This is the second of a two-part paper by ACE’s Toby Merrill and Kenneth Latham, InfoLawGroup’s David Navetta and Richard Santalesa, now of The Sm@rtedgeLaw Group.
Miss Part 1? Get it here.
What Are the Reputational, Legal and Operational Risks of Social Media Participation?
“Social media has changed how people communicate and interact, how marketers sell products, how governments reach out to citizens, [how universities recruit students], even how companies operate. It is altering the character of political activism, and in some countries it is starting to affect the processes of democracy itself.” David Kirkpatrick, The Facebook Effect
As mentioned earlier, social media makes a whole new world of privacy, security, intellectual property,
employment practices, and other legal risks possible. It is important to understand the considerable downside that exists hand-in-hand with the remarkable upside of using social media for a variety of business aims, which can occur in three major areas of risk: reputational, legal, and operational.
Reputational
The reputational risks of social media can easily equal or exceed the reputational benefits, for one simple reason. The vast reach of social media platforms — on which millions, globally, communicate
every second of every day and night — offer not only a vast frontier of promotional opportunity, but a vast uncharted “sinkhole” of risk.
In April 2009, two employees of a national pizza delivery chain made a prank video in which one of them tainted a sandwich, ostensibly intended for delivery to customers. When they posted their video on YouTube, it drew over a million viewers. Because of that extreme degree of interest, word of the video trended on Twitter, and within 48 hours, consumer perception of the pizza chain had pivoted 180 degrees — from positive to negative.
The company attempted to perform damage control by quickly launching its own Twitter account to counter rumors and answer questions, while its CEO took to YouTube to personally address the public’s concerns. By that time, however, any online search for the pizza chain’s name turned up references to the prank video story on the first page of search results – a true PR nightmare.
But there are less dramatic and drastic ways that employees can harm a company’s image. General “bad behavior” by employees, or the posting of embarrassing information, has the potential to reflect poorly on the company. Ironically, as discussed below, employees who praise their company’s products or services can unintentionally get their employer in hot water, too.
Legal
The legal risks associated with social media should be carefully considered prior to engaging in a social
media strategy. The main risks include: employment, privacy, security, intellectual property and media
risks. Business managers who want to implement a social media legal strategy should consult with inside and outside counsel who understand information technology law. While these legal risks can be significant, with forethought and planning, they can be managed. In this part of the paper, we will provide an overview of the key risks.
The following are some common situations in which social media can be the occasion for legal action:
Employment Risks:
• The practice of investigating potential and existing employees through social media is widespread.
Employers who hire outside vendors to investigate either an applicant’s or an employee’s social media activities and content may be required by law to get written consent from those individuals. The information collected from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act (FCRA). If so, the employer seeking to acquire such information must, in some cases, obtain an individual’s consent before the employer may acquire the “consumer report” (e.g., credit report) regarding that individual. In addition, the FCRA would require employers to provide information to individuals as to how they may dispute the accuracy of the report with the company that furnished the report. This requirement, however, applies only when the employer takes an adverse action based
on the report (such as not hiring or promoting the person in question). In addition, a number of states, including Illinois, Oregon, Hawaii, and Washington prohibit employers (with certain exceptions) from using consumer reports in the hiring and promotion processes.
• Impermissible discrimination in hiring based on social media research can subject a company to investigation by the EEOC, as well as possible action for alleged violations of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act, and many other federal and state statutes.
• Companies whose employees participate in conversations on social media platforms while using company computers may want to monitor their employees’ social media communications. Such monitoring is not without its legal dangers, though, as an employer may then be subject to liability under the Stored Communications Act (part of the larger Electronic Communications Privacy Act), if an employer accesses the content of non-public communications not stored on the company’s own server. In addition, if employees and/or managers engage in unprofessional exchanges online, that can lead to harassment claims against the company.
• Social media legal risks may also be present if an employer decides to fire employees based on their Facebook interactions with other employees in the organization. In one incident, where an employee was fired for negative comments about her supervisor posted on a Facebook page shared with other employees, the National Labor Relations Board (NRLB) said that employer’s action violated the National Labor Relations Act (NLRA). In the NRLB’s view, the firing interfered with employee rights under the NLRA stipulation relating to union organizing — which allows employees to discuss wages, hours, and working conditions with co-workers and others, while not at work. In another case, an employee alleged that a company’s social media policy restrictions on employee communications about the company were a violation of the NLRA. The first case settled and the second complaint was resolved for an undisclosed amount, along with an agreement to revise the company’s social media rules.
Security Risks:
• Social media sites pose potentially increased security risks, and if a security breach arises from social media activities, the organization may face liability. Security breaches may occur because of malware downloaded onto an organization’s website through the use of social media. This can happen when an employee downloads an application, or is a victim of “phishing” or “click-jacking” 20 on a social media site while using a company computer. If the organization’s social media-related security policies, procedures, and technical safeguards are inadequate, it may be held liable for a breach arising from the surreptitiously acquired malware. In addition, social engineering within social media sites, as well as “spoofed” social media profiles or pages, provide other points of entry for attackers and pose more legal risks for organizations. A spoofed site is one where criminals have set up profiles or fan pages to look exactly like an organization’s own page. If a customer or employee is tricked into providing company information, personal information, or sensitive information (such as usernames and passwords), it could pose legal liability risks to the organization whose profile or fan page was spoofed, or replicated in a fake version.
Intellectual Property and Media Risks:
• PR News warns, “Make sure your social media team understands what they can and can’t do with the intellectual property of others. If your employees post or re-post information [belonging to others] without permission, this can lead to infringement claims against your company.” It could also result in potential contractual breach claims, if the intellectual property belongs to an existing client. Companies may be held directly liable for hosting material on their website in circumstances where the safe harbor protections of the Digital Millennium Copyright Act may be unavailable — or vicariously liable for employee actions on third-party sites that infringe the copyright, trademark, or other intellectual property rights of others.
• Furthermore, employee discussions on social media sites could disclose third-party trade secrets that the company is legally required to protect, and that can lead to misappropriation and other contractual and tort claims. Companies are generally legally responsible for any financial statements on social media sites made by them, or on their behalf, through the antifraud provisions of securities laws.
• As mentioned earlier, employees who praise or promote their organization’s products and services may create legal liability. The FTC may regard positive statements by employees as “improper advertising.” For example, if an employee were to publish a fake positive review of its employer’s products or services, or encourage others to do the same, it could violate section 255.5 of the FTC’s Endorsement and Advertising Guidelines.
Defamation Risks:
• Defamation is yet another common claim that may result from social media activities, and companies need to be aware that they face potential liability for defamatory statements made by their employees about competitors, and for defamatory statements made by the public on the companies’ third-party social networking pages.
Privacy Risks:
• Companies may have an obligation to protect the privacy of members of the public who join their social networking pages on third-party sites, or who provide personal information through social media sites – just as they do, in many cases, when the public provides personal information on the company’s own website. For example, not only do companies need to guard against violating the Children’s Online Privacy Protection Act (COPPA), they need to conform to the privacy regulations and terms of use of those third-party sites. Facebook, for instance, has stringent guidelines surrounding company promotions on their site. Finally, companies may run into legal trouble if their social media activities violate their own privacy policies.
• Lastly, there are several ways in which social media activity might compromise or leak sensitive company information (or client information) that could have legal consequences. These are: through crowdsourcing sites (the company posts a problem and asks for solutions from the public, with the unintended consequence that trade secrets are indirectly revealed); through inadvertently compiled client lists (a vice president’s contacts on LinkedIn, say, could equate to a complete client list, visible by competitors); and through the inadvertent disclosure of “competitive intelligence” while discussing products, customers, and strategic decisions on various social networking sites.
***
Toby Merrill is a vice president in ACE USA’s Professional Risk division, where he is the national product manager of the Network Security, Privacy, Technology and Media Liability products.
Kenneth Latham is vice president of ACE Professional Risk, and product manager for Employment Liability and Fiduciary Insurance.
David Navetta is one of the founding partners of the Information Law Group.
Richard Santalesa is founder of Sm@rtedgeLaw Group. He was formerly senior counsel at InforLawGroup.
