Disaster Recovery Journal

The term “social media” refers to any Internet-based medium created through social interaction where individuals primarily produce (rather than consume) the content. The growth of social media has been explosive. An estimated two-thirds of Internet users visit social networking or blogging sites. Reportedly, social media now account for almost 10 percent of all Internet time. Facebook claims more than 400 million active users. Wikepedia, YouTube, Flickr, LinkedIn, Google, and Twitter all seem to have different audiences, but each is large and growing.

These media provide new and dramatically enhanced communication capabilities. Their speed and penetration offer particular value in coping with disasters, when information is often the coin of the realm. After a recent hurricane, for example, a hospital system used Twitter to provide breaking information about patient status and the number of patients admitted and released. In the wake of the Virginia Tech shootings, a Facebook community emerged almost immediately to provide reassurance about their safety to students’ loved ones.

Conversely, use of these media is risky. A misstatement disseminated through them reaches far more people more quickly than was typically the case with “old media,” so the potential for mischief is correspondingly greater. When employees use company resources to access networking sites, viruses may contaminate networks. Even if that never happens, productivity may suffer. If a manager anonymously posts positive reviews of his product, or does so under a pseudonym, odds are good that he will be discovered, and the brand’s image will suffer.

In this article, however, I focus on legal questions rather than commercial ones. I conclude that although many companies should probably embrace these media, as their employees already do, they should do so understanding and compensating for the risks.

The popularity of social media gives companies new means to acquire valuable information. With suitable circumspection, companies can examine the social networking activities of employment candidates. There is nothing unlawful in reading what an individual elects to post about himself. But under antidiscrimination laws it is best to have an employee in a non-decision-making role conduct the search, filtering out any protected class information and reporting only on information that may lawfully be considered. Companies should not “friend” applicants to gain access to their non-public profiles and should be prepared to offer legitimate, non-discriminatory reasons for hiring decisions.

Analogously, online surveys and cookies permit site owners to collect data on visitors, but companies need to abide by data protection legislation in relevant jurisdictions, such as the UK’s Data Protection Act of 1998, lest they risk civil or even criminal liability.

Consider another example: an employee who blogs about the merits of his own organization’s products or services. Presumably, many companies would be delighted. But such statements might amount to an “endorsement,” defined to mean “any advertising message … that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser.”

Under the Federal Trade Commission Act, 15 U.S.C. § 45, FTC has developed guidelines that require disclosures relating to “material connections” between advertisers and endorsers. Such connections “might materially affect the weight or credibility of the endorsement…” 16 C.F.R. § 255.5.

Even when it knows nothing of its employees’ statements, the company could be liable for 1) any false or misleading statements in the employee’s posts or 2) the employee’s failure to disclose the employment relationship even as to statements otherwise truthful. Somewhat analogously, SEC takes the position that a company is responsible for statements made by or on its behalf and that antifraud provisions apply to such statements. On the other hand, a company is not responsible for third-party statements on company-sponsored Web sites, though it should avoid implicitly adopting third parties’ statements by endorsing or selectively posting them.

Another example arises from intellectual property law. Without express authorization, employees should not use third-party music or video clips on company-sponsored sites. User-generated content is particularly problematic when it contains images of persons or their voices. The topic is too involved to attempt to deal with in detail here, but publicity and privacy rights vary by state, and claims could arise if proper authorization is not obtained. The problematic behavior may be the employee’s, but the liability might well be the employer’s.

Social networking may also facilitate harassment and hence harassment claims. In Blakey v. Continental Airlines, 164 N.J. 38 (2000), a pilot claimed sexual harassment and defamation in part because of a co-worker’s postings on an electronic bulletin board on the company’s Internet.

In Doe v. XYC Corp., 382 N.J. Sup. 122 App.Div. (2005), the court held that an employer that knew that an employee viewed child pornography on the Internet was obligated to investigate and act to avoid third-party injury. Depending on the jurisdiction, employers may not only be permitted to investigate reports of employees’ Internet misconduct, but they may be required to and to report dangerous activity to law enforcement.

Highly regulated industries may face particular problems. Pharmaceutical companies, for example, must beware of statements made on Twitter accounts that fail to provide so-called “fair balance.” Twitter’s restrictive format renders this a challenging requirement. Links to the necessary information may furnish a partial solution. To date, FDA has not sent warning letters to drug companies on this issue, but it would be wise to watch for just such activity.

Many privacy questions arising from use of social media are unsettled. The extent to which courts will recognize claims of privilege by employees using company-issued equipment to communicate is a good example.

In Stengart v. Loving Care Agency, Inc., 200 N.J. 204, 976 A.2d 382 (2009), the New Jersey Supreme Court held that attorney/client privilege applied to e-mails sent by an employee using a personal Web-based e-mail account to his personal counsel, even though those messages were sent via an employer-provided laptop, and even though the employer’s policy stated that employees should have no expectation of privacy in communications sent over company equipment.

Yet in Scott v. Beth Israel Medical Center, 17 Misc. 3d 934 (Sup. Ct. NY Co. 2007), a New York court analyzing similar facts found no such privilege. The apparent conflict between these authorities serves to demonstrate that pertinent areas of the law remain in flux, and companies may want to follow developments closely to manage risk.

Another example is City of Ontario v. Quon, No. 08-1332 (S. Ct. Dec. 14, 2009). The Ninth Circuit held that police officers had a reasonable expectation of privacy, even when using police department-owned equipment, and even where official departmental policy, signed by the officers, stated that the department could monitor computer use and electronic communications. The policy did not explicitly cover text messaging. The court found that, notwithstanding its official policy, the department had developed an informal policy that it would not review employee pager text messages so long as the employee did not exceed a text character limit, which would have obliged the city to pay fees. The Supreme Court has heard oral argument in the case and may hand down a decision soon.

To deal with these and other issues, companies need to adopt clear guidelines. Doing so may prophylax against at least some of the legal entanglements that might otherwise ensnare the unwary. The FTC guidelines discussed above, for example, provide that employers who have established appropriate procedures governing employees’ endorsements on blogs are less vulnerable to FTC enforcement actions. The policy-creating team may need to be multidisciplinary, involving, for example, marketing, internal communications, HR compliance, Web development, IT, and of course legal counsel. In developing these policies, companies must also bear in mind, among other considerations, the First Amendment rights of employees. Companies should also train supervisors and managers on how to handle social media issues.

I will not attempt to present a comprehensive set of policy recommendations here. Rather, I will offer examples that, depending on the nature of the company’s business, may be worth considering.

Subject blogs, social networking posts, and more to the same pre-issuance review as other corporate communications. Limit those authorized to blog, post, or tweet on the company’s behalf. Admonish employees not to speak for the company without prior authorization. Before allowing them to post material, get users to electronically sign an agreement transferring their rights to the site owner, thus minimizing copyright problems. To the same end, comply with the Digital Millennium Copyright Act (DMCA), Pub. L. 105-304.

The company should demand that, except as part of a planned corporate communications program, employees should not appear in uniform on the Internet. It can also require issuance of disclaimers, stating that the views of a blogging employee, for example, are his only and not the company’s.

Companies should also explain that employees have no expectation of privacy in the use of company computers, whether connected to the network or not, even where “incidental” personal use is allowed. Make clear that the company can and will monitor all forms of electronic communication on company equipment.

State forthrightly that misuse of social media is grounds for discipline, including termination, and that employees must use good judgment and take responsibility for what they publish. Reiterate that company non-harassment and non-discrimination policies apply. Caution employees that, like e-mail, posts live forever. Post and enforce a take-down policy for any defamatory, infringing, or incorrect content. Prohibit disclosure of copyrighted, insider, confidential, trade secret, or proprietary information; using company e-mail addresses to register for social media sites; and posting false information about the company or its employees, customers, or affiliates. Request that employees bring work-related complaints to HR before posting; avoid discussion of controversial topics online; keep company logos or trademarks off personal blogs and Web pages; refrain from mentioning the company in posts, unless for business purposes; avoid embarrassing the company; and except for company purposes, avoid comment on company matters.

From time to time, there may be violations of even the clearest policies. To have any usefulness, policies must be enforced against both employees and management. Discipline may be justified, and perhaps unavoidable, but it should be imposed only after investigation and advice of counsel. Social media policy should be updated regularly, to reflect changes in both law and technology.

Companies should create a plan of action for a social media disaster. They should also coordinate with local authorities to create policy for recovery from more traditional disasters. It’s useful to select a “designated hitter” and a back-up (or two or three) to handle communications in an emergency. Develop message templates for use in disasters, but be prepared to edit them to suit the specifics. Create lists of evacuation centers, contact data for personnel, etc. As always, rehearse the plan. In an actual disaster, monitor posts for accuracy. Be prepared to correct errors quickly, specifically including posts attacking the company.

Social media promise significant benefits to companies using them well. We need to not be unduly afraid of the risks, but we do need to be aware and take them into account.

Joseph McMenamin is a partner in the Richmond, Va., office of McGuire Woods, LLP. He is an attorney and a former emergency physician with an interest in medico-legal topics related to litigation in particular.