Stored Communications Act

Article courtesy of Morrison & Foerster’s MoFo Tech

As financial institutions and investors turn to social media to instantly share snippets of news and potential clues about market trends, the FBI and SEC are monitoring such postings for evidence of insider trading and improper investment information. Companies must comply with pre-Internet federal securities laws covering antifraud, advertising, record keeping, and more, even though the use of Facebook and Twitter is far outpacing the development of federal regulations aimed at social media.

Late last year, two FBI agents told Reuters that they see social media as a breeding ground for insider trading and securities fraud. “If there is any way to exploit it, these individuals will,” one agent said. The FBI also began a public search for an application that would scan social media for national security threats. “In trying to establish whether a trader who made significant gains in advance of market-moving news got nonpublic information from a company insider, the FBI might be interested in a list of the trader’s friends and contacts on social media sites,” says J. Alexander Lawrence, a Morrison & Foerster partner who works in securities law. “Evidence on Facebook, LinkedIn, or other sites could help the FBI connect the dots.”

Government investigators have been pursuing insider traders with growing intensity, according to Morrison & Foerster’s 2012 Insider Trading Annual Review. One reason could be the relative lack of success in bringing cases related to the financial crisis. “While the SEC and DOJ have been criticized, fairly or not, for not bringing more cases arising from the financial crisis—especially against individuals—both agencies have received abundant praise for their crackdown on insider trading,” the report concluded.

When communicating information through social media channels, companies have had to carefully consider whether material nonpublic information is being selectively disclosed in violation of Regulation FD. The SEC recently clarified its views regarding the applicability of Regulation FD to social media in a Report of Investigation which concluded that disclosure of material nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the social media site may be used for this purpose, is unlikely to qualify as an acceptable method of disclosure under the securities laws.

However, the SEC indicated that companies using social media to communicate information could apply existing guidance on the use of corporate websites in determining if that information is adequately being disseminated through social media channels so that a company won’t run afoul of Regulation FD, which would include taking steps to notify the market that material information about the company can be gleaned from those social media channels.

There are legal uncertainties about how far investigators can go in seeking information that is not publicly available on social media. Courts have ruled that certain messages sent on social media are protected under the Stored Communications Act, which limits the government’s power to force Internet service providers to disclose customer information. In addition, “friending” someone for the sole purpose of uncovering evidence may go against Facebook’s terms of service. States differ as to whether investigations led by attorneys can use deception, such as “friending” someone to uncover evidence, says Carl H. Loewenson Jr., a Morrison & Foerster partner and co-chair of the firm’s Securities Litigation, Enforcement, and White-Collar Defense Group. “If a prosecutor directs agents to do that, there is the risk of ethical violations resulting from engaging in misrepresentation under some state bar rules,” he says.

A March 23, 2013 decision from the U.S. District Court for the District of New Jersey serves as a cautionary tale for litigants. As a result of some arguably poor decisions by the plaintiff and likely miscommunication between the parties regarding access to the plaintiff’s Facebook account, the Court sanctioned the plaintiff for causing his account to be deleted.

In Gatto v. United Air Lines, Inc., plaintiff Frank Gatto, a ground operations supervisor at JFK International Airport, sued defendants United Air Lines and Allied Aviation Services. Gatto claimed that a United aircraft caused a set of fueler stairs operated by Allied to crash into him. Gatto claimed the accident left him permanently disabled, limiting his physical and social activities and rendering him unable to work.

Defendants sought discovery of Gatto’s social networking sites and other online services. Although the parties clearly agreed that Gatto would change his account password and provide it to defense counsel, Gatto apparently claimed that the parties had not agreed that defense counsel could directly access his Facebook account. In any event, defense counsel logged into Gatto’s account, purportedly to confirm that the password had been changed, and printed out portions of Gatto’s Facebook page. Defense counsel also sent a signed authorization to Facebook to access Gatto’s account, but Facebook objected and recommended that defense counsel have Gatto download his own account information.

After defense counsel logged into his account, Facebook notified Gatto that his account had been accessed from an unfamiliar IP address. Explaining later that his account had previously been hacked during an acrimonious divorce, Gatto deactivated his account. At some point after deactivation, the account contents were deleted and could no longer be retrieved. Claiming that the printed-out portions of Gatto’s account showed him engaged in physical and social activities inconsistent with his claimed injuries, the defendants brought a motion for spoliation sanctions. Specifically, the defendants sought an adverse inference instruction and expenses, including fees, incurred in filing the motion.

To issue sanctions, the court held that it needed to find four factors: (1) the evidence was within Gatto’s control; (2) the evidence was actually suppressed or withheld by Gatto; (3) the destroyed evidence was relevant to claims or defenses in the case; and (4) Gatto should have reasonably foreseen that the evidence would be discoverable. The court found that the first, third and fourth factors were clearly present.

With respect to the second factor, Gatto argued that he did not intentionally destroy anything. Gatto claimed he reasonably deactivated his account because of his prior experience with it being hacked. Gatto claimed that he had no idea that defense counsel had accessed his account. He also claimed that he had later tried to reactivate his account but that he had not acted quickly enough to save the data from being deleted.

The court found Gatto’s arguments unavailing, noting that the purpose of an adverse inference instruction is to “level[] the playing field” when one party has been prejudiced by the destruction, thus rendering the issue of an alleged spoliator’s culpability “largely irrelevant.” Gatto’s actions clearly prejudiced the defendants. This alone merited sanctions against Gatto. The court, however, found these sanctions sufficient and denied fees and costs.

There are two main takeaways from the Gatto case. First, as we have previously noted, commentators disagree about whether providing direct account access to an opposing party in discovery is wise. Gatto illustrates some of what can go wrong from providing such direct access. At least one commentator has called the “password exchange” a “terrible solution to Facebook discovery issues.” Nor, as we have previously reported, was a subpoena to Facebook necessarily the right approach, as Facebook objected in Gatto to providing certain information due to its concerns about violating the Stored Communications Act. Facebook recommended that Gatto download the contents of his account to obtain the information, an approach that at least one commentator has approved.

The second lesson is simple. If you are involved in litigation where social media evidence within your control may be relevant, don’t delete the data or deactivate the account, which could lead to deletion. This is not the first time a party has been sanctioned for spoliation of social media-related evidence, and it won’t be the last.

We have written before about cases involving disputes between employers and employees over work-related social media accounts, but a new case out of Arizona federal court raises issues that appear to be unlike those we have addressed previously.

In Castle Megastore Group, Inc. v. Wilson, plaintiff Castle Megastore Group (CMG), a retailer of novelty and adult-themed merchandise, brought suit against three former employees for various causes of action related to the employees’ alleged misuse of CMG’s confidential information. Among its allegations, CMG claimed that one of the defendants, Michael Flynn, uploaded a video of a confidential CMG managers’ meeting to Flynn’s private Vimeo account and shared access to this video with the other two defendants (who had both been fired from CMG prior to the sharing of the video). CMG also alleged that Flynn, after having been fired, changed the username and password of the Facebook page he created for CMG while employed as CMG’s Social Media Specialist.

CMG appears to have brought its social media-related claims solely under the Stored Communications Act (SCA), a federal statute that provides for a cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided; or intentionally exceeds an authorization to access that facility, and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system.”

The SCA protects individuals’ privacy in their electronic communications by making it criminally punishable for hackers and other unauthorized individuals to obtain, alter or destroy such communications. The statute, however, also provides relief to aggrieved parties in civil causes of action. The SCA has, for instance, been invoked by employees whose employers have improperly accessed, and read messages from, the employees’ private email accounts.

CMG alleged that Flynn violated the SCA when he posted the managers’ meeting on his Vimeo account and when he shared access to the site with the other two defendants. CMG also alleged that the other two defendants violated the SCA when they accessed the posted video.

In its ruling on the defendants’ motions to dismiss, however, the court found that, while Vimeo might be an “electronic communication service” within the meaning of the SCA, CMG failed to allege that Flynn lacked authority to authorize others to view his Vimeo account, a required element for SCA liability. Accordingly, CMG failed to state a claim that the two former employees with whom Flynn shared access to the video violated the SCA. Further, while CMG alleged that Flynn was not authorized to have or to share the video, it did not allege that Flynn obtained the video through unauthorized access of an electronic communication service—also necessary to state a claim under the SCA. The court therefore dismissed CMG’s SCA claims related to the uploading and accessing of the managers’ meeting video.

Regarding Flynn’s alleged changing of the Facebook account password, the court held that CMG failed to allege facts about the company’s use of the Facebook page from which the court could conclude that the page was an electronic communication service under the SCA. The court therefore dismissed the claim, finding that “[t]he threadbare statement that Flynn changed the Facebook password . . . does not state a claim under the SCA.”

With the dismissal of the plaintiff’s SCA claims (the only federal law claims brought in the action), the court declined to exercise supplemental jurisdiction over the remaining state law claims, and granted the defendants’ motions to dismiss the action. In dismissing the case, however, the court granted CMG leave to file an amended complaint. Will CMG be able to re-state its SCA claims so as to address the court’s concerns?  Stay tuned.

As the Occupy Wall Street protests fade from memory, a related discovery battle between Twitter and the New York County District Attorney rages on.

Earlier this year, we discussed the District Attorney’s efforts to subpoena user information and tweets of criminal defendant Malcolm Harris, an Occupy Wall Street protester charged with disorderly conduct for allegedly occupying the roadway of the Brooklyn Bridge.  In a setback for Twitter, the Criminal Court of the City of New York recently denied Twitter’s motion to quash the District Attorney’s subpoena; Twitter has announced its decision to appeal the court’s decision.  In this article, we take a look at the court’s decision rejecting Twitter’s motion, and discuss key issues to be addressed on appeal.

As noted, the dispute emerges from the District Attorney’s criminal prosecution of Harris.  Believing that Harris had tweeted information inconsistent with his anticipated defense, the District Attorney sought from Twitter the user information and tweets associated with the account @destructuremal—the Twitter account allegedly used by Harris.  Harris filed a motion to quash, and Twitter refused to comply with the subpoena pending the results of Harris’s motion.

The court found that Harris lacked standing to quash the third-party subpoena on Twitter, because Harris had neither a proprietary interest nor a privacy interest in the user information or tweets associated with the @destructuremal account.  The court observed that no search warrant was required to obtain Harris’s tweets, as no Fourth Amendment privacy rights are implicated when information is sought from a third party, such as Twitter.  Rather, in a criminal case, the Stored Communications Act (SCA) permits the government to subpoena subscriber and session information directly from a social media site.  The court ordered Twitter to comply with the subpoena.

Twitter then filed its own motion to quash the subpoena.  Twitter argued that, under its Terms of Service, Harris in fact retained his rights to any content that he submitted, posted or displayed on or through the Twitter service; and that denying Harris’s standing to oppose the subpoena placed an undue burden on Twitter.  In a decision handed down on June 30, 2012, the court disagreed.  The court noted that the general rule in New York is that “only the recipient of a subpoena in a criminal case has standing to quash it,” and reiterated that Harris had no Fourth Amendment privacy right in his tweets.  Twitter has objected to the court’s decision, and, as noted, will be filing an appeal; a review of the court’s decision highlights key issues to be addressed on appeal.

No Privacy Violation

Proving a violation of the Fourth Amendment requires a showing of either (1) a physical intrusion onto personal property or (2) a violation of a reasonable expectation of privacy.  The court found that, due to Harris’s publication of his tweets to third parties, neither showing could be made here.

No Physical Intrusion

With regard to physical intrusion, the court stated simply that there had been no physical intrusion into Harris’s Twitter account.  Unlike the contents of someone’s home or car, the contents of Harris’s Twitter account had been “purposely broadcast to the entire world [and] into a server 3,000 miles away.”

No Reasonable Expectation of Privacy

With regard to any expectation of privacy, the court likened posting a tweet to screaming out of an open window.  According to the court, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy.  There is no proprietary interest in your tweets, which you have now gifted to the world.”  The court distinguished a tweet, however, from a “private” Internet dialogue, such as one conducted via private email, private direct message, or private chat.  Accessing relevant information from such private Internet dialogues “would require a warrant based on probable cause.”  A tweet, however, is not like an email sent to a single party, and “[t]here can be no reasonable expectation of privacy in a tweet sent around the world.”

A Tweet Is a “Public Posting”

The court based its decision on its finding that a tweet is a “public posting.”  In the court’s view, “It is the act of tweeting or disseminating communications to the public that controls.”  The court supported its finding by citing Twitter’s Privacy Policy, which states that “[o]ur Services are primarily designed to help you share information with the world.  Most of the information you provide us is information you are asking us to make public.”  As further evidence of the public nature of a tweet, the court also cited Twitter’s 2010 agreement with the Library of Congress, under which every public tweet since Twitter’s inception is to be archived; several Internet sites through which deleted tweets remain accessible; and a National Geographic Channel project that has collected tweets and intends to broadcast them into space this August.

The court likened the third-party recipient of a tweet to a witness on the street who overhears something screamed out of an open window.  As the court put it, “today, the street is an online, information superhighway, and the witness can be the third-party providers like Twitter, Facebook, Instagram, Pinterest, or the next hot social media application.”  A tweet, like a scream out the window, has been made public, and “[t]here is no reasonable expectation of privacy for tweets that the user has made public.”

No Undue Burden on Twitter

Twitter argued that denying standing to Harris placed an undue burden on Twitter, who was thereby forced to either comply with, or move to quash, each such subpoena seeking information of a Twitter user that it receives.  The court flatly disagreed, noting that “that burden is placed on every third-party respondent to a subpoena and cannot be used to create standing for a defendant where none exists.”

No Undue Burden Under the Stored Communications Act

A court issuing an order under Section 2703(d) of the SCA, “on a motion made promptly by the service provider,” may quash or modify the order if it finds that the information or records sought are “unusually voluminous” or if compliance with the order “otherwise would cause an undue burden” on the service provider.  In this case, the order requires Twitter to provide all user information associated with the @destructuremal Twitter account, including all tweets posted from it between September 15, 2011, and December 31, 2011.  The court declined to find that this order placed an undue burden on Twitter under the SCA, stating instead that “it does not take much to search and provide the data to the court.”

Warrant Required for Tweets in Electronic Storage for Less Than 180 Days

The only data associated with the @destructuremal account that the court did not order Twitter to produce were those tweets sent out from the account on December 31, 2011.  This is because, under the SCA, the court may compel either an Electronic Communications Service (ECS) or a Remote Computing Service (RCS) to disclose non-content information, and may compel an RCS to disclose its contents; but the court may only compel an ECS to disclose content that has been in electronic storage for more than 180 days.  At the time that the June 30, 2012 order was issued, the court did not have the proper authority under the SCA to order disclosure of tweets made on December 31, 2011.  The court, accordingly, modified its previous order with respect to the ECS content that was less than 180 days old—removing that portion of the order that would have required Twitter to produce tweets placed from the @destructuremal account on December 31, 2011.

What Next?

The Criminal Court of the City of New York ordered Twitter to disclose all non-content information, as well as all content information from September 15, 2011, to December 30, 2011.  As noted, Twitter has announced its intention to appeal, rather than to comply with, the decision.  Twitter will not have to turn over the December 31, 2011 tweets unless the government obtains a search warrant.  Will Twitter have to turn over the other @destructuremal tweets?  We’ll keep you posted.

In past Socially Aware posts, we have discussed using subpoenas in civil litigation to obtain evidence from social media sites, including whether individuals have a privacy interest in this information and how the Stored Communications Act may limit the use of subpoenas in civil cases.  Until now, we have not discussed these issues in the context of a criminal case.  Does the prosecutor have to get a search warrant to obtain information about someone’s social media use?  Does the Stored Communications Act limit the government’s authority in this area?  A decision from the Criminal Court of the City of New York arising out the Occupy Wall Street movement, People of the State of New York v. Malcolm Harris, sheds some light on these questions. 

On October 1, 2011, protesters marched on the Brooklyn Bridge as part of an Occupy Wall Street demonstration.  Malcolm Harris, along with hundreds of other protesters, was charged with disorderly conduct for allegedly occupying the roadway of the Brooklyn Bridge.  The District Attorney expected Harris to claim as a defense that he stepped onto the roadway because the police led him there.  The District Attorney, however, asserted that Harris, while on the Bridge, may have tweeted statements inconsistent with his anticipated defense.

The District Attorney issued a third-party subpoena on Twitter, seeking user information and tweets associated with the account @destructuremal, allegedly used by Harris.  Harris notified Twitter that he would move to quash the subpoena, and Twitter took the position that it would not comply with the subpoena absent a ruling by the Court.  The District Attorney opposed the motion.

The Court found that Harris lacked standing to quash the third-party subpoena on Twitter.  The Court found that Harris had neither a proprietary interest nor a privacy interest in the user information and tweets associated with the account.  The Court denied Harris’s motion to quash, and ordered Twitter to comply with the subpoena.

No Proprietary Interest in Tweets

First off, according to the Court, Harris’s tweets were not his tweets.  When registering a Twitter account, the user must agree to Twitter’s Terms of Service, which includes a grant to Twitter of a “worldwide, non-exclusive, royalty-free license to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute” user content posted to Twitter.  The Court found that Twitter’s license to use Harris’s tweets meant that the tweets posted by Harris “were not his.”  In the Court’s view, Harris’s “inability to preclude Twitter’s use of his [t]weets demonstrates a lack of proprietary interest in his [t]weets.” 

No Privacy Interest in Tweets 

The Court went on to reject Harris’s contention that he had a privacy interest in his tweets.  Twitter’s Terms of Service also state that submitted content “will be able to be viewed by other users of the Service and through third party services and websites,” and Twitter’s Privacy Policy states that the Twitter’s service is “primarily designed to help you share information with the world.”  Twitter makes no assurances of privacy.  Rather, Twitter notifies its users that their tweets (at least on default settings) will be available for the world to see.  Thus, the Court found that tweets are “by definition public.”

No Search Warrant Required

The Court further held that Harris’s Fourth Amendment rights were not at issue, because the internet is not a physical “home.”  While service providers may refer to a user’s space on the site as a “virtual home,” the Court took the position that this “home” is no more that “a block of ones and zeros stored somewhere on someone’s computer.”  Thus, while Twitter users may think that the Fourth Amendment protections that apply in their physical homes will also apply to their Twitter accounts, “in reality, the user is sending information to the third party, Twitter.” 

No Stored Communications Act Protection

Finally, the Court held that, unlike in a civil case, the Stored Communications Act permits the government in a criminal case to subpoena subscriber and session information directly from the social media site.  The Court held that, unlike private litigants in civil litigation, prosecutors may obtain such information using any federal or state grand jury, trial or administrative subpoena by showing “specific and articulable facts showing that there are reasonable grounds to believe” that the tweets “are relevant and material to an ongoing criminal investigation.”   The Court held that the District Attorney clearly made this showing in the case.

In short, the Court has made it clear that users of social media who also find themselves charged with a criminal offense should have no expectation that potentially relevant information will be considered private or beyond the reach of a subpoena.

Reaction to Decision

The Court’s decision has been criticized by tech blogs and the American Civil Liberties Union, and, on May 7, 2012, Twitter filed a motion to quash the Court’s order, arguing that among other errors in the Court’s decision, under Twitter’s Terms of Service, Harris in fact retained his rights to any content that he submitted, posted or displayed on or through the Twitter service.  We will keep in eye on further developments in this case.

As we reported last month, the safe harbor in Section 230 of the Communications Decency Act (“CDA”) immunizes social media providers from liability based on content posted by users under most circumstances, but not from liability for content that the providers themselves generate.  But what about when providers block Internet traffic such as “spam” – does the CDA immunize service providers from liability for claims related to messages not reaching their intended recipients?

In two recent unpublished cases, Holomaxx Techs. Corp. v. Microsoft Corp. and Holomaxx Techs. Corp. v. Yahoo! Inc., Judge Fogel of the Federal District Court for the Northern District of California held that the CDA does provide immunity in such circumstances.  (Notably, Judge Fogel also decided earlier this year that Facebook postings qualify as “commercial electronic mail messages” regulated under CAN-SPAM, the federal anti-spam statute.)  The Holomaxx holdings did not break new ground, but the cases clearly show that Section 230 of the CDA provides immunity not just with respect to user-posted content, but also for service providers’ blocking and restriction of messages.

Plaintiff Holomaxx Technologies runs an email marketing and ecommerce business development service.  After what it alleged was MSN’s and Yahoo!’s continued refusal to deliver its legitimate emails, Holomaxx sued both companies for state law tort claims alleging interference with contract and business advantage, defamation, false light, and unfair competition, and for federal claims under the Wiretap Act, the Computer Fraud and Abuse Act, and the Stored Communications Act.  Seeking both damages and an injunction, Holomaxx claimed that MSN and Yahoo! “knowingly relie[d] on faulty spam filters” and that it was “entitled to send legitimate, permission-based emails to its clients’ customers now.”

In its complaints against Microsoft and Yahoo!, Holomaxx explained that it delivers for its customers ten million email messages a day, including three million to Hotmail/MSN users and six million to Yahoo! users.  Holomaxx claimed that it sent only legitimate, requested emails to consenting users and complied with CAN-SPAM.  According to Holomaxx, MSN’s and Yahoo!’s email filtering systems began blocking, rerouting, and/or throttling Holomaxx-generated emails to MSN and Yahoo! users, and MSN and Yahoo! ignored its requests to be unblocked and failed to identify specific problems with Holomaxx’s emails.  Also according to Holomaxx, MSN and Yahoo! users acted in bad faith because they did not work with Holomaxx in the manner prescribed by the abuse desk guidelines of the Messaging Anti-Abuse Working Group, to which both companies belong and which Holomaxx characterized as an “industry standard.”  Finally, Holomaxx claimed that anticompetitive purposes drove MSN’s and Yahoo!’s blocking, and that the fact that the two companies had initially resumed delivery of Holomaxx emails and then stopped again showed that the companies acted in bad faith.

MSN and Yahoo! moved to dismiss, citing CDA Section 230(c)(2), which on its face immunizes service providers for “any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers … objectionable,” and arguing that the facts that Holomaxx alleged were insufficient to overcome this statutory immunity.

Agreeing, Judge Fogel called CDA immunity “robust” and, citing the Ninth Circuit’s opinion in Fair Housing Council v. Roommates.com, LLC, noted that “all doubts must be resolved in favor of immunity.”  The court cited Zango v. Kaspersky, where the Ninth Circuit explained that the CDA “plainly immunizes” providers that “make[s] available software that filters or screens material that the user or the provider deems objectionable.”  In Zango, the Ninth Circuit affirmed the district court’s dismissal of a software maker’s suit against an anti-adware security firm for allegedly making it difficult for users who had installed the security firm’s anti-adware tools to use the plaintiff’s software.  However, the Ninth Circuit explained that a provider might lose immunity where it “block[s] content for anticompetitive purposes or merely at its malicious whim.”  Under that standard, the question was whether Holomaxx alleged sufficient facts to show that MSN and Yahoo! acted in an “absence of good faith” when they blocked Holomaxx’s emails.

The answer was no.  The court discounted Holomaxx’s reliance on the MAAWG guidelines because Holomaxx had not shown them to be an industry standard.

The fact that the companies temporarily resumed delivery of Holomaxx’s emails did not demonstrate an anticompetitive motive because the CDA gives providers wide discretion in deeming content objectionable.  As to alleged malice, the court explained that, “[T]o permit Holomaxx to proceed solely on the basis of a conclusory allegation that Yahoo! acted in bad faith essentially would rewrite the CDA.”  (Note:  On its face, the CDA did not apply to Holomaxx’s Wiretap Act and Stored Communications Act claims; the court dismissed those claims because it found that Holomaxx failed to adequately allege how MSN or Yahoo! had violated those statutes.)

A leading commentator has noted that the Ninth Circuit’s Zango case provided website operators a “high degree of freedom to make judgments about how to best serve their customers.”  The Holomaxx dismissals confirm that point.  With social media spam on the rise even  as email spam decreases and web-based email in general declines, both the Holomaxx and Zango cases could assist social media providers in their efforts to prevent unsolicited messages and abuse while at the same time maintaining the instant, social, viral qualities that keep users engaged and advertisers paying.

One final point – as one observer notes, Holomaxx’s compliance with CAN-SPAM, described in great detail in each of the complaints, did not matter to Judge Fogel’s holding.  That is, the mere fact that Holomaxx’s marketing messages were legal, did not compel Microsoft or Yahoo! to either deliver those messages or lose CDA immunity.  Thus, the court rejected an argument that might have resulted implicitly in the requirements of CAN-SPAM setting a ceiling, rather than a floor, for service providers’ anti-abuse efforts.

With the exponential growth in the use of social media by individuals and corporations, civil discovery questions inevitably follow.  Courts and litigants have been left to grapple with questions regarding the discoverability of data on social media sites and the appropriate scope of such discovery.  Although the law will surely evolve in this area, some trends have started to appear.  Here are four critical items to keep in mind:

First, no one seriously questions that photos, postings, messages, and other information stored on social media sites are open to discovery.  Courts have consistently allowed discovery of data on social media sites in cases presenting a range of issues.  Although, as discussed in previous issues of this newsletter, seeking to subpoena data directly from Facebook, Twitter, or other social media providers may in many instances run afoul of the Stored Communications Act, courts have allowed discovery directly from parties to litigation where such data is relevant and available.

Second, content from a party on a social media site may be discoverable even if such party has adjusted privacy settings so that only select individuals can view the content.  Simply because you believe the information is private, does not mean it is protected from discovery.

For example, in a 2010 federal court case in the Southern District of Indiana, EEOC v. Simply Storage Management, LLC, the claimants alleged that they suffered from post-traumatic stress disorder as a result of employment discrimination.  At the defendant’s request, the court ordered the claimants to produce all relevant “profiles, postings, or messages . . . and . . . applications” as well as photographs and videos on their social media sites.  The court found that “a person’s expectation and intent that her communications [on a social media site] be maintained as private is not a legitimate basis for shielding those communications from discovery.”  The court considered this simply “the application of basic discovery principles in a novel context.”

Similarly, in a New York case also from 2010, Romano v. Steelcase Inc., the court granted the defendants access to the plaintiff’s “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information.”  The court concluded that allowing the plaintiff to “hide behind self-set privacy controls on a website, the primary purpose of which is to enable people to share information about how they lead their social lives, risks depriving the opposite party of access to material that may be relevant to ensuring a fair trail.”

Third, the fact that a party to litigation maintains profiles on social media sites does not give the opposing party carte blanche to compel broad discovery of the contents of those sites.  When it comes to social media sites, courts have been especially wary of providing a license for a fishing expedition.  If you are seeking data stored on a social media site, you will probably need to present some basis to suggest that the information is relevant.

For instance, in another recent New York case, Habib v. 116 Central Park South  Condominium, the defendant condominium in a slip and fall case sought an order compelling the eighty-year-old plaintiff “to provide authorizations for Facebook, MySpace and/or Twitter” accounts that he maintained.  The court, however, refused to compel discovery into this tech-savvy octogenarian’s social media usage, finding the defendant did “not offer a reasonable explanation as to why they believe that material information would appear on plaintiff’s social network pages [and that without] the explanation, the requested authorization is a fishing expedition.”

Likewise, in the New York case McCann v. Harleysville Insurance Company of New York, the court affirmed an order denying a motion to compel discovery into a litigant’s social media data, finding “defendant essentially sought permission to conduct a ‘fishing expedition’ into plaintiff’s Facebook account based on the mere hope of finding relevant evidence.”  Although the universe of reported cases involving discovery from social media sites is rather small, courts have been quick to cut off litigants who simply want to snoop around the opposing party’s social media sites.

In contrast, where a party has been able to establish that the private portion of an opposing party’s social media website is relevant, courts have been willing to permit discovery.  For instance, in a Pennsylvania case from earlier in 2011, Zimmerman v. Weis Markets, Inc., the defendant in a personal injury case sought access to the non-public portions of the plaintiff’s Facebook and MySpace pages to refute the plaintiff’s claim that a forklift accident caused serious and permanent impairment to his health and ability to enjoy life.  A review of the public portions of the plaintiff’s Facebook page reflected that his interests included “ridin” [sic] and “bike stunts” and included recent photographs of the plaintiff “with a black eye and his motorcycle before and after an accident.”  Unsurprisingly, the court permitted the discovery to proceed.

Likewise, in Romano v. Steelcase Inc., the court granted a motion to compel discovery of the private portions of the plaintiff’s Facebook site where plaintiff’s “public profile page on Facebook shows her smiling happily in a photograph outside the confines of her home despite her claim that she has sustained permanent injuries and is largely confined to her house and bed.”

Thus, keep in mind that courts may not look favorably on a request to engage in discovery of social media sites without some indication that they are likely to include relevant information.  If you seek to obtain discovery regarding the private portions of the other side’s social media website, you may need to establish that the discovery is warranted.  This could be established using public portions of the social media site or perhaps an affidavit from an individual who is a “friend” of the other party and who has had access to the private portions of the website.  Establishing such relevance may not be possible in all cases, but you should make every effort to present a detailed showing as to why the discovery is necessary in your case.

Finally, if you receive a demand from your adversary for information available on a social media site, merely arguing that all of the data is – or once was – publicly available may not be sufficient.  Recent case law suggests that the party maintaining the social media site has the burden of capturing and producing any relevant content, even when that content is publicly available.

In a recent trade dress infringement case in New Jersey federal district court, The Katiroll Co., Inc. v. Katiroll and Platters, Inc., the plaintiff moved for spoliation sanctions against the defendants after the individual defendant removed his Facebook profile picture, which showed the allegedly infringing trade dress, without preserving the appearance of his Facebook page prior to the change.  The defendants argued that a finding of spoliation was unwarranted because the Facebook page was public and the plaintiff could have printed any relevant evidence at any time.  The court disagreed, finding “public websites to be within the control of parties who own them” and calling the defendants’ argument “an attempt to ‘pass the buck’ to Plaintiff to print websites that Defendants are obligated to produce.”  In this same vein, because of potential hurdles in getting printouts from publicly available social media websites admitted into evidence, you may want to insist on receiving the other party’s social media data directly from that party, even if such data are publicly available.