Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Earlier this year, we posted about new laws in Utah and New Mexico that limit employers' ability to access the online accounts of their employees. Since then, Washington and Colorado have joined these and other states, such as Maryland, Illinois, California, Michigan, that have enacted similar laws. Oregon and New Jersey appear to be not far behind regulating employers in this area. 

Increasingly, employers across the country will need to revisit some of the hiring and monitoring practices they may be following, in particular, those of lower level managers and supervisors who may not be aware of these developments. Companies also need to reconsider what role they want employees to play in the businesses' marketing strategies in social media.  

Colorado. Governor John Hickenlooper signed HB 13-1046 into law on May 11, 2013. Under the new law, employers may not "suggest, request or require" or cause employees or applicants to (i) disclose the means of accessing the employees or applicants' personal account or service through the employees or applicants' electronic communication device, or (ii) change their privacy settings for an associated social networking account. An employer also may not compel an employee or applicant to become a friend, contact or connection of the employer or the employer's agent. Employers may not fail or refuse to hire applicants, or discipline or otherwise penalize employees, who refuse to provide access to their personal accounts or add the employers to their contacts.

The good news for employers is that the law does not prohibit them from requiring employees to provide access, including user name and password, to non-personal accounts or services that allow access to employers' information systems. The law also does not prohibit certain employers (those in certain industries (e.g., securities, finance) who have to comply with certain regulatory requirements) from conducting investigations concerning the use of personal websites, web-based accounts or similar accounts by an employee for business purposes. The same is true for investigations involving the unauthorized downloading of employer proprietary or financial information to a personal website, web-based account or similar account.

The new Colorado law does not provide for a private right of action, but injured persons may file a complaint with the Department of Labor and Employment, which may impose fines of up to $1,000 for a first offense, and not more than $5,000 for subsequent offenses.   

Washington. Gov. Jay Inslee signed a similar law (SB 5211) on May 21, 2013, that contains restrictions on employers concerning the personal online accounts of their employees. The law also contains similar exceptions concerning employee investigations. The law becomes effective on July 28, 2013. 

Oregon. Last week, the Oregon legislature sent HB 2654 to the Governor's desk for signature. Like the two measures above, the law would prohibit employers from requiring or requesting access to the personal social media accounts of employees or applicants, as well as prohibiting employers from requiring employees or applicants to make the employer a contact or connection of the employer. Unlike the laws discussed above, the current version of the bill does not include an investigation exception.

New Jersey. Responding to Governor Chris Christie's concerns about a prior version of the bill (such as objecting to a provision that would have made it illegal to ask an employee if he or she has a Facebook account), the New Jersey General Assembly recently approved unanimously modifications to A2878, making it virtually certain to become law in New Jersey in the short term. The Governor has already signed a similar law protecting access to the social media accounts of university students and applicants.

Similar to the laws described above, A2878 would prohibit employers from requiring or requesting employees or applicants to disclose login information for their personal social media accounts. The law also proscribes retaliating or discriminating against any employee or applicant who fails to provide such information, reports a violation of the law, participates in an investigation or otherwise opposes a violation of the law. However, the new version of the law no longer provides for a private right of action, but civil penalties can be imposed for violations - up to $1,000 for the first violation,  $2,500 for each subsequent violation.

• Email This
• Print
• Comments
• Trackbacks

Our colleague John A. Snyder writes on our non-compete blog about the case of Eagle v. Morgan, No. 11-403 (E. D. Pa. March 12, 2013) in which the plaintiff sued her former employer for misappropriating her LinkedIn account and was awarded zero damages.

• Email This
• Print
• Comments
• Trackbacks

A New Jersey District Court has sanctioned a personal injury plaintiff for spoliation following the plaintiff’s deletion of his Facebook account which defendants were trying to access.  

The defendant’s discovery requests asked for documents or records of “wall posts, comments, status updates or personal information posted or made by plaintiff on Facebook and/or any social media website from 2008 through the present.” Later, the defendant sent forms for plaintiff to execute which would authorize Facebook and other sites to release plaintiff’s information. The plaintiff executed all the authorizations except the one for Facebook.

Plaintiff’s failure to execute the Facebook authorization was raised before the Court and the Court ordered plaintiff to execute the authorization.  Plaintiff agreed to enable access by changing his password to a certain word. Thereafter, defense counsel accessed the account to confirm the password change and printed some of the accounts content.  

The following day, Facebook notified plaintiff of the account access from an unknown IP address in New Jersey. Plaintiff notified his counsel who contacted defense counsel to confirm that the records would be sought from Facebook headquarters. Defense  counsel responded, explaining the account was accessed to confirm the password change but would not be accessed again as the authorization was sent to Facebook.

Facebook responded to the authorization advising that the Stored Communications Act barred it from disclosing the data but suggested having plaintiff download the content himself.    Counsel for the parties agreed that plaintiff would do so and turn over a copy, along with a certification that he had made no changes since he was first ordered to execute the authorization. However, plaintiff’s counsel later advised defendants that plaintiff had deactivated the account and could not reactivate it. The plaintiff claimed he deactivated the account because of the notification he received that unknown people were accessing his account without his permission.

The defendants moved for sanctions claiming that the deletion was intentional as postings contained in the deleted account would have helped refute plaintiff’s damages claim. Defendants based this assertion on content printed from the account prior to deactivation.  The Court rejected plaintiff’s argument that the information contained in the account was not intentionally suppressed and found that even if plaintiff did not intend to deprive defendants of the data, he intentionally deleted the account and thereby failed to preserve relevant evidence.

This case, as well as the case discussed here, provide valuable authority for accessing social media content in litigation. 

• Email This
• Print
• Comments
• Trackbacks

Shortly after Utah inked its own law, New Mexico Governor Susana Martinez signed S371 into law on April 5, 2013. Similar to the provisions in other states (such as, California, Illinois, Maryland and Michigan), S371 makes it illegal for employers to request or require applicants to provide a password, or demand access in any manner, to an applicant's social media account or profile. Unlike some of the laws in other states, the New Mexico statute appears to apply only to prospective employees, but not current employees.

Additionally, S371 makes clear that certain activities by employers are not affected by the law, namely:

• having electronic communication policies in the workplace addressing internet use, social networking activity and email,
• monitoring use of the employer’s information systems and networks,
• using information that is publicly available on the Internet, although as noted in prior posts there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

Unless you have been living under a rock from the past 24 hours, you are familiar with the story of Notre Dame linebacker, and Heisman Trophy runner up, Manti Te’o.  

As first reported by Deadspin.com it appears that the story of Manti Te’o’s “girlfriend” and her apparent death at the hands of leukemia were an elaborate hoax.  Deadspin’s article seems to imply that Manti Te’o was somehow involved in this hoax, while CNN.com reports that both Te’o and Notre Dame have insisted that he was simply a victim. 

Lennay Kekua, the name of the “girlfriend,” is apparently only known through several social media accounts maintained in that name.  However, Deadspin reports that it was able to locate the woman whose picture was utilized as the profile picture for Kekua.  According to that woman, the picture used was her public Facebook profile shot.  Similarly, she informed Deadspin that other pictures reporting to be “Kekua,” were actual taken from several of her social media accounts.  

While the details of this story continue to unfold, the story highlights one of the biggest risks of information obtained through social media; reliability.   As evidenced by the Te’o story, it is not difficult for someone to obtain a photograph of an individual and begin social media interactions in either that person’s name, or utilizing that person’s likeness.  Although this story illustrates one way such a “hoax” could occur, it is easily conceivable that a “fake” social media account could be utilized to post discriminatory, hurtful, or insensitive comments in the name of another.  While we have previously highlighted some of the issues surrounding an employer’s search of social media for employees or prospective employees, in this instance, “fake” comments could easily cost an individual a job, or a prospective job.  While the individual may lose out on employment, it is also possible that the employer is losing an excellent employee due to false information. 

• Email This
• Print
• Comments
• Trackbacks

In 2012, California took significant steps to increase privacy protections for users of mobile applications (apps) which involved working with companies such as Amazon, Apple, Facebook, Google, Hewlett-Packard, and Microsoft. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution.

These efforts led to the "Privacy on the Go" booklet published this month which sets out a range of helpful recommendations for app developers. Of course, many of the same principles discussed in this booklet would be helpful to any organization seeking to secure personal information. 

• Email This
• Print
• Comments
• Trackbacks

Our Labor colleagues reported on an interesting decision in the context of the National Labor Relations Act and involving Facebook. The decision holds that threats made by union members on Facebook are not treated the same as threats made by those same union members who happened to be on a picket line or in person. Read the full article.

• Email This
• Print
• Comments
• Trackbacks

Written by Jason Gavejian

One of the hottest topics throughout 2012 was the various states which passed, or enacted, legislation which prohibits employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account, such as Facebook or LinkedIn. In fact, this issue was recently featured in an article on nbcnews.com.   

Notably, fourteen states introduced such legislation in 2012, with Michigan becoming the most recent state to enact such legislation when Governor Rick Snyder signed his state’s equivalent law (HB 5523) last Friday. As we have discussed, California, Delaware (dealing with students at colleges and universities), Illinois, Maryland, and New Jersey (pending Governor's signature) also enacted laws on this issue in 2012.

We anticipate that other states will address this issue through legislation in 2013 and beyond. It is essential for businesses to be conscious of these new laws, and to carefully consider this issue whether or not the state in which they operate currently prohibits such conduct.
 

• Email This
• Print
• Comments
• Trackbacks

John A. Snyder posted this article on the Jackson Lewis Non-Compete and Trade Secret Report blog about a dispute involving ownership of a Twitter account.

• Email This
• Print
• Comments
• Trackbacks

As a growing number of states pass laws to restrict employers from gaining access to employees' personal social media accounts, what employees post in social media can be critical evidence in employment-related investigations and litigations. Check out my partner J. Gregory Grisham's recent article in HR Professionals Magazine discussing a recent Sixth Circuit decision concerning this issue in an FMLA context. 

• Email This
• Print
• Comments
• Trackbacks

Have you received this letter? If you did, it is part of Attorney General Kamala D. Harris efforts to formally notify scores of mobile application developers and companies that they are not in compliance with one aspect of California's privacy law. Letters are being sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms. Even if you have not received the letter, you may want to think about whether you need to comply.

The California Online Privacy Protection Act (CalOPPA) requires commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This enforcement action by Attorney General Harris is directed at mobile and social app platforms, but CalOPPA applies more broadly - to all commercial operators of online services that collect personal identifiable information about Californians.

It also is important to note that CalOPPA is just one of a number of privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The establishment of the Privacy Unit and this more recent enforcement of CalOPPA suggests California is stepping up the enforcement of its privacy laws. Privacy officers, security officers, compliance officers, information security officers, risk managers, and others in California and beyond should take stock of their compliance efforts and make adjustments where necessary.

• Email This
• Print
• Comments
• Trackbacks

Here is a link to a post on our sister blog Non-Compete and Trade Secrets Report entitled LinkedIn Account at Center of Lawsuit.  The case involves a dispute over control of a LinkedIn account between a company and its former President. The litigation may portend more disputes between employers and employees over social media accounts in the future.

• Email This
• Print
• Comments
• Trackbacks

New Jersey may become the fourth state, following Maryland, Illinois and California, to place limits on employers' ability to access the social media accounts of employees and applicants, following yesterday's 38-0 vote in the State's Senate. S1915 makes some changes to an Assembly bill that also was overwhelmingly approved. 

The Senate version would provide for a private right of action, in addition to civil penalties starting at $1,000 per violation. Acts by an employer that could lead to a violation include requiring or requesting that an employee or applicant disclose whether he or she has a personal social media account, or that he or she provide access to such account. Assuming the Assembly approves these changes, the measure will head to Governor Chris Christie for signature.   

If approved, the law would take effect on the first day of the fourth month following enactment. The Senate also approved a similar measure affecting college students.

• Email This
• Print
• Comments
• Trackbacks

The Federation of State Medical Boards (FSMB) recently adopted model policy guidelines for the appropriate use of social media and social networking in a medical practice. The model policy guidelines can be viewed here. In its findings, the FSMB reports that 67 percent of 4,000 physicians surveyed use social media for professional purposes and that research indicates 35 percent of practicing physicians have received friend requests from a patient or member of their family, and 16 percent of practicing physicians have visited an on line profile of a patient or patient's family member. This growing on-line connection between doctors and patients requires doctors and their employers to enact policies to ensure compliance with professional, legal, and ethical standards.

The guidelines also point to model social media policies that have been published by the American Medical Association, the Cleveland Clinic and the Mayo Clinic. Other professionals, including lawyers, and their employers can also benefit from consideration of the issues raised by the FSMB's guidelines.

• Email This
• Print
• Comments
• Trackbacks

Two New Jersey defense lawyers face attorney ethics charges in connection with the way they allegedly accessed Facebook. Regardless of how these charges are resolved, the facts in the case should serve as a reminder to attorneys to become more familiar with social media, and perhaps be more specific in the direction they give to their staff.  

The New Jersey Office of Attorney Ethics (OAE) alleges that John Robertelli and Gabriel Adamo caused a paralegal to "friend" the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page that was not publicly available.  The OAE alleges that the conduct violated Rules of Professional Conduct governing communications with represented parties, along with other rules.  Both attorneys deny the charges and claim that they only directed the paralegal to do general internet research, and that they did not tell her to add the plaintiff as a “friend” to gain access to otherwise private information. 

The Facebook access came to light during deposition questioning when the plaintiff was asked very specific questions about his travel, dancing, wrestling, or activities which would tend to disprove his claims as to the seriousness of the injuries he allegedly suffered after being struck by a police cruiser while doing push-ups in a driveway.   

The attorneys are charged with violating RPC 4.2, concerning communications with represented parties; 5.3(a), (b) and (c), failure to supervise a nonlawyer assistant; 8.4(c), conduct involving dishonesty and violation of ethics rules through someone else's actions or inducing those violations; and 8.4(d), conduct prejudicial to the administration of justice. Mr. Robertelli, the supervising partner, is also charged with breaching RPC 5.1(b) and (c), which impose ethical obligations on lawyers for the actions of attorneys they supervise.

While no New Jersey ethics opinion to date addresses “friending” individuals in connection with litigation, the bars of New York, New York City, Philadelphia, and San Diego have deemed it unethical.

These OAE charges, along with other New Jersey legal precedent, highlights the concerns and issues surrounding improper access to otherwise private social media content. 

• Email This
• Print
• Comments
• Trackbacks

Updating an earlier post, California A.B. 1844 is on its way to Gov. Jerry Brown. If signed into law, the bill would update California's Labor Code to significantly limit when employers could ask employees and job applicants for social media passwords and account information. However, the law would still permit employers to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception would apply so long as the social media is used solely for purposes of that investigation or a related proceeding.

If A.B. 1844 becomes law, it would join Maryland and Illinois which have enacted similar laws.

• Email This
• Print
• Comments
• Trackbacks

The District Court of New Jersey recently denied an employer’s motion to dismiss a former employee’s causes of action for invasion of privacy following a supervisor’s alleged unauthorized access to the employee’s Facebook account. 

In Ehling v. Monmouth-Ocean Hospital Service Corp., the plaintiff, a registered nurse and paramedic, alleged that the defendants engaged in a pattern of retaliatory conduct as soon as she became President of the local union. Specifically, the plaintiff alleged that defendants gained access to her “private” Facebook account by having a supervisor summon another employee, who was “friends” with the plaintiff, into an office and coercing or threatening that employee into accessing their Facebook account so that the supervisor could view those posts which the plaintiff had restricted to only her “friends.”   Plaintiff went on to allege that the supervisor then viewed and copied plaintiff’s Facebook postings. One such post was in regard to a shooting that took place at the Holocaust Museum in Washington, DC and stated:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I wasn’t to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a different! WTF!!!! And to the other guards…go to target practice.

Ultimately, in June 2009 the Hospital sent letters regarding the above posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Plaintiff alleged the letters were malicious and meant to damage her professionally.

The Court dismissed plaintiff’s New Jersey Wiretapping and Electronic Surveillance Control Act (“NJ Wiretap Act”) claim holding that the NJ Wiretap Act only protects those electronic communications which are in the course of transmission or are backup to that course of transmission. As plaintiff’s allegations involve a “live” posting, it did not fall under the purview of the NJ Wiretap Act. 

However, the Court went on to hold that plaintiff’s common law invasion of privacy claim involving defendants’ unauthorized “accessing of her private Facebook postings” could proceed. In relying on another New Jersey district court case which involved a supervisor’s asking an employee to gain access to a private social media account, the Court held that privacy determinations are made on a case-by-case basis, in light of all the facts presented. The Court went on to hold that the plaintiff had a plausible claim for invasion of privacy as she may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing.   

As we have mentioned before, legal guidance involving the utilization of social media in employment decisions is ever evolving and employers must remain vigilant as courts continue to develop these cases.  

• Email This
• Print
• Comments
• Trackbacks

Before addressing the privacy of employee social media activity as in Maryland and Illinois, Delaware has become the first state to prohibit public or nonpublic academic institutions from requesting or requiring current students or applicants to "disclose any password or other related account information in order to gain access to the student’s or applicant’s social networking site profile or account by way of an electronic communication device." The law, called the "Higher Education Privacy Act" was signed into law on July 20 by Gov. Jack Markell and becomes effective upon enactment.

• Email This
• Print
• Comments
• Trackbacks

The Washington Post reported on Governor Pat Quinn's signing of HB 3782 on August 1, 2012, at the Illinois Institute of Technology, making Illinois the second state following Maryland to prohibit employers from asking employees or applicants for their Facebook and other social media passwords. The law becomes effective January 1, 2013.

As we reported, HB 3782 amends the State's Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.

However, the law would not limit an employer's right to:

• have policies to regulate employees' use of the employer's electronic equipment, Internet use, social networking site use, and electronic mail use; or
• monitor the employee's use of the employer's electronic equipment and the employer's electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant's family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

• Email This
• Print
• Comments
• Trackbacks

Recruiters are increasingly turning to social media to screen and recruit candidates. Jobvite’s 2012 Social Recruiting Survey found that 92% of respondents plan to use social media for recruiting.  Often, recruiters are viewing and considering information that should not be utilized in the hiring process.  LinkedIn is replete with information that should not be considered when searching for or selecting candidates.  Yet, the same survey found that LinkedIn is the most popular social networking site for recruiters. 

LinkedIn profiles likely contain photos of candidates and other information identifying a candidate’s race, ethnicity, age, disability, pregnancy, or religion.  Federal and state anti-discrimination laws prohibit companies from using such non-work-related information when hiring.  Additionally, the Equal Employment Opportunity Commission (EEOC) has issued regulations for the employment provisions of the Genetic Information Nondiscrimination Act (GINA) that prohibit acquisition of “genetic information” through social media.  

The EEOC also has made clear that it is focusing its litigation efforts on eliminating systemic discrimination, such as discriminatory barriers in recruitment and hiring. The EEOC’s Compliance Manual states that bias is not always conscious, and that actions infected by stereotyped thinking or other forms of less conscious bias are discriminatory.  It further states that it is discriminatory to use a screening procedure that has a significantly disparate impact.

Employers can separate recruiters who screen applicants through social media from individuals who are making the hiring decision.  This would require a recruiter to search applicants online, scrub prohibited information, and deliver scrubbed profiles to a decision maker. This may be difficult for employers to act on without careful attention to details and legal guidance to avoid significant risks.  The process relies heavily upon a recruiter’s knowledge of employment laws to scrub prohibited information. Avoiding the issue because of its burdensomeness is fast being scrubbed as an option for employers.

Companies also can utilize third parties to screen applicants through social media as long as they are aware of the pitfalls.  First, many employers make little or no effort to determine whether the third party recruiters have developed appropriate safeguards.  Second, the Federal Trade Commission (FTC) has stated that employers who rely upon third parties for social media information about candidates must comply with the Fair Credit Reporting Act (FCRA).  

FCRA requires that an employer notify an applicant when it takes adverse actions based upon a consumer report.  Employers also must provide the rejected applicant with notice of his or her right to view the data relied upon as well as give the individual the opportunity to dispute any inaccurate or incorrect information.  Employers failing to comply with FCRA can be subject to tremendous liability.  For example, Spokeo, Inc., a website that collects and sells detailed consumer information by compiling online data, recently agreed to pay $800,000 to settle FTC charges alleging that it violated FCRA in the employment screening context. 

The EEOC, OFCCP (Office of Federal Contract Compliance Programs), and FTC are beginning to scrutinize employers that use social media to screen applicants.  Unfortunately, LinkedIn and other social media sites do not yet maintain a “safe” site for recruiters.  Employers need to anticipate government inquiry and not await the knock on the door.  Recruiters should be restricted from considering prohibited information about applicants, whether they are working on company time or researching an applicant on their own time.  They need appropriate social media guidelines and policies that are compliant with a host of laws.  Further, they need to be properly trained. 

Ignoring this problem or simply outsourcing recruitment to a third party without careful consideration of these issues and a recruiter’s qualifications is a recipe for lawsuits.

• Email This
• Print
• Comments
• Trackbacks

An employee's claim that he did not realize his employer could view posts he made to a co-worker's Facebook wall did not support his claim that the employer intruded upon the employee's seclusion, a Texas Court of Appeals held last week. Sumien v. Careflite (Tex. App. 2012).

In this case, the plaintiff and some of his emergency medical technician co-workers were commenting on Facebook about wanting to "slap" or otherwise constrain patients who are difficult to control while they are being transported. The company terminated Sumien and another technician following the company's Compliance Officer learning of these posts and receiving complaints about the comments.

In addition to wrongful termination and other claims, the plaintiff alleged that the employer's viewing these comments amounted to an impermissible "intrusion upon seclusion." To prove an intrusion upon seclusion claim, the former employee needed to show "(i) an intentional intrusion, physical or otherwise, upon another's solitude, seclusion, or private affairs or concerns that (ii) would be highly offensive to a reasonable person." The court found that not knowing his employer could view his comments did nothing to support the employee's claims that the employer intentionally intruded upon his seclusion, and denied the appeal.

In addition to providing some authority to defend intrusion upon seclusion claims in similar circumstances, this case also shows that employers need to think through whether and to what extent they need to be more involved in controlling and shaping employee activity on social media. This case involved complaints from other employees about the posts, but also could have involved patient complaints relating to disclosures of protected health information under HIPAA. The posts also could have been viewed by the company's business partners or potential business partners in a negative light, adversely affecting the company's reputation. A well-drafted policy, training and consistent enforcement generally are good steps to minimizing these risks.

• Email This
• Print
• Comments
• Trackbacks

Today, the NLRB's Acting General Counsel posted a third report regarding social media issues which have been brought to the agency. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. In six of the seven cases discussed, the General Counsel's office found some provision of the employer's social media policy to be lawful.  In the other case, the entire policy was found to be lawful.  Look for follow up analysis from us and our Labor Partners.

Please also check out our prior reporting on social media developments. 

• Email This
• Print
• Comments
• Trackbacks

The vote by the Illinois Senate, 55-0, in favor of HB 3782 may put Illinois ahead of California and other states to follow Maryland in making it illegal for Illinois employers to ask employees or applicants for their Facebook and other social media passwords. The bill awaits signature by Governor Pat Quinn, which was overwhelmingly approved by the House in March.

HB 3782 would amend the State's Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.

However, the law would not limit an employer's right to: 

• have policies to regulate employees' use of the employer's electronic equipment, Internet use, social networking site use, and electronic mail use; or
• monitor the employee's use of the employer's electronic equipment and the employer's electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant's family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

• Email This
• Print
• Comments
• Trackbacks

A Virginia district court recently held that an employee’s clicking of the Facebook “like” button is not comparable to speech. Accordingly, the court affirmed the dismissal of First Amendment retaliation claims brought by employees of a Virginia sheriff’s office finding that the employees’ action was insufficient to merit constitutional protection.

Sheriff B.J. Roberts of the Hampton, Virginia Sheriff’s Office was up for re-election in 2009. Employees within the sheriff’s office alleged that Sheriff Roberts learned that the employees were supporting his opponent when the employees “liked” the opponent's Facebook page. After he was re-elected, Sheriff Roberts terminated the employees allegedly due to staff reductions and performance issues.

The employees sued Sheriff Roberts alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he unlawfully fired them for actively supporting his political opponent.

The U.S. District Court for the Eastern District of Virginia rejected the employees' claims because the employees failed to allege that they had engaged in protected expressive speech when they “liked” the opponent's Facebook page. The court explained that without existing speech warranting First Amendment protection, the employees could not prove a violation of the right to freedom of speech occurred. The court held that “merely ‘liking' a Facebook page is insufficient speech to merit constitutional protection. In cases where courts have found that constitutional speech protections extended to Facebook posts, actual statements existed within the record.”

While this case may be helpful in the context of public employees, private employers must still be conscious of several issues including: how they obtain social media information about their employees; potential NLRB issues if an employee’s “likes” could be considered protected concerted activity; and potential state constitutional protections of an employee's right to privacy.

• Email This
• Print
• Comments
• Trackbacks

Not long after Maryland enacted a law prohibiting employers from demanding passwords to employees' or prospective employees' Facebook and certain other social media accounts, the California State Assembly voted 73-0 in favor of A.B. 1844. The California bill would prohibit an employer from requiring: 

an employee or prospective employee to disclose a user name or account password to access a personal social media account that is exclusively used by the employee or prospective employee.

The state's Senate will now need to consider the measure, where a related bill, S. 1349 (named "The Social Media Privacy Act"), would also protect students from having to disclose similar information to school officials. A hearing on S. 1349 is scheduled for May 21. Congress and a number of other states, including, Delaware, Illinois, Michigan, Minnesota, Missouri, New York, and South Carolina are considering similar measures.

Employers will need to monitor these developments carefully and consider how to advise and train their managers and human resources personnel about these new requirements.
 

• Email This
• Print
• Comments
• Trackbacks

UPDATE: Governor Martin O'Malley signed the bills discussed below into law on May 2, 2012.

Maryland will likely become the first state to prohibit employers from demanding usernames, passwords or other means to access any personal account or service through an electronic communication device (computer, phone, PDA, etc.), such as social media sites Facebook or LinkedIn, belonging to employees or job applicants. If signed by Governor Martin O’Mailey, as expected, the new law would become effective October 1, 2012, after being passed unanimously passed in the Senate last week and by a vote of 128-10 in the House. Employers need to monitor developments, as legislatures in other states have taken up similar measures.

S.B. 433/ H.B. 964 applies to any employer engaged in business in Maryland, as well as any unit of state or local government. It also reaches any agent, representative or designee of a covered employer. So, an employer cannot ask a third party to do under the law what the employer cannot do.

Covered employers also are prohibited from discharging, disciplining or otherwise penalizing  employees or applicants (or threatening same) who refuse to comply with the requests for access prohibited above. In addition, employers may not fail or refuse to hire applicants to object to similar requests. However, the Maryland law prohibits employees from making unauthorized downloads of company financial or proprietary data, and permits employers to investigate when it receives information about such activities. 

• Email This
• Print
• Comments
• Trackbacks

Written by Richard Greenberg

• Email This
• Print
• Comments
• Trackbacks

Prepared by Alexander Nemiroff

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

• Email This
• Print
• Comments
• Trackbacks

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment. The Maryland and Illinois legislatures would like to limit employers' ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE - Newly enacted Maryland law prohibits employers from demanding access to Facebook or other on line accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

• require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
• require an employee to install on the employee's personal electronic device software that monitors or tracks the content of the electronic device.  

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer's internal computer or information systems. 

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electroinc devices, including the personal devices of employees. This bill would make that process more challenging, particulalry for businesses with nationwide operations in heavily regulated businesses such as healthcare, insurance, finance and so on.   

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

• Finding medical information protected under the American with Disabilities Act or the Genetic Information Nondiscrimination Act.
• Acting inconsistently when similar information is found about different applicants/employees/executives.
• Acting on information that is not true.
• Intruding into private areas.  
• Failure to document the steps taken in conducting the search.
• Not realizing the Fair Credit Reporting Act may apply and require consent and notice requirements.
• Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination.  Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.

• Email This
• Print
• Comments
• Trackbacks

In connection with its coverage of national signing day, ESPN.com recently highlighted that social media is increasingly being utilized by coaches to contact, recruit and gather information about players. For players, it's a way to get recruited, control the message and interact with fans and other recruits at unprecedented levels.  And, like in the workplace, misuse of the media can have unfortunate consequences. A New Jersey high school prospect recently found this out when he was expelled from Don Bosco Preparatory after questionable posts were viewed on his Twitter account.  We have noticed similar trends and similar missteps in the employment context, where social media is often being utilized by companies and employees without first being well thought out. 

While the NCAA does provide some social media regulations, online interaction is far less regulated than more “old fashioned” forms of communication. According to Gregg Clifton, Co-chair of the Jackson Lewis’ Collegiate and Professional Sports Industry Group, “The days of face-to-face interaction between coach and recruit have been forever transformed. While the NCAA limits direct phone contact and texting by coaches to recruits, current NCAA regulatory freedom still permits coaches to use social media to contact, recruit, and gather information about players they are considering for their programs.” Similarly, both state and federal employment law struggle to keep up with the ever expanding social media realm.  This was most recently highlighted by the NLRB General Counsel’s report on social media. Consequently, even for employers that do have social media policies, they often do not address key issues such as the company’s presence on-line, regulatory requirements that apply in their industry, and how managers and supervisors should and should not be using the medium. In fact, as shown by many of the NLRB’s rulings discussed in the recent report, many policies contain overbroad proscriptions that violate a variety of laws.  

To keep up with social media, some schools are hiring individuals to monitor the social media of prospective student-athletes and to make sure that improper interaction is not occurring, as well as to ensure confidential information, such as under FERPA, is not being disclosed.  Employers too are seeking to hire individuals to not only assist in utilizing social media for marketing, but also individuals who can monitor how social media is and should be utilized in employment decisions.  This is particularly true for statutes and regulations which one may not necessary link with social media.  For example, employers often don’t realize that they may improperly acquire genetic information in violation of the GINA by “friending” or “following” employees or applicants. 

Of course, schools also are employers…so, while universities and colleges need to institute effective policies and procedures to address their use of social media in recruiting, they also must address social media usage in the employment context.  

• Email This
• Print
• Comments
• Trackbacks

Today, the NLRB's Acting General Counsel posted a second report concerning social media issues and the National Labor Relations Act. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. Look for follow up analysis from us and our Labor partners.

Check out our prior reporting on related developments.

• Email This
• Print
• Comments
• Trackbacks

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. One of the reasons for this growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

• Understand the medium - what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
• Determine desired uses - promotion of services/sales, recruiting, reputation management, community involvement, education, and so on. 
• Assess risks - privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
• Develop policies and procedures - control company message and regulate employee activity.
• Implement and train and reevaluate - limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information on line), determine whether social media plan is producing desired results

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.   

• Email This
• Print
• Comments
• Trackbacks

A Wall Street Journal article on December 2 discusses the National Labor Relations Board's emergence into social media and non-union workplaces. For employers that have not looked at their policies and practices concerning employee activity in social media, this article serves as a good reminder. 

Click here for more information.   

• Email This
• Print
• Comments
• Trackbacks

 As the holidays approach, I am reminded of an employment law attorney I used to know who wrote a column about this time of year about holiday parties. He would warn Human Resources (“HR”) professionals to beware of sexual harassment issues as the punch flows and inhibitions dissipate at the annual office get-together.  How things have changed. In this era of Facebook and I-phones, every day is a holiday party in terms of potential liability. It used to be the only photographic evidence of employee carousal was a black and white photocopy of someone’s derriere. Now, smart phones capture everything in full color pixilation and the evidence is posted instantly. We may never know what Herman Cain and his associates were up to in the 1990s, but if it had happened now, you can bet there would be a text, tweet, or digital photo to add fuel to the Yule log fire.

As 2011 draws to a close, most employers have realized they cannot ignore social media. Social media exponentially increases a company’s opportunity for marketing. But HR folks also know that social media exponentially increases the opportunities for employees to do silly things and get in trouble. More than one fast food franchise has had to respond to digital photos posted on line of teen-aged employees bathing in a restaurant sink. Even folks who ought to know better, including an NFL quarterback and a United States Congressman, allegedly sent digital photos of their sugarplums to women who either did not want them, or did not mind sharing them on the Internet.

Based on my conversations with members of corporate HR departments, in the 2012 New Year they will be facing Social Media 2.0 – Rise of the Smart Phones.  Anyone who does not already have a smart phone will probably get one for Hanukkah or Christmas. All employers should already have a social media policy addressing expectations of privacy, anti-harassment, overtime, trade secret protection, Federal Trade Commission (FTC) restrictions, and exceptions for concerted activity and protected speech under the National Labor Relations Act.  Next year, employers will need to consider whether certain categories of employees should be required to keep smart phones locked away during business hours and will also need to respond to the growing demands by employees that they be allowed to conduct confidential company business on their personal I-phone.

Many employment law attorneys and HR managers may be asking Santa for a respite from the technology onslaught, and may need a drink at the holiday party as much as the next employee.

• Email This
• Print
• Comments
• Trackbacks

Written by Alexander Nemiroff

Employers are beginning to realize that their employees are sending or receiving recommendations on social media sites, such as LinkedIn, that are inconsistent with the employer’s policies, or worse, are false or fraudulent. They need to do something about it.

A large number of social media web sites are allowing users to recommend the work performance or services of co-workers, vendors, and customers. Unfortunately, many employers are not paying attention to this phenomenon. To their chagrin, they are discovering serious problems with these recommendations only when it is much too late.

For many years, attorneys have advised employers that providing positive or negative references for former employees can be problematic. Negative references for employees can often lead to defamation actions. As for positive references, a number of courts have found employers liable who provided false positive references for former employees that employers knew had committed crimes or engaged in other misconduct. As a result, many employers today simply provide neutral references for all former employees.

Unsanctioned recommendations appearing on social media sites also can cause complications for employers. Take, for instance, an ill-timed positive reference published by a manager on a social media site extolling his former employee’s honesty while, at the same time, but unbeknownst to the manager, the employer was contemplating litigation against the former employee for taking trade secrets or other confidential business information as he was leaving. 

Anonymous recommendations or endorsements by employees also may run afoul of the Federal Trade Commission’s Guidelines on the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. § 255. For example, employees anonymously endorsing their own company’s products without full disclosure of their relationship may trigger liability. The Guidelines require not only full disclosure of such relationships, but that employers have procedures in place to prevent such an endorsement from being made.

To avoid these issues, employers should take several steps. First, employers need to amend their written social media and/or reference policies to address unauthorized employee recommendations and references on social media sites. Depending upon the circumstances, barring employees from making such references may be appropriate. However, this is not always practical or prudent for employers who are encouraging employees to promote their businesses through social media. Under these circumstances, employers may require that employees request authorization from their human resources department or other designated individual before making references or recommendations, and to make any necessary disclosures.

Simply amending social media and references policies and procedures, however, may be insufficient. Employers need to be vigilant and proactive in this area. Appointing suitable personnel, and perhaps a social media manager, to monitor public social media sites to ensure that employees are not violating these critical policies, is another measure employers should consider. When monitoring, special care should be taken by governmental entities not to violate an employee’s constitutional right to privacy and by private employers not to infringe upon laws protecting employee off duty or protected concerted activities. 

• Email This
• Print
• Comments
• Trackbacks

Have you hired a social media manager?  A social media guru/wizard/ninja/diva?  Each of these job "titles" are increasingly being used by companies to attract individuals who specialize in marketing a company's brand and/or services in social media.  A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles are becoming corporate America.  

As companies struggle to keep up with the rapidly evolving world of social media, they are turning to hiring to hiring social media managers to handle their social media presence.  However, companies should be leery of the “jump first, look second” approach.  In fact, several key questions should be asked when delving into the realm of social media and hiring a new, typically younger employee with responsibility for a company’s social media existence and, therefore, its brand

Qualifications:

• What qualifications are you looking for?  Often companies seek a younger employee who is "tech-savy."  Traditional employment issues notwithstanding (i.e. age discrimination when an "older" employee is not hired/considered for a position), companies must also consider what their social media mission/focus will be.  For example, to the extent a company utilizes social media as a marketing tool, will you want your social media manager to have a background in marketing?  Similarly, to the extent you wish to utilize social media to handle client/customer complaints, will you want your social media manager to have a background in customer relations? Will you hire an external candidate who is perhaps unfamiliar with your company and its mission, or will you hire an internal candidate?

Responsibilities:

• What products/services will the social media manager be responsible for discussing/marketing?
• Will the social media manager have total freedom to explore and execute social media opportunities? 
• What policies will the social media manager be responsible for implementing?  Will the social media manager have responsibility for implementing the company's social media policy to employees and managers as well?

Training/Protocols: 

• What training will be provided to your social media manager?  For example, will the social media manager be trained on what information he/she should or should not consider when examining posts by customers and/or employees? 
• What policies will govern your social media manager’s employment?  Will the social media manager be permitted to “friend” employees/subordinates on social media or establish policies for employees to follow? 
• What safety protocols will be in place?  For example, if your company has a Facebook page, will you social media manager be responsible for maintaining the password and access to same?  How will the company transition its social media presence if and when the social media manager separates from employment? 

While the above list is by no means exhaustive, it demonstrates some of the additional considerations that must be examined when a company wishes to expand into social media.   Companies are often unaware of the need to consider these questions prior to implementing a social media policy or hiring a social media manager.  However, examining these points will help ensure your company’s social media experience flows more smoothly. 

• Email This
• Print
• Comments (1)
• Trackbacks

In a 23-page report, the Acting General Counsel for the National Labor Relations Board summarizes the Board's positions on social media and labor relations. This report is an interesting read and provides insight into one aspect of drafting social media policies - whether the policy will violate an employee's right to take part in protected concerted activity.

The report notes that:

Recent developments in the Office of the General Counsel have presented emerging issues concerning the protected and/or concerted nature of employees’ Facebook and Twitter postings, the coercive impact of a union’s Facebook and YouTube postings, and the lawfulness of employers’ social media policies and rules. This report discusses these cases, as well as a recent case involving an employer’s policy restricting employee contacts with the media. All of these cases were decided upon a request for advice from a Regional Director.

Social media clearly is an important issue for the Board and this memorandum likely is not its last word on the rules that will shape employer policy concerning the use of this media. The following discussion summarizes the memorandum and its effects on social media policy.

See related articles concerning NLRB activity concerning social media.

• Email This
• Print
• Comments
• Trackbacks

. . . A Potential Headache for Employers of Younger Workers

Written by Lillian Moon

Retail, entertainment, hospitality and other industries that traditionally employ large numbers of younger workers may soon get dragged into criminal proceedings because of “sexting” by their younger workers. Florida has joined 20 other states — Alaska, Arkansas, California, Hawaii, Indiana, Iowa, Kansas, Mississippi, Nevada, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, and Guam — which have all enacted similar legislation addressing teen sexting. Because employees frequently transmit these materials using their employer’s networks, criminal prosecutions under these laws may require employers to respond to discovery requests and subpoenas, or permit searches pursuant to warrants obtained by law enforcement authorities, which, in turn, may unexpectedly trigger disciplinary proceedings.

On June 21, 2011, Florida Governor Rick Scott signed into law H.B.75/S.B. 888. Under this law, which will take effect beginning October 1, 2011, a minor (anyone under the age of 18) commits the criminal act of “sexting” if he or she knowingly uses a computer, cell phone, or other transmission device (1) to transmit or distribute to another minor a photograph or video of any person which depicts nudity; or (2) possesses such photograph or video which was transmitted or distributed by another minor, unless the photograph was unsolicited, the minor took reasonable steps to report the photograph or video to their legal guardian, school official, or law enforcement, and the minor did not transmit or distribute the video or photograph to a third party. A minor’s first offense is considered noncriminal and is punishable by 8 hours or community service or a $60 fine. The minor’s second offense is a misdemeanor in the first degree, punishable with imprisonment not to exceed one year or a $1,000 fine; and the minor’s third offense is a felony of third degree, punishable with up to five years’ imprisonment or a $5,000 fine.

Of course, sexting is not only an issue for minors. It is fast becoming an easy and well-utilized mechanism for sexual and other workplace harassment. Accordingly, employers should review and update their anti-harassment policies to include a prohibition of harassment via e-mail, text messaging, or use of social networking sites; and they should review their electronic communications policies to include a prohibition against using any employer-provided electronic device to transmit or retain any sexually suggestive or explicit pictures, texts, videos or any other derogatory material regarding race, ethnicity, age, disability, religion, or any other protected category. Employers should also educate and train employees on the revised policies and continue to enforce all policies in a fair and consistent manner. At the same time, employers should remain mindful of any limitations on such policies (as written or as applied) that may be imposed under the National Labor Relations Act.
 

• Email This
• Print
• Comments
• Trackbacks

Written by Ron Sgambati

NLRB Acting General Counsel Lafe E. Solomon offered some insight into the NLRB’s interest in Social Media earlier this month when he spoke at the Annual Conference on Labor at New York University. During his presentation, Solomon revealed that every one of the 52 NLRB regional offices across the country has at least one pending case presenting issues about employee use of Social Media or an employee’s policy concerning the use of Social Media.

Solomon noted that his work had reached a higher profile than his predecessor, and he credited it in large part to the NLRB’s attention to social media. Solomon said that the “good part” about the intense publicity the NLRB has received over the past year has been that he has had the “rare privilege” of using media appearances and interviews to explain the rights of employees under the National Labor Relations Act (“NLRA”), which had been unfamiliar or unknown to many Americans.

Solomon’s comments make it apparent he enjoys having the NLRB in the spotlight. His comments also explain what may be the motivation behind the NLRB focus on Social Media - the topic of Social Media provides the Board with an always-available platform from which to reach a public which may not otherwise be interested in hearing what the Board has to say about the NLRA.

Due to the pervasiveness of Social Media cases at all 52 regional offices, it appears certain that the summer months will heat-up with discussion of Social Media issues at the workplace.

• Email This
• Print
• Comments
• Trackbacks

Co-Author:  Joseph J. Lazzarotti

The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations.  In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace.  But what should those policies say and what should the training focus on?

To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:

·         Two recent Third Circuit opinions handed down on June 13, 2011-- J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below)-- illustrate the importance of educating employees (teachers and administrators) about student’s First Amendment rights concerning social media and when discipline is appropriate,

·         FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,

·         The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,

·         The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.

In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals. 

In Blue Mountain School District, 8^th grader J.S., using her home computer, created a MySpace profile in the name of her principal.  The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days.  The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.  

In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal.  The profile included “degrading” content regarding the principal.  Upon learning of the profile, the School District suspended Justin for 10 days.  In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.  

These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools is Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969).  In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam.  When school officials learned of the plan, they preemptively prohibited students from wearing armbands.  Several students who ignored the prohibition and wore armbands to school were suspended.  Eventually, the students brought suit alleging their First Amendment rights had been violated.  The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially" disrupt the work and discipline of the school. 

These cases demonstrate the court's struggle in addressing social media content, especially where there are additional constitutional concerns when a party is a public entity.  For many organizations, First Amendment issues will not be at issue, but there likely will be other considerations.  As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful.  As these developments have shown, efforts to address social media must include an effective industry specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and conducting the entity's business. 

• Email This
• Print
• Comments
• Trackbacks

Written by Ron Sgambati

It’s hard to miss the National Labor Relations Board’s recent activity targeting employer decisions based on workers’ use of social media - as it attempts to establish parameters in the work-life balance between social media and rights protected by the National Labor Relations Act. Just when employers understandably may feel compelled to stop basing employment decisions on social media use, a recent Advice Memorandum is giving employers hope.

The Arizona Daily Star had encouraged its reporter to use social media to reach people who might not read the paper and to drive readers to the newspaper’s website. The employee tweeted using his work computer, his company-provided cellphone and his home computer and linked his Twitter account to his Facebook and MySpace pages. Therefore, whenever he tweeted, the same message would be posted on Facebook and MySpace.

In one tweet, the employee criticized the Daily Star’s television staff. The employer warned the employee that his comments were inappropriate, but he continued to post inappropriate tweets, while commenting as a public safety reporter. The tweets included, “What?/?/?/? No overnight homicide? WTF? You’re slacking Tuscon.”

His employer suspended him then terminated his employment. He filed a charge with the NLRB Regional Office claiming he was terminated for engaging in NLRA-protected concerted activity. The Regional Office, as instructed by Office of the General Counsel’s Memorandum dated April 12, 2011, referred the charge to the Division of Advice (“Division”) because the charge involved discipline for engaging in alleged protected concerted activity using social media.
The Division did not find a violation of the NLRA. It instructed the NLRB Regional Office to dismiss the unfair labor practice charge. It determined that after opening a Twitter account and linking it to the Daily Star’s website, the employee engaged in “inappropriate and offensive Twitter postings that did not involve protected concerted activity” and was terminated for engaging in misconduct. This is an important development for employers, perhaps signaling the NLRB’s seemingly aggressive social media stance may not be one-sided.

The victory, however, has been tempered by the NLRB General Counsel’s May 9, 2011, complaint against Hispanics United of Buffalo, a nonprofit organization that provides social services to low-income clients. The complaint alleges the firing of five employees for Facebook postings that criticized working conditions was improper interference with protected concerted activity. It alleged that an employee posted a co-worker’s allegations that employees did not help the company’s clients enough and other employees responded to the post by defending their work and blaming working conditions, including staffing workload issues. The employer fired the five employees after learning of the posts because it found the comments were harassing to the employee who made the original post. A hearing has been scheduled for June 22, 2011.

These latest developments seem to show the NLRB searching for balance between the workplace and social media. The Wall Street Journal reports the Board said it had more than two dozen cases involving worker complaints aired on the social media site Facebook. Stay tuned . . . but in the mean time, employers need to think carefully before acting.
 

• Email This
• Print
• Comments
• Trackbacks

The Maryland Senate recently referred Senate Bill 971 which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts. 

Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide their passwords. The bill also bans employers’ threats of such action.  

The bill was introduced in response to employers’ asking applicants and employees for their passwords as part of background checks to see the content posted by the individuals on social networking sites (e.g., Facebook ). S.B. 971 would, however, permit employers to require workers to disclose their passwords only to the employers’ internal computer systems.  

This proposed Maryland law, and case law from New Jersey, should alert employers that utilizing social media in their hiring, discipline, or termination decisions is under scrutiny.

• Email This
• Print
• Comments
• Trackbacks

A registered nurse terminated from employment for posting on Facebook while dispensing medication to a patient could not collect unemployment benefits in Pennsylvania. Chapman v. Unemployment Comp. Bd. of Review. This case is another example why it is critical to have clear, written electronic communication and social media policies in place that are reasonable and enforced consistently. Without the policy in place, this employer surely would have had a more difficult time defending the unemployment claim.

In this case:

• the employer's policies provided that (i) it may immediately discharge an employee who engages in conduct that could cause a life threatening situation and (ii) cell phone usage is prohibited while on duty;
• the employee was aware of these policies and had previoulsy been warned about them;
• while on duty and dispensing medicine to patients, the employee used her personal cell phone to post comments on her Facebook page about an unpleasant and embarrasing incident experienced by a coworker;
• the nursing director heard other nurses speaking about the Facebook posts in the hall and asked one of the nurses to show them to her; and
• the employer terminated the nurse who made the posts on grounds that her conduct could cause a life threatening situation to patients.  

Reversing an earlier decision that would have allowed the employee to receive unemployment because her actions did not constitute "willful misconduct," Pennsylvania's Unemployment Compensation Board of Review noted that the nurse "was aware of the employer's policy prohibiting the use of cell phones while on duty, yet she violated that policy despite having been previously warned for doing so.” The Pennsylvania Commonwealth Court agreed.

• Email This
• Print
• Comments
• Trackbacks

Written by Ron Sgambati

Seemingly intent on making sure it is perceived as current, if not trendy, today’s National Labor Relations Board (NLRB) has continued to demonstrate an avid interest in social media. Not only is it paying attention to new media in all its forms, but it is also actively participating, with a Facebook page, a YouTube channel and a Twitter feed.

On April 12, 2011, the NLRB General Counsel issued a memorandum (pdf) to NLRB Regional Directors updating the list of matters that must be submitted to the Division on Advice. Included on the list are cases involving:

employer rules prohibiting or discipline of employees for engaging in, protected concerted activity using social media, such as Facebook or Twitter.

This is expected to allow the Board to have an earlier and more uniform oversight of matters involving social media.

The directive comes after the Board’s recent involvement in matters concerning possible protected concerted activity on Facebook and Twitter. In late 2010, the NLRB challenged a company’s Social Media/Facebook policies which the company maintained were lawful. The case settled with the company agreeing to make suggested changes to its policies.

In April, 2011, the NLRB targeted another social medial resource – Twitter. According to the New York Times,  the NLRB had warned a New York news agency that it planned to file a complaint accusing the company of illegally reprimanding a reporter over her criticism of company management in a Twitter posting. The Board asserted the company violated the reporter’s right to discuss working conditions with other employees. The matter was resolved when the union and company - which had been negotiating a new contract - reached a tentative contract on April 28, 2011. According to the New York Times,  the company has agreed to negotiate a new social media policy that would include language that will protect employees’ speech and the right to engage in other concerted activity about working conditions.

The Board again focused on Facebook after issuing its directive. On April 27, 2011, the NLRB reported it had approved a settlement in a case involving a California web-based home improvement retailer. A former employee had claimed she was terminated from her employment in retaliation for having posted comments about the company and possible state labor code violations on Facebook. The case was resolved and as part of the settlement the company agreed to post a notice at the workplace for 60 days stating that employees have the right to post comments about terms and conditions of employment on their social media pages and that they will not be terminated or otherwise punished for such conduct.

It is only a matter of time before there is a litigated case and a court’s ruling addressing these very real and reoccurring issues. Employers should exercise care in how they handle social media issues from a labor relations perspective and treat the recent NLRB scrutiny as an invitation to revisit their own social media policies.

• Email This
• Print
• Comments
• Trackbacks

Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers.  In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.”  The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.     

The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures and she never gave permission for the photographs to be published in this manner on.  Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page.  There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.”  The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.

The potential implications of this holding are numerous.  As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages.  Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions.   Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.

• Email This
• Print
• Comments
• Trackbacks

Co-authored with: John Snyder 

The First Amendment of the U.S. Constitution protects from judicial restraint discussions over matters of public concern, including claims of wide-scale data breaches of social security numbers and other personal information by a former employee on a blog, a New York State Supreme Court justice has ruled. Cambridge Who’s Who Publishing, Inc. v. Sethi, 009175/10, NYLJ 1201482619238, at *1 (Sup. Ct., Nassau Cty. Jan. 25, 2011). Finding no extraordinary circumstance that would overcome the Constitutional protection, the court denied a company’s request to enjoin its former employee from blogging about the company and its products, despite his agreement to maintain the confidentiality of confidential business information.

Relevant Background

Harsharan Sethi was the Director of Management Information Systems for marketing and networking company Cambridge Who’s Who Publishing. When Sethi started working at Cambridge in July 2008, he signed an “employee covenants and non-disclosure agreement.” The agreement prohibited Sethi from using the company’s confidential information, except to pursue Cambridge’s business. Confidential information included “client names, addresses, and credit card numbers.” Cambridge terminated Sethi’s employment in February 2010.

The Blog Post

After Sethi’s termination, Cambridge suspected he was the author of a post on www.cambridgeregistrscam.com, which stated that members might be entitled to a full refund of their membership fees, suggested that members file complaints with the District Attorney and Attorney General, and offered to provide information on management personnel, including “their backgrounds,” “their life styles,” and “their prior run ins with [the] IRS.”

Cambridge viewed the blog post on May 11, 2010, and moved for a preliminary injunction the very next day. It sought to restrain Sethi from: (1) attempting to access Cambridge’s database; (2) contacting Cambridge’s “members” or customers; (3) disclosing customers’ personal information; (4) making any statements about Cambridge that might interfere with its goodwill, including contacting its employees or vendors; and (5) maintaining any blog or website concerning Sethi’s former employment.

The court granted the company’s request for a preliminary injunction, in part, enjoining the solicitation of Cambridge’s customers or disclosing their names or personal information. The court, however, denied Cambridge’s request that Sethi be restrained from making any allegedly defamatory statements regarding the company.

Cambridge later renewed its injunction request, submitting to the court allegedly defamatory statements made by Sethi after the court’s initial ruling. It presented an e-mail from Sethi to the New York Attorney General in which Sethi stated that tapes containing the personal data (including names, addresses, social security numbers, payroll data, checking account and credit card information) of 400,000 Cambridge members were lost or stolen from the company.

The court then granted a temporary restraining order enjoining Sethi from contacting Cambridge’s employees about his former employment or making statements that interfere with Cambridge’s goodwill, including maintaining a website or blog, until the preliminary injunction hearing.

First Amendment Protection

At the hearing, though, Justice Stephen Bucaria finally denied the injunction, holding that the First Amendment of the U.S. Constitution encompasses “at the least the liberty [to] discuss publicly and truthfully all matter of public concern without previous restraint or fear of subsequent punishment.” Finding that the alleged loss of social security numbers and credit card information, among other data, “implicate[] the economic interests of a large number of people” and, therefore, were matters of public concern, the court held that Cambridge had failed to establish “extraordinary circumstances” justifying a prior restraint on speech and warranting the denial of the injunction restraining Sethi from communicating with Cambridge’s customers or law enforcement agencies concerning data loss.

Lessons

Cambridge provides employers with several significant lessons.

• First, it is instructive of the enforceability of a non-solicitation-of-customers provision that it enforced by injunction.
• Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
• Third, the decision raises two key points about data security:
  • Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General's Office, and Consumer Protection Board.
  • Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation upon asserting they have suffered an adverse employment action after their complaints about data security at their companies.

• Email This
• Print
• Comments
• Trackbacks

Our adversaries are trolling social networks, blogs and forums, trying to find sensitive information they can use about our military goals and objectives. Therefore, it is imperative that all Soldiers and Family members understand the importance of practicing good operations security measures.

-Sgt. Maj. of the Army Kenneth O. Preston

The above quote is contained in the U.S. Army Social Media Handbook, (pdf) published January 2011, which lays out a comprehensive set of guidelines for soldiers participating in social media. According to the the Handbook: The Army encourages members of the Army Family to use social media to connect and tell their stories, but it also advises everyone to do this in a safe
and secure manner.

This move by the Army follows a February 25, 2010, Department of Defense Directive-Type Memorandum (DTM) which provided guidelines for military use of social media and acknowledged
“that Internet-based capabilities are integral to operations across the Department of Defense.”  The DTM clearly indicates that use of social media in the DoD is authorized.

While much of the specific policy governing soldiers' is left to Army leaders, the Handbook provides some familiar advice:

• Take a close look at all privacy settings. Set security options to allow visibility to “friends only.”
• Do not reveal sensitive information about yourself such as schedules and event locations.
• Ask, “What could the wrong person do with this information?” and “Could it compromise the safety of myself, my family or my unit?”
• Geotagging is a feature that reveals your location to other people within your network. Consider turning off the GPS function of your smartphone.
• Closely review photos before they go online. Make sure they do not give away sensitive information which could be dangerous if released.
• Make sure to talk to family about operations security and what can and cannot be posted.
• Videos can go viral quickly, make sure they don’t give away sensitive information.

Many of the technological and personnel issues that concern the Army apply in the private sector, although for obvious reasons there can be far different consequences for the military (and for us). Still, having clear policies and thinking through how social media can affect your business is critical for today's workplace. 

• Email This
• Print
• Comments
• Trackbacks

Co-authored with Marty Payson

The combination of “social media” and the “workplace” raises many traps for the unwary employer:

Can we use social media when hiring? Can employees be prohibited from using social media at work? Can we monitor employees use of social media? What are the essential elements of a social media policy?

As with many issues involving new technology, however, a good part of the analysis typically reverts back to traditional principles of employment law. The same is likely to be true when the use of social media intersects with certain aspects of Labor Law.

Section 7 of the National Labor Relations Act states:

Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities except to the extent that such right may be affected by an agreement requiring membership in a labor organization as a condition of employment as authorized in section 8(a)(3) [section 158(a)(3) of this title].

An employer violates NLRA Section 8(a)(1) by acts and statements reasonably tending to interfere with, restrain, or coerce employees in the exercise of their Section 7 rights. Thus, employers need to remember to consider existing labor principles issues when adopting and enforcing social media policies, discussing social media usage with employees and monitoring usage, and disciplining employees because of their social media usage.

In a recent case (Salon/Spa at Boro, Inc. 9-CA-45349, 9-CA-454426, 9-CA-45538), employees claimed their manager unlawfully threatened them concerning their social media usage. The manager impressed upon the employees that their postings on social networking sites were perhaps more available for public viewing than they realized, and expressed displeasure that certain current employees were choosing to post comments on social network sites belonging to disgruntled former employees. In addition to agreeing with the employer’s statute of limitations arguments, the Administrative Law Judge found the purpose of the manager’s statements concerning publicity to be didactic, not coercive. In regard to the statements about postings on sites belonging to disgruntled employees, the ALJ found no threats, but rather a lawful expression by an employer of opinion, citing NLRB v. Gissel Packing Co., 395 U.S. 575, 617 (1969).

A nonbinding Advice Memorandum from the National Labor Relations Board in Sears Holdings (Roebucks) Case 18-CA-19081 addressed a social media policy and whether it violated Section 7 of the NLRA. The policy stated:

In order to maintain the Company’s reputation and legal standing, the following subjects may not be discussed by associates in any form of social media:

• Company confidential or proprietary information

• Confidential or proprietary information of clients, partners, vendors, and suppliers

• Embargoed information such as launch dates, release dates, and pending reorganizations

• Company intellectual property such as drawings, designs, software, ideas and innovation

• Disparagement of company’s or competitors’ products, services, executive leadership, employees, strategy, and business prospects

• Explicit sexual references

• Reference to illegal drugs

• Obscenity or profanity

• Disparagement of any race, religion, gender, sexual orientation, disability or national origin

The Division of Advice held that while the provision concerning disparagement of the company’s executive leadership, employees, and strategy could “chill” Section 7 activity, the policy should be viewed in context, not by looking at any provision in isolation. The Division of Advice reasoned that the policy does not apply to Section 7 activity because while the statement “could chill the exercise of Section 7 rights if read in isolation, the Policy as a whole provides sufficient context to preclude a reasonable employee from construing the rule as a limit on Section 7 conduct.” This is because virtually all of the other items on the list of proscribed activities in the policy are clearly not protected by Section 7.

These two decisions provide some good news for employers. The bad news is that both of these decisions were made before the significant changes in the make-up of the National Labor Relations Board following Barack Obama’s becoming President. Many believe the current composition of the NLRB is likely to substantially change these results, requiring employers to exercise more care in how they handle social media issues from a labor relations perspective. There also are related issues that may be revisited by the NLRB in the near future, such as Board’s decision in Guard Publishing Co., d/b/a The Register-Guard, 351 NLRB 1110 (2007) (pdf), that a policy prohibiting use of the employer's e-mail system for any "non-job-related solicitations" does not violate the §8(a)(1).

• Email This
• Print
• Comments
• Trackbacks

Confidentiality and non-disparagement clauses are customary in settlement agreements and severance contracts in the employment law context. These days, however, the temptation can be irresistible for disgruntled former employees to trash their former employer on social media sites like Facebook, Twitter, or LinkedIn, on blogs, by text or e-mail or other electronic means.

In the 1800s, Londoners stood on soapboxes at Speaker’s Corner in Hyde Park to air their grievances to small groups of passers-by. But in 2010, with greater permanency and reach, disgruntled employees are more likely to turn to the Internet to share their thoughts to the entire planet. A former software company employee once sent 200,000 e-mails to 35,000 employees complaining of his treatment by a former employer.

For this reason, standard confidentiality and non-disparagement clauses should include a specific prohibition regarding communications on social media and e-mail, along with a liquidated damages provision. This puts the former employee on notice and will make him or her think twice before “tweeting” about the employer. In addition, a court will be more likely to enforce the agreement and award the company damages for a breach if there is specific language addressing this behavior.

In one recent case, a federal court ruled that an employer was relieved from payment obligations under a confidential settlement agreement after the plaintiff texted her friends about the amount of the settlement. In another case, a former CEO and CFO anonymously posted negative comments about a publicly traded company on Yahoo. The company determined their identity by subpoena and sued under a non-disparagement clause, recovering six-figure severance payments. These cases fly under the radar because they are often filed under seal, but they are increasing. 

A claim for breach of a non-disparagement clause is different from a defamation claim in important ways. Most importantly, truth is not necessarily a defense. Damages are generally limited to liquidated damages or compensation damages. Disgorgement of any severance pay is a proper form of contractual damages for a breach.

In City Group, Inc. v. Ehlers, 402 S.E.2d 787 (Ga. Ct. App. 1991), a company’s former president was quoted as saying that he left because of “philosophical differences” and that “[i]t was hard to define the direction of the Company.” The company sued him under a non-disparagement clause. The court held that the comments did not constitute disparagement, noting:   The term, "disparagement," is defined in Webster's Third New Intl. Dictionary (1961) as "diminution of esteem or standing and dignity; disgrace . . ., the expression of a low opinion of something; detraction. . . ."  A “disparaging” term, according to the court, can therefore be broadly viewed as a negative statement, even if true. The Webster’s New Riverside University Dictionary defines “derogatory” as “disparaging.” So the terms seem synonymous.

As employers strive to protect their reputation, good will, and employee morale in the age of social media, non-disparagement clauses are worth a look.

• Email This
• Print
• Comments
• Trackbacks

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

• Email This
• Print
• Comments
• Trackbacks

ABC news reported yesterday about an employee fired for statements made on a social networking site – this time Facebook. The employee, Massachusetts high school teacher June Talvitie-Siple, was fired by her school district for statements she made about the community, her students and their parents. The 54-year-old teacher mistakenly thought her statements were being communicated only to her circle of friends on the popular site, not to the entire world. As others have found before her, such a misconception can be costly.

What did Talvitie-Siple say on Facebook? In one post, she referred to the students as “germ-bags,” on account of the multiple times she caught illnesses from them. She also described the community and the parents as “arrogant” and “snobby.”

Whether these are the kinds of posts that warrant termination of employment is beyond the scope of this discussion.

The ABC report shows that the negative consequences of unflattering social media communications are on the rise (even though employees have yet to realize it). Companies need to think through their policies concerning these kinds of electronic communications, made both at and outside of work, particularly regarding the appropriate levels of discipline. A helpful discussion of this and other issues employers should be thinking when it comes to social media can be found here.
 

• Email This
• Print
• Comments
• Trackbacks

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

• Email This
• Print
• Comments
• Trackbacks

Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.

These risks can take many forms - FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company's reputation - to name a few.  The damage can be done whether the employee is posting at home or during working hours.

This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particulalry in three area: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.

• Email This
• Print
• Comments
• Trackbacks

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

2. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

• Email This
• Print
• Comments
• Trackbacks

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks

More companies are becoming a part of the social networking community – setting up Facebook pages, “friending” their employees and customers, and so on. Businesses use these sites for a variety of purposes including marketing; client, employee and government relations; and community involvement. With lawmaking bodies and courts just beginning to struggle with the range of issues these new media create, companies should exercise caution and monitor the legal, technical, and other developments that may affect their involvement.

Companies already a part of (or thinking of joining) the social networking community should consider the effects on employee relations. In theory, the risks inherent in interactions between/among the company and/or its employees in a social networking environment are similar to risks the company faces in more traditional workplace settings such as the office or company-sponsored events. Online media, however, create some interesting questions:

• Are all of your employees aware of the company site so as not to feel left out?
• Do employees feel as if they must participate on the site – such as accepting other employees as “friends,” or agreeing with company posts? Do they need to be compensated for participation?
• Does a supervisor accepting some employees as friends and not others raise discrimination risks and morale concerns?
• Are employees free to dissent from company positions on its site? How far can employees go? Disciplining or terminating an individual’s employment with the company for activity on the company’s site or some other online social media can be risky on a number of grounds – such as under whistleblower laws (e.g., Sarbanes-Oxley and state/local laws), the National Labor Relations Act, and anti-discrimination and anti-retaliation laws.
• Does active company management of the site constitute monitoring of employee communications?
• How does the company handle the information about employees (and their dependents, friends and others) it may have access to as part of the employees’ participation in the network?

For sure, there are many areas about which companies need to think through as they consider their direct participation in the social networking community – the services of the social network provider, promoting the company’s presence in the community, consumer protection, copyright protections, and so on. Even the list above only begins to scratch the surface of the range of employment law issues that arise when an employer participates in this media.

• Email This
• Print
• Comments
• Trackbacks