Facebook, Twitter, and the Law: What Every CIO Should Know About Social MediaBy Diana McKenzie & Marty Farrant | Posted 06-06-2011
Facebook, Twitter, and the Law: What Every CIO Should Know About Social Media
Right now, the intersection of social media and the law looks a lot like a street corner where the traffic signal has just stopped working: Things are moving much too fast and you know there's bound to be an accident or two. One of the few things we can say with any certainty is that the state of the law of social media will be vastly different 12 months from now.
With millions of people continuing to share online gigabytes-worth of what was once relatively private information, no business can be completely safe from the unintended and often harmful consequences of all that information being released into the wild.
Today's CIO is frequently seen as the first and last line of defense against those consequences. You are assumed to be experts on how to deal with issues that spring from the use of social networking because, well, "it's one of those computer things."
So, we've prepared a short list of just a few of the types of legal issues that accompany the proliferation of social networking.
Implementing a Social Media Policy
Many CIOs long ago shut the Facebook nation safely outside the gates of their corporate firewalls -- if for no other reason than to increase productivity. However, with the proliferation of mobility, such a lock-out is now unlikely to stop any of your workers from accessing the sites via their wireless devices without your knowledge.
Your company should implement a social media policy that sets ground rules about what kind of information employees are not permitted to publicly post via social media. In addition, your organization should obtain an employee's acknowledgment, in writing, of the policy.
That leads to the million-dollar question: What kinds of social media activity can be prohibited? This is one of the areas where the state of the law is most in flux. Employers who wrongfully terminate an employee over an Internet post can run afoul of state off-duty conduct laws. There are also federal statutes, such as anti-retaliation or discrimination under Title VII, protected "concerted activity" under the National Labor Relations Act (which applies even in non-union workplaces), and the whistleblower provisions of the Sarbanes-Oxley Act.
Here are two informal ways of determining whether an employee should be fired or disciplined for social media activities:
- If your company has a social media policy prohibiting certain postings, and the employee's postings nonetheless cast the company, its management or its customers in a negative light.
- If the company's trade secrets and strategy are being discussed anywhere outside the secure confines of your enterprise.
Social Media's Impact on Hiring Decisions
Some of use may have used social media to find out more about a prospective job candidate. However, it's important to use social media judiciously in making hiring decisions. Be aware that when conducting your due diligence on a potential hire via Internet searches and social media sites, information that wouldn't be fair game in an interview (age, medical conditions, race, religion, sexual orientation, etc.), is often plainly available about the candidate on the Internet. Such information can be the basis for a discrimination claim if that candidate isn't offered a job.
An unscrupulous job seeker may even intentionally put this information on the Internet knowing that a company which refuses to hire him or her will have difficulty "proving the negative" -- that it never saw the information and therefore didn't use it as a basis for its hiring decision.
Social Media and Electronic Discovery
E-Discovery presents a minefield of social media issues for the enterprise.
First, if your company maintains its own Facebook, Twitter, or other social media account as a marketing tool, it should be considered just as susceptible to discovery requests and litigation holds as your email server. Statements your company makes to the public, as well as the public's feedback to you, are ripe for mining by plaintiffs' attorneys.
For example, if the Twitter page for your company's latest product is covered with user comments discussing how that product has a tendency to send folks to the ER, it's likely those posts will fit the broad scope of a discovery request. Even if you don't own or manage the servers on which these "marketing" accounts are hosted, your company should retain records of everything posted in such accounts.
Because litigants can directly subpoena social media companies to obtain these records, there's no tactical advantage in not retaining these records -- especially because doing so can allow your organization to moderate and monitor public feedback, and take proactive steps to correct potential liability issues early.
Conversely, the information posted on social media sites can also be a treasure trove for defense counsel because unsophisticated plaintiffs often write statements that are in direct opposition to the alleged facts of their claims. However, businesses should tread carefully in attempting to gather this information, as obtaining access to an employee's or litigant's social media posts using tactics such as spyware or creating a false identity can lead to liability for invasion of privacy or violations of the Stored Communications Act, Wiretap Act, or other state electronic monitoring statutes.
Unfortunately, when someone in your organization concocts one of these cloak-and-dagger schemes to conduct surveillance on an employee, they'll likely turn to your IT department's for help. The better practice is to let your company's attorneys subpoena the social media site and insist that opposing counsel place a litigation hold on the plaintiff's accounts to prevent any further editing of past posts.
These are but a few of the potential issues that social media presents to today's CIO. As always, consult with your company's attorneys, or a lawyer knowledgeable in information technology law, well before taking action in any of these areas.
About the Authors
Diana J.P. McKenzie is a partner and chair of the Information Technology and Outsourcing Practice Group at Hunter Maclean. She can be reached at 912.238.2627 or email@example.com. Marty G. Farrant is an associate in the Information Technology and Outsourcing Practice Group at Hunter Maclean. He can be reached at 912.238.8833 or firstname.lastname@example.org.