July 2012

With the issuance of its third guidance document on workplace social media policies in the past year, the National Labor Relations Board (NLRB) continues to refine its position on how to craft workplace social media policies that are consistent with the terms of the National Labor Relations Act (NLRA).

Section 7 of the NLRA provides employees with the right to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.”  This right applies regardless of whether the employees are members of a labor union.  The NLRB’s guidance on this subject suggests that employee social media policies that discourage the exercise of these rights may run afoul of the NLRA.

The NLRB’s third memorandum, issued by Acting General Counsel Lafe Solomon, analyzes in detail seven different social media policies at issue in recent cases before the NLRB.  Six of these policies were found by the NLRB to contain provisions that are contrary to the NLRA, while the seventh “revised” policy was upheld in its entirety as lawful.  The NLRB specifically questioned the breadth of the following types of provisions, many of which are commonly found in social media policies:

  • Prohibitions on the disclosure of confidential or “non-public” information, or of matters concerning individual privacy rights, via social media. Instructions not to reveal non-public information may be unenforceable as applied to discussions about, or criticism of, the employer’s labor policies and its treatment of employees. The NLRB noted such a tension in policy requiring social media users not to “reveal non-public company information on any public site,” where the explanation of non-public company information did not include appropriate carve-outs for activities protected under Section 7.
  • Prohibitions on the disclosure of an individual’s personal information via social media.  The NLRB took issue with a social media policy instructing employees: “[D]on’t disclose [personal information regarding employees and other third parties] in any way via social media or other online activities.” As the NLRB explained, “[I]n the absence of clarification, employees would reasonably construe it to include information about employee wages and their working conditions.”
  • Discouragements of the “friending” of one’s co-workers.  According to the third memorandum, a policy statement advising employees to “think carefully about ‘friending’ other co-workers” could be construed as unlawfully discouraging employees from communicating regarding the terms of their employment.
  • Requirements that employee grievances be addressed through internal procedures, rather than aired online.  A social media policy providing the employer “believes that individuals are more likely to resolve concerns about work by speaking directly with co-workers, supervisors or other management-level personnel than by posting complaints on the Internet” was found to be unlawful, according to the NLRB, because it might inhibit employees from “seeking redress through alternative forums.” The NLRB noted, however, that employers may “reasonably suggest” availing of internal dispute resolution procedures.
  • Prohibitions on the sending of unsolicited communications to other employees. The NLRB found a policy requiring employees to report receiving “unsolicited or inappropriate electronic communications” to be an impermissible restraint on employees’ right to discuss their employment conditions.
  • Restrictions on public discussions of personal opinions regarding work.  One policy discussed in the memorandum expressly permitted employees to discuss online their personal opinions about work-related issues, but only to other employees and not to the general public. The NLRB found this overbroad because the right to discuss employment conditions extends to discussions with non-employees.
  • Prohibitions on comments regarding pending legal matters.  A policy providing, “Don’t comment on any legal matters, including pending litigation or disputes,” was found to be unlawful on the basis that it “restricts employees from discussing the protected subject of potential claims” against their employer.
  • Prohibitions on responding to government inquiries.  The NLRB found that one employer’s direction to employees not to respond to communications from government agencies was overbroad “to the extent that it restricts employees from their protected right to converse with [NLRB] agents or otherwise concertedly seek the help of government agencies regarding working conditions, or respond to inquiries from government agencies regarding the same.”
  • Requirements that employees check with the legal department or human resources (HR) department prior to posting or communicating with the media.  Requiring employees to secure permission from their employer before engaging in activities protected under Section 7, the memorandum noted, is prohibited by the NLRA.

Analyzing employer social media policies under the NLRA continues to be major enforcement priority of the NLRB, although the NLRB’s position on social media policies remains, for the most part, untested by the courts.  The third memorandum underscores how the precise wording of the policy is critical to whether it is considered overbroad by the NLRB.  Social media policies that distinguish between the prohibited behavior and concerted activities excluded by the policy, and that provide examples of each, would be more likely to withstand NLRB scrutiny.  By contrast, the third memorandum cautions employers against relying on a so-called “savings clause” (such as a general statement that the policy will not be interpreted in a manner inconsistent with the NLRA) if “employees would not understand from this disclaimer that protected activities are in fact permitted.”

Alongside its long list of examples of potentially unlawful policy language, the third memorandum provides one example of a social media policy that it considered lawful.  Although this exemplar, which is attached to the NLRB memorandum in full, will not meet the needs of all employers, it may serve useful as a resource against which to compare your company’s social media policy.  As the NLRB’s position on this subject evolves, we suggest consulting counsel to address whether specific provisions of your company’s social media policy are consistent with the NLRB’s guidance.

As the Occupy Wall Street protests fade from memory, a related discovery battle between Twitter and the New York County District Attorney rages on.

Earlier this year, we discussed the District Attorney’s efforts to subpoena user information and tweets of criminal defendant Malcolm Harris, an Occupy Wall Street protester charged with disorderly conduct for allegedly occupying the roadway of the Brooklyn Bridge.  In a setback for Twitter, the Criminal Court of the City of New York recently denied Twitter’s motion to quash the District Attorney’s subpoena; Twitter has announced its decision to appeal the court’s decision.  In this article, we take a look at the court’s decision rejecting Twitter’s motion, and discuss key issues to be addressed on appeal.

As noted, the dispute emerges from the District Attorney’s criminal prosecution of Harris.  Believing that Harris had tweeted information inconsistent with his anticipated defense, the District Attorney sought from Twitter the user information and tweets associated with the account @destructuremal—the Twitter account allegedly used by Harris.  Harris filed a motion to quash, and Twitter refused to comply with the subpoena pending the results of Harris’s motion.

The court found that Harris lacked standing to quash the third-party subpoena on Twitter, because Harris had neither a proprietary interest nor a privacy interest in the user information or tweets associated with the @destructuremal account.  The court observed that no search warrant was required to obtain Harris’s tweets, as no Fourth Amendment privacy rights are implicated when information is sought from a third party, such as Twitter.  Rather, in a criminal case, the Stored Communications Act (SCA) permits the government to subpoena subscriber and session information directly from a social media site.  The court ordered Twitter to comply with the subpoena.

Twitter then filed its own motion to quash the subpoena.  Twitter argued that, under its Terms of Service, Harris in fact retained his rights to any content that he submitted, posted or displayed on or through the Twitter service; and that denying Harris’s standing to oppose the subpoena placed an undue burden on Twitter.  In a decision handed down on June 30, 2012, the court disagreed.  The court noted that the general rule in New York is that “only the recipient of a subpoena in a criminal case has standing to quash it,” and reiterated that Harris had no Fourth Amendment privacy right in his tweets.  Twitter has objected to the court’s decision, and, as noted, will be filing an appeal; a review of the court’s decision highlights key issues to be addressed on appeal.

No Privacy Violation

Proving a violation of the Fourth Amendment requires a showing of either (1) a physical intrusion onto personal property or (2) a violation of a reasonable expectation of privacy.  The court found that, due to Harris’s publication of his tweets to third parties, neither showing could be made here.

No Physical Intrusion

With regard to physical intrusion, the court stated simply that there had been no physical intrusion into Harris’s Twitter account.  Unlike the contents of someone’s home or car, the contents of Harris’s Twitter account had been “purposely broadcast to the entire world [and] into a server 3,000 miles away.”

No Reasonable Expectation of Privacy

With regard to any expectation of privacy, the court likened posting a tweet to screaming out of an open window.  According to the court, “If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy.  There is no proprietary interest in your tweets, which you have now gifted to the world.”  The court distinguished a tweet, however, from a “private” Internet dialogue, such as one conducted via private email, private direct message, or private chat.  Accessing relevant information from such private Internet dialogues “would require a warrant based on probable cause.”  A tweet, however, is not like an email sent to a single party, and “[t]here can be no reasonable expectation of privacy in a tweet sent around the world.”

A Tweet Is a “Public Posting”

The court based its decision on its finding that a tweet is a “public posting.”  In the court’s view, “It is the act of tweeting or disseminating communications to the public that controls.”  The court supported its finding by citing Twitter’s Privacy Policy, which states that “[o]ur Services are primarily designed to help you share information with the world.  Most of the information you provide us is information you are asking us to make public.”  As further evidence of the public nature of a tweet, the court also cited Twitter’s 2010 agreement with the Library of Congress, under which every public tweet since Twitter’s inception is to be archived; several Internet sites through which deleted tweets remain accessible; and a National Geographic Channel project that has collected tweets and intends to broadcast them into space this August.

The court likened the third-party recipient of a tweet to a witness on the street who overhears something screamed out of an open window.  As the court put it, “today, the street is an online, information superhighway, and the witness can be the third-party providers like Twitter, Facebook, Instagram, Pinterest, or the next hot social media application.”  A tweet, like a scream out the window, has been made public, and “[t]here is no reasonable expectation of privacy for tweets that the user has made public.”

No Undue Burden on Twitter

Twitter argued that denying standing to Harris placed an undue burden on Twitter, who was thereby forced to either comply with, or move to quash, each such subpoena seeking information of a Twitter user that it receives.  The court flatly disagreed, noting that “that burden is placed on every third-party respondent to a subpoena and cannot be used to create standing for a defendant where none exists.”

No Undue Burden Under the Stored Communications Act

A court issuing an order under Section 2703(d) of the SCA, “on a motion made promptly by the service provider,” may quash or modify the order if it finds that the information or records sought are “unusually voluminous” or if compliance with the order “otherwise would cause an undue burden” on the service provider.  In this case, the order requires Twitter to provide all user information associated with the @destructuremal Twitter account, including all tweets posted from it between September 15, 2011, and December 31, 2011.  The court declined to find that this order placed an undue burden on Twitter under the SCA, stating instead that “it does not take much to search and provide the data to the court.”

Warrant Required for Tweets in Electronic Storage for Less Than 180 Days

The only data associated with the @destructuremal account that the court did not order Twitter to produce were those tweets sent out from the account on December 31, 2011.  This is because, under the SCA, the court may compel either an Electronic Communications Service (ECS) or a Remote Computing Service (RCS) to disclose non-content information, and may compel an RCS to disclose its contents; but the court may only compel an ECS to disclose content that has been in electronic storage for more than 180 days.  At the time that the June 30, 2012 order was issued, the court did not have the proper authority under the SCA to order disclosure of tweets made on December 31, 2011.  The court, accordingly, modified its previous order with respect to the ECS content that was less than 180 days old—removing that portion of the order that would have required Twitter to produce tweets placed from the @destructuremal account on December 31, 2011.

What Next?

The Criminal Court of the City of New York ordered Twitter to disclose all non-content information, as well as all content information from September 15, 2011, to December 30, 2011.  As noted, Twitter has announced its intention to appeal, rather than to comply with, the decision.  Twitter will not have to turn over the December 31, 2011 tweets unless the government obtains a search warrant.  Will Twitter have to turn over the other @destructuremal tweets?  We’ll keep you posted.

On July 19th, California Attorney General Kamala D. Harris announced the formation of a new Privacy Enforcement and Protection Unit within the state’s Department of Justice. The move is widely seen as a means of stepping up the state’s enforcement activities involving privacy issues.

The Privacy Enforcement and Protection Unit will be organized under the state’s new eCrime Unit, which was formed in August 2011, and will centralize a number of existing California Justice Department programs intended to enforce privacy laws, combat identity theft, educate consumers, and create partnerships with private industry under one umbrella. The new unit’s mission is broad: it will enforce federal and state laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. In addition to traditional online privacy, the unit’s mandate covers health privacy, financial privacy, identity theft, government records, and data breach laws. The unit will be staffed by California Department of Justice employees, including six dedicated prosecutors.

Harris has made online privacy protection a major focus of her administration, and the creation of the new Privacy Enforcement and Protection and eCrime Units are just two of her initiatives aimed at fighting online crime and protecting consumer privacy. In February of this year, Harris also secured an agreement between her office and the six major platforms for distributing and selling mobile applications. The agreement is designed to ensure that mobile and social apps comply with the California Online Privacy Protection Act, which requires operators of commercial websites and online services that collect personally identifiable information about Californians to conspicuously post a privacy policy. Facebook signed onto the agreement, called a “Joint Statement of Principles,” in June 2012, adding the primary platform for social applications to the agreement.

Earlier this year, Fred Weiss, a Pittsburgh Penguins hockey team fan, responded to an offer to receive text messages alerting him to team news and special offers.  Although the terms pertaining to the call-to-action apparently promised Weiss that he would receive no more than three messages per week, he alleges that he received five messages the first week and four the following week.  Instead of simply following the alerts’ unsubscribe instructions, Weiss filed a putative class action lawsuit against the hockey team, alleging that its delivery of more messages than promised violated the federal Telephone Consumer Protection Act (TCPA).

The TCPA generally prohibits the delivery of a text message without the recipient’s express consent.  In his complaint, Weiss has alleged that the delivery of messages in excess of those to which he had agreed (i.e., three per week) was without his express consent, and, for each of those violating messages, he says that he—and his fellow class members—should therefore receive the prescribed statutory damages of at least $500.  Statutory damages per violating message could go up to as much as $1,500 if the Penguins are found to have willfully or knowingly violated the law.

Some may wonder why the Penguins would have made a message frequency promise in the first place.  Widely followed industry guidelines issued by the Mobile Marketing Association (MMA)  state that a marketer should provide certain information to consumers when seeking their consent to receive recurring text messages—including the fact that the consumer’s mobile carrier’s message and data rates apply, as well as how many messages the consumer can expect to receive.  These disclosures give the consumer the information that he or she needs to make an informed decision regarding whether to sign up.  The MMA guidelines do not have the force of law, but they are intended to help ensure that marketers comply with mobile carrier requirements.  Moreover, while a message frequency disclosure is not expressly prescribed by law, the Federal Trade Commission (FTC) or a state regulator could take the position that a failure to tell a consumer, before he or she subscribes, how many messages to expect is an omission of material information and therefore deceptive.  Marketers are therefore advised to make the disclosures imposed by the MMA guidelines.

As the ongoing Penguins litigation highlights, however, making the disclosures is not enough:  the marketer must also take care to abide by its own promises.  A failure to do so may give rise not only to a private cause of action under the TCPA—a very hot area for plaintiffs’ attorneys over the past couple of years—but could also lead to an enforcement action by the FTC or a state regulator, charging that the marketer’s failure to follow its own promises was deceptive.  The bottom line is that companies sending text messages to consumers need to ensure that they are in compliance with their own representations regarding such messages, or they may find themselves in the penalty box.   

The announcement by a Wall Street firm that it plans to give its financial advisers limited access to social media websites has been viewed by many as inevitable.  Morgan Stanley’s foray into the fast-changing world of social media highlights the difficulties faced by broker-dealers and investment advisers and the regulators who oversee them.  As more financial firms follow suit, regulators will struggle to enforce securities laws that were written when the telephone and the telegraph were the prevailing social media.

Federal securities laws require broker-dealers and investment advisers to comply with a panoply of detailed rules designed to ensure that customers and clients are not misled.  The rules require them to keep records of every paragraph, sentence, and word—and now, every tweet.

The challenge:  how can financial firms comply with these strict rules while satisfying the market’s growing passion for communicating by texts and tweets?  And how can regulators enforce two-dimensional securities laws in the new three-dimensional world?

The exponential jump in social media usage has attracted the attention of federal securities regulators, who have responded with additional guidance and enforcement actions.

The Financial Industry Regulatory Authority (FINRA), which regulates broker-dealers, published guidance on blogs and social networking websites in January 2010.  This was followed by guidance on social networking websites and business communications, posted in August 2011.

In January 2012, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a National Examination Risk Alert called Investment Adviser Use of Social Media, which outlines in stark terms the SEC staff’s compliance concerns on the use of social media by registered investment advisers.

While investors typically do not distinguish between broker-dealers, on one hand, and registered investment advisers, on the other hand, these two types of financial institutions are regulated under similar, but very different, sets of rules.  Social media use by investment advisers that are dually registered with the SEC and with FINRA is subject to both sets of rules and interpretations.

Investment advisers.  The SEC has recognized that social media is “landscape-shifting” and that its use by the financial services industry is rapidly accelerating.

The SEC staff has stated its view that use of social media to communicate with clients and prospective clients may implicate Rule 206(4)-1 under the Investment Advisers Act of 1940, as amended (Advisers Act), which governs advertisements by investment advisers.

This rule, in relevant part, provides that an investment adviser will violate the Advisers Act’s anti-fraud provisions if it publishes, circulates, or distributes “any advertisement” that:

  • Refers, directly or indirectly, to “testimonials of any kind concerning the investment adviser” or the investment advice it provides;
  • Refers, directly or indirectly, to past specific recommendations it provided (e.g., “cherry picking”), unless the adviser discloses a list of all recommendations, subject to certain requirements;
  • Represents that a graph, chart, or formula, by itself, can be used to determine which securities to buy, without prescribed disclosures;
  • Contains a statement to the effect that a report, analysis, or other service will be furnished free of charge, unless it is actually provided entirely free of charge without condition; or
  • Contains any untrue statement of a material fact, or that is otherwise false or misleading.

The SEC defines “advertisement” very broadly.  “Advertisements” include, in relevant part, any notice, circular, letter, or other written communication addressed to more than one person, or any notice or announcement in any publication or by radio or television, that (1) offers analysis, report, or publication concerning securities, or that is to be used in making any determination as to when to buy or sell any security, or (2) any graph, chart, formula, or other device to be used in making any determination as to when to buy or sell any security, or (3) any other investment advisory service with regard to securities.

While this regulatory definition reflects technological advancements through and including the cathode ray tube television set, we can reasonably conclude that it applies to all kinds of social media communications, including blogs, wikis, photo and video sharing, podcasts, social networking, and virtual worlds.

OCIE’s regulatory concerns can be categorized into three broad categories:  compliance policies and procedures, third-party content, and record keeping.

Compliance programs.  First, the SEC staff is concerned that investment adviser compliance programs may include overlapping procedures that apply to advertisements and communications but do not specifically include social media.  The staff urges investment advisers to evaluate the effectiveness of their compliance programs with respect to the use of social media by the firms themselves, their representatives, or solicitors, including the following hot buttons:

  • Usage guidelines.  Compliance procedures should address appropriate usage and restrictions on use of social media, based on potential risks.
  • Content standards. Content may implicate fiduciary duties or other regulatory issues, which compliance procedures should address.
  • Monitoring.  Advisers should consider how to monitor use of social media by employees, representatives, and solicitors, and should take into consideration the lack of ability to monitor third-party sites.
  • Frequency of monitoring.  The staff suggests a risk-based approach for frequency of monitoring of social media communications.
  • Approval of content.  Advisers should consider pre-approval of communications, rather than after-the-fact reviews.
  • Firm resources.  Advisers should evaluate their resources to ensure that they are sufficient to adequately monitor personnel and archive communications.
  • Criteria for approving participation.  Compliance procedures should assess risks to the adviser, including operational, reputational, privacy, and other regulatory issues.
  • Training.  Advisers should consider implementing a training program related to social media, with a view toward promoting compliance.
  • Certification. Consider procedures that require personnel to certify that they understand and will comply with social media policies.
  • Functionality. Advisers should consider the functionality of social media sites approved for use, including the continuing obligation to address any upgrades or modifications.
  • Personal/professional sites.  Advisers should consider whether to adopt policies to address business conducted on personal or third-party media sites.
  • Information security. Advisers should consider whether permitting representatives to have access to social media sites poses information security risks, and how to protect information.
  • Enterprise-wide sites.  Advisers that are part of a larger financial services or corporate enterprise may consider creation of usage guidelines designed to prevent the advertising practices of a firmwide social media site from violating the Advisers Act.

Third-party content.   Second, the staff has indicated that third-party content on social media sites presents special compliance challenges.  These issues arise when third parties post messages, forward links, or post articles to an adviser’s website or in social media sites.  Adviser representatives and solicitors generally do not interact with these third parties or respond to their postings.

The staff noted its concern about direct or indirect testimonials “of any kind.” The SEC’s rules do not define the term “testimonial,” but the SEC’s staff broadly interprets the term to include a statement of a client’s experience with, or endorsement of, an investment adviser.  Therefore, the use of “social plug-ins,” even when a third party hits the “Like” button on an adviser’s Facebook page could be a “testimonial” under the Advisers Act if the “Like” represents an explicit or implicit statement of a client’s experience with an investment adviser or its representative.

The staff’s concerns underscore the challenges that investment advisers face when the use of freewheeling, interactive social media collides with requirements to comply with pre-Internet regulations that were designed to regulate newspaper and magazine advertisements.

Recordkeeping.  The SEC’s third area of concern is recordkeeping obligations of advisers.  OCIE noted that the recordkeeping rules do not differentiate between traditional paper communications, like snail mail, and electronic communications, such as emails, instant messages, and other ways that investment advisers provide advisory services.  In other words, the federal regulators focus on the content of the communication, rather than its form.  OCIE urges investment advisers to ensure that their recordkeeping policies and procedures allow advisers that use social media to comply with the recordkeeping requirements.

In January 2012, the SEC published an Investor Alert, Social Media and Investing: Avoiding Fraud, designed to make investors aware of fraudulent investment schemes that use social media.  It also provides tips for checking the backgrounds of investment advisers and brokers.  An Investor Bulletin, Social Media and Investing, Understanding Your Accounts provides tips for investors who use social media about privacy settings, security, and password selection.

Also in January 2012, the Enforcement Division announced that the SEC charged an Illinois-based investment adviser with offering to sell fictitious securities on LinkedIn.  Among other things, the Division alleged that the adviser used LinkedIn discussions to promote fictitious “bank guarantees” and “medium term notes,” which generated interest from potential investors.  The adviser failed to comply with recordkeeping requirements or maintain a required Code of Ethics.

The SEC’s Enforcement Division noted that fraudsters are quick to adapt to new technologies to exploit them for unlawful purposes.  This case suggests that the federal regulators are determined to adapt to new technologies to follow the fraud.

Broker-dealers.  As long ago as 1999, FINRA recognized the potential compliance issues posed by use of social media when it stated that a registered representative’s participation in an Internet chat room is subject to the same requirements as a presentation in person before a group of investors.  FINRA codified this guidance in 2003, when it defined the term “public appearance” to include participation in an interactive electronic forum.

FINRA published its Guide to the Internet for Registered Representatives, and in September 2011, it released a three-part series of podcasts on these issues to educate broker-dealers and their representatives.

FINRA is not so much concerned about the form of a communication from a registered representative; rather, it is concerned about the content of the communication and whether the registered representative obtained prior supervisory approval for sending the communication.  FINRA penalized a registered representative who posted 32 tweets touting a particular security without prior principal approval, among other alleged violations.

For a summary of recent FINRA concerns about social networking, see our August 3, 2011 News Bulletin, FINRA to Issue More Guidance on Social Media.

The Morgan Stanley initiative.  The New York Times DealB%k reported on June 25, 2012 that, after a yearlong trial program, Morgan Stanley planned to give about 17,000 financial advisers “partial access” to Twitter and LinkedIn.  But don’t expect their registered representatives to get carried away with a flurry of on-the-fly stock picks.  The representatives draw posts “from a prewritten library” of Twitter messages and submit all LinkedIn postings for approval, using advanced software designed for this purpose.  Other firms likely will follow suit and devote more resources to developing this latest frontier of communications with customers.

Not only did Morgan Stanley give the green light to its financial advisers to post limited tweets, but, on the firm’s official Twitter account, senior Morgan Stanley economists recently tweeted their analysis of the U.S. jobs report and the European Central Bank’s decision to lower interest rates.

This initiative signals a trajectory and confirms that the financial services industry’s use of social media is here to stay.  And it is a somber reminder that, notwithstanding advances in communications technology, firms must still comply with pre-Internet federal securities laws covering anti-fraud, advertising, and record-keeping.

Conclusion.   The exponential growth of the use of social media presents compliance and operational challenges for investment advisers and broker-dealers.  Regulators are devoting more and more resources as they scramble to stay current with technological advances in this area.  Financial services firms are well advised to assess how their customers and employees use social media, to evaluate the potential risks, and to ensure that their policies and procedures adequately address the increasingly complex compliance and operational issues arising from the soaring popularity of social media.