Social Networking / Web 2.0 Revolution

This morning I presented to the Association of Legal Administrators. They asked me to give the view as a lawyer, law firm client, former legal administrator and blogger on what law firms should know about web 2.0. I also mixed in risks, policies and compliance issues.

The crowd was a diverse bunch in terms of how they use the tools personally and at their law firms.

Here are the materials, with references and links to tools I mentioned in the presentation.

Here is a link to my social media policies database.

Here is the slidedeck:

Evolving Employee Rights in the Age of Web 2.0

Morgan Lewis presented an informative webcast on Web 2.0 from the company/employee perspective. These are my notes.

Panelists:

Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You can limit access over the company’s network, but employees have easy access from mobile phones and home computers.

They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need for companies to address social media.

One issue is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not on the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not on a hard drive or network storage that you control.

Personal Use of Mobile Devices

The first issue with privacy is the use of mobile devices. It’s hard to prevent ALL personal use of a company-supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their BlackBerry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.

This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and some lessons that may be coming out of this case. There are some lessons to be learned from this case, even though the decision may be limited to government workplaces.

The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act.

Personal Email

They also took a close look at the . That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.

They raised Convertino v. U.S. Department of Justice (674 F. Supp 2d 97 (D.D.C. 2009)). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the emails immediately after they were sent or received, but didn’t realize that a deleted copy would be kept. The court used a test similar to that used by the Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.

The takeaway is that employers should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.

Proposed Internet/Email Policy

Here are some items they propose:

  • Limit personal use of the company email system.
  • Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
  • All information forwarded or received via the company email system is subject to monitoring and may be stored.
  • All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
  • Back-up copies of electronic communications may exist, even if “deleted” from the computer.
  • Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
  • Describe prohibited activities:
    • Disseminating confidential information;
    • Any actions that could be seen as harassing;
    • “Hacking” and related activities;
    • Tampering with or disabling security mechanisms on company computers;
    • Unauthorized downloads; and
    • Violations of copyright laws.
  • Enforce the policy and punish violators.
  • Obtain signed acknowledgements and post the policy.

HR using Web 2.0

There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.

You should consider whether employees can give recommendations on sites like LinkedIn.

You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.

FTC Guidelines and the Workplace

The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be considered a deceptive testimonial, creating potential liability for the employee and the company.

The FTC guidelines require disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed. (16 C.F.R. §255.5) The FTC will consider the existence of a policy in deciding whether to bring an enforcement action.

A company should make it clear that the policy is applicable across all communication platforms.

Should you search the internet for information on job applicants?

There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.

You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)

Are you liable for false statements made by your employees?

If the company sponsors the content, then yes, the company can be held responsible. Even on a non-sponsored site, if the company does nothing, that could be viewed as assent and the company could be held responsible.

Can you discipline an employee for using these sites?

Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.

If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.

A few states specifically protect off-duty, off-site conduct.

Can you prevent employees from saying bad things about the company?

An injunction acts as a prior restraint on speech. [See: Bynorg v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]

It is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]

If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.

Protect your IP

You want to be careful about how employees are using your logo or other intellectual property on their own sites.

Materials

They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck

FTC and Bloggers

Back in December, the Federal Trade Commission released new guidelines that specifically required bloggers to disclose any material connections to a product or company they are writing about.

The FTC had opened an investigation against Ann Taylor Stores for providing gifts to bloggers who the company expected would post blog content about Ann Taylor’s LOFT stores.

Apparently Ann Taylor missed the memo from their law firm about these guidelines. LOFT held a preview of their Summer 2010 collection and provided gifts to bloggers at a January 26, 2010 event. Bloggers who attended failed to disclose that they received gifts for posting blog content about that event.

“Depending on the circumstances, an advertiser’s provision of a gift to a blogger for posting blog content about an event could constitute a material connection that is not reasonably expected by readers of the blog.”

The FTC decided not to bring an enforcement action and Ann Taylor escaped punishment. The FTC gave these reasons:

  1. The January 26, 2010 preview was the first (and, to date, only) such preview event.
  2. Only a very small number of bloggers posted content about the preview, and several of those bloggers disclosed that LOFT had provided them gifts at the preview.
  3. LOFT adopted a written policy in February 2010 stating that LOFT will not issue any gift to any blogger without first telling the blogger that the blogger must disclose the gift in his or her blog.

Apparently, LOFT posted a sign at the event stating that bloggers should disclose that they received gifts. It seems clear that companies should get a signed agreement from their endorsers about their requirement to disclose before handing out gifts.

As the FTC had stated when they released the Guidelines, they went after the company, not the bloggers, although the FTC may go after the bloggers also.

Sources:

Quon Roundup on Employee Computer Privacy

Lots of discussion about the Quon case focused on the lack of technology expertise by the Justices on the Supreme Court. Actually, most people labeled them as Luddites. DC Dicta even claims that Chief Justice Roberts writes his opinions in long hand with pen and paper.

The issue that I am hoping to see addressed is how a stated policy on the use of a company’s hardware and network can be enforced in light of an employee’s expectations of privacy.

I doubt that issue will be addressed directly. The Quon case involves a government employee so the discussion of the issue will likely focus on the Fourth Amendment protection. These protections are largely irrelevant for private employees.

Even if the Justices avoid the Fourth Amendment issues, they may decide the case under the Stored Communications Act. That’s a rather boring and technical law. It’s also largely irrelevant to the use of a company’s hardware and network, although it may provide some insight for the use of cloud computing and web 2.0 sites.

The United States Government, through the arguments of Neal K. Katyal, Deputy Solicitor General, seemed to ask the Court to adopt a bright-line rule that a company can trump the reasonableness of any employee’s expectation of privacy by issuing a policy that employees have no privacy in communications when using the company-provided hardware or network.

The Justices seemed fairly skeptical of that kind of bright-line rule in their questions of Mr. Katyal.

The problem is that tightly crafting laws to specifically address the use of particular communication technologies will fail. In the current environment, technological advances in communications are moving much faster than the cogs of bureaucracy in crafting regulations. The Supreme Court (well, at least Justice Alito) recognized that the expectations of privacy with new communication technologies are in flux.

“There isn’t a well-established understanding about what is private and what isn’t private. It’s a little different from putting garbage out in front of your house, which has happened for a long time.”

The ruling in the case is expected sometime in June at the end of the Supreme Court’s term. It’s certainly something for compliance professionals to keep an eye on.

Sources:

Image of P2000 Pager.JPG is by Kevster

Taxonomy and Compliance

Compliance often has to deal with great big piles of data. When tackling a big pile of data, it helps to organize the data into a taxonomy. The taxonomy helps with analysis.

Of course, just by choosing the nodes in the taxonomy you are influencing the view of the data.

I was struck by how hard it is to work with a taxonomy in a recent article in the Economist: In Quite a State. The article looked at the many different lists of countries in the world and the many different ways of defining a country.

The US Department of Homeland Security offers 251 choices when you apply online for a visa-free entry. That list includes Bouvet Island, an uninhabited Antarctic volcanic island belonging to Norway in the South Atlantic.

Hotmail offers a menu of 242 countries/regions when you register an e-mail account. The United Nations has 192 member states.

One of the most interesting examples is Taiwan or Chinese Taipei. During the days of the Cold War many countries recognized Taiwan as a separate country because it was the non-communist regime exiled from China. Now that mainland China has become an economic titan, only 23 countries have formal diplomatic ties with Taiwan.

I am always struck by the treatment of Taiwan during the Olympics, when their athletes walk behind a generic Olympic flag instead of the traditional Taiwan flag.

Adding an item to or deleting an item from a taxonomy affects your view of the underlying data and affects the prominence of that item. It’s hard to “flag” a problem if it is not properly identified.

April 15 is Tax Day, Except for Flooding

With the recent flooding in Eastern Massachusetts, several counties were declared federal disaster areas. The bonus is that you have an automatic extension for filing your taxes.

If you live in Bristol, Essex, Middlesex, Norfolk, Plymouth, Suffolk or Worcester County in Massachusetts, you have until May 11 to file your income taxes. That applies to both Federal and Massachusetts filings.

Massachusetts is not alone. These parts of the country were also granted extensions:

  • New Jersey: Atlantic, Bergen, Cape May, Essex, Gloucester, Mercer, Middlesex, Monmouth, Morris, Passaic, Somerset, and Union counties
  • Rhode Island: Bristol, Kent, Newport, Providence and Washington counties
  • West Virginia: Fayette, Greenbrier, Kanawha, Mercer and Raleigh counties

The automatic extension applies regardless of whether you were underwater or high and dry.

Good news for me. I suffered no damage, but can still procrastinate in finishing my taxes.

Sources:

  • TIR 10-7: Extension of Time for Certain Tax Filings and Payments for Taxpayers Affected by March 2010 Severe Storms and Flooding

Nobody Saw It Coming? Magnetar Saw it Coming

After reading Michael Lewis’ The Big Short this weekend, it’s clear that some people saw the collapse of the residential mortgage market coming.

This American Life had a story this weekend about another investor who also saw it coming: Magnetar Capital.

(A magnetar is a neutron star with a magnetic field 100-1000 times stronger than that of an ordinary neutron star.)

The story paints the picture of Magnetar buying the most risky tranche of subprime CDOs while at the same time buying credit default swaps against less risky tranches of the same subprime CDOs.

The equity tranche is the last to get paid, the riskiest portion of the CDO and the hardest to sell. Without someone to buy the equity, a CDO was less likely to be put together in the first place. Also keep in mind that CDOs were often composed of the equity and junkier pieces of mortgage backed securities as well as a kitchen soup of mortgage securities.

Pro Publica and This American Life interpret Magnetar’s trade as one to sustain the volume of subprime CDOs, which sustained the volume of subprime mortgage backed securities, which sustained the origination of subprime mortgage loans, which sustained the bubble in housing prices. They claim that Magnetar’s trades made the bubble worse. By buying the equity tranche, they enabled the creation of the entire subprime CDO and had more to bet against.

Magnetar denies that was their intent. They were merely combining long positions with short positions.

I assume they saw a weakness in the pricing of CDOs and CDO CDSs and made trades to exploit the weakness. Others, like the people in The Big Short, saw weaknesses in CDOs and took bets on their downfall. I doubt any of them realized that the collapse of the CDOs would result in something as catastrophic as the Great Panic.

That didn’t stop This American Life from comparing the Magnetar trades to the plot of The Producers. In the movie, a theatrical producer and his accountant attempt to cheat their investors by deliberately producing a flop show on Broadway. They realize they can oversell the shares in the production and make more money if the show flops than if it becomes successful.

They even made a song parody based on the Broadway musical adaptation of the movie: Bet Against the American Dream.

Sources:

Incentives, Productivity and NUMMI

I recently listened to a great show from This American Life. They covered the story of New United Motor Manufacturing Inc. (NUMMI). General Motors and Toyota opened NUMMI in 1984 as a joint venture so Toyota could start building cars in the US. Toyota showed GM the secrets of its production system and how Toyota made cars of much higher quality and much lower cost than GM.

There are some great lessons in the story for compliance professionals. In part because the story can be seen through the lens of incentives and corporate culture. Two topics that are important to compliance.

For GM plant managers, their pay was based on productivity. They needed to get lots of cars out the door at the end of the assembly line. It didn’t matter whether the car could drive off the line or had to be towed. Workers told the story of cars coming off the line with a Monte Carlo having the front end of a Regal. They would just let them run down the line and out into the yard. Then they were fixed out there (with overtime). The emphasis was on quantity. At GM, the production line could never stop.

The Toyota system empowered the line workers to stop the line if there was a problem they couldn’t fix. The emphasis was to fix the problem at its source and not defer it for later. The emphasis was on quality. (Some of the recent problems at Toyota can be blamed on changing their focus to quantity. They wanted to be the biggest car company in the world.)

In spreading the Toyota system, there was resistance from both the company and the union. The union was opposed because the system was more efficient and would reduce the workers at a plant by 25%. The NUMMI plant was the re-opening of a shut down GM plant. The union was out of work and was more open to change. It was either change the way you work or don’t work at all.

GM had trouble empowering its workers and changing the corporate culture that comes along with the Toyota production line. They thought workers would just stop the line to play cards and get coffee.

It’s worth an hour of your time to listen to the story.

Sources:

N.J. Supreme Court upholds privacy of personal e-mails accessed at work

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

  • A policy should be clear that employees have no expectation of privacy in their use of company computers.
  • A policy needs to explicitly address the use of personal, web-based e-mail accounts accessed through company equipment.
  • A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Sources:

Bentley CS 299

I spent some time this afternoon with Mark Frydenberg’s class at Bentley University: CS 299 Web 2.0 – Technology, Strategy, and Community.

I talked about my perspective on Web 2.0, trying to show how 2.0 tools can be used to help you organize the information you need to do your job better and develop yourself professionally. My take on web 2.0 tools is that they are great for personal knowledge management.

Web 2.0 has some obvious uses for marketing. But that’s like saying you watch television for the ads.

My slide deck is embedded below.

I used Google Docs to create the presentation. It falls far short of PowerPoint for the way I create my presentations. On the positive side, I could access the slide deck from any computer and make an edit when I had an idea.

Updates: