Social media have transformed our ability to share and learn information for personal and business use. As with most technology, social media have affected the employer-employee relationship by expanding information channels and encouraging communications that can upset traditional notions of interaction in the workplace. Social media raise legal issues in hiring and firing decisions and everything in between.
Social media, including social networking, involve online communications in which individuals shift from audience to author in an online setting.1 Social media include Facebook, Linkedin, Twitter, blogs, YouTube, and a number of other applications in which information and ideas are shared. Social media are often implicated in hiring decisions, internal investigations, advertising, marketing, termination, and the use of confidential or proprietary information by employees. These events are subject to legal regulation, violations of which expose the employer to potential liability and regulatory scrutiny.
This article addresses the most common questions that surface when private employers and their employees are permitted to access, share, and use social media in the employment setting.2 The first section discusses the use of social media in hiring and firing decisions. The second section addresses fundamental questions concerning the ownership of (and responsibility for) social media when used by employees, including special implications surrounding “cloud” technology and the growing use of bring-your-own-device (BYOD) policies and their application to social media. The article concludes with solutions for potential problems arising from the use of social media in the workplace, including policies and practices that limit liability exposure for employers.
Ownership and Management of Social Media Content
Given the wide range of individuals who might receive communications through social media that relate to the employment relationship, it is important to understand who is responsible for the content of the communication and potential legal consequences.
Timothy D. Edwards, Wayne State 1989, is a litigation partner with Edwards Richter Phillips LLP, Madison. He provides consultation and litigation support in cases involving the preservation and production of electronically stored information. He has successfully litigated numerous employment, business, and construction disputes throughout Wisconsin.
For example, who is responsible for defamatory content, regarding a competitor, that is disseminated by an employee through the company’s Facebook account? What is the employer’s responsibility when a management employee is harassing a subordinate through emails and social media posts? Who owns vital sales information on a departing employee’s social media account?
The answers to these questions are complex, depending on the language of the employer’s social media policy, whether the individual or the entity owns the device and, in some cases, the existence of an agency relationship between the employer and the employee at the time of the communication.
Because of their scope, social media invite a number of problems. Even so, it is impractical for employers to monitor all social media use of employees, thus opening the door to potentially harmful communications. For example, an employer might be liable for harassment or other discriminatory acts taken by an authorized supervisory employee on social media. Under these circumstances, it is imperative that the employer implement a social media policy that reaffirms the company’s obligation to investigate and, when necessary, cure discriminatory conduct that occurs on social media. These provisions should:
Clearly define prohibited harassment and discrimination;
Expressly prohibit jokes or other unguarded comments that could be viewed as offensive;
Apply directly to any use of social media, personal or employer-owned, while the employee is working;
Provide employees with an avenue to complain or report improper communications, including those on social media;
Provide for immediate investigations; and
Be consistently enforced.
For employers that use social media regularly, or allow employees to bring their own devices to work, it may be useful to implement filtering software that monitors communications, with the employees’ express consent, to ensure that employees interact appropriately.
Hiring, Firing, and Discipline
Sample Bring Your Own Device (BYOD) Policy
An example of a workplace policy for employers that allow employees to bring their own mobile devices to work and use them at the place of employment appears below. Tailor a policy to fit the specific circumstances of an employer-client’s business.
Personal-Mobile-Device Policy for Employees of XYZ Co.
XYZ Co. (hereinafter Employer) grants XYZ Co. employees (hereinafter Employee) the privilege of purchasing smartphones and tablets of their choosing and using them at work for their convenience. Employer reserves the right to revoke this privilege if Employee does not abide by the policies and procedures outlined below.
To connect devices to Employer network, Employee must agree to the terms and conditions set forth in this policy.
By agreeing to this policy, Employee explicitly waives any privacy or proprietary rights in all data left on or transmitted over the device, including any rights conferred under the Computer Fraud and Abuse Act. In addition, Employee expressly consents to Employer’s access to, use of, and destruction of any data that is left on or transmitted over the device, as fully set forth below.
Acceptable Use
Employer defines acceptable business use as activities that directly or indirectly support Employer’s business during working hours.
Employer has discretion to block Employee from accessing certain websites during work hours or while connected to the corporate network.
Devices’ camera and video capabilities must be disabled while on-site.
Devices cannot be used at any time to:
Store or transmit illicit materials;
Store or transmit proprietary information belonging to Employer or another company;
Engage in harassment, discrimination, or other impermissible conduct under Employer’s anti-harassment policy;
Engage in outside business activities; or
Disparage any third party, including competitors.
Employee may use personal mobile device to access the following Employer-owned resources: email, calendars, contacts, documents, specific data sites.
Texting or emailing while driving on Employer business is forbidden. Only hands-free talking while driving is permitted.
Devices and Support
Employee may use any of the following types of smartphones while at work: iPhone, Android, Blackberry, Windows. Employee may use iPad or Android tablet computer.
Employer’s IT department supports connectivity issues for Employee devices. Employee [choose one] should/should not contact the device manufacturer or carrier for operating system or hardware-related issues.
Employee must present devices to IT for proper job provisioning and configuration of standard apps, such as browsers, office productivity software, and security tools, before Employee can access Employer’s network.
Reimbursement
Employer [choose one] will/will not reimburse Employee for a percentage of the cost of the device (include the amount of Employer’s contribution).
Employer [choose one] will/will not reimburse Employee for the following charges: roaming, plan overages, and so on.
Security
To prevent unauthorized access, devices must be password protected using the features of the device. A strong password is required to access the company network.
Employee is automatically prevented from downloading, installing, and using any app that does not appear on Employer’s list of approved apps.
Smartphones and tablets not on Employer’s list of supported devices [choose one] are/are not allowed to connect to the network.
Employee [choose one] can/cannot connect to the network with a smartphone or tablet that Employee keeps only for personal use.
Employee access to company data is limited based on user profiles defined by IT and automatically enforced.
Employee’s device will be remotely wiped if 1) the device is lost, 2) Employee terminates his or her employment, or 3) IT detects a data or policy breach, a virus, or a similar threat to the security of the company’s data and technology infrastructure.
Risks, Liabilities, and Disclaimers
If Employer must remotely wipe a device, Employer’s IT department will take all practical steps to prevent Employee’s personal data from being lost, but it is Employee’s responsibility to take additional precautions, such as backing up email, contacts, and so on.
Employer reserves the right to disconnect devices or disable services without notification.
Lost or stolen devices must be reported to Employer within 24 hours. Employee is responsible for notifying his or her mobile carrier immediately upon loss of a device.
Employee is expected to use his or her devices in an ethical manner at all times and adhere to Employer’s Acceptable Use Policy and Code of Conduct as outlined above.
Employee is personally liable for all costs associated with his or her device.
Employee assumes full liability for risks including, but not limited to, the partial or complete loss of Employer’s data and personal data due to an operating system crash, errors, bugs, viruses, malware, or other software or hardware failures, or programming errors that render the device unusable.
Employer reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.
Like many communication channels that operate through the Internet, social media provide an outlet for unguarded, and sometimes unwise, communications. Social media communications might give information about an individual’s political views, religious beliefs, and controversial points of view and might identify an individual’s race, ethnic background, and sexual orientation. In some cases, social media communications reveal a user’s more intimate thoughts, including information that would otherwise be kept private.
Even though social media provide access to a wide array of information that could not be obtained through an interview, employers should exercise caution in searching social media for information about prospective employees. This is so even if the information is not used to make a hiring decision. Indeed, there are reported cases in which employers searched for and circulated information about a prospective employee’s religious views, inviting costly scrutiny and litigation regarding the employer’s refusal to hire the applicant on religious grounds.3
These cases teach that it is unwise to search social media in connection with employment decisions, because the employer invites liability for doing so even if the information is not used. Some states prohibit “cybervetting” by prohibiting employers from asking for account information from a prospective employee. Wisconsin has not passed such legislation.
Similar issues surface when employers access social media during internal employee investigations. Social media may indicate than an employee is not working during a given time period or provide information about employees who are transferring proprietary or confidential data to third parties.
Despite the obvious utility of this information, there are limits. For example, federal law prohibits employers from intentionally accessing a user’s social media account without the user’s permission or consent.4 The employer also subjects itself to liability when it uses deceit or duress to access an employee’s social media account.5 Nevertheless, employers are generally permitted to access information that is in the public domain when conducting employee evaluations, provided that the employee is not disciplined for using social media during nonworking hours.
Restricting the Content of Employee Social Media Communications
Under certain circumstances, it is reasonable for employers to limit employees’ access to social media and to restrict the content of employee communications. As a starting point, it is permissible for an employer to restrict or prohibit access to social media on computers and mobile devices that are issued by the company. Employers can prohibit the use of social media for personal reasons during working hours.
Otherwise, it is often impermissible for employers to enact policies that prohibit the employees’ lawful, off-duty conduct on their own devices. In fact, Wisconsin has enacted a statute that prohibits discrimination against employees for using lawful products, which would include social media.6
Federal legislation also proscribes employer policies that restrict the use or content of social media. Under section 8(a)(1) of the National Labor Relations Act, it is unlawful for an employer to interfere with or restrain employees from organizing or otherwise engaging in protected, concerted activity. The National Labor Relations Board (NLRB) has strictly enforced this provision against social media policies by prohibiting restrictions that interfere with the exchange of information between employees that may support protected, concerted actions. Given the NLRB’s strict enforcement of this prohibition, employers cannot restrict employee social media content that is “rude,” “disparaging, “disrespectful,” or “inappropriate.” Unfortunately, the NLRB has not drawn a clear line that defines unacceptable restrictions in social media policies, and the issue remains unsettled.
As noted above, employers are permitted to implement clearly stated policies that prohibit employees from using social media during working hours. However, there are restrictions on employers’ right to discipline employees for the content of social media that is disseminated when employees are not working. If an employee is engaged in concerted activity, such discipline is impermissible. Again, the definition of “concerted activity” remains elusive. In general, communications regarding the terms and conditions of employment that are shared with other employees are protected and employers are not allowed to discipline employees for such communications, even if they are made during working hours.
Bring-your-own-device Policies
Many companies allow their employees to bring their mobile devices to work and use them at the workplace. This approach, commonly referred to as a bring-your-own-device (BYOD) policy, raises discrete legal questions. Because the employee owns his or her device, the first question centers on employee privacy and the employer’s right to access or monitor information stored on the employee’s device. To a large extent, these questions can be answered by language in the employer’s computer and social media policy, which should allow for access when the employer suspects misconduct.7
Similar questions arise when an employer seeks to erase confidential information from an employee’s device when an employment relationship terminates. Such action will require the employee’s consent to avoid liability exposure under the Computer Fraud and Abuse Act, which creates a qualified “right to privacy” in data stored on employees’ devices.
In addition to issues surrounding privacy and access, BYOD policies create problems in document-retention and litigation-hold scenarios. In both litigation and administrative inquiries, the employer must be prepared to defend the process that it employed for retaining and preserving data in anticipation of litigation. When the preservation obligation is triggered, the employer must preserve data that is in its “possession or control.”8 If the employee is viewed as a “third party,” the employer’s access rights are limited and it is only required to inform the employee of his or her obligation to preserve potentially responsive data. On the other hand, the employer may be required to produce the employee’s data if it has the legal right to obtain it “on demand.”
The Value of a Social Media Policy
As a result of the growing use of mobile devices in the workplace, an employer should implement a social media policy that is tailored to the size and mobility of its employee base, the sensitivity of data that the employees handle, and the risk presented by the unauthorized or improper use of social media. For some employers, it may be necessary to maintain ownership of the mobile device and the data stored there. Other employers may be more comfortable with BYOD policies uniquely tailored to their workforces and the data they maintain.
In all cases, the implementation of a social media policy should include potential revisions to other company policies to prevent the use of social media for improper purposes, such as harassment or discrimination. Such comprehensive revisions provide broader protection to the employer.
If the employer selects a BYOD policy, a number of questions emerge. First, the company must decide which employees will be allowed to use their mobile device at work or for work purposes when they are “off the clock.” BYOD policies might not be appropriate for certain employees in especially sensitive positions, or for nonexempt employees who might complain that the device required them to perform uncompensated “off the clock” work. In some cases, it may be advisable for senior executives to use company-owned devices to ensure better protection and retention of sensitive data.
If nonexempt employees are permitted to use their own devices for work purposes, the policy must emphasize how time should be properly recorded. Policies should also prohibit the use of personal devices for work purposes, such as scheduling or contacting clients from home. Such policies should be strictly enforced to avoid overtime claims.
Before employees are permitted to use personal devices at work, the employer should secure their consent to 1) monitor and retrieve information on the devices, 2) install security software to manage the devices, 3) access and retain data on the devices pursuant to a “litigation hold,” and 4) otherwise access data for legitimate business purpose.
These provisions should make clear that employees have minimal expectations of privacy in data stored on their devices, and thus help avert disputes regarding the appropriate ownership of company data. The policy should also prohibit the disclosure of confidential data, including trade secrets and other proprietary information.
Finally, any policy must be consistent with any existing collective bargaining agreements and, equally as important, with other workplace policies. Any social media policy must comport with wage and hour laws, harassment and discrimination laws, and myriad regulatory provisions that govern workplace conduct. Such policies are strengthened when they are internally consistent and objectively enforced.
Conclusion
In today’s digital world, information can be accessed and disseminated on a wide scale at the touch of a button. Much of this information is processed through social media and published through mobile devices. With these developments, it should come as no surprise that the circulation of information through social media creates unique legal challenges for employers. If these challenges are anticipated and analyzed in advance and addressed through appropriate workplace policies, the employer is in a better position to minimize risk and manage information in a more proactive and efficient manner.
Endnotes
1 Joseph Thornley, CEO of Thornley Fallis, April 8, 2008, http://propr.ca/2008/what-issocial-media/.
2 This article is intended to provide a general review of issues confronting private employers when their employees use social media at work. It does not address discrete issues that confront public employers under the First and Fourth Amendments to the U.S. Constitution.
3 Gaskell v. University of Ky., No. CIV.A.09-244- KSF, 2010 WL 4867630 (E.D. Ky. Nov. 3, 2010).
4 18 U.S.C. § 1701.
5 SeeEhling v. Monmouth-Ocean Hosp. Serv. Corp., 872 F. Supp. 2d 369 (D.N.J. 2012). In Ehling, theplaintiff alleged her employer gained access to her Facebook account after a supervisor asked a coworker who was a Facebook friend with the plaintiff to access the account on a work computer in the supervisor’s presence. The plaintiff argued that she had a reasonable expectation of privacy in her Facebook posting because her posts were limited to her “friends,” and while some friends were coworkers, none were management employees. “[G]iven the open-ended nature of the case law,” the court found that the plaintiff had stated a plausible claim for invasion of privacy and denied the employer’s motion to dismiss.
6 Christine Burke & Barbara Roth, Labor: Lifestyle Discrimination Laws are Becoming Increasingly Prevalent, INSIDECOUNSEL (June 13, 2011).
7 Siton v. Print Direction Inc., 718 S.E.2d 532, 535 (Ga. 2011).
8 Fed. R. Civ. P. 34(a).