Big Brother isn’t just watching. A single mother in upstate New York was surprised to find that she had a Facebook page in her name, complete with photos of her, her son, and her niece. She hadn’t actually set up the page. It turned out that she was being investigated as a bit player in a federal drug investigation and that the Drug Enforcement Administration had created the page in her name, without her permission. The page, which has since been taken down, used the woman’s real name as well as photos from her cell phone, which had been seized by the DEA. The DEA even went so far as to send and accept friend requests for the woman. The woman was sentenced to probation and has sued the DEA agent who put up the page. Facebook says impersonating someone to set up a page is a clear violation of its terms of service.

Transparency vs. security. Twitter and other technology and communications companies frequently receive requests from the U.S. government for user data that the government asserts it needs for national security purposes. In the interest of transparency, these companies wish to disclose how many such requests they have received, if any, in a given span of time. The government wants to restrict the dissemination of this information and, earlier this year, it reached a settlement on the issue with Google, Microsoft, LinkedIn, Facebook, and Yahoo. Twitter did not reach any such settlement and it has now sued the government in U.S. District Court in California, claiming that the government restrictions violate the First Amendment. The government argues that the more is known about its sources and methods in collecting national security data, the less secure the nation will be. This should be an interesting First Amendment case.

In the city there’s a thousand things. There’s been a lot of talk about “the Internet of things.” Google now wants to bring the Internet of things directly to city dwellers. What about Zipcars that broadcast when they’re available, or bus stops that communicate with your mobile device about the next bus arrival? As part of its “Physical Web” initiative, Google is seeking to bring these and similar features to the urban environment. The idea is to interconnect seemingly unconnected physical objects that city dwellers encounter on a daily basis. As a Google designer says, “Just tap and use.”

  • Where are the CEOs? According to a new study, fully two-thirds of the CEOs of the Fortune 500 have no personal social media presence at all. And of the ones who do participate in social media, two-thirds use only one of the major networks, usually LinkedIn.  Just 42 of the senior executives have Twitter accounts, and many of those are pretty inactive. The same number of the Fortune 500 CEOs use Facebook – still not very many at all. In an age in which virtually every company wants to brand itself on social media, it’s a bit surprising that so many of the top people have no personal experience with it.
  • Facebook lawsuit can proceed. A New York state appeals panel has permitted a lawsuit by Facebook against the Manhattan District Attorney’s office to proceed.  Facebook had sued the D.A.’s office over search warrants issued to 381 users of the network by the prosecutors in a fraud investigation. The appeals panel rejected prosecutors’ motion to dismiss Facebook’s challenge to the warrants and also gave several technology companies — among them Google, LinkedIn and Twitter — permission to file briefs supporting Facebook’s position. A full appellate hearing will occur in December. The closely watched case pits Fourth Amendment protection against prosecutors’ need for data stored by social media companies.
  • Hanging on the Vine. Vine, which began as a network in which people could share bare-bones six-second videos, has become an important venue for pop singers, actors and other entertainers who appeal to younger viewers. One observer said Vine has “an intensive burst perfect for the increasingly short attention span of Generation Z.” Vine is less than two years old but already seems to have found a niche, as top “Viners” have millions of followers on the site.
  • May a lawyer ethically instruct a client to delete potentially damaging information from a client’s Facebook page? According to a new ethics opinion from the Philadelphia Bar Association, yes, so long as the information is preserved in some way, should it become relevant to the case. The opinion also determined that, under the Pennsylvania Rules of Professional Conduct, a lawyer may ethically instruct a client to change the privacy settings on a client’s Facebook page.  It remains to be seen whether other bar associations will follow Philadelphia’s lead on these thorny issues.
  • Google reportedly noticed probable child pornography in someone’s email and tipped off police, who obtained a search warrant and arrested the Houston man for possession of child pornography. This is clearly permitted by Google’s terms of service. While no one has sympathy for predators, some have expressed concern over the privacy implications of Google’s actions.
  • LinkedIn has announced that it is launching a new service designed to help buyers and salespeople find each other. The service is called Sales Navigator. It could help diversify LinkedIn and make it more profitable, experts say, and it could also pose strong competition to the existing, and pricey, software platforms that salespeople currently use to find customers.
  • Since launching its Google+ social network three years ago, Google has insisted that Google+ users use only their real names on the network — no pseudonyms.  Perhaps in an effort to attract more users to Google+, the company has now abandoned its real-name policy — but has this change arrived too late to have an impact?
  • Airbnb, perhaps the best known “sharing economy” platform, reportedly plans to launch a major redesign soon and may be moving well beyond its current business of providing short-term apartment rentals.
  • LinkedIn has just acquired Newsle, a three-year-old service that scours the Web for news items regarding a user’s friends, colleagues and acquaintances (as gleaned from the user’s LinkedIn, Facebook and email contacts), and makes available such news items to the user.

Following our post on U.S. lawsuits concerning the ownership of LinkedIn and Twitter accounts, we report on a recent United Kingdom High Court ruling that considered who was entitled to operate four LinkedIn Groups, and other UK cases that have addressed related issues.

Before we describe the High Court’s ruling, it is important to provide a bit of background.  As with other social media services, opening a LinkedIn account requires an individual to enter into a contract with LinkedIn.  LinkedIn’s User Agreement prohibits account holders from transferring their accounts to another party.  Strictly speaking, then, the question is less one of, “Who owns a given LinkedIn account?” than the equally important question of who owns or controls the contacts accumulated by that account:  are those contacts the confidential information of the account holder’s employer, or are they the property of the account holder himself or herself?  And what about LinkedIn Groups, described on LinkedIn as “a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts”?  Does an employer have any proprietary interest in a LinkedIn Group that was set up and operated by an employee in connection with his or her employment, once that employee leaves the company?

Before third-party networks such as LinkedIn existed, the position in the UK with regard to the ownership of company contact lists and databases was relatively straightforward:  materials created during the course of employment are owned by the employer and are the employer’s confidential information.  However, in the social media context, the position is not so clear-cut.  If employees are encouraged to use LinkedIn in connection with their employment and so accumulate contacts, can the employer prevent employees from using those contacts when their employment terminates?

Although there is not, as yet, any definitive UK legal authority on the issue, two cases now give an indication of the position that the UK courts will likely take on this issue.

First, back in 2008, in the UK High Court case of Hays v Ions, Mark Ions, a former employee of recruitment company Hays, was ordered to hand over details of contacts that he had migrated from his work email address book to his personal LinkedIn account.  Hays had alleged that Ions transferred the contacts while working at Hays with a view to their subsequent use in connection with his own rival business.  Ions argued that Hays had encouraged his use of LinkedIn to connect with clients and that, once the Hays contacts accepted his own LinkedIn invite, those contacts ceased to constitute Hays’ confidential information because the information was then accessible to others on LinkedIn.  The court did not accept Ions’ argument and noted that, even if Ions had had permission to use client email addresses to connect with clients, it was unlikely that this extended to the use of such information outside his employment with Hays.

Despite ordering the disclosure of the Hays contacts and all emails and documentation relating to such contacts and any business obtained from them, the judge in that case held that Ions was not required to disclose all of his LinkedIn contacts to Hays because those contacts could include many persons who had no contact with Hays.  This suggests that the judge accepted that the entire LinkedIn account, although originally operated by Ions in the course of his employment, was not material proprietary to Hays, his employer.

We now have a second court ruling in the UK relating to the ownership of LinkedIn accounts.  In July 2013, the UK High Court considered who was entitled to operate four LinkedIn Groups that had been set up by an ex-employee when that employee left the company.  In Whitmar Publications Ltd v Gamage, Wright, Crawley and Earth Island Publishing Ltd, three employees had resigned from Whitmar to work for Earth Island, a rival publishing company that the employees had set up a few months earlier.  Whitmar alleged that the defendants had taken steps to compete against Whitmar while still employed by the company, in that they had misused Whitmar’s confidential information, infringed its database rights and breached their terms of employment.  Concerning the LinkedIn Groups at issue, Whitmar claimed that although the Groups had been managed by Ms. Wright—one of the former Whitmar employees—on behalf of Whitmar as part of her employment, the defendants had used them for the benefit of their rival business while still employed by Whitmar.  Whitmar sought an interim injunction to prevent the defendants from using, exploiting or divulging to any third party any of the information contained in these LinkedIn Groups.  Given that this was an emergency application, the court made a preliminary assessment of the evidence only.

The court agreed that Whitmar had a strong case that the defendants had been actively competing against Whitmar while still employed by it, in breach of the terms of their employment.  Further, the court rejected Wright’s claim that the LinkedIn Groups were personal to her and merely a hobby; Wright was responsible for dealing with the LinkedIn Groups as part of her employment duties at Whitmar, and the Groups operated for Whitmar’s benefit and promoted its business, as evidenced by the fact that Wright had used Whitmar’s computers to carry out her work on the LinkedIn Groups.  The judge also agreed that information contained within the LinkedIn Groups appeared to have been used as the source of the email addresses used to publicize an Earth Island launch event.

Ultimately, the court granted an order requiring the defendants to facilitate the exclusive access, management and control of the LinkedIn Groups to Whitmar, ordering the defendants not to access or do anything that would prevent Whitmar from accessing the Groups, and preventing the defendants from using, exploiting or divulging to any third party any of the information contained in the Groups.  In effect, the judge decided that Whitmar had a good chance of succeeding at full trial based on the available evidence.

Since the judgment in the first phase of the case, the parties have entered into an out-of-court settlement that, according to Whitmar’s website, means that the ex-employees will not enter into or fulfill any contract with a number of Whitmar clients or customers until December 20, 2013.  The ex-employees have also returned control of a number of LinkedIn Groups to Whitmar.  Unfortunately for legal purists, but maybe happily for the parties, as a result of the settlement we won’t now get to know how the court would have ultimately ruled at full trial.

It is also worth noting that, in 2012, a UK employment tribunal case, Flexman v BG Group, raised an altogether different issue related to an employee’s use of LinkedIn: can an employee in the UK be dismissed for using LinkedIn to search for job opportunities?

In the first case of its kind, the tribunal ruled that John Flexman, an HR manager at BG Group, had been constructively dismissed following a dispute concerning his LinkedIn account.  BG Group had claimed that Flexman breached its social media policies by uploading his CV to LinkedIn and ticking the “career opportunities” box on his LinkedIn profile.  It also accused Flexman of breaching confidentiality by stating on his CV that he was assisting the company in reducing its “attrition rate.”  As a result, the company had ordered Flexman to remove any mention of BG Group from his LinkedIn profile, other than his job titles and the dates he had worked there.  Flexman refused and demanded to know the source of the complaint.  After a dispute arose, Flexman faced an internal disciplinary hearing, with risk of dismissal, and Flexman eventually resigned and claimed constructive dismissal.  The tribunal upheld Flexman’s claim of constructive dismissal due to unacceptable delays in the company’s handling of the case and the company’s failure to address a grievance related to the incident.  Unfortunately, the tribunal did not specifically address whether merely uploading a CV and ticking the career opportunities box was, indeed, a disciplinary matter.

As with the U.S. lawsuits we described in our earlier post on Socially Aware, these UK cases highlight the need for organizations to have clear social media policies in place in order for employees to understand what is expected of them when using business-related social media accounts.

On April 15, 2013, the Associated Press’s Twitter account reported that President Obama had been injured in an explosion at the White House. Within seconds of the announcement, the Dow Jones Industrial Average plummeted more than 150 points. Fortunately, the President’s Press Secretary quickly confirmed that the President was unharmed and, soon after, the Associated Press announced that its Twitter account had been hacked. Although this was perhaps the most significant instance of a Twitter account being hacked, it was only one of many similar events—the Twitter accounts of the BBC, the CBS News programs “60 Minutes” and “48 Hours” and even Burger King have all been the victims of recent hacker attacks.

In late May 2013, possibly in response to calls by various news organizations and blogs to institute a more stringent authentication system, Twitter announced the launch of an optional two-factor authentication feature.

In a two-factor authentication system, accessing an account requires a second level of authentication in addition to the single level of authentication that a login system typically requires. Login systems with a single level of authentication ordinarily require a user to simply enter a username and password to log in. Two-factor authentication further requires a user to provide an extra set of credentials to log in, which could consist of anything from the individual’s fingerprint or voice print, to a physical ATM card or a code provided by telephone. With Twitter’s two-factor authentication system, as a second layer of authentication, a user is required to enter a verification code that is sent to the user’s mobile phone. Therefore, in order to hack into a Twitter user’s account that has enabled two-factor authentication, a hacker would not only need to know the user’s username and password, but also would need access to the user’s mobile phone (or some other means of accessing the user’s mobile phone messages) in order to obtain the verification code.

For users who wish to enable this additional level of security, Twitter has provided a helpful walkthrough of the activation process. To activate two-factor authentication, a user can visit his or her account settings page, scroll down to the “Account Security” section, and select the box that reads, “Require a verification code when I sign in.” Twitter has provided the following image to help users easily locate this option:

After selecting this option, a user will be prompted to enter his or her phone number, after which Twitter will send the user’s mobile phone a text message that includes a one-time, six-digit verification code. Assuming the user receives that text, he or she would need to return to Twitter, click “yes” in the “Did you receive our message?” window, and enter the code from Twitter’s text message.

From that point forward, each time the user attempts to log in to the Twitter site, a new six-digit code will be sent to the user’s phone, to be entered in the following window:

Twitter’s decision to implement two-factor authentication is a welcome step towards greater account security in the digital world. And Twitter is hardly alone in shifting towards this system. Two-factor authentication is part of a broader trend toward heightened security that is currently being adopted by many similarly situated online service providers. Both Facebook and Google have provided their users with the option of turning on two-factor authentication since 2011, and there have been recent reports that Google may make two-factor authentication mandatory. Further, shortly after Twitter announced its implementation of two-factor authentication, LinkedIn announced that it also had introduced an optional two-step verification feature.

Twitter’s introduction of two-factor authentication following the hacking of the Associated Press’s Twitter account is just one example of how the social media world seeks to rapidly adapt to increasing threats to user security. Moreover, it clearly illustrates why companies with social media accounts should consider switching to two-factor authentication on platforms that offer it, to help mitigate the risks of potentially embarrassing or injurious online situations.
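The second step of the login flow described above, as an added example that is not Twitter's code: after the password check succeeds, the server issues a one-time six-digit code to the user's phone and accepts it only once, within a time limit and a capped number of tries. The five-minute lifetime, the five-attempt cap, the class and method names and the `send_sms` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: guesses allowed per issued code


@dataclass
class PendingCode:
    digest: bytes         # keyed hash of the code, never the code itself
    expires_at: float
    attempts_left: int


class SmsSecondFactor:
    """Server side of a 'verification code by text message' second factor."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms              # hypothetical SMS gateway callback
        self.clock = clock                    # injectable so expiry can be tested
        self.key = secrets.token_bytes(32)    # per-process key for the keyed hash
        self.pending = {}                     # username -> PendingCode

    def digest(self, username, code):
        # Bind the code to the account so it cannot be replayed for another user.
        msg = f"{username}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def start_login(self, username, phone):
        """Call only after the username and password have been verified."""
        # secrets, not random: the code must be unpredictable to an attacker.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = PendingCode(
            digest=self.digest(username, code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self.send_sms(phone, f"Your verification code is {code}")

    def finish_login(self, username, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[username]        # expired: user must request a new code
            return False
        entry.attempts_left -= 1
        # Constant-time comparison avoids leaking how much of a guess matched.
        ok = hmac.compare_digest(entry.digest, self.digest(username, str(submitted)))
        if ok or entry.attempts_left == 0:
            # One-time use on success; on exhaustion, a six-digit space
            # cannot be searched by repeated guessing.
            del self.pending[username]
        return ok


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the user's phone
    second_factor = SmsSecondFactor(lambda phone, text: outbox.append((phone, text)))
    second_factor.start_login("alice", "+15555550100")  # constructed sample values
    code = outbox[-1][1][-6:]
    print("correct code accepted:", second_factor.finish_login("alice", code))
    print("same code replayed:   ", second_factor.finish_login("alice", code))
```
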

Article courtesy of Morrison & Foerster’s MoFo Tech

As financial institutions and investors turn to social media to instantly share snippets of news and potential clues about market trends, the FBI and SEC are monitoring such postings for evidence of insider trading and improper investment information. Companies must comply with pre-Internet federal securities laws covering antifraud, advertising, record keeping, and more, even though the use of Facebook and Twitter is far outpacing the development of federal regulations aimed at social media.

Late last year, two FBI agents told Reuters that they see social media as a breeding ground for insider trading and securities fraud. “If there is any way to exploit it, these individuals will,” one agent said. The FBI also began a public search for an application that would scan social media for national security threats. “In trying to establish whether a trader who made significant gains in advance of market-moving news got nonpublic information from a company insider, the FBI might be interested in a list of the trader’s friends and contacts on social media sites,” says J. Alexander Lawrence, a Morrison & Foerster partner who works in securities law. “Evidence on Facebook, LinkedIn, or other sites could help the FBI connect the dots.”

Government investigators have been pursuing insider traders with growing intensity, according to Morrison & Foerster’s 2012 Insider Trading Annual Review. One reason could be the relative lack of success in bringing cases related to the financial crisis. “While the SEC and DOJ have been criticized, fairly or not, for not bringing more cases arising from the financial crisis—especially against individuals—both agencies have received abundant praise for their crackdown on insider trading,” the report concluded.

When communicating information through social media channels, companies have had to carefully consider whether material nonpublic information is being selectively disclosed in violation of Regulation FD. The SEC recently clarified its views regarding the applicability of Regulation FD to social media in a Report of Investigation which concluded that disclosure of material nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the social media site may be used for this purpose, is unlikely to qualify as an acceptable method of disclosure under the securities laws.

However, the SEC indicated that companies using social media to communicate information could apply existing guidance on the use of corporate websites in determining if that information is adequately being disseminated through social media channels so that a company won’t run afoul of Regulation FD, which would include taking steps to notify the market that material information about the company can be gleaned from those social media channels.

There are legal uncertainties about how far investigators can go in seeking information that is not publicly available on social media. Courts have ruled that certain messages sent on social media are protected under the Stored Communications Act, which limits the government’s power to force Internet service providers to disclose customer information. In addition, “friending” someone for the sole purpose of uncovering evidence may go against Facebook’s terms of service. States differ as to whether investigations led by attorneys can use deception, such as “friending” someone to uncover evidence, says Carl H. Loewenson Jr., a Morrison & Foerster partner and co-chair of the firm’s Securities Litigation, Enforcement, and White-Collar Defense Group. “If a prosecutor directs agents to do that, there is the risk of ethical violations resulting from engaging in misrepresentation under some state bar rules,” he says.

According to a federal judge in Oklahoma in Pre-Paid Legal Services, Inc. v. Cahill, simply sharing information about a new job over social media does not mean that you are inviting former co-workers to come join you in violation of a non-solicitation agreement.

On February 12, 2013, U.S. District Court Judge James Payne of the Eastern District of Oklahoma adopted Magistrate Judge Steven Shreder’s report and recommendation on plaintiff Pre-Paid Legal Services, Inc.’s motion for preliminary injunction. Judge Shreder, among other things, rejected issuing an injunction against former employee Todd Cahill’s online activities. In doing so, the court held that general posts on a personal Facebook page about a new employer and invitations to former coworkers to join him on Twitter did not violate Cahill’s non-solicitation agreement.

Cahill was originally hired as a sales associate for Pre-Paid Legal Services, now known as LegalShield. Like Amway, LegalShield generates sales through its multi-level marketing program. Sales associates are rewarded not only for selling the product, but also for building their own team of junior sales associates. A percentage of every sale made by a recruit accrues to the associate who recruited them.

LegalShield tracks the contact information and performance statistics of each associate’s “downline,” the network of recruits, using a password-protected site. Cahill supplemented these resources with private Facebook pages of his own creation, to better communicate with the top sellers in his downline.

Cahill thrived at LegalShield, rising from sales associate to regional manager and eventually becoming a regional vice president. Upon promotion to regional manager, Cahill signed an agreement that included a non-solicitation provision.

In 2012, Cahill decided to leave LegalShield to work with a skin-care company called Nerium, also a multi-level sales firm. Notwithstanding his non-solicitation agreement, he met with other top-performing sales associates at LegalShield and urged them to join him when he left for Nerium. On August 10, 2012, Cahill called a meeting of high-ranking associates, told them of his imminent departure, and invited the curious to email him about his new plans.

The following day, Cahill emailed his resignation letter, and LegalShield cut off access to his downline through its site. With the exception of a final posting to the private Facebook pages that he had set up, Cahill’s relevant social media activity extended only to general updates on Facebook about his new job, and invitations to former coworkers to join Twitter.

In response to LegalShield’s request for a preliminary injunction, the court barred Cahill from direct contact with current LegalShield employees, as his in-person soliciting was undisputed. LegalShield, however, also requested that the court find that Cahill’s social media activity constituted impermissible solicitation.

The court examined Cahill’s activities in light of the defendants’ behavior in two other non-solicitation cases involving social media. In Enhanced Network Solutions Group, Inc. v. Hypersonic Technologies Corp., the court found that a job posting on a LinkedIn page did not constitute “solicitation” because the initial contact came through “a publicly available portal of LinkedIn.” The fact that the defendant, Hypersonic, had publicly posted a job listing that an Enhanced Network employee found did not rise to the level of solicitation.

Similarly, in Invidia, LLC v. DiFonzo, the court held that “friending” a former employer’s customers on Facebook did not constitute impermissible solicitation. There the court stated, “one can be Facebook friends with others without soliciting those friends to change [business].”

In the instant case, the court compared the facts of Invidia and Enhanced Network to Cahill’s behavior and found his actions were even more general. Cahill discussed his new employer in personal Facebook updates, which were directed to his friends at large, and invited former coworkers to sign up for Twitter. The court found that neither act was sufficiently direct to constitute solicitation, and LegalShield offered no evidence that Cahill’s posting would cause irreparable harm or had caused a LegalShield employee to change jobs.

The court did not say that the use of social media—as opposed to traditional means of communication—can never be a means of solicitation. The court left open the possibility that social media behavior that had the effect of targeting or soliciting employees, even absent direct messaging, could be prohibited. It remains possible that impermissible solicitation may be only a tweet away.

With the explosive growth of social media, consumers increasingly expect to be able to interact online with the companies from which they buy goods and services. As a result, financial institutions have begun to explore the use of social media, both to strengthen relationships with existing customers and to attract new ones. Financial institutions, however, have proceeded with extreme caution in using social media, in large part due to uncertainty as to the application of financial laws and regulations to social media and, to the extent they are applicable, how a financial institution can comply.

In response to industry requests for guidance on the use of social media, on January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on proposed guidance (“Proposed Guidance”) for financial institutions relating to the use of social media. The Proposed Guidance is intended to help financial institutions understand potential risks associated with the use of social media and to communicate the expectations of the agencies that make up the FFIEC for how financial institutions should manage these risks. The Proposed Guidance, however, largely does not address how a financial institution may comply with any particular requirement when using social media.

The following provides an overview of the Proposed Guidance, which may be found here. Comments on the Proposed Guidance must be submitted to the FFIEC by March 25, 2013.

Background on the FFIEC

The FFIEC is a formal interagency body that is authorized to prescribe uniform principles, standards and report forms for the examination of financial institutions by the federal banking agencies, the National Credit Union Administration (NCUA) and the Bureau of Consumer Financial Protection (CFPB) (collectively, the “Agencies”). Historically, banks were the main type of financial institutions to be the focus of FFIEC supervisory guidance; however, the Dodd-Frank Act expanded the membership of the FFIEC to include not only the federal banking agencies and the NCUA, but also the CFPB. As a result, FFIEC guidance now extends to any person supervised by the CFPB, including many types of non-bank financial institutions, such as mortgage brokers, payday lenders, consumer reporting agencies and debt collectors.

The Proposed Guidance

The Proposed Guidance is intended to help financial institutions understand potential risks associated with their use of social media, including compliance, reputation and operational risks, and to communicate the Agencies’ expectations for how financial institutions should manage these risks. Although the Proposed Guidance clarifies that, if finalized, it would not impose additional obligations on financial institutions, the Agencies each intend to issue any final guidance as supervisory guidance to the institutions that they supervise. As a result, financial institutions subject to the Agencies’ supervisory authority will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the risks associated with their use of social media, including those outlined in the finalized guidance.

“Social Media” Defined

The Proposed Guidance casts a wide net in defining “social media” as any “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” From the Agencies’ perspective, it is social media’s interactive nature that distinguishes it from other online media. The Proposed Guidance includes the following non-exhaustive examples of media that the Agencies believe to fall within the definition:

  • micro-blogging sites (e.g., Facebook and Twitter);
  • forums, blogs, customer review websites and bulletin boards (e.g., Yelp);
  • photo and video sites (e.g., Flickr and YouTube);
  • professional networking sites (e.g., LinkedIn);
  • virtual worlds (e.g., Second Life); and
  • social games (e.g., FarmVille).

Risk Management Programs

A cornerstone of the Proposed Guidance is the expectation that a financial institution will maintain a risk management program through which it identifies, measures, monitors and controls risks related to its use of social media. The Proposed Guidance provides that a financial institution’s risk management program should include the following seven components:

  • A governance structure with clear roles and responsibilities whereby the institution’s board or senior management directs how the use of social media contributes to the institution’s strategic goals and that establishes controls and ongoing risk assessments.
  • Policies and procedures regarding the use and monitoring of social media and compliance with applicable consumer protection laws.
  • An employee training program regarding the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
  • An oversight process for monitoring information posted to proprietary social media sites administered by, or on behalf of, the financial institution.
  • A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
  • Audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.
  • Parameters for reporting to the institution’s board or senior management that will enable periodic evaluations of the social media program.

As in other areas of financial law and regulation, the expectation would be that the size and complexity of a financial institution’s risk management program would be commensurate with the breadth of the institution’s involvement in social media. For example, a financial institution that relies heavily on social media should have a more detailed program than a financial institution that uses social media only in a limited manner. Nonetheless, the Proposed Guidance indicates that a financial institution that does not use social media should still be prepared to address the potential for negative comments or complaints related to the institution that may arise within social media and also to provide guidance for employee use of social media.

Risk Areas Generally

The majority of the Proposed Guidance focuses on identifying potential risks related to a financial institution’s use of social media, including risk of harm to consumers. In particular, the Proposed Guidance identifies potential risks within three broad categories: (1) compliance and legal risk; (2) reputational risk; and (3) operational risk. While the Proposed Guidance catalogs the many risks presented by the use of social media, the focus is on the risks associated with compliance with consumer protection requirements. Nonetheless, the lengthy identification of risk areas would put financial institutions on notice of the broad scope of their responsibilities with respect to the use of social media.

Compliance and Legal Risk Areas

Compliance and legal risk relates to the risks associated with the failure to comply with laws, rules, regulations, prescribed practices, internal policies and procedures, and ethical standards and the related exposure to enforcement actions and/or private rights of action. The Proposed Guidance cautions that these risks are “particularly pertinent” for an emerging medium like social media where a financial institution’s policies and procedures may not have kept pace with changes in the marketplace.

Although a financial institution would be expected to ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable legal obligations, the Proposed Guidance identifies examples of more than 15 federal laws where a financial institution may be exposed to compliance and legal risk. These examples are broken down into five general categories: (1) privacy; (2) deposit and lending products; (3) payment systems; (4) anti-money laundering; and (5) community reinvestment. Of note, none of these includes any exception regarding the use of social media. As a result, the Proposed Guidance cautions that, to the extent a financial institution uses social media to engage in covered activity (e.g., advertising a credit product), it would be required to comply with any applicable legal requirement that may relate to that covered activity.

We highlight below certain compliance risks identified in the Proposed Guidance that may be relevant to many financial institutions:

Privacy

  • A financial institution using social media should clearly disclose its privacy policies where required by the Gramm-Leach-Bliley Act.
  • A financial institution maintaining its own social media site should ensure that it maintains and follows policies restricting access to the site to users 13 or older in a manner consistent with the Children’s Online Privacy Protection Act.
  • A financial institution should consider whether any unsolicited communication sent to consumers via social media complies with the limitations of the CAN-SPAM Act and the Telephone Consumer Protection Act.

Deposit and Lending Products

  • A lender should ensure that its use of social media does not violate the Equal Credit Opportunity Act prohibition on making statements in advertising that would discourage, on a prohibited basis, a reasonable person from applying for credit.
  • A lender that advertises credit products in any form of social media communication should ensure that it does so in a manner that complies with Regulation Z’s advertising requirements.
  • A debt collector must comply with Fair Debt Collection Practices Act limitations when conducting covered activities through social media, including, for example, ensuring that any social media communication does not disclose the existence of a debt or harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall).

Payment Systems

  • A financial institution using social media to facilitate an electronic fund transfer for a consumer should consider whether it is required by Regulation E to, for example, provide any required disclosures to the consumer.

Anti-Money Laundering

  • Financial institutions should be aware of emerging areas of Bank Secrecy Act and anti-money laundering risk in connection with social media, including, for example, the fact that virtual world Internet games and digital currencies present a high risk for money laundering and terrorist financing and should be monitored accordingly.

Community Reinvestment

  • A depository institution subject to the Community Reinvestment Act should ensure that its policies and procedures for its own social media properties address the appropriate monitoring of public comments.

Reputational Risk Areas

For purposes of the Proposed Guidance, reputational risk relates to the risks arising from negative public opinion. A financial institution engaged in social media activities would be expected to be sensitive to and properly manage the reputational risks that may arise from its social media activities. The Proposed Guidance provides a number of considerations for financial institutions related to reputational risk in the context of social media use, including that a financial institution should:

  • have appropriate policies in place to monitor and address in a timely manner the fraudulent use of its brand, such as through phishing or spoofing attacks;
  • have procedures to address risks associated with members of the public posting confidential or sensitive information (e.g., an account number) on the institution’s social media page or site;
  • weigh the risks and the benefits of using a third party to conduct social media activities, including, for example, the ability of a financial institution to control content on a site owned or administered by a third party; and
  • consider the feasibility of monitoring question and complaint forums on social media sites to ensure that customer inquiries, complaints or comments are addressed in a timely and appropriate manner.

Operational Risk Areas

For purposes of the Proposed Guidance, operational risk relates to the risk of loss resulting from inadequate or failed processes, people or systems. These include the risks posed by a financial institution’s use of information technology, including social media. In light of the vulnerability of social media platforms, the Proposed Guidance indicates that a financial institution should ensure that its internal controls designed to protect its information technology systems and to safeguard customer information from malicious software adequately address social media usage. And, in a related point, a financial institution’s incident response program should extend to security incidents involving social media.

 *          *          *          *

If the FFIEC finalizes the Proposed Guidance, financial institutions should expect that the Agencies will independently issue the finalized guidance as supervisory guidance to the institutions that they supervise. In such a case, financial institutions will be expected to use the guidance as part of their efforts to address the risks associated with the use of social media and to ensure that their risk management programs provide effective oversight and controls related to the use of social media. Until final guidance is in place, it is important for financial institutions to be cognizant of and consider the extent of their usage of social media and the risks associated with that use and whether existing controls address the types of risks identified in the Proposed Guidance. Finally, financial institutions may also wish to consider whether they will provide comments to the FFIEC on the Proposed Guidance, including, for example, identifying any technological or other impediments to compliance with otherwise applicable law when using social media.

2012 was a momentous year for social media law. We’ve combed through the court decisions, the legislative initiatives, the regulatory actions and the corporate trends to identify what we believe to be the ten most significant social media law developments of the past year. Here they are, in no particular order:

Bland v. Roberts – A Facebook “like” is not constitutionally protected speech

Former employees of the Hampton Sheriff’s Office in Virginia, who were fired by Sheriff B.J. Roberts, sued, claiming they were fired for having supported an opposing candidate in a local election. Two of the plaintiffs had “liked” the opposing candidate’s Facebook page, which they claimed was an act of constitutionally protected speech. A federal district court in Virginia, however, ruled that a Facebook “like” “…is insufficient speech to merit constitutional protection”; according to the court, “liking” involves no actual statement, and constitutionally protected speech could not be inferred from “one click of a button.”

This case explored the increasingly important intersection of free speech and social media, with the court finding that a “like” was insufficient to warrant constitutional protection. The decision has provoked much criticism, and it will be interesting to see whether other courts will follow the Bland court’s lead or take a different approach.

New York v. Harris – Twitter required to turn over user’s information and tweets

In early 2012, the New York City District Attorney’s Office subpoenaed Twitter to produce information and tweets related to the account of Malcolm Harris, an Occupy Wall Street protester who was arrested while protesting on the Brooklyn Bridge. Harris first sought to quash the subpoena, but the court denied the motion, finding that Harris had no proprietary interest in the tweets and therefore did not have standing to quash the subpoena. Twitter then filed a motion to quash, but the court also denied its motion, finding that Harris had no reasonable expectation of privacy in his tweets, and that, for the majority of the information sought, no search warrant was required.

This case set an important precedent for production of information related to social media accounts in criminal suits. Under the Harris court’s ruling, in certain circumstances, a criminal defendant has no ability to challenge a subpoena that seeks certain social media account information and posts.

The National Labor Relations Board (NLRB) issued its third guidance document on workplace social media policies

The NLRB issued guidance regarding its interpretation of the National Labor Relations Act (NLRA) and its application to employer social media policies. In its guidance document, the NLRB stated that certain types of provisions should not be included in social media policies, including: prohibitions on disclosure of confidential information where there are no carve-outs for discussion of an employer’s labor policies and its treatment of employees; prohibitions on disclosures of an individual’s personal information via social media where such prohibitions could be construed as limiting an employee’s ability to discuss wages and working conditions; discouragements of “friending” and sending unsolicited messages to one’s co-workers; and prohibitions on comments regarding pending legal matters to the degree such prohibitions might restrict employees from discussing potential claims against their employer.

The NLRB’s third guidance document illustrates the growing importance of social media policies in the workplace. With social media becoming an ever-increasing means of expression, employers must take care to craft social media policies that do not hinder their employees’ rights. If your company has not updated its social media policy in the past year, it is likely to be outdated.

Fteja v. Facebook, Inc. and Twitter, Inc. v. Skootle Corp. – Courts ruled that the forum selection clauses in Facebook’s and Twitter’s terms of service are enforceable

In the Fteja case, a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (its “Terms”) was enforceable. Facebook sought to transfer a suit filed against it from a New York federal court to one in Northern California, citing the forum selection clause in the Terms. The court found that the plaintiff’s clicking of the “I accept” button when registering for Facebook constituted his assent to the Terms even though he may not have actually reviewed the Terms, which were made available via hyperlink during registration.

In the Skootle case, Twitter brought suit in the Northern District of California against various defendants for their spamming activities on Twitter’s service. One defendant, Garland Harris, who was a resident of Florida, brought a motion to dismiss, claiming lack of personal jurisdiction and improper venue. The court denied Harris’s motion, finding that the forum selection clause in Twitter’s terms of service applied. The court, however, specifically noted that it was not finding that forum selection clauses in “clickwrap” agreements are generally enforceable, but rather “only that on the allegations in this case, it is not unreasonable to enforce the clause here.”

Fteja and Skootle highlight that potentially burdensome provisions in online agreements may be enforceable even as to consumers; in both cases, a consumer seeking to pursue or defend a claim against a social media platform provider was required to do so in the provider’s forum. Both consumers and businesses need to be mindful of what they are agreeing to when signing up for online services.

Six states passed legislation regarding employers’ access to employee/applicant social media accounts

California, Delaware, Illinois, Maryland, Michigan and New Jersey enacted legislation that prohibits an employer from requesting or requiring an employee or applicant to disclose a user name or password for his or her personal social media account.

Such legislation will likely become more prevalent in 2013; Texas has a similar proposed bill, and California has a proposed bill that would expand its current protections for private employees to also include public employees.

Facebook goes public

Facebook raised over $16 billion in its initial public offering, which was one of the most highly anticipated IPOs in recent history and the largest tech IPO in U.S. history. Facebook’s peak share price during the first day of trading hit $45 per share, but with a rocky first few months fell to approximately $18—sparking shareholder lawsuits. By the end of 2012, however, Facebook had rebounded to over $26 per share.

Facebook’s IPO was not only a big event for Facebook and its investors, but also for other social media services and technology startups generally. Many viewed, and continue to view, Facebook’s success or failure as a bellwether for the viability of social media and technology startup valuations.

Employer-employee litigation over ownership of social media accounts

2012 saw the settlement of one case, and continued litigation in two other cases, all involving the ownership of business-related social media accounts maintained by current or former employees.

In the settled case of PhoneDog LLC v. Noah Kravitz, an employer sued an employee after the employee left the company but retained a Twitter account (and its 17,000 followers) that he had maintained while working for the employer. The terms of the settlement are confidential, but news reports indicated that the settlement allowed the employee to keep the account and its followers.

In two other pending cases, Eagle v. Edcomm and Maremont v. Susan Fredman Design Group LTD, social media accounts originally created by employees were later altered or used by the employer without the employees’ consent.

These cases are reminders that, with the growing prevalence of business-related social media, employers need to create clear policies regarding the treatment of work-related social media accounts.

California’s Attorney General went after companies whose mobile apps allegedly did not have adequate privacy policies

Starting in late October 2012, California’s Attorney General gave notice to developers of approximately 100 mobile apps that they were in violation of California’s Online Privacy Protection Act (OPPA), a law that, among other things, requires developers of mobile apps that collect personally identifiable information to “conspicuously post” a privacy policy. Then, in December 2012, California’s Attorney General filed its first suit under OPPA against Delta, for failing to have a privacy policy that specifically mentioned one of its mobile apps and for failing to have a privacy policy that was sufficiently accessible to consumers of that app.

Privacy policies for mobile applications continue to become more important as the use of apps becomes more widespread. California’s OPPA has led the charge, but other states and the federal government may follow. In September, for instance, Representative Ed Markey of Massachusetts introduced The Mobile Device Privacy Act in the U.S. House of Representatives, which in some ways would have notice requirements similar to those of California’s OPPA.

Changes to Instagram’s online terms of service and privacy policy created user backlash

In mid-December 2012, Instagram released an updated version of its online terms of service and privacy policy (collectively, “Terms”). The updated Terms would have allowed Instagram to use a user’s likeness and photographs in advertisements without compensation. There was a strong backlash from users over the updated Terms, which ultimately led to Instagram apologizing to its users for the advertisement-related changes, and reverting to its previous language regarding advertisements.

Instagram’s changes to its Terms, and subsequent reversal, are reminders of how monetizing social media services is often a difficult balancing act. Although social media services need to figure out how they can be profitable, they also need to pay attention to their users’ concerns.

The defeat of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA)

Two bills, SOPA and PIPA—which were introduced in the U.S. House of Representatives and U.S. Senate, respectively, in late 2011—would have given additional tools to the U.S. Attorney General and intellectual property rights holders to combat online intellectual property infringement. A strong outcry, however, arose against the bills from various Internet, technology and social media companies. The opponents of the bills, who claimed the proposed legislation threatened free speech and innovation, engaged in various protests that included “blacking out” websites for a day. These protests ultimately resulted in the defeat of these bills in January 2012.

The opposition to and subsequent defeat of SOPA and PIPA demonstrated the power of Internet and social media services to shape the national debate and sway lawmakers. With prominent social media services such as Facebook, YouTube, Twitter, LinkedIn and Tumblr opposed to the bills, significant public and, ultimately, congressional opposition followed. Now that we’ve witnessed the power that these services wield when acting in unison, it will be interesting to see what issues unite them in the future.