Morgan Lewis presented and informative webcast on Web 2.0 from the viewpoint of the company/employee perspective. These are my notes.
Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You limit access over the company’s network, but employees have easy access from mobile phones and home computers.
They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need of company’s to address social media.
One issues is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not your hard drive or network storage that you control.
Personal Use of Mobile Devices
The first issue with privacy is the use of mobile devices. Its hard to prevent ALL personal use of a company supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their blackberry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.
This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and some lessons that may be coming out of this case. There are some lessons to be learned from this case, even though the decision may be limited to government workplaces.
The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act
They also took a close look at the Stengart v. Loving Care. That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.
They raised the Convertino v. U.S. Department of Justice (674 F. Supp 2d 97 (D.D.C. 2009). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the email, but didn’t realize that a deleted copy would be kept. He deleted the emails immediately after they were sent or received. The court used a similar test as that used in Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.
The take away is that employees should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.
Proposed Internet/Email Policy
Here are some items they propose :
- Limit personal use of the company email system.
- Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
- All information forwarded or received via the company email system is subject to monitoring and may be stored.
- All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
- Back-up copies of electronic communications may exist, even if “deleted” from the computer.
- Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
- Describe prohibited activities:
- Disseminating confidential information;
- Any actions that could be seen as harassing;
- “Hacking” and related activities;
- Tampering with or disabling security mechanisms on company computers;
- Unauthorized downloads; and
- Violations of copyright laws.
- Enforce the policy and punish violators.
- Obtain signed acknowledgements and post the policy.
HR using Web 2.0
There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.
You should consider whether employees can give recommendations on sites like LinkedIn.
You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.
FTC Guidelines and the Workplace
The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be consider a deceptive testimonial, creating potential liability for the employee and the company.
The FTC guidelines requires disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed. (16 C.F.R. §255.5 ) The existence of a policy will consider the existence of a policy in deciding in whether to bring an enforcement action.
A company should make it clear that the policy is applicable across all communication platforms.
Should you search the internet for information on job applicants?
There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.
You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)
Are you liable for false statements made by your employees?
If the company sponsors the content, then yes the company can be held responsible. Even on a non-sponsored site, if the company does nothing then that could be viewed as assent and be held responsible.
Can you discipline an employee for using these site?
Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.
If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.
A few states specifically protect off-duty, off-site conduct.
Can you prevent employees from saying bad things about the company?
An injunction acts as a prior restraint on speech. [See: Bynorg v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]
It is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]
If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.
Protect your IP
You want to be careful about how employees are using your logo or other intellectual property on their own sites.
They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck