The Legal Implications of Social Networking Part Three: Data Security
In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). Well, after 4th quarter year-end madness and a few holidays Part Three is ready to go. In this post, we explore how security concerns and legal risk arise and interact in the social media environment. Again, the intended audience for this blogpost are organizations seeking to leverage social media, and understand and address the risks associated with its use.
As might be expected criminals view social media networks as fertile ground for committing fraud. There are three main security-related issues that pose potential security-related legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computer devices connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.
Social Media = Social Engineering
One of the biggest social media security risks reveals itself in the name of the medium itself: social media yields social engineering. In short, when it comes to social media attacks, an organization’s own employees may be its worst enemy. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” Social media users may be tricked into downloading applications infected with malware because a posting was “recommended” by a friend. For example, almost immediately after Osama Bin Laden was killed by U.S. troops, one Facebook scam inserted malware on computers using a malicious (and false) link to the “real” Osama Bin Laden dead body photo that looked like it was posted on a friend’s wall. In addition, some scams have used messaging capabilities within social media platforms to initiate computer attacks. Unfortunately, if a company's employee is scammed and downloads malware from a social media network to the company network, it may be the company that faces legal liability.
In addition, fraudsters use the trust users place in the social media platform itself to effectuate security breaches. For example, most would feel fairly comfortable clicking on an advertisement displayed on Facebook. However, in some cases that click could result in a “malvertisement” infection.
Another common attack technique is phishing. Criminals create fake email notices that appear to come from social media sites. Unsuspecting users that click on links in these emails may end up providing sensitive information to fake websites that look like the social media site they belong to, or downloading malware onto a company’s system. Unfortunately, even an employee just giving up his or her personal social media passwords can be risky for a company. Many individuals use the same passwords at multiple sites and disclosing a social media password could also amount to providing the password to the network of an employee’s employer.
There is increasing evidence that criminals are using social media to target key company personnel in order to burrow into company networks and steal trade secrets and other sensitive information. The wealth of personal information users share on social media sites provides ammunition for such attacks. Fraudsters can gather details about a user before engaging in an attack (e.g. employer, address, phone number, friends, affiliated companies, etc.) and then use the details to target the attack specifically at the individual(s) (such as a phishing email). In fact, this very technique appears to have been used in one of the biggest breaches of 2011, the RSA breach.
With regard to legal risk, companies suffering a breach arising out of social media face the same risks for any security breach. If malware infects a system or an employee is tricked into providing his or her login-credentials, and confidential or personal information is stolen, the employer may face lawsuits or regulatory scrutiny. Actions alleging breaches of NDAs may also come from third parties whose trade secrets or other confidential information a company holds. Moreover, if personal information is accessed or acquired due to the social media security breach, notification may be necessary and related costs would have to be incurred by the employer.
Social Media Spoofing and Hijacking
Companies may also face legal liability for failing to detect and notify social media users of scams associated with the company’s social media site or key personnel with social media presences. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social media application that looks like it is sponsored by the organization, legal repercussions could arise. Similarly, fraudsters could create fake profiles of key company personnel in order to commit crimes.
Security and legal risks can also arise if hackers are able to take over a company’s fan page or social media profiles of key company personnel. By creating a fake fan page or profile, or hijacking an existing fan page or profile, fraudsters could send out messages with malware to all of the individuals who joined the fan page or trick customers into disclosing sensitive information. From the legal risk perspective, while case law is sparse, companies that fail to have fake fan pages removed or that fail to warn their customers of scams that look like they come from the company, could face legal liability.
Confidential Information Leakage
Another important business and legal risk arises out of potential confidential information leakage on social media sites.
Imagine a company that is heavily reliant on traditional sales methods and has built up a customer list (a trade secret) with key, difficult-to-find contacts. Oftentimes, companies like this rely on key sales people to bring in large portions of their revenue. Perhaps seeking to be on top of modern marketing practices some of these salespeople establish LinkedIn accounts, and naturally begin linking to dozens or perhaps hundreds of friends, colleagues and customers. On LinkedIn, if settings are not set properly, all of the contacts related to these key salespeople could be publicly viewable. That being the case, it would not be difficult for a competitor to simply view and record those contacts, thereby potentially exposing the company’s customer list and key customer contacts.
Take it one step further. Suppose one of the key sales persons leaves with the customer list and the company sues alleging misappropriation of trade secret. One of the elements for establishing a trade secret are efforts to keep the secret confidential. However, by allowing the sales person to display all of his contacts on LinkedIn, has the company effectively failed to maintain that confidentiality and lost its trade secret protection?
In 2010, we saw an Eastern District of New York case that looked at this issue and ruled that trade secret protection was unavailable for a company where the customer list information at issue could be readily ascertained using sites like Google and by viewing LinkedIn profiles. In contrast, in 2011, the court in Syncsort Incorporated v. Innovative Routines, International, Inc., looked at the issue of whether a trade secret posted on the Internet loses its protection. While the court ruled that trade secret protection was not lost under the facts of Syncsort (where only a portion of the trade secret was available for a limited time), it appears that a different set of facts could yield a decision going the other direction.
The inadvertent disclosure of confidential information by employees may also be problematic for organizations. This problem can arise when employees mistakenly or unknowingly disclosing sensitive information. For example, in September 2011 a Hewlett-Packard executive updated his LinkedIn status and revealed previously undisclosed details of HP's cloud-computing services. If he had instead posted confidential information about one of HP’s clients it may have resulted in legal liability. Moreover, for publicly-traded companies, certain inadvertent disclosures of financial information could lead to violations of securities laws and regulations.
Even if confidential information is not directly put into a single status update or other post, the aggregated social media postings of multiple employees could yield valuable competitive information. Companies (on their own or through third party service providers) are actively data mining social media sites with the hope of gathering enough bits and pieces of information to provide a competitive edge. Employees may be unwittingly posting what they think is a single piece of non-sensitive data. However, when combined with multiple data points from other employees and sources, those innocent disclosures could suddenly reveal company or client confidential information.
Conclusion
In summary, the key security-related legal concerns associated with social media start with the fact that social media provides a rich target environment for criminals. Social media users are literally volunteering information that may be sensitive, and the disclosure of which could lead to legal risk. The culture of sharing present on social media sites itself can lead to over-disclosure by employees, and the pure volume of data that can be mined from social media sites may allow competitors and criminals to connect-the-dots to reveal confidential or sensitive information. Moreover, the sense of trust that comes with social media environments provides an opportunity for criminals to breach security. People may be tricked into providing certain information or downloading malware because they think they are having legitimate communications with colleagues or friends. Finally, the ability to easily spoof or create fake sites or pages in social media sites that look legitimate can lead to increased security risk. With this increased security risk, comes increased legal and liability risk (in an area of law that is very unsettled in terms of who can be liable for a security breach, and to what extent).
How can these risks be addressed and mitigated? First, it is key to understand the social media environment and how the various social media platforms work. The unique characteristics of a particular social media platform may present risks specific to that platform. Second, organizations need to develop a social media strategy to maximize their leveraging of social media while minimizing risk (Are employees allowed to use their social media sites from work computers? Can they talk about the company and its plans on social media sites? What company information can they share on social media sites? Should only a handful of marketing-oriented employees be allowed to post about or on behalf of an organization? Can the company monitor social media usage?) Once strategy is developed, social media policies need to be drafted to reflect the strategy and address risks. In the security context, a big part of minimizing risk is educating and training employees and providing guidance on how to avoid or minimize it. Technology solutions may also exist that can allow for monitoring and tracking of social media usage by employees. Ultimately, however, like social media itself, it comes down to people -- risk can only be addressed appropriately if the individuals using social media are equipped to identify and mitigate against it.
Twitter Followers = Trade Secrets?
Phonedog v. Kravitz, currently pending in the Northern District of California, raises unprecedented issues regarding social media. Is a list of Twitter followers protected as trade secret under California law? What is the value of a Twitter follower? $2.50 per month? I discussed these questions today with Fox News.
The Legal Implications of Social Networking Part Two: Privacy
As social media and networking continue to revolutionize modern-day marketing and become the norm for organizations of all types, shapes and sizes, it is even more important to adequately address the legal risks associated with social media use. In Part One of our Legal Implications series, we laid out some background and identified key areas of legal risk. In the next few posts InfoLawGroup is going to look deeper at some of these risks. In this post we explore some of the privacy legal issues that companies should address if they want to leverage social media.
Background
Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.
The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:
- What types of personal information will the organization have access to?
- What types of personal information will the organization collect, and how will it use that information?
- What legal restraints exist with respect to the collection and use of the personal information (e.g. regulations, contracts, internal policies, etc.)
While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.
Key Privacy Legal Issues
- Social Media Platform Terms of Use
The first place to look for privacy legal obligations are the terms of use of a particular social media platform. Social media platforms attempt to balance privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions related to the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if a user consents to such a use (organizations, however, may use connections between two users that have both connected to the application). As a general rule, companies can only use the Twitter API to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content.
In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform. Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and for multiple functionalities and activities within a platform.
For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent. In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords. Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.
Unfortunately, the failure to follow these privacy-related terms of use can (and already has) get companies into legal trouble. That trouble can arise directly with the social media platform provider in the form of a banning or a breach of contract action. In addition, a violation of the obligations set forth in a social media platform's terms of the use may be alleged as the basis for lawsuits against companies using social media.
- Regulatory Privacy Issues
An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.
A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites may embed social media functionality that allows users to comment on a website post or article using Facebook or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The question is to what extent does the website’s general privacy policy apply to the information gathered through the embedded social media platform. The second question is whether the organization’s handling and use of such personal information violates the website’s general privacy policy. As the lines between an organization's general website presence and their social media presence blur even more over time, consistent privacy practices will become increasingly important (note: InfoLawGroup has developed privacy policy language to address this situation).
Beyond general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children's Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children. In fact the FTC recently released proposed revisions to COPPA intended to address social media that is used often by children.
The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as "any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law. For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.
Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated. It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.
Conclusion
Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.
This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media. A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.
The Legal Implications of Social Networking: The Basics (Part One)
We are in the midst of a communications revolution. Use of social media for communication purposes continues to grow, while "old school" messaging media like email is on the decline. Facebook reportedly has reached 700 million users worldwide and is putatively valued at $50 billion dollars. Advertising revenue expected to be generated from social media is estimated to reach $8.3 billion dollars annually by 2015. Significantly, according to one survey, 81% of companies have implemented (or plan to implement) social networking in order to enhance their exposure. Seventy-three percent of small and medium businesses reportedly employ social media for marketing purposes.
Much like the “Cloud computing revolution" there is an almost frenzied excitement around social media, and many companies are stampeding to exploit social networking. The promise of increased intimate customer interactions, input and loyalty, and enhanced sales and expanded market share can result in some organizations overlooking the thorny issues arising out of social networking. Many of these issues are legal in nature and could increase the legal risk and liability potential of an organization employing a social media strategy.
Coming on the heels of a white paper we wrote with ACE USA, in this multi-part series the InfoLawGroup will identify and explore the legal implications of social media. This series will help organizations begin to identify some of the legal risks associated with social media so that they may start addressing and mitigating these risks while maximizing their social media strategy.
In Part One of the series, we will provide a high level overview of the legal risks and issues associated with an organization’s use of social media. In subsequent parts members of the InfoLawGroup team will take a deeper dive into these matters, and provide some practical insight and strategic direction for addressing these issues. As always, we view our series as the beginning of a broader conversation between ourselves and the larger community, and we welcome and strongly encourage comments, concerns, corrections and criticisms.
What is Social Media?
For a phenomenon that is taking over the world, one would think that the meaning of social media would be clear. While that may not be the case, we are not going to belabor the issue in this post. Instead we will simply use the definition generated by Wikipedia (itself a form of social media that relies on the collective efforts of its users to come up with the “right” answer):
Social media are media for social interaction, using highly accessible and scalable publishing techniques. Social media use web-based technologies to turn communication into interactive dialogue.
Examples of websites and internet activities that fall into this definition include: LinkedIn, Facebook, Twitter, Digg, Delicious, StumbleUpon,Foursquare, blogging platforms (e.g. WordPress, Drupal, etc.), Wikipedia, bulletin boards (e.g. phpbb.com), Quora and YouTube.
The InfoLawGroup is a heavy user of social media, and the best way that I have been able to explain our social media is by analogy: social media is like a wide-ranging conversation that can be with the entire world, or on a very intimate level with a single individual, and often both. Social media provides a mechanism for finding communities of like-minded (or not) individuals interested in particular topics (and sub-topics). InfoLawGroup uses social media to engage in conversation concerning issues that are important and interesting to us (and others), and by engaging in that conversation in a meaningful way, others begin to recognize and value our input (and we in turn discover experts, influencers, and valuable information resources). Based on our experience, the key attributes of a successful social networking include clear communication, multi-party interaction, trust and intimacy.
How is Social Media Used?
So your organization wants to “use” social networking. Why? For many organizations considering the use of social media a vague idea may exist that they “should” be doing that. However, clear organizational goals may not exist concerning the use of social media. As a threshold issue, before even considering specific legal issues, organizations must have a clear idea of why they want to use social media. Companies should identify the business process or organizational strategy they are seeking to advance by the use of social networking. They should be able to establish goals and metrics in order to measure success and allow for the adjustment of their strategy if it is not proving successful. Of course, when the question of why is answered, then the question of “how” must be addressed (and often the two questions must be considered together).
The process of developing a social media strategy tied to specific business processes and goals will enlighten companies as to the legal implications of their use of social networking. While there may be certain legal concerns baked into “social media” in general, many of the legal risks will arise based on the specific business process and goals surrounding the use of social media. In addition, the characteristics of the social media platform(s) an organization chooses to leverage may also impact the legal risks faced by the organization.
While there are as many social media strategies as there are organizations seeking to employ them (in fact, there are certainly many more), we have laid out some “use cases” that will help us explore the legal implications of social media:
- Direct Interaction. Direct interaction (with customer, "influencers," media, colleagues, etc.) is really the most basic use of social media, it involves an organization using social media to communicate and interact with the general social media population (or subsets of that population). This would happen on various social media platforms such as Facebook, LinkedIn and Twitter, or through a weblog. However, the approach organizations employ to interact may vary, and as discussed later, the differences in approach could impact the legal risks associated with social media. Some approaches for direct interaction include the following: (a) allowing an organization’s general employee population to go out and interact on behalf of the company with little instruction or supervision; (b) allowing an organization’s general employee population to go out and interact on behalf of the company with strict instructions and supervision; (c) identifying a small dedicated group to interact on social media on behalf of the company, including potentially the use of “corporate profiles” not tied to any individual person; and (d) hiring a third party marketing company to interact on social media pursuant to a specific marketing strategy.
- Company Page/Fan Site. Some social media platforms allow organizations to create “fan pages” (e.g. Facebook) or company pages (LinkedIn). In essence these types of pages/site allow an organization to set up a centralized presence or "destination" within a social media platform. Interested individuals can then join or follow postings that occur on the organization’s fan page/site, and those visitors can themselves post and interact on the fan page or site. This allows for interaction in a more centralized fashion.
- Social Media Applications. Some social media platforms may allow organizations to create applications that can be plugged into the social media platform. For example, a mortgage broker with a presence on Facebook could hire an application developer to develop a mortgage interest rate calculator application that Facebook users could operate. This would essentially provide an advertisement for the mortgage company and create goodwill amongst potential customers. In addition, when the application is downloaded by a user, the mortgage company would then get access to certain personal information that is part of the user’s profile. This information can be valuable for targeting prospective customers and data mining purposes.
- Blogging. While it may not be obvious to everybody, most blogs constitute social media. Blogs that allow for comments and interaction between the blogger and his readers (and interaction between the readers themselves) are social media. This interaction typically occurs in the “comments” section of a blog. In addition, many organizations use their blog as the kernel for interaction in other social media platforms. So, an organization with a blog might do a post and tweet it on Twitter, cross-post it on their Facebook fan page and post it in a LinkedIn Group, in order to drive traffic to the company’s blogpost (and ultimately website, product or service).
- Social Plug-ins. Many social media platforms provide “widgets” or “plug-ins” that can be put into a website to allow the content of the website to be commented upon and shared within the social media platform. The plug-in may be in the form of a “button” that allows a website visitor to “like” particular content and have their preference posted in Twitter, Facebook or Digg. Some social medial platforms may be seamlessly integrated into a website in such a manner that makes it virtually invisible. Using these plug-ins can help` spread an organization’s message to a much wider audience and drive traffic to the organization’s website.
- Log-In Credentials. Another interesting way social media platforms are being utilized is to allow website visitors to login to an organization’s website employing the log-in credentials they use to gain access to a social media platform. Under this scenario an organization with a website could allow visitors to access the company's website by logging into their Facebook or Twitter account using the same username and password (this is achieved by utilizing the social media platform’s API). The organization benefits in several ways by employing this practice. First, the visitor gets to avoid setting up a new username and password specific to the website, which can be viewed as time-consuming by some visitors. Second, the user is less likely to forget a username/password from a frequently-used social media platform, and this makes logging in very easy. Last, by linking to the social media platform’s authentication credentials, the organization is able to obtain certain personal information about that visitor that is available on the social media platform.
The forgoing use case scenarios are surely the tip of the iceberg, and new social media platforms and strategies are being developed every day. It is in this dynamic environment that organizations must analyze and understand the legal risks associated with the use of social media.
Social Media Legal Issues
As we work through the various legal implications of social media it hopefully will become increasingly clear that context is very important. While we can (and will) talk about broad categories of legal risks that apply to most (or all) social media, a basic formula can be used to identify and analyze the specific legal risks of a particular social media use. The social media legal risk “formula” can be summarized as follows:
- the inherent characteristics/capabilities/limitations of the social media platform to be leveraged, PLUS
- the organization’s specific intended social media strategy and uses, REVEALS
- the relevant legal issues and level of legal risk present.
With this formula in mind we turn to a short summary of the social medial legal issues that InfoLawGroup will be exploring in detail as part of its multi-part blog series.
Information Security Legal Risk
Organizations that employ social media face several information security legal issues. These legal risks can be broken down into three broad categories: (1) potential liability due to a breach of the organization’s security as the result of an attack originating through the use of social media; (2) potential legal risk associated with social engineering and spoofing attacks against users or “fans” of an organization’s social media presence, persona or application; and (3) legal consequences of leakage of third party confidential information as a result of social media use.
As might be expected organized crime views social networks as fertile ground for committing fraud. One of the biggest risks is in the name of the medium itself. Social media yields social engineering. Fraudsters leverage the central component of social media that makes it so attractive: trust between “friends.” As such social media users are tricked into downloading applications infected with malware because it was “recommended” by a friend, or they click on the link of the “real” Osama Bin Laden dead body photo that looks like it was posted on a friend's wall (and a computer attack occurs), or they visit a site that looks like a brand name company’s fan page and are enticed to provide some of their personal information to criminals. The direct risk to an organization allowing its employees to use social media on company computers is obvious: if malware from social media infects a company computer and steals personal information, credit card numbers or trade secrets, the company may have to provide notice of a security breach and could face lawsuits and regulatory actions arising out of the breach.
Companies may also face liability for failing to detect and notify social media users of scams associated with the company’s name or site. If an organization becomes aware of a spoofed fan page that looks like its own, or a criminal disseminating a malware-infested social application that looks like it is sponsored by the organization, legal repercussions could arise. In the email context we are already aware of lawsuits involving phishing that allege that the defendant should have been aware of scam emails sent to their customers, and should have warned those customers of the scam.
Finally, social media sites and the activities of multiple users for or on behalf of an organization could result in information leakage. If that leakage involves confidential information or trade secrets of an organization’s customer, or perhaps certain financial disclosures in violation of securities laws, liability could arise. The risk of confidential information leakage was recently on display involving the use of LinkedIn. This risk can also be indirect in its nature, and there are several social media corporate intelligence companies that will data mine and aggregate information about competitors in order to discover leaked secrets, plans and trends.
Privacy
For many companies the Holy Grail of social media is in depth and detailed personal information about their current and would-be customers. Social media provides a platform for much more interactive and intimate communications between companies and their customers. In turn companies seek to use this knowledge to sell their products and services back to these customers (in a way that does not erode the trust relationship that is often gained in the social media context). Social media platforms enable the gathering of information, including personal information, in ways that were unimaginable only a few years back. Companies leveraging social media, depending on the platform, can gain access to this personal information. This raises a host of privacy concerns that could increase legal risk. Most social media sites have terms and conditions that may result in legal liability if an organization’s collection or use of personal information violates those terms. Laws such as COPPA may have applicability with respect to an organization’s “fan” page. Finally, to what extent do an organization’s privacy policies apply, if at all, to its social media activities? All of these issues will become increasingly important as use of social media becomes the norm.
IP Infringement
Social media sites allow users and companies to post content, including content that may be copyrighted or trademarked. Posting can be performed not only by employees of organizations using social media, but also fans and visitors to a company’s social media site. Organizations may face infringement claims (direct or based on vicarious liability) due to copyrighted or trademarked materials being posted by them or by third parties.
Disparagement and Defamation
Social media environments provide a forum for defamatory statements to be made about individuals, and disparaging remarks to be made about companies' products and services. Organizations with overzealous employees attempting to get a leg up on competitors may post comments or remarks that may not be fully accurate or true about an individual or a competitor’s products or services. This could lead to a potential lawsuit and liability. Social media sites and blogs that allow comments may also involve such statements made by third parties over which the organization has little to no control. While defenses may exist, including potentially Section 230 of the Communications Decency Act, this area of law is notoriously fact specific and varies by jurisdiction, and it could pose problems for companies.
Employment Law Issues
The use of social media in the employment context raises a lot of tricky legal issues. First, many organizations use social media to vet candidates for employment and as part of background checks. The information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws, and employers may have to obtain an individual’s consent before accessing such information (or may be prohibited from using that information to make employment decisions). During employment, the issue is to what extent an employee may have privacy rights concerning its use of social media while at work, and to what extent the employer may monitor such activities. Overzealous employers that create fake social media accounts to monitor social media activities of their employees could also raise legal issues, including issues under the Stored Communications Act, which is part of the larger Electronic Communications Privacy Act. Finally, using social media activities as the basis for firing or taking disciplinary action against employees may run afoul of the law. Recently, there have been a series of “Facebook Firings” where the National Labor Relations Board has alleged that and employer’s action violated the National Labor Relations Act.
Advertising Law
Organizations that use social media to promote their products and services should also be concerned about advertising laws. For example, some social media activities may amount to a contest or sweepstakes and may need to have appropriate disclaimers and notices. In addition, for social media sites that allow users to rate products or services, an employee that “rates up” the products or services of his or her company may violate advertising laws concerning testimonials and endorsements.
Electronic Discovery and Evidence
Social networks are brimming with social interactions and information generated by and about those interactions. That information may be highly relevant in a litigation context, and the parties in a litigation may seek to obtain this information via discovery or subpoena. Questions arise as to whether obtaining this information for use in court is permissible in light of potential privacy concerns. On the flipside, when litigation begins, how should lawyers advise their clients concerning the preservation of information on social media sites, and what kind of problems may arise if a litigant fails to preserve social media information.
Drafting a Social Media Policy
In the final part of this series, we will take a closer look at one of the key controls to address the legal risk associated with the use of social media: the social media policy. We will look at the key elements and issues that should be addressed in a social media policy, and identify strategies for dealing with this risk. In addition, we will discuss some new technological controls that companies are developing to help organizations understand, monitor and manage social media use and legal risks. Overall, there is much more to come on this topic. Stay tuned!
Privacy Enforcement Update: FTC Settles with Twitter and Chitika
As we have previously reported on our blog, 2011 has seen a whirlwind of privacy enforcement activity. The FTC, NLRB, EEOC, HHS and FINRA have all taken privacy enforcement actions this year. This March, the FTC has announced privacy settlements with Chitika and Twitter.
Chitika – FTC Alleges Deceptive Behavioral Targeting Opt-Outs
On March 14, 2011, the FTC announced that Chitika, an online advertising company, has entered into a settlement over allegations that the company did not respect consumers’ choice to opt out of receiving targeted ads online. According to the FTC complaint, Chitika buys ad space on websites and contracts with advertisers to place cookies on those websites. Chitika also uses cookies to tracks consumers’ activities on the web, including searches and visited sites.
The company displays ads to consumers based on their online activities. Chitika’s privacy policy said that consumers could opt out of having cookies placed on their browsers and receiving targeted ads. According to the FTC, however, Chitika’s opt-out lasted only 10 days. After that time, Chitika placed tracking cookies on browsers of consumers who had opted out and displayed targeted ads to them again.
The FTC charged that Chitika engaged in a deceptive practice in violation of Section 5 of the FTC Act by tracking consumers’ online activities even after they used Chitika’s opt out mechanism to direct the company to stop tracking them online and serving targeted ads.
The settlement bars Chitika from making misleading statements about the company’s data collection practices and the extent to which consumers can control the collection, use or sharing of their data. The settlement also requires that every targeted ad Chitika displays include a link to a clear opt-out mechanism that allows a consumer to opt out for a period of at least five years. It also requires that Chitika destroy all identifiable user information collected when the defective opt out was in place. Finally, Chitika must alert consumers who previously tried to opt out that their attempt was not effective, and they should opt out again to avoid receiving targeted ads through the company.
Twitter – FTC Alleges Failure to Safeguard Personal Information
On March 11, 2011, the FTC announced final settlement with Twitter over allegations that the company deceived consumers and put their privacy at risk by failing to safeguard the security of their personal information. The FTC alleged that serious lapses in the company’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter and access users’ personal information and tweets that users designated as private. The hackers also gained the ability to send tweets from any account. The FTC complaint alleged that hackers were able to gain administrative control of Twitter on at least two occasions.
According to the FTC, Twitter’s website privacy notice stated that the company “employ[s] administrative, physical, and electronic measures designed to protect your information from unauthorized access.” In addition, Twitter offered its users privacy settings that enabled them to designate their tweets as private. The FTC alleged that Twitter’s representations that the company (i) used reasonable and appropriate security measures to prevent unauthorized access to nonpublic user information, and (ii) honored users’ privacy choice were deceptive and violated Section 5 of the FTC Act.
The settlement prohibits Twitter from misleading consumers about the extent to which the company protects the security, privacy and confidentiality of nonpublic consumer information, including the extent of the measures the company takes to prevent unauthorized access to the information. Twitter also must honor the privacy choices made by consumers and establish and maintain a comprehensive information security program. The program must be assessed by an independent auditor every other year for 10 years.
Lessons Learned
With privacy enforcement on the rise, companies are well advised to take proactive approach to compliance with privacy and information security laws, regulations, guidelines and best practices. The FTC expects businesses to collect, use, disclose and process personal information in a fair and transparent way, and to accurately represent their privacy and security practices to consumers. Take a look at these Fair Information Practice Principles and think how your business can apply them to its personal information practices.
Castillo and Phaknikone: Let the Social Network Evidence Begin
Say you commit a crime. Let’s say the crime involves illegal possession of a firearm. Say that in the past you have posted information on Facebook or MySpace or Twitter or Flicker or YouTube or any other social network or Internet site. Say your posts included a photo on MySpace of you wearing a ski mask; holding a semi-automatic AR-15 rifle; making, umm, expletives; threatening your ex-wife; and, to say it as a court would say it, “displaying” your middle finger.
Say your ex-mother-in-law tells the police about your MySpace photo, and you get busted and prosecuted for federal firearms offenses. Can the MySpace photos and information, including you and your assault rifle and finger and threats, be admitted as evidence in the case against you?
Yes, says the United States Court of Appeals for the Eleventh Circuit last week in one of the first appellate opinions on the admissibility of evidence from social networks. United States v. Castillo.
Don’t worry about challenging the authenticity of the photo. That was such a long shot in Castillo that authenticity was not even raised on appeal.
How about arguing that the likelihood that the inflammatory and prejudicial impact of the photo outweighs its probative value? And that the photo is not even relevant because the AR-15 in the photo is not the firearm that you are charged with possessing illegally? The Castillo court held that the trial court was justified in allowing the jury to consider the photo with an instruction to the jury to ignore the finger and threats. The court ruled that possession of any "assault rifle" – even a gun other than the gun involved -- was relevant to the crime charged.
Or take a different case. Say you rob a bunch of banks, and at your criminal trial your MySpace profile page and account information and photographs from your MySpace are offered as evidence. One of the photos shows you holding a handgun. You get caught and prosecuted for bank robbery and weapons charges, and the prosecution offers the MySpace information as evidence. Under these circumstances, in a case that the U.S. Supreme Court declined to review yesterday, the trial court admitted the MySpace information as evidence. Though the Eleventh Circuit held that the MySpace evidence was inadmissible character evidence, the conviction was confirmed because of other overwhelming evidence. U.S. v. Phaknikone.
The messages of Castillo and Phaknikone are both clear and apparently contrary to what most users of social networks believe: you should assume that anything you post on a social network site will be discovered and admitted in any litigation, civil or criminal, in which you become involved.
