NLRB Issues Second Report Reviewing Social Media Enforcement Actions

On January 25, 2012, the National Labor Relations Board (“NLRB”) Office of the General Counsel released a report summarizing fourteen cases that were before the NLRB concerning the “protected and/or concerted nature of employees’ social media postings and the lawfulness of employers’ social media policies and rules” (“Report”). The Report followed up on an earlier report issued by the NLRB Office of the General Counsel on August 18, 2011, and reiterated two main principles set forth in that earlier report:

  • Employer policies should not be so broad such that they prohibit, discourage or chill activity that is protected by Section 7 of the National Labor Relations Act (“NLRA”) (e.g., discussion of wages or working conditions). Specifically, the Report made clear that:
    • Specific examples of the type of conduct prohibited should be included in any social media policy (e.g., “do not disclose trade secrets” rather than “do not post sensitive information about the company”).
    • The policy should carefully carve out and protect employees’ specific rights under the NLRA; a general savings clause is insufficient.
    • The policy should not use vague terms like “appropriate” or “professional” without providing clear definitions for those terms.
  • Employee comments on social media networks generally are not protected if those comments are mere complaints about or general dissatisfaction with the job (e.g., “I hate my job!” or “My boss is mean!”). The comments will be protected if they are associated with an expression of shared concern, such as a dialogue about how bad the work environment is and what employees can do to fix it in response to a single employee’s wall post about the job.

Summaries of each of the cases reviewed in the Report are as follows:

1. Employee Discussion on Facebook Can Be Protected Concerted Activity

  • The terminated employee had posted on Facebook about what she described as a demotion, which she thought was unfair and unwarranted given her performance. Several co-workers with whom she was also Facebook “friends” posted their support, including comments discussing the employer’s dishonest and unfair practices. The employee was terminated five days after her post for violating the employer’s rule prohibiting “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The NLRB found the rule unlawful because it would “reasonably be construed to restrict Section 7 activity, such as statements that the Employer is, for example, not treating employees fairly or paying them sufficiently.” The NLRB further found that the employee’s initial post and the discussion it generated fell within the definition of “concerted activity,” since the discussion clearly centered on working conditions.

2. Broad Policies That Do Not Provide Examples or Clear Definitions Are Often Found Invalid by the NLRB

  • An employer implemented a social media policy “restricting the use of the employer’s confidential and/or proprietary information provided that, in external social networking situations, employees should generally avoid identifying themselves as the employer’s employees, unless there was a legitimate business need to do so or when discussing terms and conditions of employment in an appropriate manner.” The policy did not define what “appropriate” or “inappropriate” meant, so employees could “reasonably interpret the rule to prohibit protected activity, including criticism of employer’s labor policies, treatment of employees and terms and conditions of employment.”
  • A provision required “that social networking site communications be made in an honest, professional, and appropriate manner, without defamatory or inflammatory comments regarding the employer and its subsidiaries, and their shareholders, officers, employees, customers, suppliers, contractors, and patients.” Without definitions of broad terms like “professional” and “appropriate,” the provision could be construed to prohibit communications protected by the NLRA.

3. Policies that Subjectively Infringe on NLRA Section 7 Rights Are Invalid

  • An employer discharged an employee for violating a company policy stating that “insubordination or other disrespectful conduct” and “inappropriate conversation” would be subject to disciplinary action. The NLRB found that this policy “would reasonably be construed by employees to preclude Section 7 activity.”
  • An employer’s social media policy “prohibits employees from using social media to engage in unprofessional communication that could negatively impact the employer’s reputation or interfere with the employer’s mission or unprofessional/inappropriate communication regarding members of the employer’s community.” Although the rule contained some clear examples of unprotected conduct (e.g., revealing trade secrets), it also contained examples that could reasonably be read to include protected conduct and, therefore, could “be construed to chill employees in the exercise of their Section 7 rights.”

4. Social Media Policies Inhibiting Free Communication Between Employees and Between Employees and Third Parties Are Generally Invalid

The Report discussed the following overbroad provisions from a single social media policy:

  • A provision that prohibited employees from “disclosing or communicating information of a confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department” is unlawful because employees have a Section 7 right to discuss terms and conditions of employment with third parties, and the provision was broad enough to cover such discussion.
  • A provision preventing use of the company’s name or service marks outside of the course of business without prior approval of the law department is unlawful because employees have a right to use their employer’s name or logo in conjunction with protected concerted activity, such as communicating with fellow employees or the public about a labor dispute.
  • A provision prohibiting employees from publishing “any representation about the company without prior approval by senior management and the law department” is unlawful because employees have a Section 7 right to make representations about their employer that are “part of and related to an ongoing labor dispute.”
  • A provision providing “that employees needed approval to identify themselves as the employer’s employees and that those employees who had identified themselves as such on social media sites must expressly state that their comments are their personal opinions and do not necessarily reflect the employer’s opinions” is unlawful because it stifled employees’ ability to identify one another as co-workers, thus inhibiting their ability to organize, a right protected by Section 7.
  • A provision “requiring employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination” is unlawful because it inhibits employees from organizing and discussing working conditions among themselves rather than first with management.

5. Social Media Policies that Are Adequately Tailored to Uphold Workplace Confidentiality and Discrimination Rules are Lawful

  • The policy originally prohibited discriminatory, defamatory, or harassing posts about specific employees, the work environment or work-related issues on social media sites. Broad terms like “defamatory,” especially when applied to work-related issues, could be construed to apply to protected activity. The amended policy instead prohibited “the use of social media to post or display comments about coworkers or supervisors or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.” The amended policy could not reasonably be construed to apply to protected activity, because it provides a “list of plainly egregious conduct.”
  • The employer’s social media policy provided that “the employer could request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws. [Further,] [i]t prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients, and it also prohibited employees from discussing in any form of social media “embargoed information,” such as launch and release dates and pending reorganizations.” In context, the prohibition applied only to communications that could implicate securities regulations or disclose proprietary information and, as such, was narrowly tailored and withstood scrutiny.

The Report also provides updated guidance regarding the scope of “concerted activity” under Section 7:

1. Facebook Posts Are Not Concerted Activity Where No Co-Worker “Friends” Join the Discussion and the Post Does Not Seek to Induce Group Action

  • The terminated employee (a truck driver) posted to Facebook criticizing the way the business was run, including that the company was “running off all the good drivers.” No other employees joined the discussion, and the employee’s comments did not attempt to induce group action. The NLRB further noted that there was no “unlawful surveillance,” since the employee had invited his supervisor to be his Facebook “friend.”
  • The terminated employee posted criticism of a supervisor on Facebook, including the phrase “setting it off,” which the employer deemed threatening and inappropriate. The post was not concerted activity: although it addressed terms and conditions of employment, the employee did not intend to initiate or induce co-workers to engage in group action, and no co-worker “friends” responded to it.

2. Social Media Postings That Are a Direct Result of Concerted Activity Are Protected

  • The terminated employee, in whom other employees confided about on-the-job issues, posted about those shared concerns over the terms and conditions of employment. Co-worker responses to her posts contained suggestions for group action to change those conditions. Her termination was found unlawful because it was directly related to her “involvement in her co-workers’ work-related problems, including her discussions with fellow employees about the terms and conditions of employment.”
  • The terminated employee made various online posts (e.g., on local newspaper message boards) and Facebook posts about the employer’s poor management style, which allegedly included bullying, harassment and abuse of employees that had been ongoing for at least three years. Several co-workers posted messages of support on the terminated employee’s Facebook page, e.g., “Thank you for speaking for us who do not dare.” Since the posts were part of an ongoing labor dispute over the treatment of employees, and the statements were a “logical outgrowth of other employees’ concerns or were made with or on the authority of other employees,” they were protected by Section 7 as complaints about unfair labor practices. The NLRB further found that the comments were not unprotected disparagement or defamation.

3. Comments to Facebook Postings Have Equal Protection and Privilege As Original Postings

  • The terminated employee posted his frustration on Facebook that another individual had been promoted over him and that promotions were not aligned with performance. Responses to his post included suggestions that all the good employees should quit. These posts demonstrated “shared concerns about the terms and conditions of employment” and were therefore “concerted activity for mutual aid and protection” protected under Section 7.
  • The terminated employee posted on a co-worker’s Facebook wall about his supervisor’s bad attitude and poor management style, and the co-worker agreed, responding that she wished she could work elsewhere. The employees had previously complained about the supervisor to a higher-up. Protest of supervisory action is protected under Section 7, and the NLRB found that the discussion constituted “concerted activity for mutual aid and protection.” The NLRB further found that the comments were not unprotected disparagement or defamation.

As we have previously noted in prior posts about the NLRB’s social media enforcement actions, employers should carefully review and adjust their social media policies and practices in light of the NLRB’s guidance and enforcement. Social media policies must be narrowly tailored so as not to infringe upon employees’ Section 7 rights.


The Legal Implications of Social Networking Part Three: Data Security

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). After fourth-quarter year-end madness and a few holidays, Part Three is ready to go. In this post, we explore how security concerns and legal risk arise and interact in the social media environment. As before, the intended audience for this blog post is organizations seeking to leverage social media and to understand and address the risks associated with its use.

As might be expected, criminals view social media networks as fertile ground for committing fraud. Three main security issues pose potential legal risk. First, to the extent that employees access and use social media sites from company computers (or, increasingly, from personal devices connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks; here the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could have an adverse business and legal impact when confidential information is compromised.

Social Media = Social Engineering

One of the biggest social media security risks reveals itself in the name of the medium itself: social media yields social engineering. In short, when it comes to social media attacks, an organization’s own employees may be its worst enemy. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” Social media users may be tricked into downloading applications infected with malware because a posting was “recommended” by a friend. For example, almost immediately after Osama Bin Laden was killed by U.S. troops, one Facebook scam installed malware on computers using a malicious (and false) link to the “real” photo of his body that appeared to be posted on a friend’s wall. In addition, some scams have used the messaging capabilities within social media platforms to initiate computer attacks. Unfortunately, if a company’s employee is scammed and downloads malware from a social media network onto the company network, it may be the company that faces legal liability.

In addition, fraudsters use the trust users place in the social media platform itself to effectuate security breaches. For example, most would feel fairly comfortable clicking on an advertisement displayed on Facebook. However, in some cases that click could result in a “malvertisement” infection.

Another common attack technique is phishing. Criminals create fake email notices that appear to come from social media sites. Unsuspecting users who click on links in these emails may end up entering sensitive information into fake websites that mimic the social media site they belong to, or downloading malware onto a company system. Unfortunately, even an employee giving up only his or her personal social media password can be risky for a company: many individuals reuse the same password at multiple sites, so a disclosed social media password may also be the password to the employer’s network.
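The phishing pattern described in the paragraph above, as an added example that is not part of the original post, in Python using only the standard library: it parses a constructed “notification” email (the sender address, the link targets and the list of genuine brand domains are assumptions for illustration) and flags a sender whose display name claims the brand while the address domain does not, links whose target host is neither the brand’s domain nor a subdomain of it, links whose visible text names a different host than the real target, and Punycode-encoded hosts of the kind used for homoglyph lookalikes.

```python
"""Flag lookalike links and a spoofed sender in a social media "notification" email.

Added example, not from the original post. Standard library only; the brand
domain list and the sample message below are constructed assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brand actually sends from and links to (assumed for this example).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "linkedin": {"linkedin.com"},
}

# Constructed sample: claims to be a Facebook notification, but links mostly elsewhere.
SAMPLE_EMAIL = """\
From: "Facebook" <notification@facebook-security-alerts.com>
To: employee@example.com
Subject: You have 3 unread messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have new messages waiting.</p>
<p><a href="http://facebook.com.login-verify.net/m/">www.facebook.com/messages</a></p>
<p><a href="https://www.facebook.com/help/">Help Center</a></p>
<p><a href="http://xn--facebok-1wa.com/login">Log in</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL; bare text like 'www.example.com/path' is accepted too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def belongs_to(host, domains):
    """True if host is a brand domain or a subdomain of one.

    Matching on the suffix is what catches 'facebook.com.login-verify.net': the
    brand name is at the front, but the registrable domain is login-verify.net.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def check_links(html, brand):
    """Return (kind, href) findings for anchors that do not lead to the brand."""
    collector = _LinkCollector()
    collector.feed(html)
    domains, findings = BRAND_DOMAINS[brand], []
    for href, text in collector.links:
        host = host_of(href)
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(("punycode_host", href))  # IDN homoglyph lookalike
        if not belongs_to(host, domains):
            findings.append(("off_brand_host", href))
        # Heuristic: visible text that looks like a URL but names another host.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != host:
            findings.append(("text_href_mismatch", href))
    return findings


def check_message(raw, brand):
    """Check the sender and every HTML link of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        claims_brand = brand in (addr.display_name or "").lower()
        if claims_brand and not belongs_to(addr.domain.lower(), BRAND_DOMAINS[brand]):
            findings.append(("spoofed_sender", addr.addr_spec))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content(), brand))
    return findings


if __name__ == "__main__":
    for kind, target in check_message(SAMPLE_EMAIL, "facebook"):
        print(f"{kind:20} {target}")
```

Run as a script it prints one line per finding; the genuine Help Center link produces none. The suffix comparison in belongs_to is the part worth copying: lookalikes routinely put the real brand name at the front of a host under a domain the attacker controls, so a substring match on “facebook.com” would pass the very link the page warns about.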

There is increasing evidence that criminals are using social media to target key company personnel in order to burrow into company networks and steal trade secrets and other sensitive information. The wealth of personal information users share on social media sites provides ammunition for such attacks. Fraudsters can gather details about a user before engaging in an attack (e.g., employer, address, phone number, friends, affiliated companies) and then use those details to tailor the attack to the individual(s), such as a spear-phishing email. In fact, this very technique appears to have been used in one of the biggest breaches of 2011, the RSA breach.

With regard to legal risk, companies suffering a breach arising out of social media face the same risks as for any other security breach. If malware infects a system or an employee is tricked into providing his or her login credentials, and confidential or personal information is stolen, the employer may face lawsuits or regulatory scrutiny. Actions alleging breaches of NDAs may also come from third parties whose trade secrets or other confidential information the company holds. Moreover, if personal information is accessed or acquired as a result of the breach, notification may be necessary and the employer would have to bear the related costs.

Social Media Spoofing and Hijacking

Companies may also face legal liability for failing to detect and notify social media users of scams associated with the company’s social media site or key personnel with social media presences. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social media application that looks like it is sponsored by the organization, legal repercussions could arise. Similarly, fraudsters could create fake profiles of key company personnel in order to commit crimes.

Security and legal risks can also arise if hackers are able to take over a company’s fan page or social media profiles of key company personnel. By creating a fake fan page or profile, or hijacking an existing fan page or profile, fraudsters could send out messages with malware to all of the individuals who joined the fan page or trick customers into disclosing sensitive information.  From the legal risk perspective, while case law is sparse, companies that fail to have fake fan pages removed or that fail to warn their customers of scams that look like they come from the company, could face legal liability.

Confidential Information Leakage

Another important business and legal risk arises out of potential confidential information leakage on social media sites.

Imagine a company that is heavily reliant on traditional sales methods and has built up a customer list (a trade secret) with key, difficult-to-find contacts. Oftentimes, companies like this rely on key salespeople to bring in large portions of their revenue. Perhaps seeking to be on top of modern marketing practices, some of these salespeople establish LinkedIn accounts and naturally begin linking to dozens or perhaps hundreds of friends, colleagues and customers. On LinkedIn, if privacy settings are not configured properly, all of the contacts of these key salespeople could be publicly viewable. If so, it would not be difficult for a competitor simply to view and record those contacts, potentially exposing the company’s customer list and key customer contacts.

Take it one step further. Suppose one of the key salespeople leaves with the customer list and the company sues, alleging misappropriation of a trade secret. One of the elements for establishing a trade secret is reasonable efforts to keep the information confidential. By allowing the salesperson to display all of his contacts on LinkedIn, has the company effectively failed to maintain that confidentiality and lost its trade secret protection?

In 2010, we saw an Eastern District of New York case that looked at this issue and ruled that trade secret protection was unavailable for a company where the customer list information at issue could be readily ascertained using sites like Google and by viewing LinkedIn profiles. In contrast, in 2011, the court in Syncsort Incorporated v. Innovative Routines, International, Inc., looked at the issue of whether a trade secret posted on the Internet loses its protection. While the court ruled that trade secret protection was not lost under the facts of Syncsort (where only a portion of the trade secret was available for a limited time), it appears that a different set of facts could yield a decision going the other direction.

The inadvertent disclosure of confidential information by employees may also be problematic for organizations. This problem arises when employees mistakenly or unknowingly disclose sensitive information. For example, in September 2011 a Hewlett-Packard executive updated his LinkedIn status and revealed previously undisclosed details of HP’s cloud-computing services. Had he instead posted confidential information about one of HP’s clients, it might have resulted in legal liability. Moreover, for publicly traded companies, certain inadvertent disclosures of financial information could lead to violations of securities laws and regulations.

Even if confidential information is not directly put into a single status update or other post, the aggregated social media postings of multiple employees could yield valuable competitive information. Companies (on their own or through third party service providers) are actively data mining social media sites with the hope of gathering enough bits and pieces of information to provide a competitive edge. Employees may be unwittingly posting what they think is a single piece of non-sensitive data.  However, when combined with multiple data points from other employees and sources, those innocent disclosures could suddenly reveal company or client confidential information.

Conclusion

In summary, the key security-related legal concerns associated with social media start with the fact that social media provides a rich target environment for criminals. Social media users are literally volunteering information that may be sensitive, and the disclosure of which could lead to legal risk. The culture of sharing present on social media sites itself can lead to over-disclosure by employees, and the pure volume of data that can be mined from social media sites may allow competitors and criminals to connect-the-dots to reveal confidential or sensitive information. Moreover, the sense of trust that comes with social media environments provides an opportunity for criminals to breach security. People may be tricked into providing certain information or downloading malware because they think they are having legitimate communications with colleagues or friends. Finally, the ability to easily spoof or create fake sites or pages in social media sites that look legitimate can lead to increased security risk. With this increased security risk, comes increased legal and liability risk (in an area of law that is very unsettled in terms of who can be liable for a security breach, and to what extent).

How can these risks be addressed and mitigated? First, it is key to understand the social media environment and how the various social media platforms work. The unique characteristics of a particular platform may present risks specific to that platform. Second, organizations need to develop a social media strategy that gets the most out of social media while minimizing risk (Are employees allowed to use social media sites from work computers? Can they talk about the company and its plans on social media sites? What company information can they share there? Should only a handful of marketing-oriented employees be allowed to post about or on behalf of the organization? Can the company monitor social media usage?). Once the strategy is developed, social media policies need to be drafted to reflect the strategy and address the risks. In the security context, a big part of minimizing risk is educating and training employees and providing guidance on how to avoid or minimize it. Technology solutions may also exist that allow for monitoring and tracking of social media usage by employees. Ultimately, however, like social media itself, it comes down to people: risk can only be addressed appropriately if the individuals using social media are equipped to identify and mitigate it.

The Legal Implications of Social Networking Part Two: Privacy

As social media and networking continue to revolutionize modern-day marketing and become the norm for organizations of all types, shapes and sizes, it is even more important to adequately address the legal risks associated with social media use. In Part One of our Legal Implications series, we laid out some background and identified key areas of legal risk. In the next few posts InfoLawGroup is going to look deeper at some of these risks. In this post we explore some of the privacy legal issues that companies should address if they want to leverage social media.

Background

Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.

The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:

  • What types of personal information will the organization have access to?
  • What types of personal information will the organization collect, and how will it use that information?
  • What legal restraints exist with respect to the collection and use of the personal information (e.g., regulations, contracts, internal policies)?

While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.

Key Privacy Legal Issues

  • Social Media Platform Terms of Use

The first place to look for privacy legal obligations is the terms of use of the particular social media platform. Social media platforms attempt to balance the privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions on the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if the user consents to such use (organizations may, however, use connections between two users who have both connected to the application). As a general rule, Twitter’s terms permit companies to reproduce, modify, create derivative works from, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content only through the Twitter API.

In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform. Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and of multiple functionalities and activities within a platform.

For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent. In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords. Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.

Unfortunately, the failure to follow these privacy-related terms of use can get (and already has gotten) companies into legal trouble. That trouble can come directly from the social media platform provider in the form of a ban or a breach of contract action. In addition, a violation of the obligations set forth in a platform’s terms of use may be alleged as the basis for lawsuits against companies using social media.

  • Regulatory Privacy Issues

An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.

A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites embed social media functionality that allows users to comment on a website post or article using Facebook’s or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The first question is to what extent the website’s general privacy policy applies to information gathered through the embedded social media platform. The second is whether the organization’s handling and use of that personal information violates the website’s general privacy policy. As the lines between an organization’s general website presence and its social media presence blur further over time, consistent privacy practices will become increasingly important (note: InfoLawGroup has developed privacy policy language to address this situation).

Beyond the general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children’s Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children. In fact, the FTC recently released proposed revisions to COPPA intended to address social media that is often used by children.

The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as "any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law. For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.

Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated.  It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.

Conclusion

Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.

This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media.  A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.

Nonprofit Must Rehire Employees Axed for Facebook Complaints

In the first decision of its kind, a National Labor Relations Board (“NLRB” or the “Board”) Administrative Law Judge recently ruled on September 2, 2011 that a nonprofit organization unlawfully discharged employees for complaining about their jobs on Facebook. As we have previously discussed on our blog, the NLRB has been very aggressive in enforcing employees' right to engage in work-related discussions on social media. This is the first case involving Facebook that resulted in an ALJ decision following a hearing. Unlike prior NLRB enforcement actions, this case did not target the organization’s social media policy or involve a unionized workplace.

According to the NLRB decision, the employer Hispanics United of Buffalo fired five employees for criticizing work conditions on a Facebook comment thread. After one of the employees notified the NLRB regional office, NLRB Regional Director Rhonda Ley issued a complaint alleging that Hispanics United conducted unfair labor practices in violation of the National Labor Relations Act by “interfering with, restraining, and coercing employees in the exercise of rights” guaranteed in Section 7 of the NLRA. Section 7 provides in part that employees have the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” The NLRB has interpreted Section 7 rights to apply to both unionized and non-unionized personnel.

Judge Arthur Amchan found that the employees were illegally discharged because the Facebook discussion was concerted activity protected under Section 7 of the NLRA. The discussion was protected because it involved a conversation among coworkers about their terms and conditions of employment. Although Hispanics United argued (in part) that the Facebook comments were not protected because persons other than Hispanics United employees may have seen them, Judge Amchan found that “irrelevant” as the first comment in the thread specifically “asked for responses from co-workers.” Furthermore, “just as the protection of Sections 7 and 8 of the Act does not depend on whether organizing activity was ongoing,” Judge Amchan noted, “it does not depend on whether the employees herein had brought their concerns to management before they were fired, or that there is no express evidence that they intended to take further action, or that they were not attempting to change any of their working conditions.” The judge determined that the employees had not engaged in any conduct that could have forfeited their Section 7 rights. According to the decision, the comments were related to subject matter the employees had a protected right to discuss, there were no “outbursts,” and the employees had not violated any Hispanics United policies or rules. Although Hispanics United asserted that the employees’ conduct constituted harassment of an employee named on the Facebook comment thread in violation of its “zero tolerance” harassment policy, Judge Amchan found no evidence in the record supporting Hispanics United’s position.

In a first for a case involving employees' rights in the context of social media, the NLRB judge ordered Hispanics United to reinstate the five employees and awarded the employees back pay. Hispanics United was also ordered to “cease and desist from discharging its employees due to their engaging in protected concerted activities” and to post a notice at its Buffalo facility concerning employee rights under the NLRA and the organization's violations of those rights.

On the heels of the NLRB report on social media enforcement, this ruling provides further guidance to employers regarding the NLRB's application of Section 7 to social media and the growing number of NLRB's social media enforcement actions. As we noted both in the context of discussing the NLRB’s recent enforcement actions and the agency's social media report, employers should carefully review and adjust their communications and social media practices and policies to comply with the NLRB's guidance on employees' Section 7 rights.

NLRB Report Reviews Social Media Enforcement Actions

On August 18, 2011, the Associate General Counsel of the National Labor Relations Board (“NLRB” or the “Board”) issued a report analyzing the Board’s recent social media enforcement actions. The report seeks to provide guidance to employers that want to ensure that their social media policies appropriately balance employee rights and company interests.

As we have discussed on our blog, the NLRB has been very active since late 2010 in enforcing employees’ rights to discuss working conditions through social media. The Board's numerous enforcement actions have focused on employees’ work-related statements on social media platforms such as Facebook, Twitter and YouTube. The enforcement actions have addressed employees’ social media activities in the context of their rights under Section 7 of the National Labor Relations Act to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” Employers may not discipline or terminate employees (either unionized or non-unionized) for exercising their Section 7 rights.

The report suggests that the NLRB views as protected a broad scope of social media activity that addresses working conditions. It also suggests that the Board sets a low threshold for finding that such activity is “concerted” – i.e., “undertaken with or on the authority of other employees, and not solely by and on behalf of the employee himself.” While each enforcement action represents a unique set of circumstances, generally, the NLRB has found employees’ social media activity to be protected when the statements expressed employees’ sentiment about working conditions, whether or not the actual postings involved one or more employees. Examples of activities the Board deemed protected include discussions on social media that implicated working conditions and that were initiated by one coworker in an appeal to other coworkers for assistance; postings provoked by a supervisor’s allegedly unlawful activity; and postings that vocalized employees' sentiment about working conditions that the employees had expressed in off-line conversations, even where coworkers did not post comments to the initial post by one of the employees.

The report also sets out various employee social media policy provisions that the NLRB found to infringe on employees’ Section 7 rights. According to the report, the NLRB may view as unlawful (often because the Board viewed them as overly broad) social media policies that:

  • Prohibit employees from posting pictures of themselves in any media, including the Internet, which depict the company in any way, including postings featuring a company uniform or corporate logo;
  • Prohibit employees from making disparaging comments when discussing the company or the employees' superiors, coworkers or competitors;
  • Generally prohibit, in the application to social media, offensive conduct and rude or discourteous behavior;
  • Prohibit inappropriate discussions about the company, management or coworkers;
  • Prohibit any use of social media that may violate, compromise or disregard the rights and reasonable expectations as to privacy and confidentiality of any person or entity;
  • Prohibit any communications or posts that constitute embarrassment, harassment or defamation of the employer or its employees, officers, board members, representatives or staff members;
  • Prohibit statements that lack truthfulness or might damage the reputation or goodwill of the employer, its staff or employees;
  • Prohibit employees on their own time from using social media to talk about company business, from posting anything that they would not want their manager or supervisor to see or that would put their job in jeopardy, from disclosing inappropriate or sensitive information about the employer, or from posting any pictures or comments involving the company or its employees that could be construed as inappropriate;
  • Prohibit employees from using the company name, address or other information on their personal profiles;
  • Prohibit employees from revealing personal information regarding coworkers, company clients, partners or customers without their consent; or
  • Prohibit the use of employer’s logos and photographs or of the employer’s store, brand or product without written authorization.

As we have previously noted in the context of discussing the NLRB’s social media enforcement actions, the Board’s view of employees’ Section 7 rights in the context of social media requires employers to carefully review and adjust their communications and social media policies and practices. The Board's report further suggests that employers need to tailor their social media policies narrowly to protect company interests without infringing on employees’ rights.

The Legal Implications of Social Networking: The Basics (Part One)

We are in the midst of a communications revolution. Use of social media for communication purposes continues to grow, while "old school" messaging media like email are on the decline. Facebook reportedly has reached 700 million users worldwide and is putatively valued at $50 billion. Advertising revenue expected to be generated from social media is estimated to reach $8.3 billion annually by 2015. Significantly, according to one survey, 81% of companies have implemented (or plan to implement) social networking in order to enhance their exposure. Seventy-three percent of small and medium businesses reportedly employ social media for marketing purposes.

Much like the “Cloud computing revolution," there is an almost frenzied excitement around social media, and many companies are stampeding to exploit social networking. The promise of more intimate customer interactions, input and loyalty, enhanced sales and expanded market share can result in some organizations overlooking the thorny issues arising out of social networking. Many of these issues are legal in nature and could increase the legal risk and liability potential of an organization employing a social media strategy.

Coming on the heels of a white paper we wrote with ACE USA, in this multi-part series the InfoLawGroup will identify and explore the legal implications of social media. This series will help organizations begin to identify some of the legal risks associated with social media so that they may start addressing and mitigating these risks while maximizing their social media strategy.

In Part One of the series, we will provide a high level overview of the legal risks and issues associated with an organization’s use of social media. In subsequent parts members of the InfoLawGroup team will take a deeper dive into these matters, and provide some practical insight and strategic direction for addressing these issues. As always, we view our series as the beginning of a broader conversation between ourselves and the larger community, and we welcome and strongly encourage comments, concerns, corrections and criticisms.

What is Social Media?

For a phenomenon that is taking over the world, one would think that the meaning of social media would be clear. While that may not be the case, we are not going to belabor the issue in this post. Instead we will simply use the definition generated by Wikipedia (itself a form of social media that relies on the collective efforts of its users to come up with the “right” answer): 

Social media are media for social interaction, using highly accessible and scalable publishing techniques. Social media use web-based technologies to turn communication into interactive dialogue.

Examples of websites and internet activities that fall into this definition include: LinkedIn, Facebook, Twitter, Digg, Delicious, StumbleUpon, Foursquare, blogging platforms (e.g. WordPress, Drupal, etc.), Wikipedia, bulletin boards (e.g. phpbb.com), Quora and YouTube.

The InfoLawGroup is a heavy user of social media, and the best way that I have been able to explain our social media is by analogy: social media is like a wide-ranging conversation that can be with the entire world, or on a very intimate level with a single individual, and often both. Social media provides a mechanism for finding communities of like-minded (or not) individuals interested in particular topics (and sub-topics). InfoLawGroup uses social media to engage in conversation concerning issues that are important and interesting to us (and others), and by engaging in that conversation in a meaningful way, others begin to recognize and value our input (and we in turn discover experts, influencers, and valuable information resources). Based on our experience, the key attributes of successful social networking include clear communication, multi-party interaction, trust and intimacy.

How is Social Media Used?

So your organization wants to “use” social networking. Why? For many organizations considering the use of social media a vague idea may exist that they “should” be doing that. However, clear organizational goals may not exist concerning the use of social media. As a threshold issue, before even considering specific legal issues, organizations must have a clear idea of why they want to use social media. Companies should identify the business process or organizational strategy they are seeking to advance by the use of social networking. They should be able to establish goals and metrics in order to measure success and allow for the adjustment of their strategy if it is not proving successful. Of course, when the question of why is answered, then the question of “how” must be addressed (and often the two questions must be considered together).

The process of developing a social media strategy tied to specific business processes and goals will enlighten companies as to the legal implications of their use of social networking. While there may be certain legal concerns baked into “social media” in general, many of the legal risks will arise based on the specific business process and goals surrounding the use of social media. In addition, the characteristics of the social media platform(s) an organization chooses to leverage may also impact the legal risks faced by the organization.

While there are as many social media strategies as there are organizations seeking to employ them (in fact, there are certainly many more), we have laid out some “use cases” that will help us explore the legal implications of social media:

  • Direct Interaction. Direct interaction (with customers, "influencers," media, colleagues, etc.) is the most basic use of social media: it involves an organization using social media to communicate and interact with the general social media population (or subsets of that population). This would happen on various social media platforms such as Facebook, LinkedIn and Twitter, or through a weblog. However, the approach organizations employ to interact may vary, and as discussed later, the differences in approach could impact the legal risks associated with social media. Some approaches for direct interaction include the following: (a) allowing an organization’s general employee population to go out and interact on behalf of the company with little instruction or supervision; (b) allowing an organization’s general employee population to go out and interact on behalf of the company with strict instructions and supervision; (c) identifying a small dedicated group to interact on social media on behalf of the company, including potentially the use of “corporate profiles” not tied to any individual person; and (d) hiring a third party marketing company to interact on social media pursuant to a specific marketing strategy.
  • Company Page/Fan Site. Some social media platforms allow organizations to create “fan pages” (e.g. Facebook) or company pages (LinkedIn). In essence these types of pages/sites allow an organization to set up a centralized presence or "destination" within a social media platform. Interested individuals can then join or follow postings that occur on the organization’s fan page/site, and those visitors can themselves post and interact on the fan page or site. This allows for interaction in a more centralized fashion.
  • Social Media Applications. Some social media platforms may allow organizations to create applications that can be plugged into the social media platform. For example, a mortgage broker with a presence on Facebook could hire an application developer to develop a mortgage interest rate calculator application that Facebook users could operate. This would essentially provide an advertisement for the mortgage company and create goodwill amongst potential customers. In addition, when the application is downloaded by a user, the mortgage company would then get access to certain personal information that is part of the user’s profile. This information can be valuable for targeting prospective customers and data mining purposes.
  • Blogging. While it may not be obvious to everybody, most blogs constitute social media.   Blogs that allow for comments and interaction between the blogger and his readers (and interaction between the readers themselves) are social media. This interaction typically occurs in the “comments” section of a blog. In addition, many organizations use their blog as the kernel for interaction in other social media platforms. So, an organization with a blog might do a post and tweet it on Twitter, cross-post it on their Facebook fan page and post it in a LinkedIn Group, in order to drive traffic to the company’s blogpost (and ultimately website, product or service).
  • Social Plug-ins. Many social media platforms provide “widgets” or “plug-ins” that can be put into a website to allow the content of the website to be commented upon and shared within the social media platform. The plug-in may be in the form of a “button” that allows a website visitor to “like” particular content and have their preference posted in Twitter, Facebook or Digg. Some social media platforms may be integrated into a website so seamlessly that the integration is virtually invisible. Using these plug-ins can help spread an organization’s message to a much wider audience and drive traffic to the organization’s website.
  • Log-In Credentials. Another interesting way social media platforms are being utilized is to allow website visitors to log in to an organization’s website employing the log-in credentials they use to gain access to a social media platform. Under this scenario an organization with a website could allow visitors to access the company's website by logging into their Facebook or Twitter account using the same username and password (this is achieved by utilizing the social media platform’s API). The organization benefits in several ways by employing this practice. First, the visitor gets to avoid setting up a new username and password specific to the website, which can be viewed as time-consuming by some visitors. Second, the user is less likely to forget a username/password from a frequently-used social media platform, and this makes logging in very easy. Last, by linking to the social media platform’s authentication credentials, the organization is able to obtain certain personal information about that visitor that is available on the social media platform.

The foregoing use case scenarios are surely the tip of the iceberg, and new social media platforms and strategies are being developed every day. It is in this dynamic environment that organizations must analyze and understand the legal risks associated with the use of social media.

Social Media Legal Issues

As we work through the various legal implications of social media it hopefully will become increasingly clear that context is very important. While we can (and will) talk about broad categories of legal risks that apply to most (or all) social media, a basic formula can be used to identify and analyze the specific legal risks of a particular social media use. The social media legal risk “formula” can be summarized as follows:

  • the inherent characteristics/capabilities/limitations of the social media platform to be leveraged, PLUS
  • the organization’s specific intended social media strategy and uses, REVEALS
  • the relevant legal issues and level of legal risk present.

With this formula in mind we turn to a short summary of the social media legal issues that InfoLawGroup will be exploring in detail as part of its multi-part blog series.

Information Security Legal Risk

Organizations that employ social media face several information security legal issues. These legal risks can be broken down into three broad categories: (1) potential liability due to a breach of the organization’s security as the result of an attack originating through the use of social media; (2) potential legal risk associated with social engineering and spoofing attacks against users or “fans” of an organization’s social media presence, persona or application; and (3) legal consequences of leakage of third party confidential information as a result of social media use.

As might be expected, organized crime views social networks as fertile ground for committing fraud. One of the biggest risks is in the name of the medium itself: social media yields social engineering. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” As such, social media users are tricked into downloading applications infected with malware because it was “recommended” by a friend, or they click on the link of the “real” Osama Bin Laden dead body photo that looks like it was posted on a friend's wall (and a computer attack occurs), or they visit a site that looks like a brand name company’s fan page and are enticed to provide some of their personal information to criminals. The direct risk to an organization allowing its employees to use social media on company computers is obvious: if malware from social media infects a company computer and steals personal information, credit card numbers or trade secrets, the company may have to provide notice of a security breach and could face lawsuits and regulatory actions arising out of the breach.

Companies may also face liability for failing to detect and notify social media users of scams associated with the company’s name or site. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social application that looks like it is sponsored by the organization, legal repercussions could arise. In the email context we are already aware of lawsuits involving phishing that allege that the defendant should have been aware of scam emails sent to their customers, and should have warned those customers of the scam.

Finally, social media sites and the activities of multiple users for or on behalf of an organization could result in information leakage. If that leakage involves confidential information or trade secrets of an organization’s customer, or perhaps certain financial disclosures in violation of securities laws, liability could arise. The risk of confidential information leakage was recently on display involving the use of LinkedIn.  This risk can also be indirect in its nature, and there are several social media corporate intelligence companies that will data mine and aggregate information about competitors in order to discover leaked secrets, plans and trends.

Privacy

For many companies the Holy Grail of social media is in-depth and detailed personal information about their current and would-be customers. Social media provides a platform for much more interactive and intimate communications between companies and their customers. In turn companies seek to use this knowledge to sell their products and services back to these customers (in a way that does not erode the trust relationship that is often gained in the social media context). Social media platforms enable the gathering of information, including personal information, in ways that were unimaginable only a few years back. Companies leveraging social media, depending on the platform, can gain access to this personal information. This raises a host of privacy concerns that could increase legal risk. Most social media sites have terms and conditions that may result in legal liability if an organization’s collection or use of personal information violates those terms. Laws such as COPPA may have applicability with respect to an organization’s “fan” page. Finally, to what extent do an organization’s privacy policies apply, if at all, to its social media activities? All of these issues will become increasingly important as use of social media becomes the norm.

IP Infringement

Social media sites allow users and companies to post content, including content that may be copyrighted or trademarked. Posting can be performed not only by employees of organizations using social media, but also fans and visitors to a company’s social media site. Organizations may face infringement claims (direct or based on vicarious liability) due to copyrighted or trademarked materials being posted by them or by third parties.

Disparagement and Defamation

Social media environments provide a forum for defamatory statements to be made about individuals, and disparaging remarks to be made about companies' products and services. Organizations with overzealous employees attempting to get a leg up on competitors may post comments or remarks that may not be fully accurate or true about an individual or a competitor’s products or services. This could lead to a potential lawsuit and liability. Social media sites and blogs that allow comments may also involve such statements made by third parties over which the organization has little to no control. While defenses may exist, including potentially Section 230 of the Communications Decency Act, this area of law is notoriously fact specific and varies by jurisdiction, and it could pose problems for companies.

Employment Law Issues

The use of social media in the employment context raises a lot of tricky legal issues. First, many organizations use social media to vet candidates for employment and as part of background checks. The information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws, and employers may have to obtain an individual’s consent before accessing such information (or may be prohibited from using that information to make employment decisions). During employment, the issue is to what extent an employee may have privacy rights concerning their use of social media while at work, and to what extent the employer may monitor such activities. Overzealous employers that create fake social media accounts to monitor social media activities of their employees could also raise legal issues, including issues under the Stored Communications Act, which is part of the larger Electronic Communications Privacy Act. Finally, using social media activities as the basis for firing or taking disciplinary action against employees may run afoul of the law. Recently, there have been a series of “Facebook Firings” where the National Labor Relations Board has alleged that an employer’s action violated the National Labor Relations Act.

Advertising Law

Organizations that use social media to promote their products and services should also be concerned about advertising laws. For example, some social media activities may amount to a contest or sweepstakes and may need to have appropriate disclaimers and notices. In addition, for social media sites that allow users to rate products or services, an employee that “rates up” the products or services of his or her company may violate advertising laws concerning testimonials and endorsements.

Electronic Discovery and Evidence

Social networks are brimming with social interactions and information generated by and about those interactions. That information may be highly relevant in a litigation context, and the parties in a litigation may seek to obtain this information via discovery or subpoena. Questions arise as to whether obtaining this information for use in court is permissible in light of potential privacy concerns. On the flipside, when litigation begins, how should lawyers advise their clients concerning the preservation of information on social media sites, and what kind of problems may arise if a litigant fails to preserve social media information.

Drafting a Social Media Policy

In the final part of this series, we will take a closer look at one of the key controls to address the legal risk associated with the use of social media:  the social media policy. We will look at the key elements and issues that should be addressed in a social media policy, and identify strategies for dealing with this risk. In addition, we will discuss some new technological controls that companies are developing to help organizations understand, monitor and manage social media use and legal risks. Overall, there is much more to come on this topic. Stay tuned! 

InfoLawGroup Profiled in Los Angeles Daily Journal: "The Social (Law Firm) Network"

InfoLawGroup was recently profiled in the Los Angeles Daily Journal.  "The Social (Law Firm) Network" is reprinted here with permission from the Daily Journal.  We wish all of our clients, friends, and readers a great weekend.

FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement

The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission’s numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents:

  • The first FTC settlement order to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information; and

Let’s dive in (make sure to read the "Action Item" at the conclusion of the post!):

Factual Allegations

The FTC alleged in its complaint that Google violated Section 5 of the FTC Act by engaging in deceptive tactics and violating its own privacy promises to consumers in connection with the launch of the company’s social network, Google Buzz, in 2010. The FTC also alleged that with respect to the data of its European users, Google violated the Notice and Choice principles of the U.S.-EU Safe Harbor self-regulatory framework for cross-border data transfer, in violation of the company’s certification of adherence to the framework.

The FTC alleged that when Google launched Buzz, the company used its customers’ email contact lists to populate the social network. As a result, by default, when Buzz launched, Gmail users became social network “followers” of other users – including those in their email contact lists – and were “followed” by their contacts. While Google's set-up process appeared to provide users with choices not to enroll in Buzz (such as “Nah, go to my inbox” and “Turn off Buzz”), the FTC alleged that selecting those options did not actually opt the users out of Buzz. Instead, users continued to be followers of and followed by other Gmail users. Gmail users complained that the automatic generation of follower lists resulted, in some cases, in users following and being followed by individuals against whom they obtained restraining orders, abusive ex-spouses, clients of mental health professionals and attorneys, and job recruiters.

The FTC also alleged that Google did not adequately inform users that their previously private information, such as their contact lists and profiles, would become public by default when they used Buzz. According to the FTC, Google did not provide clear means for users to change privacy settings to prevent the public disclosure of this information.

The FTC further alleged that the launch of Buzz resulted in the disclosure of personal information that was contrary to the users’ specific choices. For example, if a Gmail user blocked another individual from Google Chat, that individual could still be a follower of the user on Buzz. Further, Buzz users did not have the ability to block followers who did not have a public Google profile. Finally, a flawed design of the Buzz comment reply mechanism resulted in broad disclosure of users’ private email addresses.

Violations of the FTC Act

The FTC alleged that Google’s handling of privacy settings in connection with the launch of Buzz (as described above) violated the company’s own privacy notices and Section 5 of the FTC Act prohibition against unfair or deceptive acts or practices. Specifically, according to the FTC, Google:

  • By using Gmail information to populate Buzz -- failed to abide by the pledge in the company’s privacy policy to use information from consumers signing up for Gmail only for the purpose of providing them with a web-based email service;
  • By using Gmail information in connection with Buzz -- failed to abide by the pledge in the company’s privacy policy to seek users’ consent to use their information for a purpose other than that for which the data was collected; and
  • By not respecting users’ privacy choices (such as “Nah, go to my inbox” and “Turn off Buzz”), and misleading users about what information in their profiles would become public and which of their contact lists would become public in connection with Buzz -- engaged in deceptive acts or practices.

U.S.-EU Safe Harbor Framework Violations

The Google Buzz settlement is the FTC’s first substantive U.S.-EU Safe Harbor framework enforcement action in which the Commission alleged specific violations of the Safe Harbor privacy principles. On several previous occasions, the FTC took enforcement action against companies that claimed to be Safe Harbor certified but were not in fact members of the program. Google maintained an up-to-date Safe Harbor self-certification on the U.S. Department of Commerce Safe Harbor list and stated in its privacy policy that it adhered to the Safe Harbor privacy principles.

The Safe Harbor framework consists of a set of privacy principles developed by the U.S. Department of Commerce in collaboration with the European Commission. The framework is intended to provide U.S. companies with a mechanism for receiving personal information from the European Union, European Economic Area or Switzerland in compliance with the European Commission’s Data Protection Directive 95/46/EC and the Swiss Federal Act on Data Protection. U.S. companies that participate in the Safe Harbor framework are deemed by the European Commission and the Information Commission of Switzerland to provide an “adequate” level of privacy protection, enabling the certified U.S. companies to receive and process European data in the U.S.

Among other provisions, the Safe Harbor privacy principles require companies that receive European personal data in the U.S. to give the individuals to whom the information pertains:

  • Notice of how the company uses their personal information (the Notice principle);
  • Choice to direct the company to refrain from sharing the information with certain third parties (the Choice principle); and
  • The opportunity to opt out of having their information used for purposes incompatible with those for which the information was collected or to which they have consented (also the Choice principle).

In practice, a Safe Harbor-certified company in the U.S. that wishes to use or disclose personal data of European residents for purposes incompatible with the purposes for which the information was collected or to which the users have consented, must (i) provide users with a notice of the proposed new use or disclosure, and (ii) give users an opportunity to direct the company not to use or disclose the information in the proposed manner.

The FTC alleged that Google relied on its Safe Harbor certification to transfer data collected from Gmail users from Europe to the United States for processing. According to the FTC, the company also processed this information in connection with the launch of Buzz. The complaint alleged that Google violated the Notice and Choice principles by not giving European users notice before using their Gmail information in connection with Buzz. Google’s alleged non-compliance with the Safe Harbor Notice and Choice principles constituted a deceptive act or practice in violation of Section 5 of the FTC Act.  

Settlement

The FTC has billed this enforcement action as a “tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The settlement includes several major requirements.

Prohibition Against Misrepresentations

The settlement prohibits Google from misrepresenting the company's privacy practices with respect to “covered information” or the company’s compliance with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor framework. Importantly, the term “covered information” is broader than the term “personal information” that the FTC has used in its previous privacy enforcement consent orders. “Covered information” includes not only the traditional personal information elements (e.g., name, postal or email address, and telephone number), but also an IP address or an individual’s physical location or list of contacts. The broader definition of “covered information” is consistent with the FTC’s increasingly expansive view of the information associated with an individual that warrants protection. For example, in its report on Self-Regulatory Principles For Online Behavioral Advertising: Tracking, Targeting, and Technology, the FTC refused to provide a bright-line rule for delineating personal and non-personal information. Instead, the FTC took the position that behavioral advertising principles "should apply to data that could reasonably be associated with a particular consumer or computer or other device, regardless of whether the data is 'personally identifiable' in the traditional sense." Similarly, the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” ("Privacy Report") argued for protecting consumer data that can reasonably be linked to a specific consumer, computer or device.

Notice and Consent

The settlement requires Google to provide its users with notice and choice prior to sharing users’ information with third parties in certain circumstances. Specifically, if the proposed disclosure is contrary to the data sharing practices Google represented to be in effect at the time the information was collected, the settlement requires Google to give users a clear and prominent notice of the proposed disclosure and to obtain their “express affirmative consent.” While the settlement does not define “express affirmative consent,” at a minimum, this provision will require Google to offer users a prominent, transparent means for exercising their privacy choices. 

Comprehensive Privacy Program

The FTC stated that the Buzz settlement is the first to require a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. The inclusion of this requirement in the settlement appears to be the first application of the “privacy by design” philosophy that the Commission articulated in its Privacy Report. The FTC’s “privacy by design” approach calls on companies to build privacy protections into their business practices. Such protections should include sound mechanisms for allowing consumers to exercise their privacy choices, reasonable security for consumer data, limited collection and retention of consumer data, secure disposal of the data, and reasonable procedures to promote data accuracy. The report also called for companies to implement and enforce procedurally sound privacy practices throughout their organizations, including by assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services.

The settlement requires Google to maintain a written, comprehensive privacy program that is reasonably designed to (i) address privacy risks related to the development and management of new and existing products and services, and (ii) protect the privacy and confidentiality of covered information (as defined above). Google must include in its privacy program the privacy controls and procedures appropriate to the company's size and complexity, the nature and scope of its activities, and the nature of covered information.

Specifically, the settlement requires Google to:

  • Designate staff responsible for the privacy program;
  • Conduct a risk assessment to identify reasonably-foreseeable risks that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement reasonable privacy procedures to control the risks identified through the privacy risk assessment;
  • Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures;
  • Develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Google;
  • Require relevant service providers by contract to implement and maintain appropriate privacy protections; and
  • Evaluate and adjust the company's privacy program in light of the results of the testing and monitoring, any material changes to the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s privacy program.

Compliance Requirements

In addition to the specific requirements regarding the company’s privacy practices, the settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, objective and independent third-party professional. The reports must certify, among other things, that:

  • Google has in place a privacy program that provides protections that meet or exceed the protections required by the settlement order; and
  • Google’s privacy controls are operating with sufficient effectiveness to provide reasonable assurance that the privacy of covered information is protected.

Google must retain the materials relied upon to prepare the third-party assessments for a period of three years from the date of the assessment. 

The settlement also requires Google to:

  • Retain all “widely disseminated statements” that describe the extent to which the company maintains and protects the privacy and confidentiality of any covered information, along with all materials relied upon in making or disseminating such statements, for a period of three years;
  • Retain for a period of six months (i) all consumer complaints directed at Google, or forwarded to Google by a third party, that allege unauthorized collection, use or disclosure of covered information and (ii) any responses to such complaints;
  • Retain for a period of five years documents that contradict, qualify or call into question the company’s compliance with the terms of the settlement;
  • Disseminate the consent order to the company’s current and future principals, officers, directors and managers, and to all current and future employees, agents and representatives who have supervisory responsibilities relating to covered information; and
  • Notify the FTC of changes in the company’s corporate status.

Action Item

As we often note on this blog, privacy enforcement activity is rising exponentially, whether in the format of state and federal regulatory actions, class action suits, media exposés or public admonitions by regulators. This enforcement activity presents a significant risk to companies whose business models rely heavily on the collection, use or disclosure of information associated with individuals. If your company has not already done so, now is the perfect time to review the company’s privacy and information security practices, conduct a privacy and information security assessment, and take steps to ensure that the company’s practices comply with the various privacy and information security requirements, including FTC guidance.