Reprinted from the North Carolina Bar Association’s Employment Law Newsletter, September 2010
Employers and employees are continuing to grapple with the use of social media in the workplace. On the one hand, social media can be a powerful online marketing tool that provides access to 500 million users (and that number accounts for Facebook users, alone). On the other hand, social media is also a demonstrated leading contributor to security incidents and data leaks. This article presents several recent developments and perhaps overlooked legal constraints that bear on the use of social media in the office.
Vetting Job Applicants
Human resources staff may be in the habit of reviewing applicants’ Facebook, MySpace, or LinkedIn pages, or using those sites to recruit new hires. Applicants’ posts to social media often reveal “personal characteristics” and “modes of living,” which constitute “consumer reports” governed by the federal Fair Credit Reporting Act (FCRA). As a result, assembling reports about applicants based on social media content and regularly disseminating those reports to third parties (including affiliates) can render an organization a “consumer reporting agency.” When such reports are used in connection with making employment-related decisions, both the reporting agency and the user of the report can face potential liability if the reporting and decision making was not performed in compliance with the FCRA.
Monitoring and Discovering Employee Use
Monitoring employees’ use of the Internet and electronic communications always presents legal risks and compliance is often uncertain, given the maze of case law on the subject. Monitoring employee use of social media has only more recently become the subject of litigation, but some cases have been decided that are beginning to illuminate the boundaries of employer monitoring. In Pietrylo v. Hillstone Restaurant Group, (D.N.J. June 16, 2009), a jury entered a verdict against an employer that accessed a private MySpace user group established by employees for the sole purpose of venting about their employer. This “venting” was allegedly done all on personal time. Management became aware of the user group when a hostess with authorized access to the page showed it to a supervisor at a party. The hostess was subsequently asked to provide her log-in credentials to a second supervisor (she later testified that she complied out of fear for negative job-related repercussions). Two members of the user group were fired and then filed suit, alleging violations of their common law right to privacy, their freedom of speech, the federal Stored Communications Act (SCA), and the New Jersey statute on unlawful access to stored communications. The plaintiffs were successful on the latter two charges, as the jury found that the defendants violated the SCA and the state law equivalent by intentionally accessing the MySpace page (and communications made on it) without authorization.
In Crispin v. Christian Audigier Inc. (C.D. Calif. May 26, 2010), a similar result was produced when a federal district court determined that the SCA applies to social media posts, provided that the poster had established privacy settings intended to keep other users from viewing the content without authorization. In this case, the defendant sought access in discovery to any communications made by the plaintiff using MySpace and Facebook if those communications in any way referred to the defendant. Although a magistrate initially sided with the defendant, the district court ultimately reversed, finding that the SCA applied to the communications because the social media site providers were electronic communication services. Accordingly, the content in question was electronically stored within the meaning of the SCA and thus could not be accessed without authorization. As a result, messages sent using the sites and content posted but visible only to a restricted set of users (i.e., Facebook friends) were both subject to the SCA and the court disallowed the defendant’s discovery request.
These cases do not address other interesting questions, like the protections afforded to arguably non-communicative social media content, such as a user’s list of online contacts. And is the analysis affected when a user’s online contacts number in the hundreds or even thousands, rendering the communications much less private? In any event, employers will want to follow this line of case law and consider its application to their employee monitoring policies.
Last year, the Federal Trade Commission (FTC) revised its Guides for the Use of Endorsements and Testimonials in Advertising to illustrate how those guidelines would apply to endorsements made in the online context. In its Guides, the FTC clarified that employees posting online content that endorses or otherwise promotes their employer’s products or services must disclose the employment relationship. The rationale is that the employment relationship would be a material factor to the consumer in evaluating the endorsement. As a result, employers should caution their employees against endorsing their products and services using social media unless they also mention their employment.
Although compliance with the Guides is voluntary, the FTC has stated that it will treat activities inconsistent with its Guides as a violation of the Federal Trade Commission Act. The FTC has already demonstrated its willingness to do so, charging Reverb Communications with a violation of the FTC Act after its employees took to social media sites to promote video games developed by companies Reverb represented. The employees’ posts, such as “amazing new game” and “really cool game,” did not disclose that the posters were employed by Reverb and thus, in the FTC’s view, constituted unfair or deceptive trade practices.
Special Privacy Considerations for Regulated Organizations
Social media is presenting special problems for organizations that are highly regulated on privacy matters – namely health care providers and financial institutions regulated under HIPAA and the Gramm-Leach-Bliley Act (GLBA), respectively. By virtue of the scope of those regulations, virtually any information about an individual who has received services from those organizations is subject to very restrictive limits on disclosure. As a result, employees of these organizations must be strongly cautioned against making inappropriate disclosures through social media. A remarkable number of such organizations have already experienced breaches as employees, emboldened by social media’s veil of seeming anonymity, take to the Internet to vent about patients and customers, ignorant or careless of the legal violations they are committing.
In light of the popularity and pervasiveness of Facebook and other social media sites, every organization needs a clear, documented policy to govern their employees’ virtually inevitable use of these sites. In light of the constantly-evolving nature of these applications, and their attendant threats and risks, that policy should be revisited often. Employers and employees need to consider a variety of topics, including those described above. As to each topic, there may be no clear right or wrong approach, but rest assured that one thing is clear: the worst position with regard to social media is to say nothing.