Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.

These risks can take many forms - FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company's reputation - to name a few.  The damage can be done whether the employee is posting at home or during working hours.

This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particulalry in three area: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

2. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

More companies are becoming a part of the social networking community – setting up Facebook pages, “friending” their employees and customers, and so on. Businesses use these sites for a variety of purposes including marketing; client, employee and government relations; and community involvement. With lawmaking bodies and courts just beginning to struggle with the range of issues these new media create, companies should exercise caution and monitor the legal, technical, and other developments that may affect their involvement.

Companies already a part of (or thinking of joining) the social networking community should consider the effects on employee relations. In theory, the risks inherent in interactions between/among the company and/or its employees in a social networking environment are similar to risks the company faces in more traditional workplace settings such as the office or company-sponsored events. Online media, however, create some interesting questions:

• Are all of your employees aware of the company site so as not to feel left out?
• Do employees feel as if they must participate on the site – such as accepting other employees as “friends,” or agreeing with company posts? Do they need to be compensated for participation?
• Does a supervisor accepting some employees as friends and not others raise discrimination risks and morale concerns?
• Are employees free to dissent from company positions on its site? How far can employees go? Disciplining or terminating an individual’s employment with the company for activity on the company’s site or some other online social media can be risky on a number of grounds – such as under whistleblower laws (e.g., Sarbanes-Oxley and state/local laws), the National Labor Relations Act, and anti-discrimination and anti-retaliation laws.
• Does active company management of the site constitute monitoring of employee communications?
• How does the company handle the information about employees (and their dependents, friends and others) it may have access to as part of the employees’ participation in the network?

For sure, there are many areas about which companies need to think through as they consider their direct participation in the social networking community – the services of the social network provider, promoting the company’s presence in the community, consumer protection, copyright protections, and so on. Even the list above only begins to scratch the surface of the range of employment law issues that arise when an employer participates in this media.

• Email This
• Print
• Comments
• Trackbacks
• Share Link