MN Attorneys: What’s Your Policy on Social Media?
Facebook, Twitter, and other social media sites are a little bit like tigers: They’re huge, powerful, and valuable, but sort of dangerous to have in the office. For every customer question answered or event advertised, it seems there’s an employee sharing party photos or spilling the beans about the next product release.
Still, Daniel Goldman, legal counsel at Rochester-based Mayo Clinic, sees great business value in social media sites, despite their potential for embarrassment. “Our brand has been built through word of mouth, and social media is kind of electronic word of mouth,” he says. “And at some level, it’s kind of free consumer research . . . you really immediately hear what people think about you when you’re on social media.”
Even if you shun social media, it won’t necessarily ignore you. “It’s putting your head in the sand to assume that if you’re not on social media and your employees aren’t on social media, that means your company’s not going to get talked about,” Goldman says. “If somebody is saying something about Mayo Clinic on Facebook, I’d frankly rather they say it on our wall, because then we have the opportunity to respond to it and maybe make the situation better.”
But when employees use social media, they often expose their employers to liability, damaged reputations, or security breaches. That’s why many companies’ in-house counsel have created social media policies.
“One thing that happens is that employees will make statements online that could be interpreted as a statement made on behalf of the company,” says Megan Kelley, an associate at Minneapolis law firm Nilan Johnson Lewis. “Or, when they’ve got a very public connection to the company, they’ll engage in behavior that puts the company in a negative light or damages the company’s reputation.”
Employees saying or doing stupid things is hardly a new problem. “What [changed] was the fact that the Internet now documents some of those stupid things in permanent ways, and generally what is documented, either in photos or blog posts or on Facebook, can either be accessed by a certain subset of other people, or the public at large,” says Michael Wilhelm, an associate at Briggs and Morgan, a law firm in Minneapolis. “And there’s always the capacity for those things to kind of spiral out of control and go viral in a way that did not exist before.”
Kelley concurs: “More and more, we’re seeing people’s Facebook posts as exhibits in a harassment case. Maybe a manager was Facebook friends with an employee and made comments on their Facebook page that could be considered harassing in some way, or flirtatious.”
Because these issues are familiar ones, Wilhelm says the most important aspect of a social media policy is its connection and continuity with the company’s other employment policies. “To the extent the employer has an anti-discrimination policy, an ethics policy, a confidentiality policy, those sorts of things should generally be incorporated,” he says. “Really, anything that you want to prohibit offline, you generally also want to prohibit online to the extent you can. I think it’s important to make clear that the standards that the employer expects of the employee in the physical world are also true in the digital world.”
The Whos and Wherefores
Social media policies are as individual as the companies whose lawyers write them. “The amount of detail that they include in a policy depends on a number of things,” Kelley says. “One is just how they generally approach personnel policies. Another is what their business is—how much their business depends on their public image. Another is the makeup of their work force. If they tend to hire a lot of entry-level employees, they probably will have more employees who are conversant in social media and use it regularly. It also depends partly on the extent to which the employer has employees with a legitimate reason to be using social media as part of their job duties.” Jamie Nafziger, a partner at the Dorsey & Whitney law firm in Minneapolis, co-chairs Dorsey’s privacy and social media practice. She says that in some cases, she and her colleagues have created two separate types of policies for their clients. “One is for employees who aren’t going to be using social media as part of their work; a second one is, I would say, more best practices or issue-spotting for the employees who are going to be using social media.”
“Your social media policy should include something about how employees aren’t authorized to speak on behalf of the company on public Facebook pages,” Kelley says. “There’s probably a handful of employees who are, and I’m guessing you only want that to happen on the company’s Facebook page.”
Lee Pulju, general counsel at Universal Hospital Services, Inc. (UHS), a medical equipment services company in Edina, let other companies’ policies inspire her. “A lot of big companies have their social media policies publicly available online,” she says. “So we looked at a wide selection of policies, and it was actually pretty fun. Some companies had actually pretty funny social media policies, really informal. We just chose the parts that made sense for us.”
“I would definitely advise people to look at the policies that are already out there,” Goldman agrees. “I’ve seen ones that are 20 pages; ours started out as a page and I think it’s now a page and a half. There’s no right or wrong way to do it, but I think you can see lots of different approaches and lots of good ideas.”
The Devil is in the Details
The first social-media issue that occurs to many businesspeople is productivity: Are employees making personal posts on Facebook all day? But from the point of view of general counsel, that isn’t usually the elephant in the room. For one thing, the issue may already be addressed in existing policies. That’s the case at Minneapolis-based Thrivent Financial for Lutherans, according to Senior Counsel Mandy Tuong.
“[Our computer use and privacy policies lay out] how you should be using your work computer or your mobile technology,” she says. “Anyway, it’s not really been an issue for us as much. We recognize that people have their own thing going on, and we really only will step in as it pertains to our business.”
What is a big issue is labor law. The National Labor Relations Board looks very dimly on policies that might have the effect of limiting protected concerted activity, such as the discussion of wages, hours, management, and working conditions. Recently, it has released a series of reports that examined social media policies and struck down the portions it considered overly restrictive.
“One of the things that the NLRB has kind of been hard on employers about is not being specific enough,” Wilhelm says. “If you just say ‘Don’t disparage people online,’ the NLRB would say that’s so vague that an employee could look at it and reasonably think that it means that they should not say that their manager was overworking them or not paying them correctly, in which case it would infringe on their protected rights. So you want to include a lot of examples, generally, about things that you would consider a legitimate basis for discipline and termination—not leave it up to an employee’s imagination.”
In the same vein, if the social media policy tells employees not to distribute confidential information online, it should give examples as to which kinds of confidential information it refers to, so that employees could not reasonably misinterpret it to mean working conditions. Does it mean information protected by HIPAA? Does it mean the company’s secret sauce recipe?
“There have been, I think, about three National Labor Relations Board announcements or reports in the last year or so, where people have challenged employer social media policies,” Nafziger says. “And each one, I’d say, is getting stricter on what you can have in the policy. So policies that we might have written three years ago, many provisions of them now would need to be revised.”
Depending on the company, in-house counsel may need to include language about confidentiality in their social media policies. Because UHS is in the health care industry, Pulju says controlling information flow was her main focus. “Our policy is more focused on preventing disclosure of proprietary information to the company or confidential information to our customers,” she explains. “We want people to participate, but we also need to protect the company’s, and also our customers’, confidential or proprietary information. For example, we want people to be transparent. To the extent that they’re commenting on a UHS[-connected] site, we’d want them to identify themselves as being affiliated with UHS. Obviously we don’t want them to disclose any confidential information such as [protected health information].”
Some industries, such as health care, pharmaceuticals, medical products, and finance, have regulatory bodies that may dictate what can and can’t be revealed online, Nafziger says. Public companies that trade on the stock exchange definitely need a policy, because they are subject to certain regulations about how they release information. “Because we’re a financial services company and an investment advisor, we’re subject to SEC regulation as well,” Tuong says. “Occasionally, we’ll get some kind of guidance on how they interpret certain aspects of social media that may or may not affect our policies. The SEC came out in January and said something about how a ‘like’ could be considered a testimonial. Usually I think normal people’s use of a ‘like’ button can be pretty flippant. But in our world it’s really different.”
The flip side of the coin is the privacy of employees: How should it be balanced against the needs of the company? The media is full of stories of employers using social media to screen applicants or to monitor the activities of existing employees. What’s all right and what isn’t?
Technically, anything that isn’t protected by privacy settings and is accessible by the public at large is fair game to look at. “There was a case in New Jersey where a group of employees set up a private chat room on MySpace where they basically went in there to talk trash about their managers,” Wilhelm recalls. “The managers heard about it secondhand, and they coerced an employee to give them access to that chat room. [The employee] testified that she felt that she would be fired if she didn’t do that. The court said that that was a violation of the Stored Communications Act. Any time you’re imitating someone you’re not, or you’re trying to guess somebody’s password or use somebody else’s password, you’re probably crossing the line.”
But hiring is another matter altogether: a Facebook status may inadvertently give a business access to information that cannot legally be used in the hiring process. Kelley and Pulju both agree that employers should not be looking at the Facebook pages of applicants.
“There’s a lot of information available over social media that would not be information that an applicant or a candidate would disclose as part of the recruiting process,” Kelley says. “If somebody posts ‘I spent the weekend at the breast cancer walk celebrating my mother’s third year cancer-free,’ believe it or not, that’s genetic information. If an employer goes looking for that kind of information, they could face liability if they use that in an employment or a hiring decision.”
If recruiters must search online for information, she says, they had better do it for everyone equally. Better yet, they hire a third-party vendor to do the searching for them and release only the relevant information to the person who actually makes hiring decisions.
This sort of information is important to share as part of employee onboarding and routine training. “You want to reiterate in your social media policy the company’s right to monitor employees’ Internet use,” Kelley says. “You want to be very clear to employees that they do not have a right to privacy with respect to activities . . . on company time and company property.
“But the other important aspect is to make sure that policy is clearly communicated to your work force. Tucking it into page 74 of a 200-page employee handbook is probably not going to cut it if you’re really worried about social media issues with your work force.”
“I think the policy is one piece to the puzzle, and I think it’s an important piece,” Goldman says. “But I think the other pieces to the puzzle are training and culture. If the policy just sits on your intranet and nobody’s aware of it, then it really just becomes sort of a gotcha tool, which really isn’t our goal. The goal is, you want employees to use social media and use it responsibly.”