To say that social networking, social media and Web 2.0 have grown exponentially is putting it mildly. Facebook alone has 400,000,000 members, which would make it the third largest country in the world, and Twitter reportedly had 180 million unique visitors in March 2010. Not surprisingly, employers have taken an increased interest in what their employees are saying about them on the thousands of blogs, Twitter and other “micro-blogs,” video and picture sharing sites like YouTube and Flickr, as well as the hundreds of social networking websites like Facebook, MySpace and LinkedIn. Employees’ off-duty social networking can severely injure a business reputation and brand and result in employer liability for cyber-slander, on-line harassment, and the theft of crucial data. However, as this article will discuss, attempting to monitor employees’ off-duty social networking without a coordinated and comprehensive strategy led by senior management can cause serious business and legal risks too.
A 360 degree approach to social networking must take into account that businesses themselves are increasingly using social media for marketing and communication purposes, even though this also poses legal issues for employers. Moreover, efforts by executives to grapple with employees’ off-duty social networking have been complicated by the advent of smart phones (iPhones and Blackberrys) and other technological advances that provide easy access to the Internet, which in turn has blurred the lines between personal and work-related social networking. In sum, company executives who want to monitor the off-duty social networking activity of their employees must understand the legal risks, utilize best practices and take into account their over-arching social media strategies in order to develop comprehensive and legally defensible strategies to address this cultural phenomenon.
The Reasons for Monitoring Employee Off-Duty Social Networking.
A 2009 Deloitte Social Networking Survey found that 74 percent of managers believe employees’ personal postings on social networking sites can put their firms and brands at risk and 60% of those managers believe they have the right to know what their employees are saying about the company on personal social networking Web pages. There are many reasons why employers have become so concerned about employees off-duty social networking.
For one thing, employee off-duty social networking can severely damage a company’s reputation. An egregious example occurred on April 13, 2009 when two Domino’s Pizza employees filmed themselves doing disgusting things with cheese and other ingredients on a delivery order and then posted the video on YouTube. Within two days, the video was viewed by more than a million disgusted viewers and received over 300,000 comments. Over the following week, Domino’s share value plummeted. To deal with this media tsunami, on April 15, Domino’s posted its own YouTube video of its president (which received over 650,000 views and almost 7,000 comments) and set up an official Domino’s Twitter account.
Another example occurred in April 2009, when the Chief of the U.S. Capitol Police had to initiate a public investigation after the Washington Post reported that members of the police force had established a 1,750 member Facebook group called the “Make It Rain Foundation for Underprivileged Hoes” (referring to tossing money at strippers). The group’s Facebook page showed one officer in uniform and another in a Capitol Police T-shirt. It linked to another Facebook group called “Passed Out In Trashcans.”
The incidents involving Domino’s and U.S. Capital Police show why off-duty social networking is an issue for top management. If they do not deal with it beforehand, they may find themselves trying to stop the bleeding after a social media scandal has erupted.
Monitoring Employee Social Networking to Protect Confidential Data.
Employees’ social networking can also result in the disclosure of confidential information. In February 2010, highly confidential personal contact details about thousands of Royal Dutch Shell Company employees located in dangerous parts of the world, which the company claimed compromised their personal safety, were leaked by an employee to a blogger critical of the company. In 2008, the Mayor of Battlecreek, Michigan inadvertently included a link to confidential personal files of city employees in a “tweet” on his personal Twitter account.
The threat of data leakage is one reason why more employers are monitoring employees’ off-duty social networking. However, employees’ off-duty social networking has also led to potential employer liability for electronic harassment of co-workers, cyber-defamation, and other improper employee Internet activities.
Employers could also be liable for employee off-duty social networking under the Federal Trade Commission’s new “Endorsement” Guidelines that became effective on December 1, 2009, if employees make unauthorized endorsements, testimonials and similar positive statements on their blogs and social media sites about the company’s products and services, particularly when the employees fail to disclose who they work for.
Employee off-duty social networking can also lead to a SEC violation if an employee violates the “quiet period” before an initial public offering by blogging about it. Similarly, if an employee blogs or posts about a product, invention or other development more than a year before a patent application, the company can lose significant patent rights.
Even anonymous off-duty blogging by corporate officials using pseudonyms can cause big problems for their employers. The CEO of Whole Foods, John Mackey, frequently posted anonymous comments on Yahoo! Financial message boards using a pseudonym in which he disparaged a smaller competitor Wild Oats and its management. However, when Whole Foods began efforts to acquire Wild Oats, the CEO’s anonymous postings came to light and were cited in a lawsuit filed by the Federal Trade Commission in 2007 to stop the acquisition as being anticompetitive. The SEC also launched an investigation into whether the CEO’s anonymous blog postings were an attempt to defraud the market. Eventually, the government actions were dropped, but only after Whole Foods incurred a substantial amount of attorney’s fees and a substantial amount of adverse publicity from the CEO’s anonymous off-duty blogging.
Monitoring During the Hiring Process Also Poses Risks.
In addition to the above reasons for monitoring personal internet activities, a growing number of employers peruse the Facebook profiles and other social networking activities of job applicants during the pre-hire screening process in an effort to obtain an unvarnished look at the candidates. A recent Microsoft survey noted that 70 percent of the employers surveyed found evidence of poor judgment, immaturity and other undesirable behavior (drinking and drug use, carping about prior bosses, etc.) on candidate’s social networking sites that caused them to reject those candidates.
One example of this occurred in March 2009 when a person offered a job at Cisco tweeted: “Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.” A Cisco associate found the Tweet and reported it to the hiring manager who rescinded the job offer.
However, there are potential risks in monitoring job applicants’ personal social networking. For one thing, employers can’t believe everything they read on the Internet. In J.S. v. Blue Mountain School District, a 2010 decision by the Third Circuit, a student posted a fake profile of a school principal on Facebook with false quotes in the profile suggesting he was a sex addict and a pedophile.
Moreover, even viewing accurate information on an applicant’s Facebook page may be problematic since the Americans with Disabilities Act (ADA) and the newly enacted Genetic Information Non-Discrimination Act (GINA) preclude employers from gathering and using information about an applicant’s present disability, history of health problems, and family medical history. Thus, if an employer finds information about an applicant’s struggles with cancer on his or her Facebook profile, it may taint the hiring process and expose the employer to discrimination claims. Even if an employer tries to insulate its hiring decision-makers by using a third party vendor to do this kind of background checking, the employer may have to comply with the notice and disclosure requirements of the federal Fair Credit Reporting Act, which despite its name encompasses a third party’s review of applicants’ Facebook pages in connection with the employer’s hiring decisions.
Accessing Secure Sites Can Be Especially Problematic.
Employers’ attempts to access employee’ password-protected websites pose special legal risks that include invasion of privacy claims and violating federal laws such as the Stored Communications Act.
In Konop v. Hawaiian Airlines, a 2002 decision by the Ninth Circuit, a dissident employee-pilot (Konop) established on his own time a password-protected, invitation-only website that required members to log-in with a user name and password he provided. On his website, Konop advocated for a dissident union and complained about the company. A Hawaiian Airlines Vice President surreptitiously accessed the pilot’s website using passwords obtained from other pilots and then terminated Konop. Ultimately, Hawaiian Airlines was held liable for the Vice President’s actions because he violated the Stored Communications Act by using the passwords of pilots who had never visited the site and were not “authorized users” who could lawfully give consent.
Similarly, in Pietrylo v. Hillstone Restaurant Group in September 2009, a federal district court in New Jersey affirmed an award of compensatory and punitive damages where a pair of restaurant managers violated the Stored Communications Act by improperly accessing an employee’s private password-protected, invitation-only MySpace chat room that was created during non-work hours so employees could talk about the “crap/drama/and gossip” at the restaurant. The managers used a password obtained from another employee who was a chat room member. However, because she testified that she “would have gotten in trouble” if she had not let the managers use her password, the court held her consent may have been coerced. As a result, the restaurant chain was held liable for compensatory and punitive damages because its managers inadvertently violated the Stored Communications Act.
Konop and Pietrylo illustrates why the monitoring of off-duty social networking cannot be left to middle managers. Rather, senior executives must take a leadership role in deciding when, how and who should monitor employees’ off-duty social networking in order to ensure conformity with the company’s overarching social media policy and the law.
Monitoring Off-Duty Social Networking Must Be Integrated with At-Work Internet Policies.
In addition, no strategy on employee social networking could be considered complete or comprehensive without also addressing employee Internet activity during work hours and using company equipment and systems. A Deloitte 2009 Social Networking Survey finding that 55 percent of employees admitted to visiting social networking sites during work hours (and those were just the ones who admitted it). Not surprisingly, over 70 percent of employers now monitor employee at-work Internet use and many have established electronic communications policies that either prohibit on-the-job social networking or attempt to eliminate any expectation of privacy by employees in social networking involving any company-owned equipment or internet service. However, even monitoring on-duty social networking can cause problems for employers.
In City of Ontario v. Quon, the first social networking case to reach the U.S. Supreme Court, the City of Ontario’s police department provided officers with memory-less pagers that allowed texting but did not preserve images of the texts on the City’s equipment. The police department had a technology policy that did not mention the pagers or texting, but prohibited the personal use of its computer and email systems. Moreover, there was evidence that a supervisor told officers that their texts would not be monitored if they paid overage fees. The question before the U.S. Supreme Court is whether a police sergeant (Quon) had a reasonable expectation of privacy in sexually explicitly texts (i.e., “sexts”) sent to his wife and mistress on the City-owned pagers using the third-party internet service paid for by the City. Another question that the Supreme Court may address is whether the City violated the federal Stored Communications Act when it obtained transcripts of the texts from its third party service provider without the consent of an “authorized user” like Quon. Whatever the Supreme Court decides in Quon, employers need to look at their own social media policies and to make sure they cover all technologies and may not be undermined by mid-level managers.
However, the New Jersey Supreme Court’s 2010 decision in Stengart v. Loving Care Agency indicates that some courts will disregard even broadly worded policies and prohibit employers from monitoring privileged communications between employees and their personal attorneys sent on company computers as long as they used personal password-protected email systems and other measures to protect the confidentiality of the attorney-client communications.
The advent of iPhones, BlackBerrys, iPads and other computer devices now provide employees with remote access to organizations’ data systems and the Internet from virtually anywhere in the world and has greatly increased the complexity of monitoring employees’ off-duty social media activity. These devices may use equipment and internet services that are owned by the company, by the employee, or by a third party provider. Moreover, “Cloud computing” (where a company’s data is no longer maintained on its own computers and servers, but rather is stored on “the Cloud” in hardware and software owned by third party vendors) and “collaborative” computing (in which employees from various entities contribute to the development of shared software and other content — think Wikopedia and other Wikis) has further clouded (pun intended) the issues for executives about who owns what data and how to monitor such activities.
Adding to the confusion is the widespread adoption by many businesses of social networking as a communication tool. A Cisco Study on Business Use of Social Networking released in 2010 found that 31 percent of America’s CEOs are already on Facebook and that 75 percent of organizations use social networks (such as Facebook) as their primary consumer-based social media tool, while a significant percentage of them also use blogs and micro-blogs, such as Twitter, to communicate with customers. These technological advances and changes in business strategies will continue to blur the lines between work-related and personal internet activities, which in turn will only make it more difficult for executives to develop comprehensive social media strategies.
Moreover, as the law continues to develop with cases like Quon and Stengart, there is a need for on-going review of a company’s social networking policies. There is also a need to establish monitoring protocols. Most importantly, they show the need for senior leadership to address the many legal and business issues that arise when employers attempt to monitor their employees’ social networking activities.
Paul E. Starkman ([email protected] or 312.876.7890) is chair of the Labor & Employment practice at the Chicago law firm Arnstein & Lehr LLP. He counsels public and private employers on a broad range of employment-related matters, including issues related to social networking media.