Employer Takeover of Employee's LinkedIn Account Does Not Violate Federal Computer Hacking Law, Question of Ownership Remains
Given the popularity of Facebook, Twitter, and LinkedIn, more and more organizations are resorting to social media sites to promote their brands and manage their public profiles. Employers are also encouraging employees to open social media accounts to carry out marketing and networking objectives. As corporate and professional social media use increases, so is the frequency of lawsuits challenging just who owns such social-networking accounts and content—the company or the employee who maintains them. A federal judge is being asked to address this very issue in a case involving a Pennsylvania woman’s claim that her former employer violated the Computer Fraud and Abuse Act (CFAA) when it took control of her LinkedIn account after she was fired (pdf).
Linda Eagle was co-founder and president of Edcomm, a bank consulting and training company. In 2008, Eagle created a LinkedIn profile; she used the profile to promote Edcomm’s services, foster her reputation, reconnect with friends and colleagues, and build her personal and professional network. Eagle shared the account password with another employee, who assisted Eagle in maintaining the LinkedIn profile. In 2011, following a change in ownership, Eagle was fired. After her termination from Edcomm, Eagle attempted to access her LinkedIn account, but was unsuccessful. Edcomm, using Eagle’s password, had accessed her account and changed her password so as to restrict Eagle’s access. In addition, Edcomm removed Eagle’s name and picture and posted information on the new executive who was hired in her place. Three weeks later, Eagle was able to regain access to her LinkedIn account.
Eagle then sued, claiming that the unauthorized takeover of her LinkedIn account violated the CFAA, caused her to lose potential business contacts and future revenue, and damaged her reputation. In response, Edcomm filed a counterclaim alleging that it had maintained and monitored the LinkedIn profile for the company’s benefit, that it was the rightful owner of the account, and that Eagle misappropriated the account for personal use.
Earlier this month, the judge ruled that Eagle could not continue with her CFAA claim and that it should be dismissed before trial. In rejecting Eagle’s claim, the judge noted Edcomm’s general policy that “when an employee left the company, the company would effectively ‘own’ the LinkedIn account and could ‘mine’ the information and incoming traffic, so long as it did not steal the former employee’s identity.” In addition, the judge reasoned that Eagle’s claims for potential business relationships and opportunities that she was denied while unable to access her account were too speculative to entitle her to compensation under the CFAA. Finally, the judge held that there was no damage to Eagle’s reputation in the short period of time during which she was denied access to her account.
Although the judge rejected Eagle’s federal claims, she is permitted to proceed to trial under various state law causes of action, including misappropriation of publicity, identity theft, tortious interference with contract, and civil conspiracy. Edcomm’s own misappropriation claim—and the ultimate issue of who owns the LinkedIn account—is also outstanding. A final decision on these claims is not expected any time soon.
In the meantime, employers can protect themselves and their social media profiles by crafting effective social media policies and practices. Where company social media accounts are maintained by employees, employers should adopt a written policy that the account and all posted content belongs to the employer. The policy also should require that company-branded social media accounts, including login information and passwords, be returned at the end of employment. Employees should be required to agree in writing to these policies before they are given access to company social networking accounts.