Category: Social Networking and Web 2.0

Are Facebook and MySpace Messages Subject to Discovery?

In the recent case of Crispin v. Audigier, a California judge ruled that Facebook and MySpace messages that aren’t publicly available are protected information under the Stored Communications Act, and therefore can’t be subpoenaed for use in civil litigation.

Buckley Crispin sued clothing maker Christian Audigier for copyright infringement, alleging that Audigier used his artistic material outside the scope of a license agreement. Audigier issued a subpoena to Facebook, MySpace, and two other third parties seeking communications by Crispin about Audigier.

Crispin’s lawyers argued that such communications fell under the Stored Communications Act, which prevents providers of communication services from divulging private communications to certain entities and individuals. A magistrate judge rejected the argument and found that Facebook and MySpace were not Electronic Communications Services and therefore not subject to the protections of the Stored Communications Act. Because the magistrate judge thought the websites’ messaging services are used solely for public display, he found that they did not meet this definition.

Judge Morrow of the US District Court for the Central District of California disagreed and laid out some thoughts about the use of the sites and how they relate to civil litigation. (Law enforcement can always use a warrant to get the information, assuming it is related to a crime.)

The Judge noted that the Stored Communications Act distinguishes between a remote computing service and an electronic communications service.

“electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications (18 U.S.C. § 2510(15)) With certain enumerated exceptions, the Stored Communications Act prohibits an electronic communication service provider from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” (18 U.S.C. §§ 2702(a)(1), (b))

“remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system (18 U.S.C. § 2711(2)) The Stored Communications Act prohibits an remote computing service provider from “knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service.” (18 U.S.C. §§ 2702(a)(2)).

In the end, the decision about whether a particular message is subject to disclosure is dependent on security settings. Different messages in Facebook and MySpace (and other web 2.0 sites) will be subject to different standards.

The judge found that webmail and private messages are inherently private and quashed the subpoena for those messages. With respect to the subpoenas seeking Facebook wall postings and MySpace comments, the decision will be dependent on the person’s privacy settings and the extent of access allowed. If the general public had access to plaintiff’s Facebook wall and MySpace comments then presumably they are subject to discovery in civil litigation.

The Stored Communications Act was passed as part of the Electronic Communications Privacy Act in 1986. This was obviously well before the development of the current internet applications and technology. Courts, including the one in this Crispin case, have found that the application of this nearly 25-year-old statute presents challenges in application to the current use of the internet.

As Facebook changes the privacy settings in its platform, those changes will affect the discoverability of messages in civil litigation.

Sources:

Snake Oil 2.0

From Hugh MacLeod of Gaping Void:

“Anyone who has spent a lot of time studying blogs and Web 2.0, will be fully aware of all the blethering hyperbole that comes with it. Every business model that ever came before is DEAD, to be replaced forever by community! YAY!

Well, some dinosaur business models may be more dead than others, however… life still goes on. People still need to make a buck. People are just as governed by the seven deadly sins as they ever were. Some things never change. All is still vanity.”

Like Hugh, I am a great believer in Web 2.0 and Enterprise 2.0. I just think there is too much hype and too many people trying to sell snake oil.

It’s not about making money and marketing yourself. It’s about sharing ideas, collecting information and connecting with people.

Just about everyone with a substantive blog ends up spending some posts on blogging itself. Even the great criminal defense lawyer and blogger Scott Greenfield will publish an occasional post about blogging.

I’m spending some of that self-reflective time next week at the Enterprise 2.0 conference. My session is on Wednesday afternoon when my panel will talk about policy formation, governance and risk management programs as a critical requirement for the internal and external use of social networking and social media.

Once again the hype comes face to face with the reality of legal requirements and risk. Beware of the snake oil.

Snake Oil 2.0 is by Hugh MacLeod

Social Media and Compliance

Compliance, ethics, and legal executives at Johnson & Johnson, Best Buy, and The Travelers Companies will provide details on their social media policies, programs, and experiences, focusing on a variety of cultural, legal, and disclosure-related issues.

    Featuring:

  • Johnson & Johnson Senior Counsel & Assistant Corporate Secretary Douglas K. Chia
  • Best Buy Chief Ethics Officer Kathleen Edmond
  • The Travelers Companies, Inc. SVP, Chief Compliance Officer & Group General Counsel David Baker
  • Compliance Week Columnist; President, Docket Media LLC; Founder and Editor, Securities Docket, the ubiquitous Bruce Carton (moderator)

I introduced Bruce and the rest of this panel. Then I helped to control the rambunctious crowd.

Travelers is using social media for complaints. You make a claim through their iPhone app. They also use it as a tool for customer service and advertising. They will push out an update on Twitter and Facebook when a catastrophe van in the area of a natural disaster.

Doug is active in social media so he can look at how the company could use social media. Currently their prime use is for their retail products. They are going to where their customers are hanging out. They use the JNJ BTW blog to publish current events at Johnson & Johnson. They are using the corporate twitter (JNJcomm) account to push out information from the shareholder meetings.

Doug highlighted a list of legal, compliance, reputational and logistical issues to consider when a company steps into social media.

Kathleen created her blog to help educate her workforce about what could get you fired. Retail companies have a huge employee turnover. The industry average is close to 100%. If someone is going to tell her story, she wants to be the person to tell it.

Best Buy has lots of social media outlets: Twelpforce, CEO’s Whiteboard, CEO’s Twitter, CMO’s Twitter, CMO’s blog.

She also used internal social media to help develop policies. She used an internal wiki to get feedback on potential policies and issues. She thinks feedback from employees is important in developing good, enforceable policies.

There is the fear of litigation. What you say could cost you and subject you to a lawsuit. Of course, if it’s effective it can save you lots of money by avoiding the bad situations.

It’s tough to work in a conservative company when facing something as innovative as social media.

One company assemble a social media task force to draft a social media policy. They managed to create a user reference manual to give detailed guidelines to the employees.

The audience expressed some concern about the improper disclosure of company information. The panel pointed out that social media is merely a newer avenue for disclosure. People have been able to improperly disclose information for years.

One of the panelists stated that they do block access to social media sites. Another pointed out that employees could just go to their mobile phone or find other ways to waste time.  It seems silly to block access to the sites if you are using the sites to market your company.

An interesting audience question was whether a privacy failure at a social media site would impact the company. Could you be tainted by a Facebook failure. It seems remote.

How do you manage the boundaries between personal and professional uses of social media. Make it clear that you are not stating the company position. Don’t use the company name in your handle or profile name. It’s @dougchia, not @J&JDougChia.

Materials:

David Baker:

Doug Chia

Kathleen Edmond

Martindale-Hubbell Connected Redesign

Lexis-Nexis gave a sneak peak of some upcoming changes to their Martindale- Hubbell Connected social network site for lawyers.

They cleaned up the user interface, with new colors, improved navigation and improved searching.

The current Connected site has been a disappointment. I have a lot of hope for the site because it has the financial backing of Lexis-Nexis and the ginormous content repository of Lexis-Nexis.

They are trying to better combine the public lawyer directory from Martindale.com to the Connected social network. That means they are also redesigning Martindale.com

One surprise was the inclusion of third party advertising. There was an ad for the  Cadillc SRX prominently on the page during part of the demonstration. (I wonder what Paul Lippe would think about placing advertisements in Legal OnRamp.)

They are also creating a subscription model so that you need to pay for access to the full features of the site. It sounds like you get full access to Connected if you have a subscription to Martindale. They were dodgy on the details during the demo. You need to be a premium member to create a group and to send messages to people that you are not “connected” to.

The site will try to push content to you based on you interests. Supposedly the more complete your profile, the better focused the information that will be pushed to you.

They added a “Diversity Information” section, sponsored by the Minority Corporate Counsel Association.  (Unfortunately, there is not much there for a white guy like me.)

The Martindale Peer Review gets a prominent display and lots of detail on how the rating was compiled. That may resuscitate lawyers’ interest in paying for that AV or BV rating.

They are continuing the emphasis on groups within the community. They went a step further and allowed for subgroups within groups. Personally, I think the use of groups is over-emphasized, merely leading to fragmented content. Groups are great for focusing an filtering information. You only need to filter when there is a big flow of information. Connected has too little information flowing to need many filters. LinkedIn had groups for a long time that merely acted as profile badges. Even now that LinkedIn groups can have substantive discussions, most are filled with self-promotion and spam.

They are also changing the privacy, allowing non-members to see the content in public groups and allowing Google to index the public groups. (I’m not sure there is much content to index.)

The redesign is scheduled to be deployed on June 2.

Update on the Social Media Policies Database

My social media policies database is now up to 162 policies. I troll the internet periodically to add new policies as they become public.

If you are looking to draft your own social media policy, the policies in the database are a good place to start.

Currently they are organized into these industries

  • Education (5)
  • Financial (2)
  • Government (40)
  • Healthcare (17)
  • Law Firm (3)
  • Media (18)
  • Non-profit (11)
  • Professional services (16)
  • Retail (10)
  • Sports (3)
  • Technology (24)
  • Utility (1)

Plus, there are a 10 generic templates.

Clearly, government is over-weighted in the database. Is it because government bodies are ahead of private industry when it comes to creating social media policies? I doubt it. I think they are just more likely to publish the policy or otherwise make it publicly available.

If you want to contribute a policy to the database, you can use the form below.

Social media bandwagon image is by Matt Hamm under a creative commons license.

.

Interact 2010:Governing Social Media

The folks at Mitratech were nice enough to send me to Miami to talk at their annual Interact 2010 conference to talk about social media and compliance. This was the session description:

Governing Social Media: How to Monitor, Manage and Make the Most of Employee Use of Social Media

  • Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners, LLC (that’s me)
  • Kathleen Edmond, Chief Ethics Officer, Best Buy
  • Scott Giordano, Director, Product Marketing, Mitratech
  • Janice Innis-Thompson, SVP & Chief Compliance Officer, TIAA-CREF

Corporate Communication takes on a whole new meaning in a world of social media, where employees can freely post their views and spread documents, photographs and even videos across the globe with a click of a mouse. Companies that are ahead of the curve not only have established policies regarding use of social media sites by their executives and employees, but also are finding ways to use social media to their competitive advantage. Join our panel to hear about the risks and rewards that a well managed approach to social media can bring.

Here is the slide deck from our panel discussion:

Governing Social Media

Social Networking / Web 2.0 Revolution

This morning I presented to the Association of Legal Administrators. They asked me to give the view as a lawyer, law firm client, former legal administrator and blogger on what law firms should know about web 2.0. I also mixed risks, policies and compliance issues.

The crowd was a diverse bunch in terms of how they use the tools personally and at their law firms.

Here are the materials, with references and links to tools I mentioned in the presentation.

Here is a link to my social media policies database.

Here is the slidedeck:

ALA social networking web 2.0 revolution

Evolving Employee Rights in the Age of Web 2.0

Morgan Lewis presented and informative webcast on Web 2.0 from the viewpoint of the company/employee perspective. These are my notes.

Panelists:

Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You limit access over the company’s network, but employees have easy access from mobile phones and home computers.

They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need of company’s to address social media.

One issues is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not your hard drive or network storage that you control.

Personal Use of Mobile Devices

The first issue with privacy is the use of mobile devices. Its hard to prevent ALL personal use of a company supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their blackberry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.

This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and some lessons that may be coming out of this case. There are some lessons to be learned from this case, even though the decision may be limited to government workplaces.

The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act

Personal Email

They also took a close look at the . That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.

They raised the Convertino v. U.S. Department of Justice (674 F. Supp 2d 97 (D.D.C. 2009). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the email, but didn’t realize that a deleted copy would be kept. He deleted the emails immediately after they were sent or received.  The court used a similar test as that used in Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.

The take away is that employees should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.

Proposed Internet/Email Policy

Here are some items they propose :

  • Limit personal use of the company email system.
  • Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
  • All information forwarded or received via the company email system is subject to monitoring and may be stored.
  • All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
  • Back-up copies of electronic communications may exist, even if “deleted” from the computer.
  • Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
  • Describe prohibited activities:
    • Disseminating confidential information;
    • Any actions that could be seen as harassing;
    • “Hacking” and related activities;
    • Tampering with or disabling security mechanisms on company computers;
    • Unauthorized downloads; and
    • Violations of copyright laws.
  • Enforce the policy and punish violators.
  • Obtain signed acknowledgements and post the policy.

HR using Web 2.0

There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.

You should consider whether employees can give recommendations on sites like LinkedIn.

You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.

FTC Guidelines and the Workplace

The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be consider a deceptive testimonial, creating potential liability for the employee and the company.

The FTC guidelines requires disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed. (16 C.F.R. §255.5 ) The existence of a policy will consider the existence of a policy in deciding in whether to bring an enforcement action.

A company should make it clear that the policy is applicable across all communication platforms.

Should you search the internet for information on job applicants?

There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.

You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)

Are you liable for false statements made by your employees?

If the company sponsors the content, then yes the company can be held responsible. Even on a non-sponsored site, if the company does nothing then that could be viewed as assent and be held responsible.

Can you discipline an employee for using these site?

Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.

If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.

A few states specifically protect off-duty, off-site conduct.

Can you prevent employees from saying bad things about the company?

An injunction acts as a prior restraint on speech. [See: Bynorg v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]

It  is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]

If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.

Protect your IP

You want to be careful about how employees are using your logo or other intellectual property on their own sites.

Materials

They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck

FTC and Bloggers

Back in December, the Federal Trade Commission released new guidelines that specifically required bloggers to disclose any material connections to a product or company they are writing about.

The FTC had opened an investigation against Ann Taylor Stores for providing gifts to bloggers who the company expected would post blog content about Ann Taylor’s LOFT stores.

Apparently Ann Taylor missed the memo from their law firm about these guidelines.  LOFT held a preview of their Summer 2010 collection and provided gifts to bloggers at January 26, 2010 event. Bloggers who attended failed to disclose that they received gifts for posting blog content about that event.

“Depending on the circumstances, an advertiser’s provision of a gift to a blogger for posting blog content about an event could constitute a material connection that is not reasonably expected by readers of the blog.”

The FTC decided not to bring an enforcement action and Ann Taylor escaped punishment. The FTC gave these reasons:

  1. The January 26,2010 preview was the first (and, to date, only) such preview event.
  2. Only a very small number of bloggers posted content about the preview, and several of those bloggers disclosed that LOFT had provided them gifts at the preview.
  3. LOFT adopted a written policy in February 2010 stating that LOFT will not issue any gift to any blogger without first telling the blogger that the blogger must disclose the gift in his or her blog.

Apparently, LOFT posted a sign at the event stating that bloggers should disclose that they received gifts. It seems clear that companies should get a signed agreement from their endorsers about their requirement to disclose before handing out gifts.

As the FTC had stated when the released the Guidelines, they went after the company not the bloggers. Although the FTC may go after the bloggers also.

Sources:

Quon Roundup on Employee Computer Privacy

Lots of discussion about the Quon case focused on the lack of technology expertise by the Justices on the Supreme Court. Actually, most people labeled them as Luddites. DC Dicta even claims that Chief Justice Roberts writes his opinions in long hand with pen and paper.

This issue that I am hoping to see addressed is how a stated policy on the use of a company’s hardware and network can be enforced in light of an employee’s expectations of privacy.

I doubt that issue will be addressed directly. The Quon case involves a government employee so the discussion of the issue will likely focus on the Fourth Amendment protection. These protections are largely irrelevant for private employees.

Even if the Justices avoid the Fourth Amendment issues, they may decide the case under the Stored Communications Act. That’s a rather boring and technical law. It’s also largely irrelevant to the use of a company’s hardware and network. Although it may provide some insight for the use of cloud computing and web 2.0 site.

The United States Government, through the arguments of Neal K. Katyal, Deputy Solicitor General, seemed to ask the Court to adopt a bright-line rule that a company can trump the reasonableness of any employee’s expectation of privacy by issuing a policy that employees have no privacy in communications when using the company-provided hardware or network.

The Justices seemed fairly skeptical of that kind of bright-line rule in their questions of Mr. Katyal.

The problem is that tightly crafting laws to specifically address the use of particular communication technologies will fail. In the current environment, the technological advances in communications is moving much faster than the cogs of  bureaucracy in crafting regulations. The Supreme Court (well, at least Justice Alito) recognized that the expectations of privacy with new communication are in flux.

“There isn’t a well-established understanding about what is private and what isn’t private. It’s a little different from putting garbage out in front of your house, which has happened for a long time.”

The ruling in the case is expected sometime June at the end of the Supreme Court’s term. It’s certainly something for compliance professionals to keep an eye on.

Sources:

Image of P2000 Pager.JPG is by Kevster