NLRB Issues Second Report Reviewing Social Media Enforcement Actions

On January 25, 2012 the National Labor Relations Board (“NLRB”) Office of the General Counsel released a report summarizing fourteen cases that were before the NLRB concerning the “protected and/or concerted nature of employees’ social media postings and the lawfulness of employers’ social media policies and rules” (“Report”). The Report followed up on an earlier report issued by the NLRB Office of the General Counsel on August 18, 2011 and reiterated two main principles set forth in that earlier report:

  • Employer policies should not be so broad that they prohibit, discourage or chill activity that is protected by Section 7 of the National Labor Relations Act (“NLRA”) (e.g., discussion of wages or working conditions). Specifically, the Report made clear that:
    • Specific examples of the type of conduct prohibited should be included in any social media policy (i.e., do not disclose “trade secrets”, as opposed to do not post “sensitive information” about the company).
    • The policy should carefully carve out and protect employees’ specific rights under the NLRA; a general saving clause is insufficient.
    • The policy should not use vague terms like “appropriate” or “professional” without providing clear definitions for those terms.
  • Employee comments on social media networks generally are not protected if those comments are mere complaints about or general dissatisfaction with the job (e.g., “I hate my job!” or “My boss is mean!”). The comments will be protected if they are associated with an expression of shared concern, such as a dialogue about how bad the work environment is and what employees can do to fix it in response to a single employee’s wall post about the job.

Summaries of each of the cases reviewed in the Report are as follows:

1. Employee Discussion on Facebook Can Be Protected Concerted Activity

  • The terminated employee had posted on Facebook about a self-proclaimed demotion that she thought was unfair and unwarranted based upon her performance. Several co-workers with whom she was also “friends” posted their support on Facebook, including comments discussing the employer’s dishonest and unfair practices. The employee was terminated 5 days after making her post for violating the employer’s rule prohibiting “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The NLRB found that this policy was unlawful on the basis that it would “reasonably be construed to restrict Section 7 activity, such as statements that the Employer is, for example, not treating employees fairly or paying them sufficiently.” Further, the NLRB found that the employee’s initial post and the subsequent discussion that it generated fell within the definition of “concerted activity” since the discussion clearly centered on working conditions.

2. Broad Policies That Do Not Provide Examples or Clear Definitions Are Often Found Invalid by the NLRB

  • An employer implemented a social media policy “restricting the use of the employer’s confidential and/or proprietary information provided that, in external social networking situations, employees should generally avoid identifying themselves as the employer’s employees, unless there was a legitimate business need to do so or when discuss terms and conditions of employment in an appropriate manner.” The policy did not define what “appropriate” or “inappropriate” meant under the policy and therefore employees could “reasonably interpret the rule to prohibit protected activity, including criticism of employer’s labor policies, treatment of employees and terms and conditions of employment.”
  • A provision requiring “that social networking site communications be made in an honest, professional, and appropriate manner, without defamatory or inflammatory comments regarding the employer and its subsidiaries, and their shareholders, officers, employees, customers, suppliers, contractors, and patients.” Without defining broad terms like “professional” and “appropriate” the provision could be construed to prohibit communications protected by the NLRA.

3. Policies that Subjectively Infringe on NLRA Section 7 Rights Are Invalid

  • An employer discharged an employee for violation of a company policy that stated that “insubordination or other disrespectful conduct” and “inappropriate conversation” would be subject to disciplinary action. The NLRB found that this policy “would reasonably be construed by employees to preclude Section 7 activity.”
  • An employer’s social media policy “prohibits employees from using social media to engage in unprofessional communication that could negatively impact the employer’s reputation or interfere with the employer’s mission or unprofessional/inappropriate communication regarding members of the employer’s community.” Although the rule contained some clear examples of unprotected conduct (e.g. revealing trade secrets), it also contained examples that could reasonably be read to include protected conduct and, therefore, could “be construed to chill employees in the exercise of their Section 7 rights.”

4. Social Media Policies Inhibiting Free Communication Between Employees and Between Employees and Third Parties Are Generally Invalid

The Report discussed the following overbroad provisions from a single social media policy:

  • A provision that prohibited employees from “disclosing or communicating information of a confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department” is unlawful because employees have a right to communicate such information to third parties.
  • A provision preventing use of the company’s name or service marks outside of the course of business without prior approval of the law department is unlawful because employees have a right to use their employer’s name or logo in conjunction with protected concerted activity, such as to communicate with fellow employees or the public about a labor dispute. 
  • A provision prohibiting employees from publishing “any representation about the company without prior approval by senior management and the law department” is unlawful because employees have a Section 7 right to make representations about their employer that are “part of and related to an ongoing labor dispute.” 
  • A provision providing “that employees needed approval to identify themselves as the employer’s employees and that those employees who had identified themselves as such on social media sites must expressly state that their comments are their personal opinions and do not necessarily reflect the employer’s opinions” is unlawful because the provision stifled employees’ ability to locate other employees, thus, inhibiting their ability to organize, a protected right under Section 7.
  • A provision “requiring employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination” is unlawful because it inhibits the ability for employees to organize to discuss working conditions.

5. Social Media Policies that Are Adequately Tailored to Uphold Workplace Confidentiality and Discrimination Rules are Lawful

  • The policy originally prohibited discriminatory, defamatory, or harassing posts about specific employees, the work environment or work-related issues on social media sites. Broad terms like “defamatory” especially when applied to work-related issues could be construed to apply to protected activity. The amended policy prohibited “the use of social media to post or display comments about coworkers or supervisors or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.” The amended policy, on the other hand, could not reasonably be construed to apply to protected activity as it provides a “list of plainly egregious conduct.”
  • The employer’s social media policy provided that “the employer could request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws. [Further,] [i]t prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients, and it also prohibited employees from discussing in any form of social media “embargoed information,” such as launch and release dates and pending reorganizations.” In context, the prohibition applied only to communications that could impact security regulations or disclose proprietary information and, as such, was narrowly tailored and withstood scrutiny.

The Report also provides updated guidance regarding the scope of “concerted activity” under Section 7:

1. Facebook Posts Can Only Be Considered Concerted Activity Where There Is Active Participation from Facebook “Friend” Co-Workers In the Discussion

  • The terminated employee (a truck driver) posted to Facebook criticizing the way that the business was run, including, that the company was ‘running off all the good drivers’. No other employees joined the discussion and the employee’s comments did not attempt to induce a group action. The NLRB further noted that there was no “unlawful surveillance” since the employee had invited his supervisor to be his “friend” on Facebook.
  • The terminated employee posted criticism of a supervisor on Facebook, including use of the phrase “setting it off”. The employer deemed the phrase to be threatening and inappropriate. The post was not concerted activity because, although the posts addressed terms and conditions of employment, he did not intend to initiate or induce coworkers to engage in group action and no “friends” that were co-workers responded to his post.

2. Social Media Postings That Are a Direct Result of Concerted Activity Are Protected

  • The terminated employee, an individual in whom other employees confided about on-the-job issues, posted about those shared concerns over the terms and conditions of employment. Co-worker responses to her posts contained suggestions for action by the group to change those conditions. Her termination was found to be unlawful because it was directly related to her “involvement in her co-workers’ work-related problems, including her discussions with fellow employees about the terms and conditions of employment.”
  • The terminated employee made various online (e.g. on local newspaper message boards) and Facebook posts about the employer’s poor management style, which allegedly included bullying, harassment and abuse of employees that had been ongoing for at least 3 years. Several co-workers posted messages of support on the terminated employee’s Facebook Page, e.g. “Thank you for speaking for us who do not dare.” Since the posts were part of an ongoing labor dispute related to treatment of employees, and the statements were a “logical outgrowth of other employees’ concerns or were made with or on the authority of other employees”, it was clear that they contained unfair labor practice charges, which are protected by Section 7. The NLRB further found that the comments were not unprotected disparagement or defamation.

3. Comments to Facebook Postings Have Equal Protection and Privilege As Original Postings

  • The terminated employee posted his frustration on Facebook that another individual was promoted over him and that the promotions were not aligned with the performance. Responses to his post included suggestions that all the good employees should quit.  These posts demonstrated “shared concerns about the terms and conditions of employment” and were therefore “concerted activity for mutual aid and protection” and protected activity under Section 7.
  • The terminated employee posted on a co-worker’s Facebook wall about his supervisor’s bad attitude and poor management style, and the co-worker agreed, responding that she wished she could work elsewhere. The employees had previously complained about the supervisor to a higher up. Protest of supervisory action is protected under Section 7 and the NLRB found that the discussion constituted “concerted activity for mutual aid and protection.” The NLRB further found that the comments were not unprotected disparagement or defamation.

As we have previously noted in prior posts about the NLRB’s social media enforcement actions, employers should carefully review and adjust their social media policies and practices in light of the NLRB’s guidance and enforcement. Social media policies must be narrowly tailored so as not to infringe upon employees’ Section 7 rights.

 

 

The Legal Implications of Social Networking Part Three: Data Security

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). Well, after 4th quarter year-end madness and a few holidays, Part Three is ready to go. In this post, we explore how security concerns and legal risk arise and interact in the social media environment. Again, the intended audience for this blog post is organizations seeking to leverage social media, and to understand and address the risks associated with its use.

As might be expected, criminals view social media networks as fertile ground for committing fraud. There are three main security-related issues that pose potential legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computer devices connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

Social Media = Social Engineering

One of the biggest social media security risks reveals itself in the name of the medium itself: social media yields social engineering. In short, when it comes to social media attacks, an organization’s own employees may be its worst enemy. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” Social media users may be tricked into downloading applications infected with malware because a posting was “recommended” by a friend. For example, almost immediately after Osama Bin Laden was killed by U.S. troops, one Facebook scam inserted malware on computers using a malicious (and false) link to the “real” Osama Bin Laden dead body photo that looked like it was posted on a friend’s wall. In addition, some scams have used messaging capabilities within social media platforms to initiate computer attacks.  Unfortunately, if a company's employee is scammed and downloads malware from a social media network to the company network, it may be the company that faces legal liability.

In addition, fraudsters use the trust users place in the social media platform itself to effectuate security breaches. For example, most would feel fairly comfortable clicking on an advertisement displayed on Facebook. However, in some cases that click could result in a “malvertisement” infection.

Another common attack technique is phishing. Criminals create fake email notices that appear to come from social media sites. Unsuspecting users that click on links in these emails may end up providing sensitive information to fake websites that look like the social media site they belong to, or downloading malware onto a company’s system.  Unfortunately, even an employee just giving up his or her personal social media passwords can be risky for a company. Many individuals use the same passwords at multiple sites and disclosing a social media password could also amount to providing the password to the network of an employee’s employer.

There is increasing evidence that criminals are using social media to target key company personnel in order to burrow into company networks and steal trade secrets and other sensitive information.  The wealth of personal information users share on social media sites provides ammunition for such attacks. Fraudsters can gather details about a user before engaging in an attack (e.g. employer, address, phone number, friends, affiliated companies, etc.) and then use the details to target the attack specifically at the individual(s) (such as a phishing email).  In fact, this very technique appears to have been used in one of the biggest breaches of 2011, the RSA breach.

With regard to legal risk, companies suffering a breach arising out of social media face the same risks for any security breach. If malware infects a system or an employee is tricked into providing his or her login-credentials, and confidential or personal information is stolen, the employer may face lawsuits or regulatory scrutiny.  Actions alleging breaches of NDAs may also come from third parties whose trade secrets or other confidential information a company holds. Moreover, if personal information is accessed or acquired due to the social media security breach, notification may be necessary and related costs would have to be incurred by the employer.

Social Media Spoofing and Hijacking

Companies may also face legal liability for failing to detect and notify social media users of scams associated with the company’s social media site or key personnel with social media presences. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social media application that looks like it is sponsored by the organization, legal repercussions could arise. Similarly, fraudsters could create fake profiles of key company personnel in order to commit crimes.

Security and legal risks can also arise if hackers are able to take over a company’s fan page or social media profiles of key company personnel. By creating a fake fan page or profile, or hijacking an existing fan page or profile, fraudsters could send out messages with malware to all of the individuals who joined the fan page or trick customers into disclosing sensitive information.  From the legal risk perspective, while case law is sparse, companies that fail to have fake fan pages removed or that fail to warn their customers of scams that look like they come from the company, could face legal liability.

Confidential Information Leakage

Another important business and legal risk arises out of potential confidential information leakage on social media sites.

Imagine a company that is heavily reliant on traditional sales methods and has built up a customer list (a trade secret) with key, difficult-to-find contacts. Oftentimes, companies like this rely on key sales people to bring in large portions of their revenue. Perhaps seeking to be on top of modern marketing practices some of these salespeople establish LinkedIn accounts, and naturally begin linking to dozens or perhaps hundreds of friends, colleagues and customers. On LinkedIn, if settings are not set properly, all of the contacts related to these key salespeople could be publicly viewable. That being the case, it would not be difficult for a competitor to simply view and record those contacts, thereby potentially exposing the company’s customer list and key customer contacts.

Take it one step further. Suppose one of the key salespeople leaves with the customer list and the company sues alleging misappropriation of trade secret. One of the elements for establishing a trade secret is making efforts to keep the secret confidential. However, by allowing the salesperson to display all of his contacts on LinkedIn, has the company effectively failed to maintain that confidentiality and lost its trade secret protection?

In 2010, we saw an Eastern District of New York case that looked at this issue and ruled that trade secret protection was unavailable for a company where the customer list information at issue could be readily ascertained using sites like Google and by viewing LinkedIn profiles. In contrast, in 2011, the court in Syncsort Incorporated v. Innovative Routines, International, Inc., looked at the issue of whether a trade secret posted on the Internet loses its protection. While the court ruled that trade secret protection was not lost under the facts of Syncsort (where only a portion of the trade secret was available for a limited time), it appears that a different set of facts could yield a decision going the other direction.

The inadvertent disclosure of confidential information by employees may also be problematic for organizations. This problem can arise when employees mistakenly or unknowingly disclose sensitive information. For example, in September 2011 a Hewlett-Packard executive updated his LinkedIn status and revealed previously undisclosed details of HP's cloud-computing services. If he had instead posted confidential information about one of HP’s clients it may have resulted in legal liability. Moreover, for publicly-traded companies, certain inadvertent disclosures of financial information could lead to violations of securities laws and regulations.

Even if confidential information is not directly put into a single status update or other post, the aggregated social media postings of multiple employees could yield valuable competitive information. Companies (on their own or through third party service providers) are actively data mining social media sites with the hope of gathering enough bits and pieces of information to provide a competitive edge. Employees may be unwittingly posting what they think is a single piece of non-sensitive data.  However, when combined with multiple data points from other employees and sources, those innocent disclosures could suddenly reveal company or client confidential information.

Conclusion

In summary, the key security-related legal concerns associated with social media start with the fact that social media provides a rich target environment for criminals. Social media users are literally volunteering information that may be sensitive, and the disclosure of which could lead to legal risk. The culture of sharing present on social media sites itself can lead to over-disclosure by employees, and the pure volume of data that can be mined from social media sites may allow competitors and criminals to connect-the-dots to reveal confidential or sensitive information. Moreover, the sense of trust that comes with social media environments provides an opportunity for criminals to breach security. People may be tricked into providing certain information or downloading malware because they think they are having legitimate communications with colleagues or friends. Finally, the ability to easily spoof or create fake sites or pages in social media sites that look legitimate can lead to increased security risk. With this increased security risk, comes increased legal and liability risk (in an area of law that is very unsettled in terms of who can be liable for a security breach, and to what extent).

How can these risks be addressed and mitigated? First, it is key to understand the social media environment and how the various social media platforms work.  The unique characteristics of a particular social media platform may present risks specific to that platform. Second, organizations need to develop a social media strategy to maximize their leveraging of social media while minimizing risk (Are employees allowed to use their social media sites from work computers? Can they talk about the company and its plans on social media sites? What company information can they share on social media sites? Should only a handful of marketing-oriented employees be allowed to post about or on behalf of an organization? Can the company monitor social media usage?) Once strategy is developed, social media policies need to be drafted to reflect the strategy and address risks. In the security context, a big part of minimizing risk is educating and training employees and providing guidance on how to avoid or minimize it.  Technology solutions may also exist that can allow for monitoring and tracking of social media usage by employees. Ultimately, however, like social media itself, it comes down to people -- risk can only be addressed appropriately if the individuals using social media are equipped to identify and mitigate against it.

Twitter Followers = Trade Secrets?

Phonedog v. Kravitz, currently pending in the Northern District of California, raises unprecedented issues regarding social media.  Is a list of Twitter followers protected as trade secret under California law?  What is the value of a Twitter follower?  $2.50 per month?  I discussed these questions today with Fox News. 

InfoLawGroup and ACE USA Social Media Risk Podcast

InfoLawGroup attorneys recently joined risk management professionals from ACE USA, the U.S.-based retail operating division of the ACE Group, to record a companion podcast to our whitepaper “Social Media: The Business Benefits May be Enormous, But Can the Risks – Reputational, Legal, Operational – be Mitigated?”

The free podcast is available for download at http://infolawgroup.com/files/ACESocialMediaRisks.mp3 or through ACE at http://traffic.libsyn.com/lubetkin/ACESocialMediaRisks.mp3

The white paper was co-authored by Toby Merrill, VP, ACE Professional Risk, Kenneth Latham, VP, ACE Professional Risk, InfoLawGroup Partner David Navetta, Esq., CIPP, and InfoLawGroup Senior Counsel, Richard Santalesa, Esq.

 

 

NLRB Holds "Facebook" Firing Justified on Alternative Grounds, but Finds Policy Unlawful

As we have discussed on our blog, the National Labor Relations Board (NLRB) has continued a campaign of enforcement actions against employers who, according to the NLRB, have unlawfully terminated employees for discussing working conditions on social media. As we reported, in the first of such “Facebook” enforcement actions to come before an NLRB administrative judge, the employer was ordered to reinstate five employees and to pay back their wages.

On September 28, 2011, in the second “Facebook” case to reach an NLRB administrative judge, an employer was found to have been justified in terminating an employee car salesman for Facebook postings that mocked the employer and did not concern working conditions.

NLRB Allegations

In this proceeding, the NLRB alleged that the employer – a car dealership – fired a salesman in violation of the National Labor Relations Act (NLRA) for criticizing on Facebook the quality of a dealership sales event. According to the NLRB complaint, the dealership held a sales event to promote a new vehicle model. After the event, the salesman posted photos and commentary on his Facebook page mocking the dealership for serving hot dogs and bottled water at a sales event for a luxury car. Other employees had access to and commented on the Facebook page. The NLRB alleged the dealership managers fired the salesman after they learned of his critical Facebook posts. The NLRB argued that the firing violated Section 8(a)(1) of the NLRA, which deems it an unfair labor practice for an employer to interfere with, restrain, or coerce an employee in the exercise of the employee’s NLRA Section 7 right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”

The dealership argued, however, that it terminated the salesman not for criticizing the sales event, but rather for posting on Facebook pictures of “bloopers” from another dealership owned by the salesman’s employer. The pictures showed a customer’s 13-year old son driving a brand new luxury SUV from the dealership into a pond, which the salesman captioned as “This is your car: This is your car on drugs.”

Decision

Dealership Sales Event

The judge agreed with the NLRB that the salesman’s Facebook posts criticizing the sales event were protected by Section 7 of the NLRA in part because the employees expressed their concerns before the salesman posted the event-related photos and commentary on Facebook. The judge reasoned that “[t]he lone act of a single employee is concerted if it ‘stems from’ or ‘logically grew’ out of prior concerted activity.” The judge also found that the inadequate refreshments offered at the sales event, “could have had an effect on [the salesman’s] compensation,” deeming them an appropriate object of discussion. In finding the activity protected, the judge was undeterred by the posts’ “mocking and sarcastic tone,” noting that the NLRB’s general position is that “unpleasantries uttered in the course of otherwise protected concerted activity do not strip away the [NLRA’s] protection.”

SUV in the Pond

The judge, however, ruled that the firing was nevertheless justified because the salesman’s Facebook posts depicting the luxury SUV in a pond were not entitled to NLRA protection. The judge found that the salesman posted about the accident “as a lark” without any discussion with other employees and, more importantly, the posts had no connection to any of the terms and conditions of the salesman’s employment. Based on testimony from both parties, the judge determined that the dealership fired the employee solely for the accident-related posts and, therefore, did not violate the NLRA.

Employee Policy

The judge also ruled on the NLRB’s allegation that the dealership’s employee policy provisions were overly broad in violation of the NLRA. The NLRB challenged the policy’s statements that: (a) “[a] bad attitude creates a difficult working environment and prevents the [d]ealership from providing quality service to our customers” and (b) “[n]o one should be disrespectful or use profanity or any other language which injures the image or reputation of the [d]ealership.” Paragraphs (c) and (d) broadly prohibited employees from participating in interviews or responding to inquiries concerning employees.

The judge held that paragraph (a) was lawful, as it “would reasonably be read to protect the relationship between [the dealership] and its customers, rather than to restrict the employees’ [NLRA] Section 7 rights.” Noting that the dealership sold luxury cars, the judge held that “a dealer in that situation … has the right to demand that its employees not display a bad attitude toward its customers.”

The judge agreed with the NLRB that paragraph (b) was unlawful because it could reasonably be interpreted as curtailing Section 7 rights. The judge cited NLRB precedent finding unlawful a similar employer-created rule that prohibited “insubordination … or other disrespectful conduct” because it chilled employee rights.

As for paragraphs (c) and (d), the judge stated that if employees complied with these restrictions, “they would not be able to discuss their working conditions with union representatives, lawyers, or Board agents.” The judge held that paragraphs (c) and (d) were clearly unlawful as they explicitly restricted activities protected by Section 7 of the NLRA.

Although the dealership had rescinded paragraphs (a) through (d) of its employee policy prior to the hearing, the judge held that simply rescinding the provisions was insufficient to relieve the dealership of liability. Accordingly, the dealership was ordered to post a notice informing employees of their right to engage in protected concerted activity.

Our Take

While ultimately favorable for the employer, the decision in this second Facebook firing case is consistent with the positions on employee rights that the NLRB has articulated in its recent enforcement actions. Another important takeaway from the decision is the judge’s finding that policies that chill employees’ rights under Section 7 of the NLRA are unlawful on their face, regardless of whether an employer actually enforces the policy or the manner in which the policy is enforced. This ruling further emphasizes the importance of reviewing and, as appropriate, revising employee policies to ensure consistency with the NLRB social media guidance.

The Legal Implications of Social Networking Part Two: Privacy

As social media and networking continue to revolutionize modern-day marketing and become the norm for organizations of all types, shapes and sizes, it is even more important to adequately address the legal risks associated with social media use. In Part One of our Legal Implications series, we laid out some background and identified key areas of legal risk.   In the next few posts InfoLawGroup is going to look deeper at some of these risks. In this post we explore some of the privacy legal issues that companies should address if they want to leverage social media.

Background

Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.

The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:

  • What types of personal information will the organization have access to?
  • What types of personal information will the organization collect, and how will it use that information?
  • What legal restraints exist with respect to the collection and use of the personal information (e.g. regulations, contracts, internal policies, etc.)?

While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.

Key Privacy Legal Issues

  • Social Media Platform Terms of Use

The first place to look for privacy legal obligations is the terms of use of a particular social media platform. Social media platforms attempt to balance privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions related to the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if a user consents to such a use (organizations, however, may use connections between two users that have both connected to the application). As a general rule, companies can only use the Twitter API to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content.

In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform.   Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and for multiple functionalities and activities within a platform.

For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent.  In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords.  Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.

Unfortunately, the failure to follow these privacy-related terms of use can get (and already has gotten) companies into legal trouble. That trouble can arise directly with the social media platform provider in the form of a banning or a breach of contract action. In addition, a violation of the obligations set forth in a social media platform's terms of use may be alleged as the basis for lawsuits against companies using social media.

  • Regulatory Privacy Issues

An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.

A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites may embed social media functionality that allows users to comment on a website post or article using Facebook or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The question is to what extent does the website’s general privacy policy apply to the information gathered through the embedded social media platform. The second question is whether the organization’s handling and use of such personal information violates the website’s general privacy policy.   As the lines between an organization's general website presence and their social media presence blur even more over time, consistent privacy practices will become increasingly important (note:  InfoLawGroup has developed privacy policy language to address this situation).

Beyond general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children's Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children.  In fact the FTC recently released proposed revisions to COPPA intended to address social media that is used often by children.

The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as “any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law. For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.

Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated.  It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.

Conclusion

Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.

This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media.  A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.

Nonprofit Must Rehire Employees Axed for Facebook Complaints

In the first decision of its kind, a National Labor Relations Board (“NLRB” or the “Board”) Administrative Law Judge recently ruled on September 2, 2011 that a nonprofit organization unlawfully discharged employees for complaining about their jobs on Facebook. As we have previously discussed on our blog, the NLRB has been very aggressive in enforcing employees' right to engage in work-related discussions on social media. This is the first case involving Facebook that resulted in an ALJ decision following a hearing. Unlike prior NLRB enforcement actions, this case did not target the organization’s social media policy or involve a unionized workplace.

According to the NLRB decision, the employer Hispanics United of Buffalo fired five employees for criticizing work conditions on a Facebook comment thread. After one of the employees notified the NLRB regional office, NLRB Regional Director Rhonda Ley issued a complaint alleging that Hispanics United conducted unfair labor practices in violation of the National Labor Relations Act by “interfering with, restraining, and coercing employees in the exercise of rights” guaranteed in Section 7 of the NLRA. Section 7 provides in part that employees have the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The NLRB has interpreted Section 7 rights to apply to both unionized and non-unionized personnel.

Judge Arthur Amchan found that the employees were illegally discharged because the Facebook discussion was concerted activity protected under Section 7 of the NLRA. The discussion was protected because it involved a conversation among coworkers about their terms and conditions of employment. Although Hispanics United argued (in part) that the Facebook comments were not protected because persons other than Hispanics United employees may have seen them, Judge Amchan found that “irrelevant” as the first comment in the thread specifically “asked for responses from co-workers.” Furthermore, “just as the protection of Sections 7 and 8 of the Act does not depend on whether organizing activity was ongoing,” Judge Amchan noted, “it does not depend on whether the employees herein had brought their concerns to management before they were fired, or that there is no express evidence that they intended to take further action, or that they were not attempting to change any of their working conditions.” The judge determined that the employees had not engaged in any conduct that could have forfeited their Section 7 rights. According to the decision, the comments were related to subject matter the employees had a protected right to discuss, there were no “outbursts,” and the employees had not violated any Hispanics United policies or rules. Although Hispanics United asserted that the employees’ conduct constituted harassment of an employee named on the Facebook comment thread in violation of its “zero tolerance” harassment policy, Judge Amchan found no evidence in the record supporting Hispanics United’s position.

In a first for a case involving employees' rights in the context of social media, the NLRB judge ordered Hispanics United to reinstate the five employees and awarded the employees back pay. Hispanics United was also ordered to “cease and desist from discharging its employees due to their engaging in protected concerted activities” and to post a notice at its Buffalo facility concerning employee rights under the NLRA and the organization's violations of those rights.

On the heels of the NLRB report on social media enforcement, this ruling provides further guidance to employers regarding the NLRB's application of Section 7 to social media and the growing number of NLRB's social media enforcement actions. As we noted both in the context of discussing the NLRB’s recent enforcement actions and the agency's social media report, employers should carefully review and adjust their communications and social media practices and policies to comply with the NLRB's guidance on employees' Section 7 rights.
 

NLRB Report Reviews Social Media Enforcement Actions

On August 18, 2011, the Associate General Counsel of the National Labor Relations Board (“NLRB” or the “Board”) issued a report analyzing the Board’s recent social media enforcement actions. The report seeks to provide guidance to employers that want to ensure that their social media policies appropriately balance employee rights and company interests.

As we have discussed on our blog, the NLRB has been very active since late 2010 in enforcing employees’ rights to discuss working conditions through social media. The Board's numerous enforcement actions have focused on employees’ work-related statements on social media platforms such as Facebook, Twitter and YouTube. The enforcement actions have addressed employees’ social media activities in the context of their rights under Section 7 of the National Labor Relations Act to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” Employers may not discipline or terminate employees (either unionized or non-unionized) for exercising their Section 7 rights.

The report suggests that the NLRB views as protected a broad scope of social media activity that addresses working conditions. It also suggests that the Board sets a low threshold for finding that such activity is “concerted” – i.e., “undertaken with or on the authority of other employees, and not solely by and on behalf of the employee himself.” While each enforcement action represents a unique set of circumstances, generally, the NLRB has found employees’ social media activity to be protected when the statements expressed employees’ sentiment about working conditions, whether or not the actual postings involved one or more employees. Examples of activities the Board deemed protected include discussions on social media that implicated working conditions and that were initiated by one coworker in an appeal to other coworkers for assistance; postings provoked by a supervisor’s allegedly unlawful activity; and postings that vocalized employees' sentiment about working conditions that the employees expressed in off-line conversations, even where coworkers did not post comments to the initial post by one of the employees.

The report also sets out various employee social media policy provisions that the NLRB found to infringe on employees’ Section 7 rights. According to the report, the NLRB may view as unlawful (often because the Board viewed them as overly broad) social media policies that:

  • Prohibit employees from posting pictures of themselves in any media, including the Internet, which depict the company in any way, including posting featuring a company uniform or corporate logo;
  • Prohibit employees from making disparaging comments when discussing the company or the employees' superiors, coworkers or competitors;
  • Generally prohibit, in the application to social media, offensive conduct and rude or discourteous behavior;
  • Prohibit inappropriate discussions about the company, management or coworkers;
  • Prohibit any use of social media that may violate, compromise or disregard the rights and reasonable expectations as to privacy and confidentiality of any person or entity;
  • Prohibit any communications or posts that constitute embarrassment, harassment or defamation of the employer or its employees, officers, board members, representatives or staff members;
  • Prohibit statements that lack truthfulness or might damage the reputation or goodwill of the employer, its staff or employees;
  • Prohibit employees on their own time from using social media to talk about company business, from posting anything that they would not want their manager or supervisor to see or that would put their job in jeopardy, from disclosing inappropriate or sensitive information about employer, or from posting any pictures or comments involving the company or its employees that could be construed as inappropriate;
  • Prohibit employees from using the company name, address or other information on their personal profiles;
  • Prohibit employees from revealing personal information regarding coworkers, company clients, partners or customers without their consent; or
  • Prohibit the use of employer’s logos and photographs or of the employer’s store, brand or product without written authorization.

As we have previously noted in the context of discussing the NLRB’s social media enforcement actions, the Board’s view of employees’ Section 7 rights in the context of social media requires employers to carefully review and adjust their communications and social media policies and practices. The Board's report further suggests that employers need to tailor their social media policies narrowly to protect company interests without infringing on employees’ rights.

Financial Industry Gets New Guidance on the Use of Social Media

Banks and other financial institutions face unique issues when it comes to the use of social media.  Faced with conflicts between social media platform rules, customer expectations, self-regulatory standards, and the strict regulations that govern the industry, guidance has been needed.  The industry received some of that guidance recently through a whitepaper issued by BITS, the technology arm of The Financial Services Roundtable whose members are 100 of the largest financial institutions in the U.S.

The report addresses the compliance, legal, operational, and reputational risks – and related mitigation strategies – of using social media in connection with a financial or banking operation. Regarding compliance, the report discusses the myriad of compliance areas relevant to banks, including marketing, privacy and security. For example, because social media web sites and web activities are deemed advertising by regulators, the report warns of the risks of failing to comply with various marketing laws and regulations applicable to the banking industry, including state Unfair and Deceptive Acts or Practices Acts and Prize and Gift Acts, as well as others that require additional steps for financial institutions, such as Truth in Lending, Truth in Savings, and FDIC membership rules. The paper predicts even stronger and more subjective requirements to come under the Dodd–Frank Wall Street Reform and Consumer Protection Act. Risks of non-compliance vary widely, from litigation and reputation risk to regulatory enforcement actions and, in some cases, civil money penalties.

The report discusses generally the requirement under the FTC’s endorsement guidelines that online publishers “disclose relationships with advertisers when they receive free products for review, compensation or other consideration.” The requirement seems simple, but administration and enforcement of it can become complex. So, the report urges financial institutions to develop policies and practices for educating associates, bloggers and other endorsers regarding disclosure requirements, including guidelines about the required disclosure format. These new policies should also be confirmed to be consistent with the myriad of other policies that likely exist, and even some that may not be entirely obvious, including any Code of Conduct/Ethics Policies, Sarbanes-Oxley Policies, Marketing/Brand/Logo Enforcement Policies, Risk Management Policies, Employment Verification/Professional Reference Policies and various others.

On the issues of privacy and security, financial institutions walk a tightrope when using social media.  The report warns that protected data could be exposed much more readily as consumers interact with bank staff on social networks.  The increasingly real-time nature and features of many social media sites pose additional risks because staff must know the report-recommended policies, remember them, and act accordingly – all in near real-time.  This is all in addition to the risks of third parties, who could try to use such features to try to expose information and may be more likely to succeed given the conversational nature of the platforms and features.  Also, since social media sites and companies often make changes to those policies as they add new features or expand their partnerships with other online companies, the report warns banks to be vigilant in monitoring the privacy policies and practices of the various social media sites they use.

Although it is no substitute for clear rules from the federal banking agencies and other regulators about banks’ use of social media, the BITS report helps summarize the issues to spot when navigating banks’ use of social media and how to begin resolving potential conflicts. The report is targeted to the financial industry, but because it covers use of employees’ information and resolution of institutions’ internal policies, it could be a helpful read for those companies outside of the industry, as well. Read the report here.

The Legal Implications of Social Networking: The Basics (Part One)

We are in the midst of a communications revolution. Use of social media for communication purposes continues to grow, while "old school" messaging media like email are on the decline. Facebook reportedly has reached 700 million users worldwide and is putatively valued at $50 billion. Advertising revenue expected to be generated from social media is estimated to reach $8.3 billion annually by 2015. Significantly, according to one survey, 81% of companies have implemented (or plan to implement) social networking in order to enhance their exposure. Seventy-three percent of small and medium businesses reportedly employ social media for marketing purposes.

Much like the “Cloud computing revolution,” there is an almost frenzied excitement around social media, and many companies are stampeding to exploit social networking. The promise of increased intimate customer interactions, input and loyalty, and enhanced sales and expanded market share can result in some organizations overlooking the thorny issues arising out of social networking. Many of these issues are legal in nature and could increase the legal risk and liability potential of an organization employing a social media strategy.

Coming on the heels of a white paper we wrote with ACE USA, in this multi-part series the InfoLawGroup will identify and explore the legal implications of social media. This series will help organizations begin to identify some of the legal risks associated with social media so that they may start addressing and mitigating these risks while maximizing their social media strategy.

In Part One of the series, we will provide a high level overview of the legal risks and issues associated with an organization’s use of social media. In subsequent parts members of the InfoLawGroup team will take a deeper dive into these matters, and provide some practical insight and strategic direction for addressing these issues.   As always, we view our series as the beginning of a broader conversation between ourselves and the larger community, and we welcome and strongly encourage comments, concerns, corrections and criticisms.

What is Social Media?

For a phenomenon that is taking over the world, one would think that the meaning of social media would be clear. While that may not be the case, we are not going to belabor the issue in this post. Instead we will simply use the definition generated by Wikipedia (itself a form of social media that relies on the collective efforts of its users to come up with the “right” answer): 

Social media are media for social interaction, using highly accessible and scalable publishing techniques. Social media use web-based technologies to turn communication into interactive dialogue.

Examples of websites and internet activities that fall into this definition include: LinkedIn, Facebook, Twitter, Digg, Delicious, StumbleUpon, Foursquare, blogging platforms (e.g. WordPress, Drupal, etc.), Wikipedia, bulletin boards (e.g. phpbb.com), Quora and YouTube.

The InfoLawGroup is a heavy user of social media, and the best way that I have been able to explain our social media is by analogy: social media is like a wide-ranging conversation that can be with the entire world, or on a very intimate level with a single individual, and often both. Social media provides a mechanism for finding communities of like-minded (or not) individuals interested in particular topics (and sub-topics). InfoLawGroup uses social media to engage in conversation concerning issues that are important and interesting to us (and others), and by engaging in that conversation in a meaningful way, others begin to recognize and value our input (and we in turn discover experts, influencers, and valuable information resources). Based on our experience, the key attributes of successful social networking include clear communication, multi-party interaction, trust and intimacy.

How is Social Media Used?

So your organization wants to “use” social networking. Why? For many organizations considering the use of social media a vague idea may exist that they “should” be doing that. However, clear organizational goals may not exist concerning the use of social media. As a threshold issue, before even considering specific legal issues, organizations must have a clear idea of why they want to use social media.    Companies should identify the business process or organizational strategy they are seeking to advance by the use of social networking. They should be able to establish goals and metrics in order to measure success and allow for the adjustment of their strategy if it is not proving successful.   Of course, when the question of why is answered, then the question of “how” must be addressed (and often the two questions must be considered together).

The process of developing a social media strategy tied to specific business processes and goals will enlighten companies as to the legal implications of their use of social networking. While there may be certain legal concerns baked into “social media” in general, many of the legal risks will arise based on the specific business process and goals surrounding the use of social media. In addition, the characteristics of the social media platform(s) an organization chooses to leverage may also impact the legal risks faced by the organization.

While there are as many social media strategies as there are organizations seeking to employ them (in fact, there are certainly many more), we have laid out some “use cases” that will help us explore the legal implications of social media:

  • Direct Interaction. Direct interaction (with customers, "influencers," media, colleagues, etc.) is really the most basic use of social media; it involves an organization using social media to communicate and interact with the general social media population (or subsets of that population). This would happen on various social media platforms such as Facebook, LinkedIn and Twitter, or through a weblog. However, the approach organizations employ to interact may vary, and as discussed later, the differences in approach could impact the legal risks associated with social media. Some approaches for direct interaction include the following: (a) allowing an organization’s general employee population to go out and interact on behalf of the company with little instruction or supervision; (b) allowing an organization’s general employee population to go out and interact on behalf of the company with strict instructions and supervision; (c) identifying a small dedicated group to interact on social media on behalf of the company, including potentially the use of “corporate profiles” not tied to any individual person; and (d) hiring a third party marketing company to interact on social media pursuant to a specific marketing strategy.
  • Company Page/Fan Site. Some social media platforms allow organizations to create “fan pages” (e.g. Facebook) or company pages (LinkedIn). In essence these types of pages/sites allow an organization to set up a centralized presence or "destination" within a social media platform. Interested individuals can then join or follow postings that occur on the organization’s fan page/site, and those visitors can themselves post and interact on the fan page or site. This allows for interaction in a more centralized fashion.
  • Social Media Applications. Some social media platforms may allow organizations to create applications that can be plugged into the social media platform. For example, a mortgage broker with a presence on Facebook could hire an application developer to develop a mortgage interest rate calculator application that Facebook users could operate. This would essentially provide an advertisement for the mortgage company and create goodwill amongst potential customers. In addition, when the application is downloaded by a user, the mortgage company would then get access to certain personal information that is part of the user’s profile. This information can be valuable for targeting prospective customers and data mining purposes.
  • Blogging. While it may not be obvious to everybody, most blogs constitute social media.   Blogs that allow for comments and interaction between the blogger and his readers (and interaction between the readers themselves) are social media. This interaction typically occurs in the “comments” section of a blog. In addition, many organizations use their blog as the kernel for interaction in other social media platforms. So, an organization with a blog might do a post and tweet it on Twitter, cross-post it on their Facebook fan page and post it in a LinkedIn Group, in order to drive traffic to the company’s blogpost (and ultimately website, product or service).
  • Social Plug-ins. Many social media platforms provide “widgets” or “plug-ins” that can be put into a website to allow the content of the website to be commented upon and shared within the social media platform. The plug-in may be in the form of a “button” that allows a website visitor to “like” particular content and have their preference posted in Twitter, Facebook or Digg. Some social media platforms may be seamlessly integrated into a website in such a manner that makes it virtually invisible. Using these plug-ins can help spread an organization’s message to a much wider audience and drive traffic to the organization’s website.
  • Log-In Credentials. Another interesting way social media platforms are being utilized is to allow website visitors to login to an organization’s website employing the log-in credentials they use to gain access to a social media platform. Under this scenario an organization with a website could allow visitors to access the company's website by logging into their Facebook or Twitter account using the same username and password (this is achieved by utilizing the social media platform’s API). The organization benefits in several ways by employing this practice. First, the visitor gets to avoid setting up a new username and password specific to the website, which can be viewed as time-consuming by some visitors. Second, the user is less likely to forget a username/password from a frequently-used social media platform, and this makes logging in very easy. Last, by linking to the social media platform’s authentication credentials, the organization is able to obtain certain personal information about that visitor that is available on the social media platform.

The foregoing use case scenarios are surely the tip of the iceberg, and new social media platforms and strategies are being developed every day. It is in this dynamic environment that organizations must analyze and understand the legal risks associated with the use of social media.

Social Media Legal Issues

As we work through the various legal implications of social media it hopefully will become increasingly clear that context is very important. While we can (and will) talk about broad categories of legal risks that apply to most (or all) social media, a basic formula can be used to identify and analyze the specific legal risks of a particular social media use. The social media legal risk “formula” can be summarized as follows:

  • the inherent characteristics/capabilities/limitations of the social media platform to be leveraged, PLUS
  • the organization’s specific intended social media strategy and uses, REVEALS
  • the relevant legal issues and level of legal risk present.

With this formula in mind we turn to a short summary of the social media legal issues that InfoLawGroup will be exploring in detail as part of its multi-part blog series.

Information Security Legal Risk

Organizations that employ social media face several information security legal issues.   These legal risks can be broken down into three broad categories: (1) potential liability due to a breach of the organization’s security as the result of an attack originating through the use of social media; (2) potential legal risk associated with social engineering and spoofing attacks against users or “fans” of an organization’s social media presence, persona or application; and (3) legal consequences of leakage of third party confidential information as a result of social media use.

As might be expected organized crime views social networks as fertile ground for committing fraud. One of the biggest risks is in the name of the medium itself.  Social media yields social engineering. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” As such social media users are tricked into downloading applications infected with malware because it was “recommended” by a friend, or they click on the link of the “real” Osama Bin Laden dead body photo that looks like it was posted on a friend's wall (and a computer attack occurs), or they visit a site that looks like a brand name company’s fan page and are enticed to provide some of their personal information to criminals. The direct risk to an organization allowing its employees to use social media on company computers is obvious: if malware from social media infects a company computer and steals personal information, credit card numbers or trade secrets, the company may have to provide notice of a security breach and could face lawsuits and regulatory actions arising out of the breach.

Companies may also face liability for failing to detect and notify social media users of scams associated with the company’s name or site. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social application that looks like it is sponsored by the organization, legal repercussions could arise. In the email context we are already aware of lawsuits involving phishing that allege that the defendant should have been aware of scam emails sent to their customers, and should have warned those customers of the scam.

Finally, social media sites and the activities of multiple users for or on behalf of an organization could result in information leakage. If that leakage involves confidential information or trade secrets of an organization’s customer, or perhaps certain financial disclosures in violation of securities laws, liability could arise. The risk of confidential information leakage was recently on display involving the use of LinkedIn.  This risk can also be indirect in its nature, and there are several social media corporate intelligence companies that will data mine and aggregate information about competitors in order to discover leaked secrets, plans and trends.

Privacy

For many companies the Holy Grail of social media is in depth and detailed personal information about their current and would-be customers. Social media provides a platform for much more interactive and intimate communications between companies and their customers. In turn companies seek to use this knowledge to sell their products and services back to these customers (in a way that does not erode the trust relationship that is often gained in the social media context).   Social media platforms enable the gathering of information, including personal information, in ways that were unimaginable only a few years back.   Companies leveraging social media, depending on the platform, can gain access to this personal information. This raises a host of privacy concerns that could increase legal risk. Most social media sites have terms and conditions that may result in legal liability if an organization’s collection or use of personal information violates those terms.    Laws such as COPPA may have applicability with respect to an organization’s “fan” page.    Finally, to what extent do an organization’s privacy policies apply, if at all, to its social media activities?   All of these issues will become increasingly important as use of social media becomes the norm.

IP Infringement

Social media sites allow users and companies to post content, including content that may be copyrighted or trademarked. Posting can be performed not only by employees of organizations using social media, but also fans and visitors to a company’s social media site. Organizations may face infringement claims (direct or based on vicarious liability) due to copyrighted or trademarked materials being posted by them or by third parties.

Disparagement and Defamation

Social media environments provide a forum for defamatory statements to be made about individuals, and disparaging remarks to be made about companies' products and services. Organizations with overzealous employees attempting to get a leg up on competitors may post comments or remarks that may not be fully accurate or true about an individual or a competitor’s products or services. This could lead to a potential lawsuit and liability. Social media sites and blogs that allow comments may also involve such statements made by third parties over which the organization has little to no control. While defenses may exist, including potentially Section 230 of the Communications Decency Act, this area of law is notoriously fact specific and varies by jurisdiction, and it could pose problems for companies.

Employment Law Issues

The use of social media in the employment context raises a lot of tricky legal issues. First, many organizations use social media to vet candidates for employment and as part of background checks. The information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws, and employers may have to obtain an individual’s consent before accessing such information (or may be prohibited from using that information to make employment decisions). During employment, the issue is to what extent an employee may have privacy rights concerning his or her use of social media while at work, and to what extent the employer may monitor such activities. Overzealous employers that create fake social media accounts to monitor social media activities of their employees could also raise legal issues, including issues under the Stored Communications Act, which is part of the larger Electronic Communications Privacy Act. Finally, using social media activities as the basis for firing or taking disciplinary action against employees may run afoul of the law. Recently, there have been a series of “Facebook Firings” where the National Labor Relations Board has alleged that an employer’s action violated the National Labor Relations Act.

Advertising Law

Organizations that use social media to promote their products and services should also be concerned about advertising laws. For example, some social media activities may amount to a contest or sweepstakes and may need to have appropriate disclaimers and notices. In addition, for social media sites that allow users to rate products or services, an employee that “rates up” the products or services of his or her company may violate advertising laws concerning testimonials and endorsements.

Electronic Discovery and Evidence

Social networks are brimming with social interactions and information generated by and about those interactions. That information may be highly relevant in a litigation context, and the parties in a litigation may seek to obtain this information via discovery or subpoena. Questions arise as to whether obtaining this information for use in court is permissible in light of potential privacy concerns. On the flipside, when litigation begins, how should lawyers advise their clients concerning the preservation of information on social media sites, and what kind of problems may arise if a litigant fails to preserve social media information?

Drafting a Social Media Policy

In the final part of this series, we will take a closer look at one of the key controls to address the legal risk associated with the use of social media:  the social media policy. We will look at the key elements and issues that should be addressed in a social media policy, and identify strategies for dealing with this risk. In addition, we will discuss some new technological controls that companies are developing to help organizations understand, monitor and manage social media use and legal risks. Overall, there is much more to come on this topic. Stay tuned! 

Facebook Firing III -- NLRB Strikes Twice in May!

Yesterday, we reported that the National Labor Relations Board (NLRB) took enforcement action on May 9, 2011 against Hispanics United of Buffalo, a nonprofit organization that provides social services to low income clients, for firing employees over Facebook comments.

The NLRB announced today that it took yet another "Facebook firing" enforcement action on May 20, 2011.  In this latest action, the NLRB alleged that a Chicago area BMW dealership fired an employee for posting critical photos and comments on Facebook.

The car salesman and coworkers were concerned about the quality of food and beverages at a dealership event promoting a new BMW model. The salesmen complained that their sales commissions could suffer as a result. Following the event, one salesman posted photos and commentary on his Facebook page criticizing the employer for serving only hot dogs and bottled water to customers at the event. Other employees had access to the Facebook page.

The following week, the dealership’s management asked the salesman to remove the posts, and he immediately complied. Nevertheless, shortly after a meeting with managers, the employee was terminated for posting the images and comments on Facebook.

The NLRB alleged that the employee’s Facebook posting was protected concerted activity within the meaning of Section 7 of the National Labor Relations Act, because it involved a discussion among employees about their terms and conditions of employment, and did not lose protection based on the nature of the comments.

The case is scheduled to be heard by an administrative law judge on July 21, 2011 in the Chicago Regional office of the NLRB.

InfoLawGroup Says:

The NLRB's third enforcement action makes a strong statement about the agency's view on the scope of employee social media protections, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure consistency with the NLRB guidance.

Another Facebook Firing Enforcement Action Brought by NLRB

We previously reported on our blog that a Connecticut ambulance company settled the National Labor Relations Board's (NLRB's) allegations that the company violated an employee’s federal rights by firing her for criticizing a manager on Facebook. The NLRB continues its enforcement blitz with another Facebook firing complaint.

On May 18, 2011 NLRB announced that it filed similar allegations against Hispanics United of Buffalo, a nonprofit organization that provides social services to low income clients. The NLRB alleged that the nonprofit unlawfully discharged five employees after they criticized working conditions, including work load and staffing issues, on Facebook.

According to the NLRB, one employee, in advance of a meeting with management about working conditions, posted to her Facebook page a coworker’s allegation that the organization's employees did not do enough to help clients. Other employees responded on Facebook, defending their job performance and criticizing working conditions, including work load and staffing. After learning of the posts, the employer discharged the five employees who participated in the Facebook exchange. The organization claimed that the employees' comments constituted harassment of the employee originally mentioned in the post.

The NLRB alleged that the Facebook discussion was protected concerted activity within the meaning of Section 7 of the National Labor Relations Act because it involved a conversation among coworkers about their terms and conditions of employment, including their job performance and staffing levels.

The complaint will be the subject of a hearing before an administrative law judge on June 22, 2011, in the Buffalo office of the NLRB.

InfoLawGroup Says:

The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure that the policies balance business needs and employees' rights consistently with federal law and NLRB guidance.

District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA

Every now and then I wonder what goes through the mind of some litigation parties and their respective attorneys. Case in point: the ongoing case of Wendi J. Lee v. PMSI, Inc., 8:10-cv-2904, out of the U.S. Middle District of Florida within the 11th Circuit Court of Appeals.

Ms. Lee filed suit against PMSI, her former employer, in Florida state court after being fired from her position as a Proposal Developer in PMSI’s Marketing Department. In her complaint she alleged violations by PMSI of Title VII of the Civil Rights Act and Florida’s analogous Civil Rights Act of 1992 (FCRA), for “discrimination because of pregnancy.”

After removing to federal court, PMSI moved to dismiss count 2 (the FCRA claim), which was denied, and then answered, which was in turn followed by an amended answer with a counterclaim “for violation of the Computer Fraud and Abuse Act, as amended by the Computer Abuse Amendments Act of 1994, 18 U.S.C. §§ 1030 and 2707.” PMSI’s counterclaim maintained that “Lee’s internet usage substantially exceed the usage of her coworkers in the Marketing Department” and that such usage “exceeded her authorization to use the internet by accessing and spending large amounts of paid work time visiting personal websites such as Facebook . . . while on company paid time and from a company owned computer.”

The Court's Order in response struck PMSI's attempted use of the CFAA with prejudice.

In its counterclaim PMSI concluded that Lee's actions violated the Company’s Computer Usage Policy and that as to the necessary CFAA hook “[t]he Company suffered a loss from this unproductive time that Lee spent on these unauthorized websites” which “[a]s a direct and proximate result of the . . . conduct by Lee . . . suffered financial losses in excess of $5,000, due to her lack of productivity, as work that should have been performed by her had to be given to others and in wages paid to her.”

The Court's Order

In response, Ms. Lee moved to dismiss the counterclaim via a Motion to strike Defendant's Untimely Amended Pleading and Counterclaim or Alternativly [sic] to Dismiss Defendant's Counterclaim. In a workmanlike six-page Order, U.S. District Judge Steven D. Merryday granted Ms. Lee’s motion and dismissed PMSI’s counterclaim with prejudice while reinstating PMSI’s original Answer.

Frankly, had the court held otherwise virtually every employee with computer access around the country – or rather, at least within the Middle District of Florida - would have been subject to a CFAA counterclaim if fired and thereafter attempting to sue in response. Judge Merryday’s Order notes that “[t]he CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to ‘access and control high technology processes vital to our everyday lives....’ * * *  Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working.”

From this second paragraph of the Order it was all downhill for PMSI. In discussing PMSI’s attempted damages hook as to Lee’s alleged “lost productivity” due to surfing the Internet the court, and I can’t help but applaud the Judge’s ability to maintain a straight face in his prose, stated “[t]he defendant asserts (dubiously) that during her six months of employment, the plaintiff caused the defendant ‘financial losses in excess of $5,000, due to her lack of productivity . . .’ (Doc. 12) The definition of ‘loss’ contemplates damage to a system or data, rather than a lack of productivity.” It’s one thing to argue zealously on behalf of one’s client; it’s quite another to attempt to stretch a statute, flawed as the CFAA is, to such lengths that an Acme Giant Rubber Band of the type favored by Wile E. Coyote would snap.

In putting PMSI’s counterclaim to bed, the court further observed that:

“PMSI fails to show that the plaintiff ‘exceeded authorized access’ or obtained information from the computer. ‘Exceeds authorized access’ is defined as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never ‘obtained or alter[ed] information in the computer.’ Lee accessed her facebook, personal email, and news websites but did not access any information that she was ‘not entitled so to obtain or alter.’"

Applying the final thrust, Lee’s actions may have violated the company’s usage policies, in the court’s view, but PMSI’s attempted shoehorning of her conduct into the CFAA was a distinct no-go. And in a footnote aside, that fairly screamed READ THE STATUTE AND APPLICABLE CASE LAW NEXT TIME, the court dryly quipped, “18 U.S.C. § 1030(a)(2)(C) also requires that the information be obtained from ‘a protected computer’ which is defined as a computer ‘which is used in or affecting interstate or foreign commerce or communication.’ 18 U.S.C. § 1030(e)(2)(B). The defendant fails to allege that the plaintiff accessed a ‘protected computer.’"

And, with a final light touch, Judge Merryday closed with the backhand that “[e]xtension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir. 2003).”

Bottom-Line

As we all know in litigation, to egregiously mangle a metaphor, sometimes the bear gets you and sometimes you get the bear. Here PMSI was more than "gotten" by the bear, as it were. Thankfully so. Still, it's a lesson as to when aggressive or sloppy representation crosses over into mere aggravation for all concerned, particularly when the often troublesome CFAA is involved. 

FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement

The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission’s numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents:

  • The first FTC settlement order that requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ information; and

Let’s dive in (make sure to read the "Action Item" at the conclusion of the post!):

Factual Allegations

The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.

The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.

The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Google did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.

The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.

Violations of the FTC Act

The FTC alleged that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and Section 5 of the FTC Act prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:

  • By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;
  • By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and
  • By not respecting users’ privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public in connection with Buzz -- engaged in deceptive acts or practices.

U.S.-EU Safe Harbor Framework Violations

The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.

The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.

Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:

  • Notice of how the company uses their personal information (the Notice principle);
  • Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and
  • The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).

In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.

The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.  

Settlement

The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.

Prohibition Against Misrepresentations

The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report on Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers ("Privacy Report") argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.

Notice and Consent

The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices. 

Comprehensive Privacy Program

The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of this requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout their organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.

The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Google must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.

Specifically, the settlement requires Google to:

  • Designate staff responsible for the privacy program;
  • Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;
  • Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;
  • Require relevant service providers by contract to implement and maintain appropriate privacy protections; and
  • Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.

Compliance Requirements

In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:

  • Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and
  • Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment. 

The settlement also requires Google to:

  • Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;
  • Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;
  • Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;
  • Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and
  • Notify the FTC of changes in the company’s corporate status.

Action Item

As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.

InfoLawGroup's Boris Segalis Interviewed by Fox Live on NLRB Facebook Firing Settlement

Yesterday we wrote on our blog about the NLRB's Facebook firing settlement. I was interviewed on Fox Live this morning about the case, its implications for employees and businesses, and other developments in workplace privacy. You can view the clip by clicking here.

Employer Settles Facebook Firing Suit with NLRB

The National Labor Relations Board (NLRB) has announced that a settlement has been reached in the closely watched Facebook firing suit brought by the agency.

We have previously reported that the NLRB filed an administrative complaint against a Connecticut ambulance company alleging that the company violated an employee’s federal rights by firing her for criticizing a manager on Facebook. In the complaint, the NLRB took the position that union and non-union employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The NLRB also alleged that the company maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. The complaint asserted that an employee’s right to criticize the employer and management is an extension of the federal right to discuss unionization and form unions.

Under the terms of the settlement approved by the NLRB’s Regional Director Jonathan Kreisberg, the company agreed to revise its policies to ensure that they do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work. The company also committed not to discipline or discharge employees for engaging in such discussions. The allegations involving the employee’s discharge were resolved through a separate, private agreement between the employee and the company.

The NLRB hopes that the action delivers a broader message to employers. According to AP, Mr. Kreisberg stated that the settlement “sends a message about what the NLRB views the law to be.” Mr. Kreisberg viewed as most significant the employer’s agreement to revise its rules to relax the restrictions on the employees’ right to discuss their work conditions with others and with their fellow employees. Mr. Kreisberg added that the NLRB is looking at a growing number of complaints that explore the limits of corporate Internet policies.

The NLRB suit and the settlement do not mean that the right to talk about employers on the Internet or outside of work is absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected. In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law.

The action item for employers is to carefully review and, when appropriate, revise their social media and employee conduct policies to ensure that the policies balance business needs and employees' rights consistently with federal law and NLRB guidance.

Employee Privacy Gains in the United States

2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.

Traditionally, in the U.S., employees have enjoyed little privacy in the workplace. With respect to workplace communications, for example, employees generally are deemed not to have “a reasonable expectation of privacy.” With some limitations, this allows employers to freely monitor and review employee communications. Employees in the U.S. often must abide by company rules that limit or prohibit personal use of workplace email and provide for monitoring of all employee electronic communications. Companies also may impose sanctions on employees for criticizing or disparaging the employer outside of work, including on social networking websites. In another example of limited workplace privacy, employers regularly obtain credit reports regarding job applicants or employees being considered for promotions. While obtaining a credit report for employment purposes requires the consent of the individual, applicants and employees often are reluctant to withhold consent for fear of compromising their chances of landing a job or a promotion. Many employers obtain credit reports regardless of whether financial considerations are relevant to the job.

The recent court decisions, laws and agency actions we recap in this blog post are changing the workplace privacy rules. Employers should consider these developments carefully in evaluating their human resources, information technology, electronic communications and other policies that affect employee privacy. 

U.S. Supreme Court Offers Guidance on Employee Privacy in City of Ontario, California v. Quon

On June 17, 2010, the U.S. Supreme Court ruled in City of Ontario, California v. Quon that a police department did not violate an officer’s Fourth Amendment rights when the officer’s supervisor reviewed personal text messages the officer sent using a work-issued pager. The Court held that the search of the messages was reasonable, and did not resolve the question of whether the officer had “a reasonable expectation of privacy” in the text messages. The Court stated that it was reluctant to wade into the employee privacy debate in light of the novelty of the issue, the implications of opining on emerging technology before its role in society has become clear, and the risk of making a ruling that is not fully informed.

The Court, however, set out some of the issues it could have considered had it been inclined to make a ruling on the employee’s privacy expectations. The Court observed that in Quon a finding of an expectation of privacy in text messages could have been supported by the ubiquity of mobile communications that makes the communications essential or necessary instruments for self-expression, even self-identification. On the other hand, the Court suggested that the ubiquity of messaging devices also made them generally affordable, so that employees who need mobile devices for personal use can purchase and pay for their own. The Court observed that employee communications policies shape the reasonable expectations of their employees, especially when such policies are clearly communicated to the employees. The Court left open, however, the possibility that a supervisor’s statement guaranteeing the privacy of an employee’s communications, even if contrary to the company policy, may create an expectation of privacy in the communications by the employee. The Court also noted the difference between an employer’s review of workplace communications vs. personal communications. Specifically, the Court observed that an audit of messages on an employer-provided device was not nearly as intrusive as a search of an employee’s personal email account or pager would have been.

Lower courts likely will look to the Supreme Court’s views on employee privacy in considering privacy claims. Likewise, employers should consider the Court’s discussion of employee privacy in developing and implementing employee monitoring policies. The key lessons for private employers from Quon are to (i) have a communications policy that is clear and comprehensive in scope and clearly communicated to employees; (ii) train management to follow company policies and not contradict them; (iii) when conducting a review of communications that might be inconsistent with the company’s electronic communications policy, ensure that there is a legitimate business reason for the review and be cautious to review only what is necessary; and (iv) stay abreast of changes in privacy laws and relevant court decisions.

New Jersey Supreme Court Upholds Privacy Claims in Stengart v. Loving Care Agency, Inc.

Private employers should pay equal if not greater attention to many state court cases that have dealt with the issue of employee privacy. Unlike Quon, these state court decisions (as well as federal court decisions that apply state law) are directly applicable to private employers. In arguably the most important state decision on employee privacy of 2010, the New Jersey Supreme Court ruled, on March 30, 2010, for the former employee on the employee’s claim that the state’s common privacy law protected certain of the employee’s emails from review by her employer.

The New Jersey Supreme Court considered whether the former employee – Ms. Stengart – had a reasonable expectation of privacy in certain emails she exchanged with her attorney. The email exchange took place over Stengart's personal, web-based email account. Stengart, however, used her company-issued computer for the communications. Images of the emails were saved by the employer’s monitoring system, which retained every web page visited on the computer. In the course of subsequent litigation against Stengart, Loving Care – the former employer – retrieved Stengart’s communications with her attorney from the laptop and sought to use the emails in the litigation. Stengart argued that the employer could neither review the emails nor use them in the litigation because she had a reasonable expectation of privacy in the communications. The New Jersey Supreme Court agreed. 

The Court found the company’s electronic communications policy to be ambiguous and interpreted the ambiguity against the employer. The policy stated that the company could review any matters on the company’s media systems and services at any time, and that all emails and communications were not to be considered personal or private to employees. The Court found the policy’s disclosure of employee monitoring insufficient because it did not inform employees that the company stored and could retrieve copies of employees’ private web-based emails. The Court also concluded that the policy failed to state expressly that the company would monitor the content of email communications made from employees’ personal email accounts when they were viewed on company-issued computers. The Court held that Stengart had a subjective expectation of privacy in communications she sent using her personal web-based email account, and that the company’s ambiguous boilerplate electronic communications policy did not quash Stengart’s expectation of privacy in the emails.

The Court acknowledged that employers may adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business. The Court held, however, that an employer may not read the contents of an employee's attorney-client communications sent or received using personal web-based email. The Court held that a policy that allows the employer to review such communications is unenforceable. 

Although the decision dealt with attorney-client communications, it also has implications for any personal emails (such as communications regarding health or financial issues) employees send over private web-based email accounts. For example, the court noted that employers that record and review screen shots on workplace computers will need to provide employees with a detailed, specific notice of such monitoring to the extent the screen shots also record emails employees send or receive via private web-based accounts. The Court also cautioned that a policy that permits “occasional personal use” of workplace email systems may create an expectation of privacy by employees with respect to personal emails they send or receive via company email. 

NLRB Alleges Firing an Employee for Facebook Comments Violates Federal Law

On November 8, 2010, the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB took the position that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The terminated employee was a union member, but the NLRB asserted that the right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions.

Employers should consider the NLRB complaint carefully in reviewing their policies regulating social media use and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company “in any way” on Facebook or other social media sites where the employees posted their pictures, or from making disparaging or discriminatory comments when discussing the employer or management. The NLRB action does not mean that the right to talk about employers on the web or outside of work is absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee’s manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law.

States and Federal Regulators Push to Restrict Use of Credit Reports for Employment Purposes

The drive to limit the use of credit reports for employment purposes is in large part a reaction to the damage the continuing economic downturn has inflicted on individuals’ credit histories, creating a barrier to the individuals’ ability to reenter the workforce.

In 2010, Illinois and Oregon enacted legislation that limits the use of credit reports for employment purposes. Similar laws are in place in Hawaii and Washington and are being considered in Connecticut, Illinois, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, the federal Equal Employment Opportunity Commission (EEOC) filed an unusual action accusing an employer of discriminating against black job applicants in the hiring process on the basis of using the applicants’ credit histories.

The Illinois law, the Employee Credit Privacy Act, became effective January 1, 2011. The Act makes it illegal for employers to discriminate against job applicants on the basis of their credit histories and outlaws inquiries about applicants’ and employees’ credit histories. The law permits employers to conduct background investigations that do not include a credit history or report. In addition, the Act allows employers to obtain and consider credit reports in connection with jobs that involve (i) bonding or security under state or federal law; (ii) custody of, or unsupervised access to, $2,500 or more in cash or marketable assets; (iii) signatory power over businesses assets of $100 or more per transaction; (iv) management and control of the business; or (v) access to personal, financial or confidential information, trade secrets, or state or national security information. The law includes a private right of action, including the right to sue for injunctive relief and obtain attorneys’ fees.

The Oregon law came into effect on July 1, 2010. With certain exceptions, the law prohibits Oregon employers from using credit history in making hiring decisions or any decision affecting current employees. The law exempts from the prohibition federally-insured banks and credit unions, businesses required by law to consider employee credit history, and police and other public employers when hiring for law enforcement or airport security positions. In addition, the law permits employers to conduct credit checks for “substantially job-related reasons” provided the reasons are disclosed to the employee in writing. The Oregon law gives individuals the right to file an administrative complaint or a private lawsuit, and allows the recovery of attorneys’ fees.

While there is no federal prohibition against the use of credit reports for employment purposes, it appears that federal regulators may be seeking to curtail the practice. Specifically, in December 2010, the Equal Employment Opportunity Commission sued an employer in connection with use of credit reports in the hiring process. The EEOC alleged that the company used the reports in a way that discriminated against black job applicants. Emphasizing the broader reasons for the suit, the EEOC signaled that it believes that employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job. The EEOC noted that credit histories are not compiled to evaluate responsibility, are often inaccurate, and may not be a good indicator of an individual's qualifications for a particular job. In the suit, the EEOC alleged that rejecting applicants based on credit histories had a significant disparate impact on black applicants. In addition to other relief, the EEOC is seeking a permanent injunction to stop the employer’s use of credit histories in hiring and other employment decisions.

Additional Information Regarding Workplace Privacy Issues

For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email bsegalis@infolawgroup.com for registration details.

 

Castillo and Phaknikone: Let the Social Network Evidence Begin

Say you commit a crime. Let’s say the crime involves illegal possession of a firearm. Say that in the past you have posted information on Facebook or MySpace or Twitter or Flickr or YouTube or any other social network or Internet site. Say your posts included a photo on MySpace of you wearing a ski mask; holding a semi-automatic AR-15 rifle; making, umm, expletives; threatening your ex-wife; and, to say it as a court would say it, “displaying” your middle finger.

Say your ex-mother-in-law tells the police about your MySpace photo, and you get busted and prosecuted for federal firearms offenses. Can the MySpace photos and information, including you and your assault rifle and finger and threats, be admitted as evidence in the case against you?

Yes, says the United States Court of Appeals for the Eleventh Circuit last week in one of the first appellate opinions on the admissibility of evidence from social networks. United States v. Castillo.

Don’t worry about challenging the authenticity of the photo. That was such a long shot in Castillo that authenticity was not even raised on appeal.

How about arguing that the likelihood that the inflammatory and prejudicial impact of the photo outweighs its probative value? And that the photo is not even relevant because the AR-15 in the photo is not the firearm that you are charged with possessing illegally? The Castillo court held that the trial court was justified in allowing the jury to consider the photo with an instruction to the jury to ignore the finger and threats. The court ruled that possession of any "assault rifle" – even a gun other than the gun involved -- was relevant to the crime charged.

Or take a different case. Say you rob a bunch of banks, and at your criminal trial your MySpace profile page and account information and photographs from your MySpace are offered as evidence. One of the photos shows you holding a handgun. You get caught and prosecuted for bank robbery and weapons charges, and the prosecution offers the MySpace information as evidence. Under these circumstances, in a case that the U.S. Supreme Court declined to review yesterday, the trial court admitted the MySpace information as evidence. Though the Eleventh Circuit held that the MySpace evidence was inadmissible character evidence, the conviction was confirmed because of other overwhelming evidence. U.S. v. Phaknikone.

The messages of Castillo and Phaknikone are both clear and apparently contrary to what most users of social networks believe: you should assume that anything you post on a social network site will be discovered and admitted in any litigation, civil or criminal, in which you become involved.
 

Social Networking: Setting Boundaries in a Borderless Brave New World

The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.

When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.

Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.

Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.

Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media.  In several developed countries, a third or more of the population uses Facebook, many on a daily basis.

Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.

Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.

So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.

It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.

It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.

It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.

It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.