Twitter v. Manhattan DA Fight Unfortunately Ends with a Whimper

This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.

Last Friday, Twitter’s battle with the Manhattan District Attorney over a subpoena for an Occupy Wall Street protester’s tweets came to an anti-climactic end as the New York appeals court dismissed Twitter’s appeal of a Manhattan Criminal Court’s order to produce the tweets as “academic.” Twitter’s appeal raised important issues of first impression to the social media community and the non-decision decision appears to have been a lost opportunity to bring some clarity to questions concerning the government’s subpoena power.

A little bit of background first. In early 2012, the Manhattan District Attorney served a subpoena on Twitter for Malcolm Harris’ Twitter account information and tweets. Harris – one of the hundreds of Occupy Wall Street protesters – was charged with disorderly conduct by the Manhattan DA for “occupying” the Brooklyn Bridge. The DA served Twitter with a subpoena under the Stored Communications Act for Harris’ Twitter records in connection with the investigation. Consistent with Twitter’s internal policies, Twitter notified Harris of the subpoena and Harris tried to quash it. In an April 20, 2012 order, the Manhattan Criminal Court judge held that Harris had no standing to challenge the subpoena.

Twitter then entered the fray and moved to quash the DA’s subpoena, and its motion was similarly denied by the Manhattan Criminal Court in a June 30, 2012 decision. The court reiterated its prior holding that only Twitter – not Harris – had standing to challenge the subpoena and that neither the Fourth Amendment of the U.S. Constitution nor the New York Constitution’s analogous provision required a search warrant. Twitter appealed the decision but in the interim had to produce the records to avoid paying stiff contempt sanctions as its stay of the order was denied.

As we quickly – and arguably irreversibly – move towards a world where we share more and more of our lives on social media, it is growing increasingly important to understand how social media companies respond to government requests for our information and what recourse these companies and their customers may have when faced with such requests. Indeed, in U.S. v. Jones – the recent Supreme Court case holding that a GPS tracking device required a warrant under the Fourth Amendment – Justice Sotomayor acknowledged the shifting societal norms and rapidly changing technologies, noting in her concurrence that “it may be necessary … to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”

Twitter is no stranger to government subpoenas and in its brief history has developed a robust reputation for protecting customer information from government requests for information. According to the Electronic Frontier Foundation, Twitter scored a six out of six in a ranking of how strongly companies protect customer data. A handful of other social media giants and big tech companies got five out of six, including Dropbox, Google and LinkedIn, but only Twitter garnered a perfect score.

Twitter’s refusal to provide Harris’ information to the DA was perhaps the most high profile example of the company’s pro-customer stance. But more importantly, the case was primed to raise at least two important legal questions on appeal:

(1) Whether Twitter users like Harris have standing under the Stored Communications Act (SCA) and the U.S. Constitution to move to quash government subpoenas for their Twitter records; and

(2) Whether the DA’s subpoena for Harris’ non-publicly available tweets violated the Fourth Amendment, i.e., whether Harris had a reasonable expectation of privacy requiring a search warrant from the government as opposed to a civil subpoena under the SCA (for a quick related refresher, SCA discovery basics were previously discussed here).

On May 17, 2013, the NY appellate court decided to pass on answering these questions as moot because Twitter had already produced Harris’ records. Facing contempt sanctions for failure to comply with the Manhattan Criminal Court Order, Twitter not only appealed the Criminal Court’s decision, but also sought to stay the proceedings while the appeal was pending. The Appellate court, however, denied the stay application on September 27, 2012. Twitter produced the materials last fall to avoid paying substantial monetary fines.

To be sure, the Appellate court’s decision was somewhat preordained and even predicted by Twitter itself. In its opposition to show cause before the Criminal Court as to why it should not be fined for contempt for not producing the records, Twitter argued that being forced to produce Harris’ tweets before resolution on appeal would render the issues moot and prevent a full and fair adjudication of the Criminal Court’s order. Unfortunately for social media companies and their customers looking for clarity and guidance on the scope of the government’s subpoena power, that is exactly what happened.

To get both sides of the argument, we recommend that you read the Criminal Court’s June 30, 2012 Order available here and Twitter’s appellate brief of that decision here.

SEC Greenlights Use of Social Media for Publicly Disclosing Company Information

Co-authored by: Jonathan Nowakowski

Recognizing the reality that many investors likely get more information from Facebook and Twitter than a corporate 10-K and that most public companies have a robust social media presence, the U.S. Securities and Exchange Commission (“SEC”) recently weighed in on the use of social media by public companies to disclose material nonpublic information to the general public. The SEC’s guidance was prompted by its investigation of Netflix and its CEO Reed Hastings, specifically Hastings’ post of material nonpublic information on his personal Facebook page in July 2012 concerning Netflix monthly viewing numbers. In its April 2, 2013, report and investigation of whether the post violated the SEC’s corporate disclosure rules and regulations (“April Netflix Report”), the SEC decided not to pursue an enforcement action against Netflix or Hastings and used the incident as an important teaching moment for public companies that may want to use social media to communicate material nonpublic information.

On July 3, 2012, Hastings posted the following message to his personal Facebook page with over 200,000 followers:

“Congrats to Ted Sarandos, and his amazing content licensing team. Netflix monthly viewing exceeded 1 billion hours for the first time ever in June. When House of Cards and Arrested Development debut, we’ll blow those records away. Keep going, Ted, we need even more!”

While the congratulatory post may have seemed harmless at the time, Netflix did not file a Form 8-K with the SEC, issue a formal press release, or post the information on Netflix’s webpage – the typical avenues for announcing material nonpublic information. Nor had Netflix previously alerted investors that Hastings’ Facebook page would be used to disclose material information about the company. Hastings’ Facebook post caught the SEC’s eye and in December 2012, the SEC notified Netflix and Hastings that it was considering an enforcement action against them for possibly violating Regulation Fair Disclosure (“Reg FD”).

A quick overview of Reg FD and the SEC’s Reg FD company website guidance: Reg FD requires that the disclosure of material nonpublic corporate information should be distributed in a broad and non-exclusionary manner to the public. Information is considered nonpublic if it has not been disseminated in a manner available to the public generally. Information is considered material if it is reasonably foreseeable that an investor would trade on the basis of that information. Reg FD was adopted to address the concern that issuers were selectively “disclosing important nonpublic information, such as advance warning of earnings results, to securities analysts or selected institutional investors before making full disclosure of the same information to the general public.” Public companies typically comply with Reg FD by disclosing material nonpublic information in SEC filings, through press releases, on the company website, or some combination of all three.

In August 2008, the SEC provided guidance on the disclosure of material nonpublic information via company websites, blogs, and other “push” technologies. 2008 Commission Guidance on the Use of Company Websites, Rel. No. 34-58288 (Aug. 7, 2008) (“2008 Guidance”). The 2008 Guidance explained that whether a company’s website or blog is a “recognized channel of distribution” passing muster under Reg FD depends on the “steps that the company has taken to alert the market to its website and its disclosure practices, as well as the use by investors and the market of the company’s website.” The 2008 Guidance’s non-exhaustive list of factors for companies to consider includes, but is not limited to:

  • whether and how the company lets investors and the market know that the company has a website and that they should look at the company’s website for information;
  • whether the company has made investors and markets aware that it will post important information on its website and whether it has a pattern of doing so;
  • whether the company’s website is designed to lead investors and the market efficiently to information about the company;
  • the extent to which information posted on the website is regularly picked up by the market and media, and is reported;
  • the steps taken by the company to make its website accessible; and
  • the nature of the information being disclosed.

With respect to Hastings’ Facebook post, the SEC ultimately decided not to pursue enforcement proceedings against Netflix or Hastings, namely because the agency concluded that there was a great deal of uncertainty concerning how Reg FD applied to public disclosures via social media. In the April Netflix Report, the SEC made clear that the 2008 Guidance “provide[s] a relevant framework for applying Regulation FD to evolving social media channels of distribution” and applies with “equal force” to the use of social media to disclose material information. Accordingly, moving forward the SEC “expects issuers to examine rigorously the factors indicating whether a particular [social media] channel is a ‘recognized channel of distribution’ for communicating with their investors.” The SEC also emphasized that the “steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, nonpublic information, including social media channels … are critical to the fair and efficient disclosure of information.”

The April Netflix Report encourages companies to consider using periodic reports, press releases, and corporate websites to identify specific social media platforms that the company intends to use as well as the types of information it plans to disclose through social media. Further, while the SEC did not go so far as to endorse Facebook and Twitter as recognized channels of distribution in the April Netflix Report, by referencing them as general examples of social media platforms, coupled with each having one billion and 200 million users respectively, it is likely that the SEC would view both social media platforms as recognized channels of distribution so long as the public was adequately alerted of that intended use. Notably, the April Netflix Report found that personal social media sites of company employees – regardless of the number of followers – would not ordinarily be assumed to be a proper channel for distribution without adequate notice that they will be used for that purpose.

Regulators are increasingly turning a critical eye toward companies' use of social media in everything from advertising to financial disclosures. The April Netflix Report is the latest example of regulators wrestling with the new reality of social media as an information source for the general public and companies increasingly relying on this medium to communicate to investors and consumers. Public companies looking to social media as a possible means to disclose nonpublic material information should take heed of the SEC's April Netflix Report and carefully consider the following steps:

  • revisit and review the company’s existing Reg. FD policy;
  • evaluate the selected social media platform(s) applying the 2008 Guidance factors summarized above;
  • formulate a plan to alert the public of the social media platforms it intends to use and for what purpose through, among other things, its corporate website, periodic reports filed with the SEC and through formal press releases, and do so over an extended period of time with a specific date given for when the company will begin posting material information via the social media platform(s) that the company ultimately chooses;
  • develop a coordinated plan to use designated social media platforms as part of the company’s investor communications along with more traditional venues such as SEC filings, press releases and the company’s website;
  • review and revise electronic communications policies and train employees on the potential consequences of disclosing material nonpublic information on social media;
  • coordinate legal, compliance, and investor relations departments to work together to implement and enforce electronic communications policies as well as review all social media content before it is posted; and
  • ensure compliance with the laundry list of potentially applicable securities laws, which are beyond the scope of this blog, e.g., compliance with antifraud and proxy solicitation regulations, among others.

 The April Netflix Report and 2008 Guidance are available here and here, respectively.

Proposed FFIEC Guidance on Financial Institution Social Media Use

The Federal Financial Institutions Examination Council (FFIEC) released for comment on January 17 its proposed Social Media: Consumer Compliance Risk Management Guidance.  There is a 60-day comment period.  The purpose of the guidance is to help banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB) understand and address the risks created by the applicability of federal consumer protection and compliance laws to activities conducted through social media. 

The guidance begins with the premise that a financial institution’s use of social media to interact with customers can impact the institution’s risk profile, not only through legal and compliance risks, but also related risks of harm to operations and reputation. To address these risks, the FFIEC recommends that financial institutions adopt a risk management program to identify, monitor, and control the risks associated with their use of social media. The complexity of the program should be commensurate with the risks created by the nature and scope of the institution’s use of social media. The guidance identified seven components that the social media risk management program should contain: (1) a governance structure; (2) policies and procedures; (3) a vetting and management process for vendors; (4) employee training; (5) monitoring of posts to proprietary social media sites; (6) audit/compliance functions to ensure ongoing compliance; and (7) parameters for reporting on the effectiveness of the program to management.

The guidance then discusses in greater detail the risks created by social media use.  Under the compliance and legal risk section, there is a summary of laws and regulations that may apply when a financial institution uses social media.  The laws discussed include Truth in Savings, Fair Lending, Fair Housing, Truth in Lending, RESPA, FDCPA, UDAAP, EFTA, BSA/AML, and  privacy (GLBA, COPPA, TCPA, CAN-SPAM).  Under the discussion of reputational risk, there is a recommendation that financial institutions adopt policies to address employee participation in social media, which has employment law implications based on recent NLRB decisions.  The operational risk discussion is brief and essentially says that institutions should safeguard customer data, especially because social media is vulnerable to account takeover and the distribution of malware.  Accordingly, the guidance recommends that an institution’s incident response policy address social media as appropriate.

The FFIEC is specifically seeking comments by March 18 on the following questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

Video Interview: Discussing Facebook's Updated Data Use Policy with LXBN TV

Following up on my post explaining that Facebook's updated Data Use Policy could lead to them sharing user data with ad agencies, I had the chance to speak with Colin O'Keefe of LXBN on the subject. In the interview, I break down the changes and offer my thoughts on how this compares to Google's policies. 

Facebook Opens Door to Giving Your Personal Information to an Affiliated Ad Agency

Give Facebook credit for candor. Facebook does not call the policy describing what it does with your personal information a “privacy policy”, but rather a “Data Use Policy”. The nomenclature is appropriate. The Facebook Data Use Policy is not so much about protecting the privacy of the information you share on Facebook as it is about Facebook’s plans for making money from that information. And the latest revision of the Facebook Data Use Policy, scheduled to go into effect this week (the “Proposed Policy”), suggests that Facebook’s plans include buying an ownership interest in an advertising agency and giving your personal information to that agency.

Some of the changes in this Proposed Policy are merely clarification. Changes made earlier this year already provided that Facebook can use information posted about you on Facebook to “personalize” ads displayed to you both on Facebook and outside of Facebook. The latest Policy revisions make it clear that in “personalizing” ads, Facebook may consider using everything you do and say on Facebook and anything others say or display about you when they “tag” you. You may remove your posts and others’ tags from your timeline, but this action does not remove the information from Facebook’s database.

The significant addition to this Policy is an entirely new provision that, for the first time, permits Facebook to engage in unlimited sharing of your personal information with “affiliates” with the following language:

Affiliates

We may share information we receive with businesses that are legally part of the same group of companies that Facebook is part of, or that become part of that group (often these companies are called affiliates). Likewise, our affiliates may share information with us as well. We and our affiliates may use shared information to help provide, understand, and improve our services and their own services.

Legally, an affiliate could include a company in which Facebook owns a minority interest. Facebook has not announced any new acquisitions, and there is no reason to believe that one is planned for the immediate future. But it is certainly plausible that this Proposed Policy is intended to pave the way for: (i) taking an ownership interest in an advertising agency and (ii) immediately commencing complete sharing of Facebook data with that advertising agency.

Given how much Facebook knows about its users, such an agency could be much more effective than current online ad networks which serve advertisements based upon your behavior on the Internet (which they deduce through cookies placed on your browser by websites you’ve visited and advertisements you’ve clicked).

But nothing in the Proposed Policy limits Facebook’s use of your information “off Facebook” to on-line advertising. With its facial recognition software and its location tools, Facebook could place a camera at the entrance to a department store to identify you as you enter. Then, a digital sign linked to Facebook’s database could flash to you information about in-store offerings, based on Facebook’s cataloging of your interests and desires.  Oh what a brave new world, indeed.

OMG! Does Your Doctor's Facebook Status Violate HIPAA?

Co-authored by: Cory Fox

Recently, the Federation of State Medical Boards (“the Federation”) released its Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Guidelines”). The Guidelines are intended to address how physicians can utilize social media to facilitate patient care while still maintaining the privacy and confidentiality of patient information and the appropriate level of professionalism.

Use of social media, such as Facebook, Twitter, LinkedIn and blogging, has increased amongst healthcare providers. One survey indicates that 87% of physicians use social media websites for personal use and 67% use social media for professional purposes. Another study indicates that 35% of physicians have received friend requests from patients or their family members, and 16% of physicians have visited an online profile of a patient or a family member. The expanded use of social media raises challenging questions for healthcare providers, such as the extent to which physicians can share their work experiences online without violating the privacy and confidentiality of their patients and how to clearly delineate appropriate boundaries of professionalism. An analysis of physician blogs found that nearly 17% included enough information about patients to identify them. The Guidelines state that 92% of state medical boards have reported violations of online professionalism, including Internet use for inappropriate contact with patients, inappropriate prescribing, and misrepresentation of credentials or clinical outcomes. This conduct has serious consequences for physicians, with 44% of disciplinary actions from inappropriate Internet use resulting in medical license revocation.

To address these issues, the Guidelines recommend that physicians abide by the following standards when using social media:

  • Candor: Physicians should disclose any information that could influence patients’ understanding or use of the information, products or services on any website offering health care services or information;
  • Privacy: Physicians should prevent the unauthorized access to, or use of, patient and personal data and assure that any de-identified data cannot be linked back to the user or patient; and
  • Integrity: Physicians should ensure that the information contained on their websites is truthful, up-to-date, and supported by relevant clinical evidence when necessary.

The Guidelines use these principles to provide guidance on the appropriate use of social media and social networking in the following contexts:

  • Professionalism: Physicians should:
    • Use separate personal and professional social networking sites, profiles, and e-mail accounts and ensure separation between the two;
    • Report any unprofessional behavior to the proper authorities; and
    • Observe the same standards of ethical conduct online that would normally be observed offline.
  • Medical Board Sanctions and Disciplinary Findings: State medical boards have the authority to discipline for inappropriate online conduct, including:
    • Inappropriate communication with patients;
    • Use of the internet for unprofessional behavior;
    • Misrepresentation of credentials;
    • Violations of patient confidentiality;
    • Failure to reveal conflicts of interest;
    • Derogatory remarks regarding a patient;
    • Depiction of intoxication; and
    • The use of discriminatory language or practices.
  • Interacting with Patients: Physicians should refrain from interacting with past or current patients on personal social networking sites like Facebook, and never discuss information pertaining to the physician-patient relationship on personal social networking sites.
  • Privacy/Confidentiality: Patient privacy and confidentiality must be protected at all times, especially on social networking sites. Physicians can discuss their clinical experiences but should refrain from including details that may identify a patient.
  • Disclosure: Physicians may write online about their experience as healthcare professionals, but they must reveal existing conflicts of interest and be honest about their credentials as physicians.
  • Posting Content: Physicians must realize that any information they post online can be disseminated without their consent to a huge audience. The content posted can often be taken out of context and remain online forever.
  • Discussion of Medicine Online: While professional social networking sites designed specifically for physicians can be useful forums for medical discussion, physicians must ensure that the information exchanged on these sites remains confidential and that non-physicians do not rely on the online discussion as medical advice.

The Guidelines recommend that all healthcare providers implement policies and procedures addressing social media and social networking usage in accordance with these recommendations.

The NLRB Finds No Protected Activity Involved Where Employee is Fired for a Facebook Posting

Authorship credit: Jay Seegers 

Like many people, Robert Becker, a salesperson at Karl Knauz Motors’ BMW dealership in Chicago, had his own Facebook page. When the BMW dealership served hot dogs, chips, and bottled water at an event to introduce a new BMW vehicle, Mr. Becker posted sarcastic comments questioning whether the dealership’s choice of cuisine matched the luxury image of the BMW brand. When a Land Rover at another Karl Knauz Motors’ dealership was driven into a pond by the thirteen-year-old son of a customer, Mr. Becker posted pictures and made comments about the absurdity of the accident. Mr. Becker was not laughing, however, when he was subsequently fired. Neither was the Acting General Counsel of the National Labor Relations Board (the “NLRB”), who issued an unfair labor practice complaint against Karl Knauz Motors asserting that Mr. Becker’s Facebook postings were protected concerted activity under the National Labor Relations Act (the “NLRA” or “Act”).

The NLRA prohibits employers from disciplining employees who engage in “protected activity” as defined by Section 7 of the Act. Protected activity includes situations where employees comment on, or express concerns about, their terms and conditions of employment. The Acting General Counsel of the NLRB took the position that Mr. Knauz’s Facebook postings were protected expressions of his concerns about workplace compensation and safety issues. At hearing, the Administrative Law Judge agreed that Mr. Knauz’s postings regarding hot dogs and chips, which he discussed with other salespeople, concerned terms and conditions of employment because of the impact the event might have on his ability to make sales and earn commissions. The Administrative Law Judge, however, found that Mr. Becker’s comments regarding the Land Rover accident were not protected because he had not discussed them with other employees and they were not safety-related. In finding that Karl Knauz Motors did not commit an unfair labor practice, the Administrative Law Judge concluded that Mr. Becker’s termination was based solely upon his Facebook comments about the Land Rover accident.

On appeal, the NLRB upheld the Administrative Law Judge’s decision finding that Mr. Becker’s posting regarding the Land Rover accident was the basis for his termination and was intended merely as a “lark” which was unrelated to any rights protected by Section 7 of the NLRA. In reaching its decision, the NLRB did not decide whether it agreed with the Administrative Law Judge’s finding that Mr. Becker’s Facebook postings about the hot dogs and chips were protected activity.

The NLRB’s decision in Karl Knauz Motors, Inc. d/b/a Knauz BMW, 358 NLRB No. 164, demonstrates that employers can still discipline employees for social media postings, including those made on Facebook, as long as the postings do not rise to the level of protected activity as defined by Section 7 of the NLRA. Given the General Counsel’s prior guidance on this issue and the decisions of other Administrative Law Judges in social media cases, all of which are very expansive of employee rights, it seems likely that the NLRB would find that Mr. Becker’s other Facebook postings about his employer serving hot dogs and chips at a client event were protected under the NLRA. Going forward, employers will be well advised to tread carefully when considering whether to discipline employees for social media postings, as it is clear that the NLRB is actively looking to protect employee rights in this area.

NLRB Decision Finds Social Media Provisions Unlawful

Editor's Note: This post is a joint submission to BakerHostetler's Media Law Bytes & Pieces blog.

Since June 2011, the Acting General Counsel (GC) of the National Labor Relations Board has issued three reports outlining the position of his office on the applicability of the National Labor Relations Act (NLRA) to employee policies that set rules for permissible social media use. The positions taken by the GC were considered by some to have been overprotective of employees and advanced without considering the unique issues associated with social media (e.g. the GC's contention that a provision prohibiting disclosure of confidential information was unlawful). Other than identifying the social media policy of one retailer that was deemed acceptable, the three GC reports focused mostly on identifying what provisions were unlawful rather than providing guidance on creating a compliant policy. Review our prior coverage of the GC reports.

The GC's reports caused some employers to modify their social media policies while others waited to see if the GC's arguments were accepted by the NLRB. Until the NLRB issued a decision in the Costco Wholesale Corp. matter on September 7, 2012, however, the NLRB had not addressed any of the positions taken by the GC in a published decision. In the Costco decision, the NLRB found that provisions in an employment agreement that regulated employee use of social media violated the NLRA. The decision has been widely reported as adopting much of the reasoning from the GC reports. Although such reports may be overstated, like the GC, the NLRB's analysis in Costco applied precedent developed to address traditional workplace rules to find broad rules directed at defining impermissible use of social media to be unlawful instead of developing standards specific to the unique nature of social media. Specifically, the NLRB found that the following employee rules that often appear in social media policies violated the NLRA because they could reasonably be seen as chilling employees' exercise of their rights under Section 7: (1) a prohibition on electronically posting statements that damage the company or any person's reputation; (2) prohibiting unauthorized posting, removal or alteration of material on company property; and (3) prohibiting discussing, disclosing or sharing private employee matters or confidential information.

One area where the NLRB and the GC may differ is over the impact of including a "savings" clause. Some social media policies contain a provision stating that the policy will not be construed or applied in a manner that would violate the NLRA. The GC contends that this type of "savings" clause does not save overly broad provisions from violating the NLRA. But the NLRB noted the absence of such a provision as part of its basis for finding policy language to be unlawful.

In the wake of Costco, employers should review their employee handbooks and social media policies to look for issues. We have listed below the specific policy language that was found to violate the NLRA and the NLRB's supporting rationale. When revising or implementing new social media policies, we recommend that employers consider the following:

  1. Include an introductory paragraph that provides an explanation of the nature of issues and business risks unique to social media that the policy is designed to address to provide context for the prohibitions that will follow;
  2. Create separate segments of the policy for different forms of social media use (e.g. personal use, employer-owned) so the prohibitions can be appropriately tailored;
  3. Provide examples of prohibited conduct associated with actions not protected by the NLRA (e.g. prohibiting "verbal abuse" or "abusive and profane language"); and
  4. Include a "savings" clause stating that protected activity is excluded from the scope of the policy.

Below is a list of the specific policy language and the NLRB's explanation for why it was unlawful:

  • "Any communication transmitted, stored, or displayed electronically must comply with the policies outlined in the Costco Employee Agreement. Employees should be aware that statements posted electronically (such as online message boards or discussion groups) that damage the Company, defame any individual or damage any person's reputation, or violate the policies outlined in the Costco Employee Agreement, may be subject to discipline, up to and including termination of employment."

    The NLRB found that this "broad prohibition against making statements that 'damage the Company, defame any individual or damage any person's reputation' clearly encompasses concerted communications protesting [Costco's] treatment of its employees." The Board was particularly critical of Costco's failure to explicitly exclude from its policy protected activity under the NLRA. Without any exclusion, the Board found that employees would reasonably conclude that the restriction applies to protected communications, such as those critical of Costco.
  • "Sensitive information such as membership, payroll, confidential financial, credit card numbers, social security numbers, or employee personal health information may not be shared, transmitted, or stored for personal or public use without prior management approval. Additionally, unauthorized removal of confidential material from Company premise[s] is prohibited."

    The NLRB found that the prohibition against sharing "payroll" information violated the Act. It rejected Costco's argument that the term "payroll" referred only to the "confidential business information component of payroll" (which Costco did not want to share with its competitors). Instead, the NLRB found that the term payroll reasonably referred to the wages and working conditions of its employees and therefore violated the Act.
  • "All Costco employees shall refrain from discussing private matters of members and other employees. This includes topics such as, but not limited to, sick calls, leaves of absences, FMLA call outs, ADA accommodations, workers' comp injuries, personal health information, etc."

    The NLRB found that this rule explicitly prohibits protected activity. "Private matters" as defined by the rule, such as sick calls and accommodations, are terms and conditions of employment. Costco's explicit prohibition of employees discussing these matters with anyone -- which the NLRB found would include other employees or union representatives -- is overly broad. The NLRB was not persuaded by Costco's argument that the rule simply tried to avoid the disclosure of medical issues. Instead, the NLRB found that if Costco "intended to prohibit only discussion of private medical information in its files, it could have easily done so."
  • Cause for termination of employment for "Unauthorized posting, distribution, removal, or alteration of any material on Company property."

    The NLRB found that this rule explicitly prohibits protected activity. It rejected Costco's argument that the rule intended to permit distribution in non-working areas during nonworking time.
  • "In the course of our business, we collect from our members and employees a substantial amount of personal information (such as name, address, phone number, e-mail address, social security number, membership numbers and credit card numbers). All of this information must be held strictly confidential and cannot be disclosed to any third party for any reason, unless (1) we have the person's prior consent or (2) a special exception is allowed that has been approved by the legal department."

    In striking this provision, the NLRB found that Costco's definition of "confidential" was overbroad because it included employees' names, addresses, phone numbers and email addresses, which they otherwise have a protected right to share with others, such as unions. Costco's provision did not distinguish between information obtained in the normal course of work versus information obtained from Costco's private or confidential files. The NLRB further criticized the provision because it failed to distinguish between information obtained by employees from contact with or discussion with other employees.

"If you don't have the law, argue the facts..."

With the law of privacy in social media communications evolving, the one constant take-away from court cases looking at social media use and monitoring in the workplace is a reliance on fact-dependent judicial decision making.  Even though there is not yet a clear legal standard upon which to judge an employer’s actions, or even a seminal line of cases, what is apparent is a judiciary willing to dig into the facts of a case and fashion remedies that seem objectively fair based upon an employee’s expectation of privacy.  This continues to reinforce the need to develop clear social media policy and then to communicate, train and give examples of what is expected and how the employer will enforce its expectations.

A recent example is the U.S. District Court for the District of New Jersey’s decision in Ehling v. Monmouth Ocean Hosp. Serv. Corp., D.N.J., motion to dismiss granted in part and denied in part 5/30/12, where an employee stated a claim that survived a motion to dismiss for invasion of privacy based on a supervisor's access to the contents of her “friends-only” Facebook page.  This access was gained through one of the employee's Facebook friends who felt compelled by the employer to grant “friend access.”  The claim was based upon a theory of invasion of privacy under New Jersey common law.  The fact-based decision making adopted by the court made the claim unable to be resolved on a motion to dismiss.

What makes the case interesting is that the electronic communications were not publicly accessible, but not entirely private either – as any user of Facebook knows, posts are public but only to “friends.”  The court noted, “what is clear is that privacy determinations are made on a case-by-case basis, in light of all the facts presented.” The court examined what is a reasonable expectation of an employee when it comes to social media privacy: “Privacy in social networking is an emerging, but underdeveloped, area of case law[,]” the court said.

Some cases set no reasonable expectation of privacy for material posted on the public internet, United States v. Gines-Perez, 214 F. Supp.2d 205 (D.P.R. 2002); Yath v. Fairview Clinics NP, 767 N.W.2d 34 (Minn. Ct. App. 2009) (MySpace posting, even to only a handful of authorized “friends,” was “public” for purposes of an invasion of privacy claim based on the publication of private facts.) Others find a privacy expectation, such as Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp LLC, 587 F. Supp.2d 548 (S.D.N.Y. 2008), finding a reasonable expectation of privacy in personal, password-protected email stored on a third-party server, even though the employee accessed the server while at work.

Understanding that the law of privacy and social media in the workplace is fluid, many courts, such as the Ehling court here, are refusing to dismiss privacy claims as a matter of law and instead are sending the issues to a jury to determine the reasonableness of the expectation of privacy: “Plaintiff may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing[,]” the court held.

The NLRA and Employee Surveillance: Avoiding the Temptations and Pitfalls of Social Media

Authorship Credit: Ellen J. Shadur

The advent of social media and the prevalence of mobile communications devices challenge employers seeking to prevent unlawful conduct in the workplace.  Employees are no longer constrained by the need for physical proximity, or lack of access to a bulletin board, a telephone landline, or a fax machine.  Bullying and harassment, misappropriation of an employer’s trade secret or proprietary information, or  disclosures that run afoul of securities or consumer protection laws, all may take place “away” from the workplace, and without the need for or use of workplace computers or equipment controlled by the employer.

Legitimate concerns about the power of these new media may drive some employers to monitor employee postings or comments via Facebook or Twitter.  In so doing, employers may unwittingly run afoul of the National Labor Relations Act (the "Act").

The Act protects the rights of employees to engage in concerted activities “for the purpose of collective bargaining or other mutual aid or protection . . . ."  The Act further protects the rights of employees to engage in protected concerted activity free from unlawful surveillance by their employers.  This is true whether or not employees are represented by a union or seek to be.  Employees communicating with each other to address a shared concern related to their employment, or trying to encourage concerted activity on a matter related to their employment, may be engaging in activity protected by the Act.

Recent decisions of the National Labor Relations Board (the “Board”) make clear that employers must tread carefully when it comes to monitoring or intercepting employees’ communications via the Internet or social media.  Employers do not have unfettered rights to act upon everything they see.  While the Board’s positions are evolving, the cases do provide some guidance.

Friending – Employees sometimes “friend” their supervisors or otherwise include supervisors in their social network.  Information obtained in this way is fair game for the employer; NLRB decisions have concluded that an employee who “friends” a supervisor is inviting observation by the employer.  See Advice Memorandum dated July 28, 2011 regarding Buel, Inc., Case 11-CA-22936 (summarized in January 24, 2012 Report of the Acting General Counsel Concerning Social Media Cases).  The same may not be true, however, where the supervisor is acting at the direction of the employer.  Thus, employers should not encourage supervisors to seek out employees as social media contacts, such as Facebook friends.   See Id., relying on Donaldson Bros. Ready Mix, Inc. and International Union of Operating Engineers, Local 400 AFL-CIO, 341 NLRB 958, 961 (2004).

Trolling – Employers should not encourage or suffer supervisors to troll employee sites on social media sites such as Facebook or to follow employee Tweets for the sole purpose of monitoring concerted activity by employees. This, too, could be viewed as unlawful surveillance.  Id.

Use of proxies – Creation of an impression of surveillance is also unlawful interference with employees’ rights under the Act.  An impression of surveillance is created where an employer makes a statement from which an employee would reasonably assume that his or her concerted activity was under surveillance. See Target Corporation and United Food & Commercial Workers Local 1500 2012 WL 1830340 (NLRB Div. of Judges, May 18, 2012).  Thus, by way of example, a supervisor may not use employee proxies to collect information and then fail to disclose where the information came from.   Id.  (Employer found to have violated the Act where supervisor told employee that employer was aware of protected activity but would not disclose how employer learned of the conduct).  Employers should not, therefore, encourage non-supervisory employees to do by proxy what employers may not do themselves, nor should they encourage anonymous “tipping” about employee gripes or complaints.

What’s an employer to do?

The bad news for employers is that decisions addressing surveillance have not yet begun to grapple with the power of the Internet and social media.  The good news is that the rules for employers are not more complicated or different simply because employees have new means of communicating with each other.  Thus, employers may use the same tools that have always worked to encourage good employee behavior without employers having to resort to unlawful surveillance.  Following are two examples:

  • Policies that clearly proscribe communications or conduct in a way that does not run afoul of employee rights under the Act.  The Acting General Counsel’s reports on social media cases make clear that such policies must clearly define the context, or need, giving rise to the proscription, and the policy must be narrowly tailored for that context.  By way of example, a policy against unlawful harassment that proscribes “offensive” conduct will pass muster even though a stand-alone policy with the same language would be overly broad and violate the Act.
  • Policies encouraging employees to bring complaints or concerns to their supervisors, and allowing employers to use these policies to evaluate employee behavior.  In a recent decision of the Second Circuit Court of Appeals, the employer used such a practice to show that its decision to terminate a union activist employee did not constitute unlawful retaliation under Section 8(a)(3) of the Act.  See N.L.R.B. v. Starbucks Corp, --- F.3d --- , 2012 WL 1624276 (C.A.2) (May 10, 2012) (employee termination lawful where based on noted deficiencies in “communicating changes in partner attitude (concerns, compliments, complaints) to management”).

In conclusion, employers should avoid the temptation to use social media to monitor employee communications in ways that would be proscribed for other, more traditional types of concerted activity.  The tried and true – well-written, thoughtful policies and good management practices – are still the best means of preventing unlawful employee behavior.

FBI Issues New Warning on Social Networking Risks

Businesses Vulnerable to Employees’ Social Networking Activity

Authorship Credit: Greg Saikin

The FBI has issued a fresh warning to all users of internet-based social networking, informing them that hackers—ranging from con artists to foreign government spies—are looking for every opportunity to exploit the users’ identifying and related personal information.  The FBI reports that these tactics present serious risks to both the users and their workplace.

Per the FBI, hackers are carrying out two general tactics, which are often combined.  Hackers are: (1) exploiting personal connections through social networks—these hackers are also known as “social engineers” for their ability to manipulate users through social interactions over the phone, in writing or in person; and (2) writing and manipulating computer code to gain access or install unwanted software on your computer or phone.

“Once information is posted to a social networking site, it is no longer private,” the FBI warns.  “The more information you post, the more vulnerable you become…The more information shared, the more likely someone could impersonate you and trick one of your friends into sharing personal information, downloading malware, or providing access to restricted sites.”

In many cases, hackers are impersonating social networking users with the intent to target the user’s workplace. “Spear phishing,” for example, occurs when a hacker poses as the user in an email to the user’s co-workers. The hacker’s email contains a link or file with malware and only one recipient needs to open the email’s link or file to launch the malware in the business organization’s network.  In turn, the malware could provide the hacker with valuable information concerning the business’s security measures and trade secrets, as well as give the hacker an even greater ability to “social engineer” other employees within the organization.

In addition to “spear phishing,” the FBI also warns about other hacking schemes, including “baiting,” “click-jacking,” “cross-site scripting,” “doxing,” “elicitation,” and “pharming.”

To protect your business against these schemes, the FBI recommends implementing the following preventative measures:

  • Use multiple layers of security throughout the computer network;
  • Identify ways data has been lost in the past and mitigate those threats by changing behavior of company personnel;
  • Constantly monitor data movement on the company’s network;
  • Establish policies and procedures for intrusion detection systems on company networks;
  • Establish and enforce policies concerning what company information employees can share on personal blogs and web pages;
  • Educate employees about the impact of their behavior on the company and its employees;
  • Provide yearly security training; and
  • Ask employees to immediately report suspicious activity.

View the full FBI report.

You Are What They Tweet: Why Clear Social Media Policies are Becoming More Critical to Employers in This Tech Age

Authorship Credit: Tarsha Luke

The recent termination of a top executive of a publicly traded company is another example of some of the perils of mixing personal and workplace social media. The chief financial officer for a women's clothing retailer, Francesca's Holdings, was dismissed for disseminating non-public corporate information to his Twitter followers. After a company board meeting he tweeted about the company's earnings. Using the handle "@theoldcfo," he wrote: "Board meeting. Good numbers=Happy Board." Subsequently, the company's stock jumped fifteen percent. Strictly enforcing its social media policy, the Houston-based company decided to fire its CFO for that tweet, in addition to a series of other posts he sent from his social media accounts since 2010.

This case sheds light on the legal consequences relating to the use of social media in the workplace. Employee Internet posts not only implicate the financial rules of the Securities and Exchange Commission, as was the case for Francesca's, but they can also create compliance issues under the regulations of other agencies, including:

  • Financial Industry Regulatory Authority (FINRA),
  • Federal Trade Commission (FTC),
  • Food and Drug Administration (FDA) and
  • National Labor Relations Board (NLRB), Office of the General Counsel.

Furthermore, rogue social media use can put company trade secrets and client confidences in jeopardy. This is why it is increasingly important for all companies, not just publicly traded companies, to have a social media policy. A good social media policy should address both employee behavior on company-affiliated media, as well as employee behavior that can be traced back and imputed to the company.

Below are some considerations for creating and implementing a social media policy:

  • Almost anything written on the web can be easily traced back to its author, and ultimately the place where he works. This is because online information is backed up repeatedly and often and posts in one forum are usually replicated in other forums through trackbacks, reposts or references. Therefore, social media policies should be applicable to all types of workers including employees, temporary or seasonal workers, independent contractors or anyone with access to a company computer.
  • Companies with employee-generated content on company-branded websites, blogs, wikis or other social networking sites should have formal procedures to review what its employees post on its behalf. When possible, it is best practice to treat all employees' posts on company-branded sites as if they were being published in more traditional media.
  • Nevertheless, a company cannot prevent an employee from using the company's name or trademark for non-commercial purposes on his or her own time to complain about wages, terms and conditions of employment, working conditions or other protected employee rights under Section 7 of the National Labor Relations Act (NLRA).
  • An employer should avoid using vague language in its social media policy, such as "appropriate," "inappropriate" or "professional." Terms should be defined either by using examples or by using language that carves out an exception for employee rights protected under the NLRA.
  • A company should be careful about asking an employee or prospective employee to provide usernames and passwords to personal social networking websites, without first weighing the business concerns of doing so. In addition to potentially facing serious public relations concerns for choosing to implement such a policy, there soon may be legal liability for requesting private social media passwords. Maryland enacted a law prohibiting employers from asking for social media passwords, which will take effect on October 1, 2012. Other states are also rapidly following suit, including Illinois, California, Minnesota, Michigan, Massachusetts, and Ohio. Furthermore, the federal government is also interested in this topic. Two U.S. Senators have asked the Department of Justice and the U.S. Equal Employment Opportunity Commission to look into the issue.

For more information and guidance on this issue, see a recent article published by Labor and Employment Partner Dan Guttman titled: "What Can Management Do to Protect the Organization From Inappropriate Use of Social Media?"

Article: "What Can Management Do to Protect the Organization from Inappropriate Use of Social Media?"

Baker Hostetler Partner Dan Guttman published “What Can Management Do to Protect the Organization from Inappropriate Use of Social Media?” in the winter 2012 issue of OHPELRA Update, the labor and employee relations trade publication covering all of Ohio’s public employers.

In the article, Mr. Guttman notes that although social media outlets, including Facebook and LinkedIn, provide employers with new and growing opportunities for communication as well as for recruiting and hiring new talent, the use of social media by organizations and their employees also presents numerous challenges and risks, both in terms of efficiency and legal liability.

He also warns employers to proceed with caution and suggests organizations create a social media policy to identify and mitigate their potential sources of legal liability without hampering social media’s potential benefits to the company.  He provides several guidelines consistent with federal and state law to consider and encourages employers to consult legal counsel to formulate a custom-tailored social media policy to address their specific needs and their legal environment.