Gerald Ferguson currently serves as the Intellectual Property, Technology and Media Group Coordinator for the firm’s New York office. Mr. Ferguson also serves as the national leader of the firm’s Privacy and Information Security group. He has worked with companies to create national and global privacy policies. He has extensive experience advising companies regarding compliance with state breach notification laws. Mr. Ferguson is able to advise clients regarding notification obligations quickly and efficiently using a state-by-state survey of the 47 jurisdictions with breach notification laws that is regularly updated by BakerHostetler’s Privacy and Information Security group. As part of his proactive approach to incident response, he works with forensic consultants to develop the substantive opinions necessary to support a determination that disclosure of a breach is not required, when possible. If disclosure is required, he uses a team approach to carefully manage the process in a cost-effective and efficient manner that focuses on minimizing reputational harm.

Mr. Ferguson is Chairman of the Intellectual Property Committee of the New York State Bar Association, International Law and Practice Section.

Practice Strengths:

  • Privacy and Information Security
  • Trademarks, Trade Dress and Domain Names
  • Copyrights
  • IP Litigation
  • Trade Secrets
  • IP Transactions
  • IP Due Diligence
  • Commercial Litigation

Education:

  • J.D., University of Virginia School of Law, 1988
  • B.A., University of Virginia, 1984

Bar/Court Admissions:

  • U.S. Court of Appeals, Second Circuit
  • U.S. District Court, District of New Jersey
  • U.S. District Court, Northern District of New York
  • U.S. District Court, Western District of New York
  • U.S. District Court, Eastern District of New York
  • U.S. District Court, Southern District of New York
  • New York

Entries authored by Gerald Ferguson

Federal Government Expands AML Cybercrime Enforcement

This Executive Alert was authored by: Lauren J. Resnick and Kaitlyn A. Ferguson

On Tuesday, May 28, 2013, the Department of Justice (DOJ) announced the unsealing of an indictment against Liberty Reserve, S.A. (Liberty Reserve) in the Southern District of New York for operating a $6 billion money laundering scheme. Liberty Reserve and seven of its employees are alleged to have laundered the funds in nearly 55 million transactions since 2006. Based out of Costa Rica, the company, which has been shut down, was a large internet-based payment processor and money transfer system. Despite never registering with the Department of Treasury as a money transmitting business, the company had more than one million customers, 200,000 of which were in the United States. Any customers who were engaged in legitimate business activities have also been unable to access the funds in their Liberty Reserve accounts as a result of the indictment.

Liberty Reserve operated with a digital currency known as LR. Customers were permitted to open accounts under fictitious names with the company, and then, using a third party intermediary known as an "exchanger," deposit funds into their accounts. For small transaction fees, customers would be permitted to move funds between their own accounts and accounts of other Liberty Reserve customers, and withdraw funds. Like deposits, cash withdrawals were not permitted directly through Liberty Reserve, but were, instead, undertaken through a third-party exchanger. Unlike traditional banking institutions that comply with U.S. law, Liberty Reserve did not require accountholders to verify their identities. The lack of identifying information, the use of exchangers and the deliberate concealment of financial transfers by the removal of account numbers from inter-account transfers resulted in a system perfectly designed for money laundering. There was no screening of clients, and fictitious monikers such as "Russian Hacker" and "Hacker Account" were permitted to open accounts and conduct business through the site.

Federal authorities allege that $6 billion was laundered through the site in connection with credit card fraud, identity theft, investment fraud, computer hacking, child pornography and narcotics trafficking, among other illicit activities. Much of the money was moved through shell accounts in at least 17 countries, including Costa Rica, the Netherlands, Spain, Morocco, Sweden, Switzerland, Cyprus, Australia, China, Norway, Latvia, Luxembourg, the United Kingdom, Russia, Canada and the United States.

In addition to the Justice Department's criminal indictment, the Treasury Department also took action on Tuesday by declaring Liberty Reserve a "money laundering organization." This designation under § 311 of the PATRIOT Act bans Liberty Reserve, and those continuing to do business with the company, from the U.S. financial system. It is the first time Treasury has made such a designation against a virtual currency provider. U.S. Attorney Preet Bharara described the prosecution as an important step to rein in the "Wild West" of criminal internet banking, noting that "[a]s crime goes increasingly global, the long arm of the law has to get even longer, and in this case, it encircled the earth."

The proliferation of money laundering through cyberspace is an increasing threat. Criminal organizations no longer have to rely on the physical transfer of suitcases of cash across borders to "clean" the proceeds of their unlawful activities. As these organizations become more sophisticated in finding ways to bank their criminally derived proceeds outside of the regulated financial system, many crimes will become increasingly difficult to detect.

Companies utilizing technology to conduct their business activities, whether they are financial institutions, funds transfer processors or users of these services, must develop compliance controls to ensure they do not become vehicles for money laundering and are not doing business with such organizations. Facilitating money laundering has harsh consequences, and even the unwitting use of a money launderer such as Liberty Reserve can result in the freezing of a legitimate company's assets or blockage from the U.S. financial system. Today, more than 74 countries have anti-money laundering statutes, and companies engaged in cross-border activity must ensure that their policies comply not only with the policies of the United States but also with the laws and regulations of other countries where they do business. Companies are advised to vet vendors and other service providers to identify suspicious activity in order to avoid criminal exposure for transaction activity that violates federal law and protect against the commercial consequences of doing business with an entity that becomes the target of government prosecution and forfeiture.

More broadly, as companies increasingly entrust their account and financial information to internet banking services that are vulnerable to data breach, they should have cybersecurity response plans in place for the event that those services are criminally compromised. With legal and consulting specialists advising a company's internal technology team, these threats can be reduced and addressed through contingency plans put in place before the company's financial information is jeopardized by digital hacking and virtual espionage.

If you have any questions about this alert, please contact Lauren J. Resnick at lresnick@bakerlaw.com or 212.589.4241 or any member of BakerHostetler's White Collar Defense and Corporate Investigations Team.

What You Should Be Doing Now to Prepare for Implementation of the Cybersecurity Executive Order

Co-Authored by: Theodore J. Kobus III

A tempting response to the Cybersecurity Executive Order (the "Order"), announced by President Obama at his State of the Union address, is to ignore it.  It is vague in key particulars, such as which companies are part of the "critical infrastructure" and therefore subject to the Order.  The only immediate effect of the Order is to require various departments and agencies, led by the Department of Homeland Security ("DHS"), to: (i) study issues; (ii) identify powers that can be exercised under existing laws; and (iii) come back with proposed plans of action.  Maybe if we ignore it, it will go away.

But it won't.  If you are a significant player in a regulated industry that has already been identified by DHS as part of the critical infrastructure (which includes energy, health care, transportation, financial services, heavy manufacturing, food and drugs), if you are a government contractor, or especially if you are both, the Order is a statement of intent that should not be ignored.

The Administration has identified cybersecurity as "one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter."  The Executive Order focuses on two solutions: 1) enhanced security standards; and 2) better sharing of information between government and the private sector.

While the Executive Order describes these security standards as "voluntary," it also directs regulators to identify "incentives" for adopting these standards. Incentives under consideration include potential preferred treatment for government contractors who participate.

With respect to information sharing, the Executive Order only specifically discusses the government sharing information with industry about identified threats. But the Administration has acknowledged that achieving the goals of the Executive Order "will by necessity involve increased collaboration with the private sector and a whole-of-government approach." Initially this sharing may take the form of responding to questionnaires from the National Institute of Standards and Technology (NIST), or to requests by the government to a company's security expert. Ultimately, be ready for requests for information related to cybersecurity threats coming from your regulators and government procurement officers.

What should you be doing now to prepare for the impact of the Executive Order on your company?

(1) Review your incident response policies and, if necessary, update them to address the concerns of this Executive Order. Historically, breach reporting obligations have focused on lost personally identifiable information and protected health information because state and federal laws have focused on these losses. The Executive Order focuses on "infrastructure threats" and includes risks posed by trade secret theft, cyber terrorism and hacktivism. Make sure that your policies in place adequately address identifying infrastructure threats and escalating those issues to the appropriate people within your organization. There are going to be "whistleblowers" waiting to assist you with making these disclosures if you are not willing to confront these issues head on.

(2) Look at your vendor lists and contracts. If you are not considered to be critical infrastructure, are your business partners? Are your business partners at risk for certain cybersecurity events like hacktivism and foreign government sponsored attacks? Are your key vendors demonstrating their readiness to you and should you be better protecting yourself in your contracts with these business partners?

(3) Establishing or upgrading security audits should be considered -- not just of your own house, but of your business partners as well. Increasingly government is not just looking at an organization, but an organization's business partners as well.

(4) Finally, develop a regulatory strategy. Just like any other government relationship, figure out how you are going to leverage your existing relationships to guide you through this process and what their expectations are. Government, whether as a regulator or a partner in the war against cyberterrorism, expects transparency, cooperation, and a good attitude. Think about reaching out and starting a dialogue about these challenges and concerns as we figure out how to combat these cyber attacks.

Video Interview: Discussing Facebook's Updated Data Use Policy with LXBN TV

Following up on my post explaining that Facebook's updated Data Use Policy could lead to them sharing user data with ad agencies, I had the chance to speak with Colin O'Keefe of LXBN on the subject. In the interview, I break down the changes and offer my thoughts on how this compares to Google's policies. 

Facebook Opens Door to Giving Your Personal Information to an Affiliated Ad Agency

Give Facebook credit for candor. Facebook does not call the policy describing what it does with your personal information a “privacy policy”, but rather a “Data Use Policy”. The nomenclature is appropriate. The Facebook Data Use Policy is not so much about protecting the privacy of the information you share on Facebook as it is about Facebook’s plans for making money from that information. And the latest revision of the Facebook Data Use Policy, scheduled to go into effect this week (the “Proposed Policy”), suggests that Facebook’s plans include buying an ownership interest in an advertising agency and giving your personal information to that agency.

Some of the changes in this Proposed Policy are merely clarification. Changes made earlier this year already provided that Facebook can use information posted about you on Facebook to “personalize” ads displayed to you both on Facebook and outside of Facebook. The latest Policy revisions make it clear that in “personalizing” ads, Facebook may consider using everything you do and say on Facebook and anything others say or display about you when they “tag” you. You may remove your posts and other’s tags from your timeline, but this action does not remove the information from Facebook’s database.

The significant addition to this Policy is an entirely new provision that, for the first time, permits Facebook to engage in unlimited sharing of your personal information with “affiliates” with the following language:

Affiliates

We may share information we receive with businesses that are legally part of the same group of companies that Facebook is part of, or that become part of that group (often these companies are called affiliates). Likewise, our affiliates may share information with us as well. We and our affiliates may use shared information to help provide, understand, and improve our services and their own services.

Legally, an affiliate could include a company in which Facebook owns a minority interest.  Facebook has not announced any new acquisitions, and there is no reason to believe that one is planned for the immediate future. But it is certainly plausible that this Proposed Policy is intended to pave the way for: (i) taking an ownership interest in an advertising agency and (ii) immediately commencing complete sharing of Facebook data with that advertising agency.

Given how much Facebook knows about its users, such an agency could be much more effective than current online ad networks, which serve advertisements based upon your behavior on the Internet (which they deduce through cookies placed on your browser by websites you’ve visited and advertisements you’ve clicked).

But nothing in the Proposed Policy limits Facebook’s use of your information “off Facebook” to on-line advertising. With its facial recognition software and its location tools, Facebook could place a camera at the entrance to a department store to identify you as you enter. Then, a digital sign linked to Facebook’s database could flash to you information about in-store offerings, based on Facebook’s cataloging of your interests and desires.  Oh what a brave new world, indeed.

Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages

Authored by: Alan Pate

In a ruling this past Wednesday, November 14th, a federal judge in the Western District of Washington dismissed a class action against video game developer Valve Corporation. The class action stemmed from a November 6th, 2011 data breach of Valve’s popular online video game distribution platform, “Steam.” As a result of this breach, hackers allegedly gained access to billing addresses, passwords, online handles/IDs, and credit card information. Plaintiffs, a class of Steam subscribers, brought claims under six separate California causes of action alleging both present and future harm resulting from this breach.

Judge James L. Robart dismissed all of plaintiffs’ claims for failure to adequately plead damages. Judge Robart’s order discussed the legal inadequacy of the pleadings on both the future and present damages claims. As to the future damages, Plaintiffs had pleaded that because of the 2011 data breach they may be forced to spend money at some unspecified time in the future to “protect their privacy.” Citing a string of cases addressing this issue, Judge Robart explained, “when personal information is compromised due to a security breach, there is no cognizable harm absent actual fraud or identity theft.” Alleging only the possibility of future harm was insufficient.

As for present damages, Plaintiffs had pleaded that as a result of the 2011 breach they had “various services and subscription interrupted, loss of data, … an inability to access various gaming networks,” and that they lost money paid to Valve for “products and services.” Judge Robart held that this too was an insufficient plea of damages. Emphasizing the “higher plausibility threshold” that their complaint required due to the size and potential expense of the data breach class action, Judge Robart explained that to overcome a motion to dismiss, the plaintiffs must lay out exactly what services were interrupted, what data was lost, or how exactly money was lost on their Steam subscriptions (a free service).

Plaintiffs’ claims were dismissed without prejudice and they were given leave to amend within 30 days. The case is Grigsby v. Valve Corp., No. C12-0553 (W.D. Wash. Nov. 14, 2012).

Call Centers Increasingly Targeted in Class Action Lawsuits for Statutory Penalties Under Decades-Old California Law

Authored by: Paul Karlsgodt

Editor’s Note – This article is a joint submission to BakerHostetler's Class Action Lawsuit Defense blog.

Companies that provide call center services to consumers are increasingly being targeted in class action lawsuits under an arcane section of the California penal code that provides a civil right of action and statutory damages for monitoring or recording of confidential telephone conversations without the other party’s knowledge or consent. Sections 630 et seq. of the California Penal Code were enacted in the 1960s to prevent illegal surveillance of confidential telephone calls. In the past several years, plaintiffs have attempted to use the statute to seek damages against the operator of a customer service call center that fails to include a notice at the beginning of each customer service call that the call “may be monitored or recorded” for training or quality assurance purposes. Since this type of notice is ubiquitous among call centers, the failure to provide the notice can often be the result of a system error or a design flaw in the call system. Plaintiffs’ lawyers have been taking advantage of these errors by filing class actions for statutory damages for each call that was made from California during any time period during which the warning was not provided.

The exposure in these cases can be enormous because the statute provides for $5,000 in statutory damages, an amount that the lawsuits allege is owed for each call. For example, a call center that receives 1,000 calls during a time in which the warning was not provided may find itself defending a $5 million lawsuit, and 10,000 calls means a $50 million lawsuit. The high exposure amounts, coupled with the seemingly low standard that has been adopted by the California state courts to determine what constitutes a “confidential” telephone conversation, has caused many defendants to rush to early settlements rather than face the risks of litigation.

SETTLEMENT MAY NOT BE THE ANSWER!

A defendant should not assume that there is no defense to a case filed under the Privacy Act. Defenses on the merits that have been raised in Privacy Act cases include that call centers were intended to be exempt from the statute altogether, that the aggregation of statutory penalties violates due process and that customer service calls are not confidential in nature. Individual defenses to the named plaintiff’s claims may also exist. For example, the claims of the named plaintiffs may be susceptible to arguments that 1) the plaintiff signed an arbitration agreement; 2) the circumstances surrounding the plaintiff’s call show that there was no expectation of confidentiality; or 3) the plaintiff knew the call was being recorded despite the lack of express notice.

There are also defenses to class certification based on factual variations, despite the uniform nature of the statutory remedy. Plaintiffs will argue that the fixed nature of the available remedy and the objective standards for determining the expectation of confidentiality and the disclosure of sensitive information simplifies the cause of action and alleviates the need for certain individualized questions. However, in cases involving recorded telephone conversations, there can be significant factual differences from caller to caller on facts ranging from the location of the caller at the time of the call, to the nature of the conversation alleged to be confidential, to the facts bearing on the caller’s knowledge or understanding that the call may be recorded. The California Privacy Act is just one of the various statutes that are increasingly becoming targeted for class action lawsuits because of the availability of a statutory penalty.

Video Interview: Breaking Down the Amazon Cookie Litigation with LXBN TV

Following up on my post on the subject last week I had the opportunity to speak with Colin O'Keefe of LXBN regarding the recent cookie litigation Amazon was facing. In the brief interview, I explain the case, the lessons from it and how a change may soon be coming for data privacy litigation. 

Lessons For Privacy Advocates and Website Operators From Amazon Cookie Litigation

A Washington federal district court has dismissed with prejudice class action claims against Amazon alleging that the company’s use of cookies to track consumers’ personal data violated the Computer Fraud and Abuse Act (CFAA), and has requested further briefing on a claimed violation of the Washington Consumer Protection Act (WCPA). (Del Vecchio v. Amazon). This decision highlights how important it is for website operators to clearly and conspicuously disclose how they use cookies, while raising the question of who should profit from the invisible traffic in information that takes place whenever we activate our web browser.

Cookies are small pieces of text that a website can ask an Internet browser to store when the browser accesses the site. Some cookies are set to expire when a browsing session ends, but many remain stored in the user’s browser for months or years. Each subsequent time that the browser loads a page on the site, the browser sends those cookies back, and the operator can use the data they hold to customize pages based on the user’s earlier activity. The most controversial cookies are those set by third parties whose content is embedded on many sites, which can track a user’s activity across the Internet. The European Union has enacted rules requiring website operators to disclose more fully how their sites deploy cookies, and to give users more control over the cookies placed in their browsers. The FTC has issued a white paper calling on industry to adopt similar disclosure practices in the United States.
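The distinction the paragraph above draws (session versus persistent cookies, first-party versus third-party) is visible in the Set-Cookie header a site sends. The following is an added JavaScript example, not code from the original post or from any of the companies discussed: it parses constructed Set-Cookie headers and reports how long each cookie lives, whether it was set by a host other than the site being visited, and which protective attributes it carries. The host names and header values are made up for the example.

```javascript
// Added example (not from the original post). Classify Set-Cookie headers the
// way the text above describes them. All sample headers below are constructed.

/**
 * Parse one Set-Cookie header value into name, value and attributes.
 * Cookie values cannot contain ';' (RFC 6265), so splitting on it is safe.
 * Attribute names are case-insensitive, so they are lower-cased.
 */
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).toLowerCase();
    cookie.attributes[key] = i >= 0 ? attr.slice(i + 1) : true;
  }
  return cookie;
}

/**
 * Describe a cookie's lifetime and scope.
 *  - No Max-Age and no Expires: a session cookie, dropped when the browser
 *    session ends. Either attribute present: a persistent cookie kept on disk.
 *  - setBy is the host that sent the header; topLevel is the site the user is
 *    actually visiting. If they differ, this is a third-party cookie, the kind
 *    used to follow a user from site to site.
 */
function describeCookie(header, setBy, topLevel) {
  const c = parseSetCookie(header);
  const a = c.attributes;
  return {
    name: c.name,
    persistent: 'max-age' in a || 'expires' in a,
    thirdParty: setBy.toLowerCase() !== topLevel.toLowerCase(),
    secure: a.secure === true,       // only sent over HTTPS
    httpOnly: a.httponly === true,   // not readable by page scripts
    sameSite: typeof a.samesite === 'string' ? a.samesite : 'unspecified',
  };
}

// Constructed sample: a login session cookie from the shop itself, and a
// year-long tracking cookie from an embedded ad host on the same page.
const SAMPLE_RESPONSES = [
  { setBy: 'shop.example', header: 'sid=abc123; Path=/; Secure; HttpOnly' },
  { setBy: 'ads.example', header: 'uid=42; Max-Age=31536000; SameSite=None; Secure' },
];

/** Classify every sample header as seen from a visit to shop.example. */
function classifySamples(topLevel = 'shop.example') {
  return SAMPLE_RESPONSES.map((r) => describeCookie(r.header, r.setBy, topLevel));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifySamples());
}
```

Run it with `node cookies.js`. The table shows the shop's own cookie as a session cookie that scripts cannot read, and the ad host's cookie as persistent, third-party, and marked SameSite=None, which is exactly the combination a browser needs to allow cross-site tracking to work.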

In Del Vecchio, the plaintiffs complained that Amazon placed cookies on their hard drives against their wishes, even after users had attempted to block cookies with their browser setting. Under the CFAA, a plaintiff can state a civil cause of action where a defendant intentionally accesses a computer without authorization, but only if such conduct causes the plaintiff loss or damages of at least $5,000 over a one-year period. In arguing that they met the damages threshold, the Del Vecchio plaintiffs claimed that Amazon derived substantial financial gain through its use of cookies to gather the plaintiffs’ personal information. Conversely, plaintiffs claimed that they lost the opportunity to realize such gain.

Assuming the factual allegations of the complaint to be true for the purposes of the motion, the court acknowledged that, in theory, a plaintiff’s lost opportunity to sell his computer usage data to marketers could constitute a monetary loss that satisfies the $5,000 damage threshold of the CFAA.  But here, the court found that the plaintiffs’ claims were entirely speculative because they did not allege facts showing that they had the capacity or opportunity to independently monetize their raw computer usage information. As a result, the court granted Amazon’s motion to dismiss for the plaintiffs’ failure to state a claim under the CFAA.

The court further found that the plaintiffs still might have a viable claim under Washington’s Consumer Protection Act (the “WCPA”). The WCPA requires a showing of injury, but, unlike the CFAA, does not require a plaintiff to demonstrate monetary damages in order to satisfy the requirement. In this case, the court stated that in order to allege an injury, the plaintiffs would need to demonstrate that Amazon accessed their computers or their information without authorization.

The court noted that Amazon’s “Conditions of Use and Privacy Notice” notifies visitors to Amazon sites that the company uses cookies and that the terms state that the plaintiffs’ use of Amazon was conditioned on their acceptance of those very terms. The court asked the parties to file additional briefings on the issues of: (1) whether plaintiffs had authorized Amazon’s use of cookies and (2) whether Amazon’s conduct was unfair or deceptive in light of Amazon’s terms.

In light of the Del Vecchio decision, the recent EU cookie rules, and concerns raised by the FTC regarding cookies, website operators should re-evaluate the manner in which they disclose the cookies deployed on their websites and obtain consent from users for placing these cookies in users’ browsers. While it appears that the CFAA is not available as a vehicle for privacy class action claims, privacy class action attorneys are continuing to look for other legal bases for such claims, such as the WCPA. Increased regulatory scrutiny of cookie practices is likely to further stir such litigation.

But the Del Vecchio decision also issues a challenge for privacy advocates looking to protect consumer web browsing practices. Under the holding in Del Vecchio, if consumers could sell their web usage information to marketers, then they could invoke the CFAA to prevent third parties from deploying cookies to take this web usage information without their consent. Rather than more class actions, consumers may be better served by the development of marketplaces where they can sell their web usage information for marketing purposes, rather than giving it away to the websites they access.

Reading This Might Just Preserve Your Identity and Reputation

Authorship Credit: Dave Taylor, Director, Information Technology, Baker & Hostetler LLP

We are seeing a dramatic increase in spam and email phishing schemes once again.  These schemes have become very sophisticated in their ability to mimic the multitudes of legitimate on-line transactions that occur every day.  Please consider the following when reading and reacting to emails.

1. The bad guys love playing off of our emotions.  So they have taken to all manner of “inspiring” a reaction (mouse click) from us.  You have likely seen at least one of the following recently:

  • A purchase confirmation for something you didn’t buy. PayPal and eBay top the list for spoofs lately.
  • A password reset or other account activity that you didn’t actually initiate, purportedly from American Express, Verizon, or Apple iTunes/App Store.
  • A LinkedIn request from someone you don’t know.
  • An enticing “offer” that seems to be based on something about you or that is actually legit or important to you – like a subscription offer to some compelling professional content.  This must be real because this offer is only coming to me because it relates to my profession…
  • A text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!

2. Please keep the following in mind:

  • If your name or email address is not in the To: field of an email, treat it as a fake.
  • If there are other names in the To: or Cc: field of the email, it is a fake.  No company is going to send you private account info, receipts, or password reset requests AND send them to anyone else at the same time.
  • No company or web site is going to send you an unsolicited password reset request via email.
  • LinkedIn is being used more and more for phishing AND social engineering attempts.  Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don’t know.  Even if they appear to be connected with others you may know.  Hackers and cyber criminals are using every means available to them to build a facade of credibility.
  • Blackberry, iPhone, and iPad are not immune to malware and phishing attacks.  In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them.  Many attacks are now designed to exploit vulnerabilities specific to mobile devices.
  • Text messaging is now being used to launch phishing and malware attacks almost as frequently as email.  And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.

3. What can I do to protect myself and the firm from hackers and phishers?

  • Pay close attention to any and every email you read.  Train yourself to question the legitimacy of any email that “feels” wrong.
  • Remind yourself to delay reacting to such emails especially from your mobile devices.
  • Look for your name, and JUST your name, in the header of the email.
  • Update your mobile device software frequently.
  • Do not click on links in emails, especially from a mobile device; but if you must, at least …
  • Practice the “hover” … by hovering your mouse cursor over a link (or, on a touch-screen device, pressing and holding it), you will see the actual web address that the link will take you to.  If it appears to be completely unrelated to the content of the email, i.e. it does not even include the web site or business name, then it’s a fake.  DO NOT CLICK on any such link.
  • Read web links carefully.  You must scroll to the end of the link to see where it’s actually taking you.  Don’t be fooled by the first part of the web link.  For example, this link is actually not related to American Express in any way: americanexpress.com.1243abc.badguy.com. The domain in this case is badguy.com.  The bad guys are not going to be as obvious as I am!  And from your mobile device, you might not even be able to scroll to the end.  What if you only saw the beginning of that link, “americanexpress” or “americanexpress.com”, and the rest was not visible because of the window size? It would look completely legitimate to you.  And guess what: the bad guys know this and hope that you don’t!!!
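The rule in the last two items above, that the domain is whatever sits at the end of the host name and not the familiar name at the beginning, can be applied mechanically. The following is an added JavaScript example, not code from the original post or from the firm: it extracts the registrable domain of a link so that americanexpress.com.1243abc.badguy.com, and a link with a spoofed user@ prefix, both come out as badguy.com. The short suffix list is a stand-in for the full Public Suffix List and is an assumption of the example, as are the sample links.

```javascript
// Added example (not from the original post). Read a link the way the text
// above says to: find the registrable domain at the END of the host name.

// Assumption: a tiny stand-in for the Public Suffix List. A real check would
// load the full list, which has thousands of entries.
const KNOWN_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'com.au']);

/**
 * Return the registrable domain of a link ("badguy.com"), or null if the link
 * cannot be parsed or ends in no known suffix (bare IP addresses return null).
 */
function registrableDomain(link) {
  let url;
  try {
    // Links pasted without a scheme still need to be parsed as URLs.
    url = new URL(link.includes('://') ? link : `http://${link}`);
  } catch (e) {
    return null;
  }
  // url.hostname discards a spoofed "user@" prefix such as
  // https://americanexpress.com@badguy.com, the port, path and query, and
  // converts non-ASCII look-alike names to punycode (xn--...), so a Cyrillic
  // "a" in a brand name will never compare equal to the real domain.
  const labels = url.hostname.toLowerCase().replace(/\.$/, '').split('.');
  // Try the longest suffix first so "co.uk" wins over "uk".
  for (let n = 2; n >= 1; n--) {
    const suffix = labels.slice(-n).join('.');
    if (KNOWN_SUFFIXES.has(suffix) && labels.length > n) {
      return labels.slice(-(n + 1)).join('.');
    }
  }
  return null;
}

/**
 * Does the link really belong to the brand the e-mail claims?
 * expected is the registrable domain you would type yourself,
 * e.g. "americanexpress.com".
 */
function linkMatchesBrand(link, expected) {
  const actual = registrableDomain(link);
  return actual !== null && actual === expected.toLowerCase();
}

// Constructed sample links: one genuine, three spoofs of the same brand.
const SAMPLE_LINKS = [
  'https://www.americanexpress.com/login',
  'americanexpress.com.1243abc.badguy.com',
  'https://americanexpress.com@badguy.com/login',
  'http://203.0.113.5/americanexpress.com/login',
];

/** Report, for each sample link, where it really goes and whether it matches. */
function checkSamples(brand = 'americanexpress.com') {
  return SAMPLE_LINKS.map((link) => ({
    link,
    domain: registrableDomain(link),
    matches: linkMatchesBrand(link, brand),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(checkSamples());
}
```

Run it with `node linkcheck.js`. Only the first link matches; the other three resolve to badguy.com, badguy.com and no domain at all, which is the same answer a careful reader gets by scrolling to the end of the link.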

You Are What They Tweet: Why Clear Social Media Policies are Becoming More Critical to Employers in This Tech Age

Authorship Credit: Tarsha Luke

The recent termination of a top executive of a publicly traded company is another example of some of the perils of mixing personal and workplace social media. The chief financial officer for a women's clothing retailer, Francesca's Holdings, was dismissed for disseminating non-public corporate information to his Twitter followers. After a company board meeting he tweeted about the company's earnings. Using the handle "@theoldcfo," he wrote: "Board meeting. Good numbers=Happy Board." Subsequently, the company's stock jumped fifteen percent. Strictly enforcing its social media policy, the Houston-based company decided to fire its CFO for that tweet, in addition to a series of other posts he sent from his social media accounts since 2010.

This case sheds light on the legal consequences relating to the use of social media in the workplace. Employee Internet posts not only implicate the financial rules of the Securities and Exchange Commission, as was the case for Francesca's, but they can also create compliance issues under the regulations of other agencies, including:

  • Financial Industry Regulatory Authority (FINRA),
  • Federal Trade Commission (FTC),
  • Food and Drug Administration (FDA) and
  • National Labor Relations Board (NLRB), Office of the General Counsel.

Furthermore, rogue social media use can put company trade secrets and client confidences in jeopardy. This is why it is increasingly important for all companies, not just publicly traded companies, to have a social media policy. A good social media policy should address both employee behavior on company-affiliated media, as well as employee behavior that can be traced back and imputed to the company.

Below are some considerations for creating and implementing a social media policy:

  • Almost anything written on the web can be traced back to its author, and ultimately to the place where he or she works. Online content is copied and archived repeatedly, and a post in one forum is usually replicated in others through trackbacks, reposts or references, so deleting the original rarely removes it. Social media policies should therefore apply to all types of workers, including employees, temporary or seasonal workers, independent contractors and anyone else with access to a company computer.
  • Companies with employee-generated content on company-branded websites, blogs, wikis or other social networking sites should have formal procedures to review what its employees post on its behalf. When possible, it is best practice to treat all employees' posts on company-branded sites as if they were being published in more traditional media.
  • Nevertheless, a company cannot prevent an employee from using the company's name or trademark for non-commercial purposes on his or her own time to complain about wages, terms and conditions of employment, working conditions or other protected employee rights under Section 7 of the National Labor Relations Act (NLRA).
  • An employer should avoid using vague language in its social media policy, such as "appropriate," "inappropriate" or "professional." Terms should be defined either by using examples or by using language that carves out an exception for employee rights protected under the NLRA.
  • A company should be careful about asking an employee or prospective employee to provide usernames and passwords to personal social networking websites without first weighing the business concerns of doing so. In addition to potentially facing serious public relations concerns for choosing to implement such a policy, there soon may be legal liability for requesting private social media passwords. Maryland enacted a law prohibiting employers from asking for social media passwords, which will take effect on October 1, 2012. Other states are rapidly following suit, including Illinois, California, Minnesota, Michigan, Massachusetts and Ohio. The federal government is also interested in this topic: two U.S. Senators have asked the Department of Justice and the U.S. Equal Employment Opportunity Commission to look into the issue.

For more information and guidance on this issue, see a recent article published by Labor and Employment Partner Dan Guttman titled: "What Can Management Do to Protect the Organization From Inappropriate Use of Social Media?"