Skip to content Skip to footer

Table of contents

This Massachusetts Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Social media — Massachusetts

The Internet has transformed the workplace in recent years. In many ways, the Internet has enhanced productivity by providing employees with fast, easy access to information, efficient means to communicate internally and externally and the ability to work remotely from locations outside the workplace at all hours. Without appropriate regulation and surveillance, however, the Internet may be a source of liability for an employer. The Internet has also affected the job search and hiring process. Many employers use the Internet as their primary or even sole recruiting tool, and many use it as a tool to facilitate the delivery and completion of pre-employment paperwork and other on-boarding tasks.

Most employees now have access to a relatively unregulated digital domain and may view content on office computers that is unrelated to work and, at times, inappropriate in the workplace. Accordingly, employee Internet use may distract employees from their jobs or may be the basis for claims of discrimination and harassment. Moreover, email communications have replaced memoranda, letters, telephone conversations and in-person meetings. Oftentimes, employees do not think carefully before sending emails, which may lead to unprofessional communications. The recipient of an unprofessional email may preserve it and use it in a later legal claim.

The Internet may also create privacy issues for an employer. An employee may inadvertently disclose internal company business or confidential matters on a personal blog. A disgruntled former employee may deliberately engage in such conduct. Employers also encounter issues of copyright and trademark infringement claims by establishing company websites. In short, the benefits of the Internet also bring with it significant risks. With appropriate Internet policies, an employer will be able to manage these risks. This chapter outlines best practice tips for an employer operating a company in the Internet age.

Surveillance techniques

A prudent employer uses surveillance techniques to monitor its employees’ Internet use. Internet surveillance guards against employee disloyalty, theft, unprofessional Internet conduct and countless other issues. However, an employer must be aware of the privacy concerns and potential liability of using surveillance techniques.

Proponents of electronic surveillance techniques believe that it is the only effective tool to combat employee misconduct on the Internet. It also may be the only means for an employer to gather documents to defend itself in a legal claim. Opponents, however, contend that this form of monitoring interferes with employee privacy interests.

Whatever position an employer takes on the issue of surveillance, it must communicate to its employees the proper use of workplace computers and its expectations concerning Internet use. Most importantly, an employer must alert its employees that they have no expectation of privacy in their workplace computers and that the employer has the right to monitor such use. The employer should include this language in a written Internet policy in its handbook.

Employee privacy and acknowledgment

Massachusetts has a rigorous privacy law that comes into play when an employer seeks to monitor its employees. The privacy law protects employees from unreasonable interferences with privacy. To determine whether there is a violation, the court balances the employer’s business interest in the intrusion against the nature of the interference with privacy. The court weighs the competing interests, as well as any alternative means that the parties could use to satisfy their interests.

An employer may avoid privacy claims by clearly notifying employees of its computer surveillance and requiring its employees to sign a written acknowledgment that they have no reasonable expectation of privacy in communications and activity on workplace computers.

Video display terminals and computers

Employers now have the ability to monitor display terminals. Technology is available that allows employers to monitor when an employee turns the monitor on or off, the number and sequence of keystrokes and other cues. Many employers also review Internet “histories” to determine whether employees visit only work-related sites.

Employers also employ industry-specific monitoring tools to measure performance. Some employers track the number of sales made by employees with computer programs. Trucking companies sometimes monitor their drivers’ speed and duration of stops by computer surveillance. Employers use building security cards to determine when employees arrive and leave work.

Telephone calls

Listening to employees’ business-related telephone calls is one of the most common forms of workplace monitoring. Some companies regularly listen in on employees’ telephone calls to evaluate the quality of their interactions with the public.

Video and audio surveillance

Employers use video and audio equipment to monitor employee activity on the floor or production line, in break rooms and in the workplace generally. Video and audio surveillance is used by employers not only for the purpose of investigating thefts but also to prevent employees from tampering with equipment or engaging in unlawful harassment. In addition, some employers use this type of surveillance to monitor work performance.

Employers may film an employee in public areas as part of an investigation of the employee’s claim for workers’ compensation. Courts have rejected employees’ claims that filming activities outside of work constitute an invasion of privacy, because employees should expect claims of injury to be investigated. Therefore, when an employer conducts surveillance in a reasonable and unobtrusive manner, it will not give rise to liability for invasion of privacy.

Employees do have a reasonable expectation of privacy in rooms such as workplace bathrooms, locker rooms, changing areas and inside their own homes. Therefore, an employer should not apply its video surveillance to any of these areas.

For more information on the risks of monitoring employees, see Privacy rights.

Protecting wire and oral communications

Congress enacted the federal Wiretap Act as part of the Omnibus Crime Control and Safe Streets Act in an effort to protect wire and oral communications of individuals. As more advanced methods of communication became available, Congress amended the Wiretap Act with the Electronic Communications Privacy Act (ECPA) to prohibit the intentional interception, access, disclosure or use of electronic communications.

The Wiretap Act forbids “interception of wire or oral or electronic communication through the use of an electronic, mechanical or other device” and establishes a civil cause of action for any such violation. Interception broadly includes any acquisition of the contents of a wire, electronic or oral communication through the use of any electronic, mechanical or other device. The Wiretap Act does not apply to video surveillance, but it does apply to oral communication intercepted in connection with such surveillance.

Significantly, liability under this law only applies when the communicator reasonably expects that his communication is private and free from interception. Employees may expect that conversations uttered in a normal tone of voice will be overheard by those standing nearby, so there would be no liability under the Wiretap Act in those situations. On the other hand, an employee would not expect that his employer would electronically intercept and monitor his conversations from another part of the building or another location. Therefore, without specific notification from the employer, liability under the Wiretap Act is a real possibility when an employer uses electronic surveillance.

Wire communication

A wire communication includes “any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable or other connection.” Telephone calls are wire communications.

Oral communication

An oral communication is defined as “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.” Therefore, any oral communication is protected under the act, so long as the speaker has a reasonable expectation of privacy. If the communication is protected, then the interception of the conversation by something such as a hidden microphone may give rise to a cause of action.

Electronic communication

The EPCA defines an electronic communication as “any transfer of signs, signals, writings, images, sound, data or intelligence of any nature transmitted in whole or in part of a wire, radio, electromagnetic, photoelectronic or photo optical system.” This includes email and text messages, among other things.

Prior consent

No violation of the act occurs where one of the parties to the communication has given prior consent. The consent should be in writing and signed by the employee. Courts have rejected employers’ arguments that employee consent is implied in the workplace.

Ordinary course of business exception

The prohibition against wiretapping does not apply to monitoring of telephone calls in the “ordinary course of business.” The interception must be for a legitimate business purpose, routine and with notice. Employers may continue to monitor an employee’s call only as long as the employer has determined that it is, in fact, a business call. After determining that it is a personal call, the monitoring is no longer “in the ordinary course of business.” In such a case, the monitoring is unlawful eavesdropping.

Employer access to electronically stored information

The ECPA allows employers to retrieve electronically stored information, such as employee email communication. Not many lawsuits have arisen under this section, because the employer’s legal right to retrieve information is fairly broad and clear. The court has rejected employee arguments that an employer commits an unlawful “interception” by retrieving messages from storage before they are sent or by searching employee email messages.

Common-law privacy claims

Generally, employers may monitor employee activities to analyze performance or investigate misconduct. However, an employer should be aware of its employee’s privacy interests under Massachusetts law and should adjust its monitoring techniques accordingly.

As a general rule, an employer should confine its monitoring to public areas. For instance, monitoring an employee doing yard work while on workers’ compensation leave may be permissible. However, monitoring employees after they have entered their home is not.

Computer and communication policy

Employees now have access to many types of communication devices, including computers, networks, emails, pagers, the Internet and phone systems with voicemail messaging capabilities. To regulate use of these devices, an employer should implement a “computer and communication policy,” which states that the purpose of such communication devices is to facilitate company business. The employer may also want to include the following other points:

  • The company’s communication systems are not to be used for any business other than the company’s business. The policy may also provide that incidental and limited non-business use of communications systems is acceptable, but that this privilege should not be abused.
  • Third parties should always be prohibited from using a company’s communication systems.
  • A specific description of acceptable and appropriate uploading and downloading of information onto a computer and/or network to prevent virus infiltration.
  • The use of passwords and any restrictions associated with passwords.
  • The employees’ appropriate use of email. The policy should address:
    • what steps an employee should take if an email message is inadvertently sent to a third party
    • the appropriate tone and content used in emails
    • a prohibition against chain letters or emails with illegal purposes
    • a strong statement against the use of email or any other form of communication for purposes of sending, accessing or storing any material of an insensitive, discriminatory, obscene or harassing nature.
  • A statement that employees should not transmit copies of documents in violation of copyright laws or copy or use any software in violation of copyright laws.
  • A warning to employees that the company has a right to inspect, review and monitor use of its computers and communication systems. The company should state that information contained in computers, email or voicemail that is incidental or of a personal nature is not treated differently from other information. Therefore, employees have no reasonable expectation of privacy in the company’s computer network or telephone system.


Considerations for employers concerning emojis

Employers should pay attention to emoji use in the workplace for more reasons than employees’ potential reliance on them in a harassment or hostile work environment claim. Human resource professionals observe anecdotally that emojis and other digital communications in the workplace can impact relationships, lead to morale issues and prompt internal complaints, even if those complaints never reach a courthouse.

Part of what makes emojis so prone to misunderstandings and hurt feelings is that, in the digital world, everyday symbols take on new meaning. A peach is not just fruit, an eggplant is not only a vegetable, an octopus may be a request for a virtual hug, and a devil emoji may signify a desire to engage in sexual activity. These double entendres, coupled with the fact that a single workplace often includes employees from vastly different backgrounds, including different cultures and generations, can lead to ambiguous messages, misunderstandings and conflict. Emojis and other digital tools are not simply a Gen-Z or millennial problem but pervasive in instant messaging platforms that have become commonplace during the COVID-19 pandemic.

Steps to help mitigate risks associated with emoji use

Employers can periodically review their employee handbooks to ensure the policies contained in them adequately account for the day and age in which they are doing business. For example, policies concerning professionalism and communication can address not just traditional forms of communication but also more recent developments, including the use of emojis. Because COVID-19 has greatly impacted the way individuals think of “work,” and more employees work remotely than ever before, it is important that employers provide training that makes clear that the same rules that apply within the confines of the traditional office apply equally to employees working remotely. As part of a company’s training with respect to emojis, it should point out the special dangers of ambiguity and misinterpretation that emojis carry and the need for carefully avoiding communications that could be interpreted as insulting or racially or sexually harassing.

Regular training and e-mail blasts reminding employees of key company policies are also helpful tools. Employers might also consider partnering with their third-party vendors to restrict the types of emojis that may be used in chat platforms, offering a customized array of choices that excludes some of the most controversial ones.

Preparing for and dealing with a data security breach

The convenience and other benefits that attend the electronic storage of the personal information and other data about their employees that employers collect and maintain also come with risks. Perhaps the most dangerous and potentially costly of those risks is the potential for a data security breach resulting in the loss of control over and possible dissemination of the personal information about employees that the employer has stored and maintained in electronic form.

The legal consequences of such a breach can be severe, and there are a number of state and federal laws that attempt to address the privacy and other implications of breaches compromising the private data that individuals provide to their employers and other organizations. On the federal level, although there is not yet a broad-based data privacy and security statute that applies to private-sector employees, there are a number of laws that address some aspect of private data protection. Those include the following:

  • The Health Insurance Portability and Accountability Act (HIPAA), which requires the protection of private health information about individuals that is created or received by a healthcare provider, health plan or employer.
  • The Family and Medical Leave Act (FMLA), which requires that the records and documents that an employer receives concerning medical certifications or medical histories in connection with FMLA leave (or a request for such leave) must be maintained as confidential and protected.
  • The Americans with Disabilities Act (ADA), which requires that an employee medical records be kept confidential.
  • The Fair Credit Reporting Act (FCRA), which requires employers that obtain consumer information about individuals provided by a third-party consumer reporting agency who conducts a background check subject to the FCRA must take reasonable measures to protect against unauthorized access and possession of the information.

Depending on the type of information at issue, a data breach may implicate (or entail a violation of) one or more of these federal laws.

On the state level, nearly all states now have enacted laws that impose requirements for safeguarding certain types of personal information about individuals (such as Social Security numbers), as well as penalties for failing adequately to safeguard that information. Most of these states also have laws requiring notification of local law enforcement, state law enforcement agencies and the affected individuals. Massachusetts law requires that notice must be provided as soon as possible (and without unreasonable delay) to the state’s attorney general, to its director of consumer affairs and business regulation and to affected residents of Massachusetts. The notice provided to affected residents may not include the nature of the breach or the number of affected Massachusetts residents; and it must include notice of the consumer’s right to obtain a police report, how a consumer may request a security freeze and the fees required to be paid to any of the consumer reporting agencies.

In addition to potential statutory penalties and liability, of course, an employer may face liability to affected employees on common-law negligence claims to the extent that it fails to take reasonable precautions to protect against a security breach and an individual suffers damages as a result.

In light of the dangers and potential liabilities, it is essential that employers who maintain personal information about their employees in electronic form prepare in advance for the possibility of a data security breach. Such preparations should include the following:

  • identifying and training a team of first responders, led by a representative of the company’s legal department or its chief privacy officer (if it has one) and including representatives from its information technology, legal, human resources, customer service, security and public relations departments, to take action in the event of a breach
  • tasking the IT department with mapping out where sensitive data is housed on the network and keeping that map that updated as the organization’s systems and the type of sensitive data it maintains evolves
  • tasking the security and IT members of the response team with evaluating and ensuring the adequacy of the organization’s physical and data security measures on an ongoing basis and in keeping up-to-date on the evolving threats to data security in particular
  • tasking the legal department member of the team with keeping him or her updated on the laws governing data security breaches and on any changes to those laws
  • developing and implementing policies for data security, including the use of mobile devices by its employees, updating those policies as needed and communicating them to employees
  • implementing IT controls on the type of data that employees can access, so that employees can access only the private data that they need to access in order to perform their jobs.

The effect of e-signatures

Since 2000, the Electronic Signatures in Global and National Commerce Act (ESIGN) has permitted parties to sign online documents with digital signatures that carry the same legal weight as handwritten signatures. The breadth of ESIGN cannot be overstated. The law allows, for instance, parties to carry out real estate transactions across the world, without the requirement that the parties attend closings or fax documents to each other.

ESIGN technology has been in place for several years. The technology allows a party to permanently affix a signature onto an online document, much like an ink signature and transfer the signature with the document wherever the party sends it.

Intellectual property

Business method patents

Business method patents are patents that cover new methods of doing business, whether those methods are online or not. Whenever a company starts to create an online presence, it should check business method patents to avoid infringement claims. Because this is a new and complex area of law, companies should consult with a competent patent attorney about these issues before seeking to create an online presence.

Shop rights

Where an employee develops an invention during the course of employment (on the employer’s time, using the employer’s money, property and labor), a “shop right” arises. A shop right gives the employer the nonexclusive right to use an invention for its own business purposes. The employer may neither assign this right to another party, nor prevent others (including the employee/inventor) from using the invention.

Generally, the inventions of an employee belong to that employee. However, an employer gains entitlement to all or part of these inventions through agreement or contract with the employee. Even absent an agreement, an employer may be entitled to free, nonexclusive “shop rights” for use of the invention if the employee conceived it during employment with the employer’s resources or where the employer hired the employee to create the invention. The resources utilized by the employee must be substantial.

The ownership of the patent remains with the employee, and he or she retains ownership even after termination of the employment relationship. If the employer has a shop right, then it may continue to exercise that right after the employee has left the company.

These “shop rights” are based on equity. An employer spends money to assist in the invention, so it is therefore fair to allow it to reap the rewards of this expenditure. However, the employer’s rights are, in essence, a nonexclusive license, so that the employee may also benefit from his or her work. In a situation where the employer has not contributed to the invention, it would be contrary to equity to allow it to benefit from the employee’s invention simply because the employee worked for the company at the time of the invention.

Combating disparagement on the Internet

One major risk to employers in recent years is that current or former employees may use the Internet to harm their employers. A disgruntled employee has the ability to malign a company by posting unfavorable information on consumer-rating websites or by making disparaging comments in Internet forums or on blogs. Sometimes the information posted on the Internet may be confidential and contain proprietary company information that should not be disclosed outside the workplace. The identity of the person who discloses such information, however, may be difficult to determine, because Internet users often use aliases or pseudonyms when posting comments on Internet sites.

Taking legal action to protect the company

Employers that believe an employee has violated their legal rights by posting untrue information or confidential information on an Internet site may seek legal recovery. If the employer does not know the identity of an Internet user (because the user has an anonymous screen name), the employer may file a lawsuit against an unknown person, identified as “John Doe.” After it files the lawsuit, the employer may then seek identifying personal information from the Internet host or Internet service provider through a subpoena.

It is important for employers to act quickly to trace the origin of an offensive posting or improper email, because many website hosts and Internet service providers retain identifying information for a very short timeframe, oftentimes for only 30 to 60 days. If the employer does not serve the subpoena within that time, it may never access the information.

Once the employer knows the identity of the person who has posted the improper comments, the employer may determine whether the employee violated an obligation to the employer to protect confidential data, breached a duty of loyalty or made false and disparaging statements about the employer.

Anti-blogging policies

Employers should adopt policies in employment handbooks that prohibit employees from hosting or contributing content concerning the employer to Internet blogs or chat rooms if doing so discloses confidential information about the employer or is adverse to its interests provided that the policy does not bar employees from discussing the terms or conditions of their employment.

Social-networking policies

With the consistent increase in users on Facebook, Instagram and Twitter, and the continuous appearance of new social media platforms popping up, employers should strongly consider implementing social-networking policies. An employer should tailor its social-networking policy to the individual needs of the organization.

In some organizations, active use of social-networking websites may be part of the job. In other organizations, Internet use may be discouraged altogether.

Nonetheless, every employer should incorporate three broad points into a social-networking policy:

  1. The employer should state in its policy that employees have no expectation of privacy in any content that they post on a social-networking site. This statement notifies employees that the employer may view their public postings to Facebook and other websites, and it may consider how the content reflects the employee’s character.
  2. The employer should warn employees that its general prohibition against harassment and discrimination extends to employee use of social-networking websites.
  3. Depending the employer’s circumstances, it should notify employees of the limits on their use of these websites in the workplace. An employer may entirely prohibit access to these websites at work, or it may simply state that it regularly views employee Internet use at work and reserves the right to discipline employees based on their surveillance.

The employer should consider its goal and draft a policy that reflects its unique business needs.

Bring your own device (BYOD) policies

The concept of allowing employees to bring their own devices (such as PCs, laptops and phones) to work is a growing trend. This trend is primarily the result of the fact that the IT revolution is now growing faster with consumers that it is with traditional IT departments. With the introduction of newer, better, less expensive and faster technology, employees may have newer and better devices and equipment than the devices or equipment that their employers can provide.

Some of the benefits of a BYOD program include:

  • Shifting the cost of providing updated equipment to the employee/user - The costs associated with an employee’s purchase and use of their own personal devices is borne out by the employee. Many employees are willing to spend their own money if they can purchase the item of their choice and use it for both business and personal needs.
  • Worker satisfaction - As employees become more used to using mobile devices, they develop strong preferences concerning the type of device that they want to use. Also, many employees do not want to carry around two different devices, one for work and one for personal use. Allowing employees to use their personal devices for work-related reasons can increase an employee’s overall satisfaction.
  • Enhanced productivity - Allowing employees to have access to work-related materials on their mobile devices can lead to overall enhanced productivity. Employees are able to deal with time-sensitive issues in a more expeditious manner.

The potential risks and drawbacks of BYOD programs include:

  • Managing security - This is one of the riskier aspects of a BYOD program. When creating a BYOD policy, employers must consider the security risks and implement appropriate required security measures. For instance, employers should consider in advance what-will happen if an employee loses his or her phone with sensitive or confidential client information on it; and it should develop a policy requiring the immediate remote wiping of all content on the phone or other device in the event that a BYOD phone or other devices is lost.
  • Controlling acceptable use - If an employer allows its employees to use their own devices, they lose control over appropriate use of the technology. A BYOD policy can and should set reasonable limits and expectations in this regard.
  • Retrieving data - The BYOD policy should address what happens when an employee who has a personal device with work-related content on it is terminated from or otherwise leave his or her employment with the company.

Policy drafting suggestions

Every employer is different and for that reason, BYOD policies can and should differ. Merely copying a template, while tempting is not suggested. It is a good idea for an employer to look at a number of different templates in drafting its policy to see what works for them. When drafting a policy, an employer should gather a team of individuals from the organization, including from IT, finance, security and any major departments whose employees will be using the devices. Questions that should be addressed in the planning stage include:

  • Which web browser employees should use?
  • Which security tools offer the best protection for the types of devices that the employees will be using?
  • What devices will be allowed?
  • What devices will not be allowed?
  • What-will the employer do to increase security?
  • To what extent is the IT group going to be involved?

An example of the types of issues that should be included in a policy includes:

  • Define acceptable business use of personal devices.
  • Describe which devices can and cannot be used.
  • Indicate whether cameras can be used or should be disabled while on site.
  • State what apps are allowed.
  • Indicate which applications employees can access on their personal devices – calendars, email, contacts, documents, etc.
  • Set out a zero-tolerance policy for texting or emailing while driving.
  • Define appropriate devices and the support that the company will provide.
  • Discuss reimbursement if any, for the cost of the device or the amount towards a phone or data plan. Will the company pay roaming charges and under what circumstances?
  • Discuss security issues.
  • Require password protection.
  • Explain what a strong password policy is and that the company requires a strong password.
  • Require that the device lock itself within a specific time period and requires a PIN to access.
  • Create rules regarding downloading of apps.
  • State that rooted or jail broken devices are strictly forbidden from accessing the network.
  • Indicate that an employee’s access to company data is limited based on user profiles defined by the company and automatically enforced.
  • Explain that the company will remotely wipe (erase) the device if the device is lost, the employee terminates his or her employment and the company detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure.
  • Set out the risks/liabilities and disclaimers.
  • Suggest that the employee back up his or her personal items, including personal photos or videos, in the event that the device must be wiped.
  • Reserve the right for the company to disconnect or disable services without notice.
  • Set out a rule for the amount of notice an employee must give if the device is lost or stolen.
  • If the employee is personally liable for costs associated with the device, let him or her know.
  • Indicate who has liability for risks, such as the loss or destruction of the device or the loss of company and personal data due to an operating system crash, error, virus, malware and/or other software or hardware failure or programming error that renders the devise unusable.
  • Indicate that the company will take appropriate disciplinary action, up to and including termination for noncompliance with the policy.
  • Inform employee that he or she may have litigation hold obligations to protect and save content on mobile devices if the company is sued.

Social Media

Social media – particularly web-based networking sites such as Facebook, Instagram, Twitter and LinkedIn – have exploded in popularity in recent years. Facebook alone has more than 2.32 billion monthly active users. The popularity of such social media is not limited to teenagers and college students. Moreover, many of these users access these websites during the workday, unbeknownst to their employers. In fact, a 2016 study showed that 62% of employees access social media sites during work hours.

The popularity of social media raises a host of new workplace issues, both positive and negative. On the one hand, social media offers new and affordable marketing opportunities. It also facilitates networking, recruiting, and professional connections, and allows businesses to stay connected to customers in new ways. On the other hand, social media presents some thorny workplace issues. In particular, social media has the potential to expand the concept of the workplace as it relates to discrimination and harassment issues. It also allows an easy avenue for a disgruntled employee to circulate negative information about his or her employer, and presents unique, new issues with respect to the circulation of confidential and/or proprietary information. This chapter addresses what employers may and may not do with respect to common social media issues that arise in the workplace.

The effect on employment issues

Given the popularity of social media, employers are turning increasingly to social networking websites and information on public websites as a way to gain information about prospective and current employees. Studies report that roughly 35% of employers do Internet research on job applicants, including “Googling” applicants, as part of the hiring process; and 23% of employers also review social networking sites to screen job applicants. Employers report that roughly one-third of job applicants are rejected based on information learned from these types of searches.

In general, there is no legal prohibition on employers reviewing publicly accessible information, such as information on social networking sites or general public websites. Employers may want to review social networking sites to discover whether a job applicant’s postings reflect poor judgment, reveal information about illegal drug use or otherwise contain insight into an applicant’s character. For existing employees, employers may be interested in reviewing Internet postings to determine whether an employee has engaged in any inappropriate conduct, such as harassing statements about co-workers, defamatory remarks about the employer, or disclosure of confidential or protected information of the employer.

The review of such information, however, does come with some legal risks. As an initial matter, the use of Internet searches to screen job applicants may give an employer access to personal information about an applicant that the law prohibits an employer from using in employment decisions. An employer may not make employment decisions – such as hiring, promotion or termination – based on protected characteristics of an employee, such as race, familial status, disability, age or religion, among others. As a result, the law prohibits an employer from seeking out this information during the application process. 

Even when an employer does not learn personal information about an applicant intentionally, the applicant may later contend that the discovery of the information affected the employer’s decision. For instance, an employer may review a job applicant’s Facebook page and learn that the applicant has a disability. When the employer later decides not to hire the applicant based on a lawful reason, the employer may encounter difficulties arguing that the decision had no connection to its discovery of the disability. 

Employers encounter the same issues when they research current employees. When an employer “Googles” a current employee, it risks a claim that any later adverse action – such as not being promoted – was based on the information the employer learned about the employee’s protected characteristic. 

There are other pitfalls to conducting Internet searches on employees and applicants. Among other things, employers must be aware of legal privacy interests of employees, avoid discriminatory or potentially discriminatory practices in conducting social media review, be cognizant of how the law protects certain employee activities on the Internet, and be mindful of the potential inaccuracy of information on the Internet. Each of these limitations is discussed in more detail below.

Limitations and duties for employers

It is helpful to start by looking at some of the basic legal limitations and duties applicable to the social media world for both employers and employees. These guidelines are useful for evaluating when it is appropriate to monitor employee use of social media and when it is appropriate to discipline an employee for such use.

As a general rule, so long as an employer limits its review of social media and Internet sites to those that are publicly accessible, no law prohibits the employer from reviewing such information about applicants or employees. Moreover, an at-will employer has the right to terminate the employment of an employee for no reason or for any reason that is not discriminatory or otherwise prohibited by law. Accordingly, under many circumstances, an employer may terminate the employment of an employee based on the information it uncovers on a publicly accessible website. Employers, however, should be cognizant of the following limitations to this basic rule.

Making discriminatory employment decisions

Employment discrimination laws prohibit an employer from making employment decisions – such as hiring, promotion, and termination – based on protected personal characteristics of an employee, such as race, ethnicity, citizenship, religion, marital status, sex, sexual orientation, pregnancy, age, disability, genetic information, military service or association with members of these classes. Employers also may not base employment decisions on certain protected conduct, such as carrying out important societal duties (i.e., jury duty) or conduct protected by well-established public policies. 

In reviewing social media websites, it is improper for employers to seek out information about protected characteristics of potential or existing employees. Employers also should apply uniform and consistent policies when reviewing employee Internet activity to avoid discrimination claims.

An employee may contend later that a review was discriminatory because of the employee’s membership in a protected class if an employer only reviews the social media postings of that specific employee.

To avoid discrimination claims, employers should adopt and enforce social media review policies that set out when a review is conducted and which employees are included within the scope of the review.

At the hiring stage

If an employer elects to review social media as part of the hiring process, it should conduct such a review consistently for all applicants, rather than selectively for only certain applicants. The EEOC issued an opinion letter that serves as a guidance regarding electronic resumes with video clips. In this guidance, the EEOC states that it is not illegal for an employer to learn the race, gender, disability or other protected class status of an individual prior to an interview. Nevertheless, the EEOC cautions strongly that this type of knowledge about an individual at the hiring stage increases the risk of discrimination or the appearance of discrimination. To avoid this risk, employers should always focus only on the applicant’s qualifications for the job – especially when researching online. 

Additionally, with respect to an employer’s EEO recordkeeping duties, the EEOC has clarified that such duties do not begin until a job seeker becomes an “applicant.” The EEOC and Department of Labor Office of Federal Contract Compliance Programs have drafted a guideline that defines this term. The guideline is available online at:

The guideline clarifies that, for purposes of recordkeeping, the term “applicant” in the context of Internet and related data processing technologies “depends upon the user’s recruitment and selection procedures. The concept of an applicant is that of a person who has indicated an interest in being considered for hiring, promotion, or other employment opportunities.”

To be an applicant, the following must have occurred:

  • the employer has acted to fill a particular position
  • the individual has followed the employer’s standard procedures for submitting applications
  • the individual has indicated an interest in the particular position.

At the employment stage

Employers should be cautious about potential discrimination claims for targeting certain employees for review of social media use. If an employer elects to review the social networking site of a particular employee because of a belief that the employee has engaged in some form of misconduct, the reasons for that belief and the selective search should be documented to avoid potential discrimination allegations. Employers may not access an employee’s password protected site without specific authorization from the employee to do so. Employers should also be careful about asking other employees who have access to a password-protected site to gain access for the employer. These actions could violate the Stored Communications Act (SCA) (see Privacy rights).

As described above, an employer may avoid claims by adopting and enforcing a policy concerning when it conducts social media reviews and which employees are included within the scope of the review. The policy should be enforced uniformly.

Not making employment decisions based on protected conduct 

Employers also should be aware that employee social networking and blogging may involve speech protected under the National Labor Relations Act (NLRA). One right protected under the NLRA – in both union and non-union settings – is the right of employees to engage in concerted activity relating to the terms and conditions of employment. If employees are using social networking sites or blogs to discuss issues relating to their work environment or conditions with other employees, then that speech is protected and may not be the basis for adverse employment decisions. There are reported decisions holding employers liable for violating the NLRA based on the discipline and dismissal of employees who posted on public websites and were found to have engaged in protected activity under the NLRA. As a result, employers should exercise caution before disciplining or dismissing an employee who has used social media to discuss workplace issues with other employees.

Not violating privacy rights of employees

Employers also should be mindful of employee privacy rights when reviewing social media. Massachusetts law recognizes that employees have a right to privacy in personal information and that employers may violate that right under certain circumstances. Massachusetts courts employ a balancing test to determine whether an employer has violated the privacy right of an employee. The court weighs the employer’s legitimate business interest in seeking the information against the employee’s reasonable expectation of privacy.  

As a general rule, no invasion of privacy occurs when an employer simply observes information that is “out in the open” or publicly available. An employer, however, may violate an employee’s privacy interests if the employer intrudes on an area for which the employee may have a legitimate expectation of privacy. Moreover, if the employer lacks a legitimate reason for seeking the information, the court may find that its actions are an invasion of privacy. For that reason, the employer should have clear policies reserving its rights to monitor use of employer-owned electronic devices or networks and should enforce those policies consistently. Specifically, the employer should inform employees that they have no reasonable expectation of privacy in electronic communications through the employer’s networks. The employer also should limit any monitoring efforts to Internet sites that publicly available.

Accessing electronic information without authorization

In addition to privacy interests protected by Massachusetts law, employers should be aware of the limitations imposed by federal law. The Stored Communications Act (SCA) prohibits third parties from intentionally accessing electronically stored communications, including emails or entries on private websites, without proper authorization. There are reported cases of employers facing liability for intentionally accessing employees’ private social networking accounts without authorization. 

Decisions based on an employee's report of a violation 

Employers should be cautious when responding to an employee’s report of a violation of law on social media sites. Most states, including Massachusetts, have laws to protect an employee’s ability to report violations of law.

Limitations and duties for employees 

Employees also are constrained by legal duties and limitations concerning social media use. An employee generally owes his or her employer certain basic duties. When an employee uses social media to violate any of these duties, an employer may impose disciplinary action. While the following list is not exhaustive, it includes the most widely recognized duties that employees owe employers.


It is a longstanding rule that employees owe their employers a duty of loyalty. Actions that violate this duty – such as acting against the interests of the employer or disparaging the employer on social networking sites or in personal blogs – may be valid grounds for disciplinary action in many circumstances. An employer should exercise caution, however, because some types of employee speech are protected under the law and may not form the basis for any disciplinary action. For instance, an employee has the right to protest employer actions or policies when the employee reasonably believes the actions or policies violate employment laws (such as laws concerning anti-discrimination, wage and hour, and safety). Also, as noted, the NLRA protects the right of employees to engage in concerted activity relating to the terms and conditions of employment.


An employee’s duty of loyalty includes a duty to protect confidential information of the employer. Many employers reinforce this general rule with written policies and, in some cases, contracts to prohibit employees from disclosing confidential information. If an employee discloses confidential workplace information on a social networking site or personal blog, an employer is well within its rights to impose disciplinary action. Indeed, such action may be necessary to minimize potential liability for the employer. For instance, when an employer uses the court system to enforce a written confidentiality agreement, it must show the court that it took reasonable steps to protect its confidential information. Evidence that the employer disciplined employees based on breaches of confidential information is an example of such reasonable steps.

Duty to preserve trade secrets

Many businesses go to great lengths to protect the confidentiality of trade secrets. Because of the importance of trade secrets, employers frequently have specific policies or employment contracts to prohibit the disclosure of trade secrets. Revelation of trade secrets in the course of employee social media use is another area that not only warrants employee discipline, but also requires it to ensure continued trade secret protection. If an employer seeks a restraining order in court to prevent an employee from disclosing trade secrets, it is helpful to show the court that the employer took disciplinary action against employees who breached its policies regarding the disclosure of trade secrets. Such action is evidence of the employer’s interest in protecting trade secrets.

Duty not to harass, retaliate or discriminate against other employees

Anti-discrimination laws prohibit discrimination, harassment, and retaliation by employers and employees. An employee violates its employer’s policies and the law by using social media to engage in these actions toward other employees.

However, an employer must be cognizant of its own legal responsibilities with respect to discrimination issues in the social media context. Social networking sites have expanded the concept of the “workplace,” so that employer liability for this type of conduct may arise outside the physical facility or office. Such liability may attach if an employer becomes aware that an employee is using social media (or of any other electronic communication, such as email or text messaging) to discriminate or harass other employees. As a result, employers should take disciplinary action against employees in such circumstances.

Duty to maintain a violence-free workplace

The use of social media to carry out threats of violence is another serious workplace concern. If an employee uses social media as an outlet to express threats against co-workers or threats of workplace violence, employers should take immediate action.

Best practices and policies for employers 

Employers best protect themselves from the risks and liabilities involved with social media by adopting sound policies and using best practices. Although each employer should tailor its policies and practices to its unique circumstances and should consult with legal counsel, the following list provides some basic guidelines that employers should consider adopting.

Adopt written policies

Given the prevalence of social media use, it is wise for most employers to adopt written policies for employee use of social networking and Internet sites. A total prohibition of social media use usually is not practical, but employers should set out a list of prohibited conduct related to social media and blogging. The policy should inform employees of:

  • the duty to refrain from disclosing confidential or proprietary information
  • the duty to refrain from harassing or posting derogatory comments about co-workers, customers, or competitors
  • the instruction to refrain from posting company logos, images, or any comments suggesting that the employee is representing the company in any way or engaging any conduct that potentially could harm the employer’s reputation or interests.

Employee use of employer-owned electronic devices and networks

Employers also should adopt written policies that state clearly that the employer reserves the right to monitor employer-owned or employer-provided electronic devices or networks. Such policies should state that an employee has no reasonable expectation of privacy in communications sent on employer-owned electronic devices and networks.

Among other things, employers may want to reserve the right to monitor employees’ use of the Internet, instant messaging, email, or text messaging on employer-owned or employer-provided devices. Employees also should be reminded that emails and instant messages are business records that may be used in litigation, audits, and investigations. 

Employers also should adopt clear guidelines about permissible use of employer-owned electronic devices. For instance, an employer may want to adopt a policy prohibiting employees from accessing pornography or other offensive sites from the employer-owned electronic devices. Similarly, an employer may want to require that employees use respectful and professional language in all electronic communications. Employers should notify employees that violation of employer policies will lead to discipline, up to and including termination of employment.

Don't forget text messaging

As part of a global electronic communication policy, an employer should also include information restricting the use of text messages during the work hours. A well-drafted policy will convey the same restrictions that apply to social media sites, such as not sending sexually explicit emails to co-workers or clients, anti-discrimination warnings, and warnings against texting or tweeting about sensitive company information or trade secrets.

Apply the policies 

If an employer notifies employees that it will monitor its electronic communication devices, it must follow through with the policy in order to overcome the employee’s right of privacy. Many employers enforce these policies by setting up a process to randomly check these devices on an ongoing basis. At all times, an employer should document its method and its follow-through.

Follow best practices 

Employers should follow best practices in using social media in the employment context.

  • Employers should document online monitoring and should ensure that all applicants or employees are screened or treated the same way.
  • To minimize risk of discrimination claims, employers should screen job applicants using social media sites only after meeting the applicant face-to-face and only after the applicant has successfully gotten through the interview process.
  • If an employer intends to periodically review blogs or social networking sites, it should inform its employees of the practice and apply it uniformly to all employees.
  • If an employer selects a particular employee for screening or review of online activity or social media use because of concerns of misconduct, it should document its reasons for the action.
  • Be aware that information posted on the Internet is not subject to any accuracy or verification requirements.

Potential litigation

Electronic communications – including emails, blogs, text messages, posting on social media sites, and personal websites – are more and more frequently becoming an important part of discovery in litigation for both employers and employees. Accordingly, an employer should be aware of the potential for such materials to be used in litigation and use caution in its own electronic communications.