internet about their current employees as well as applicants.  Many are looking up prospective and current employees' Facebook and MySpace pages to glean more information about the individual.  As the the Fox News video below shows, current employees need to be careful what they tell their bosses to get the day off of work, versus the information posted on their Facebook page.


While the information posted on the Internet on social networking sites is usually public for everyone to see, employers need to be aware of potential claims against them.  The law is behind in the times and there are many uncertainties in this area.  Listed below are some potential pitfalls that employers need to be aware of when using the Internet to conduct background checks.

Federal and State Discrimination Claims


Because people are becoming so comfortable in sharing private information on social networking sites, employers may learn too much information about an applicant that would not and could not have been discovered through an interview. Discovery of this personal information is not unlawful – it is likely that the employer would find out many of these traits at the first in-person interview with the applicant anyway. However, employers cannot base its employment decisions upon a protected category, such as race or gender.   By learning about this type of information of an applicant via their on-line profile, the employer may have to explain that the information did not enter into the hiring decision. 

Invasion of Privacy Claims

Though one might argue that members of social networking sites have no expectation of privacy (since they’re posting information to the world) some applicants or employees might argue that the employer overstepped its legal bounds by using profile data in employment decisions. Arguably, the terms of service agreement may create expectation of privacy for users of site.
 
State Law Privacy Claims
Employees could potentially argue that using Facebook, MySpace or similar site to conduct background checks violate state statutory law. For example, California and New York have statutes that prohibit employers from interfering with employee’s off-duty private lives. Employees may attempt to argue a public policy violation has occurred in violating a state statute that protects off-duty conduct from employer’s control.

State common law could also create liability. Generally, there are four common law torts for invasion of privacy:
  1. intrusion upon seclusion,
  2. public disclosure of private facts causing injury to one's reputation,
  3. publicly placing an individual in a false light, and
  4. appropriation of another's name or likeness for one's own use or benefit.
As explained by one court, the tort of unreasonable intrusion upon the seclusion of another, "depends upon some type of highly offensive prying into the physical boundaries or affairs of another person. The basis of the tort is not publication or publicity. Rather, the core of this tort is the offensive prying into the private domain of another." (citing Restatement (Second) of Torts § 652B, comments a, b, at 378-79 (1977)). Generally, the invasion of privacy must consist of (1) highly offensive intrusion (deceitful means to obtain information); and (2) prying into private information (information placed on the web is most likely not private).

Fair Credit Reporting Act

An employer’s use of social networking sites may implicate the FCRA, which places additional disclosures and authorization requirements on employers. In enacting the FCRA, Congress stated its underlying purpose was to ensure that decisions affecting extension of credit, insurance, and employment, among other things, were based on fair, accurate, and relevant information about consumers. The FCRA is intended to provide employee with notice of the background check, authorization to conduct the check in certain circumstances, and disclosure to the employee if the information is used in the employment context.

FCRA Definitions:
  • A “consumer report” is defined at as information (oral, written, or other communication) provided by a “consumer reporting agency” about credit matters as well as about a person’s “character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for…employment purposes.”
  • Another kind of “consumer report,” called an “investigative consumer report” contains information on a consumer’s character, general reputation, personal characteristics, or mode of living that is obtained through personal interviews with friends, neighbors, and associates of the consumer.
  • A “consumer reporting agency,” is defined as “any person who regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.”
Employers who conduct the background checks internally do not qualify as a “consumer reporting agency” and therefore the FCRA does not apply. Employers still need to be careful, however, because state law may apply. For example, California Investigative Consumer Reporting Agencies Act is more restrictive than the FCRA.

Terms of Service Violations

Facebook, MySpace, and similar sites have terms of service posted on their pages that generally prohibit use of their content for “commercial purposes.” Violation of the terms of service would not automatically create a cause of action in and of itself. However, as discussed above, it may be a way for a plaintiff to argue that there is an expectation of privacy in using the site and everyone who signs up to use the site is agreeing to abide by those terms.

The Electronic Communications Privacy Act of 1986

The ECPA was intended to expand wiretapping protections to electronic communications.

Title I of the ECPA provides that “any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication ... shall be punished ... or shall be subject to suit ...."

Title II, known as the Stored Communications Act (SCA), focuses on communications in storage (e-mails, blogs, electronic bulletin or similar message boards) and most likely social networking sites. The Store Communications Act provides that "whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished ...."

However, the SCA exempts from liability, ``conduct authorized ... by a user of that service with respect to a communication of or intended for that user.´´ A virtual community that has some type of privacy protection can create liability for an employer who provides false information or assumes an identity to gain access to the site.

Therefore, employers need to stay away from pretexting in order to gain access to an applicant's or employee's on-line profile. Also, websites and social networking sites open to the public are not covered by the SCA. Courts have indicated that a terms of service agreement, and nothing more, would not be enough to create a private webpage. There needs to be more protections taken by the publisher of the on-line content in order for the individual to prevail in asserting the site was “private” under the ECPA.  

Conclusion
Generally, under Federal law, employers may utilize social networking sites to conduct background checks on employees if:
  1. The employer and/or its agents conduct the background check themselves;
  2. The site is readily accessible to the public;
  3. The employer does not need to create a false alias to access the site;
  4. The employer does not have to provide any false information to gain access to the site; and
  5. The employer does not use the information learned from the site in a discriminatory manner or otherwise prohibited by law.