Monitoring Employees’ Social Media

20140514-100704.jpg

A great deal has been written in the last week about whether you should monitor your employees’ social media activity. A lot of very smart folks fall on both sides of the debate, since it can be a rather murky issue involving a balancing act between protecting the company and respecting employees’ right to act as they wish in their time off work. Notice that I didn’t say employees’ privacy. Little, if anything, shared via social media is private, so monitoring social media can hardly be deemed an invasion of privacy.

So now I’ll offer my two cents on the subject: it probably isn’t worth it to actively monitor your employees’ social media accounts. Doing so would require a great deal of time and effort for only a small likelihood of a worthwhile result. And let’s face it, you’re probably already busy as it is, do you really need more on your plate?

Instead, just be prepared to take action if an employee posts something that could damage your business or reputation. Because the truth is, you’ll find out about it. Once you know about it, then you can decide on an appropriate response.

Monitoring doesn’t do much more than allow you to act a little bit quicker. After all, monitoring the account wouldn’t prevent an employee from saying or sharing something, it would only notify you if they did. Once the employee posts something, it will be seen and it will be cached, at which point it’s never truly gone anyway.

So maybe the biggest takeaway here is to make sure you hire employees you can trust to represent your business and your brand. Monitoring employees’ social media use probably isn’t worth the effort.

To Delete, Or Not To Delete

Two recent cases, one from the plaintiff’s side and one from the defendant’s side, highlight the importance of following information retention requirements.

Recently, Heather Painter learned a difficult lesson about deleting. Ms. Painter claimed that her boss, a dentist, sexually harassed her. After filing her lawsuit, she deleted some Facebook comments that (allegedly) said she loved her job and working for the dentist. Ms. Painter claimed that she did not know it was improper to delete the comments, but the court disagreed. Deleting the posts was a deliberate act, and the court could not infer that she deleted comments, that were detrimental to her case, for an innocent reason. The judge decided that the jury should infer that the Facebook posts undermine Ms. Painter’s claims, which is a particularly rough sanction.

Even more seriously, Kurt Mix, a former high-level engineer for BP, is in trouble for deleting text messages from his employer-supplied iPhone in April 2010. A federal jury decided that Mr. Mix deliberately destroyed the messages because they would prove that BP lied about the amount of oil spilled into the Gulf of Mexico. Now he is facing a prison term of up to 20 years and a max fine of $250,000 in fines.

Back in the day, businesses only had to worry about retaining paper documents. Now, information is stored in so many places and forms. Important information is stored via hard drive, cloud drive, email, text message, social media and more. Corralling, and more importantly retaining, that information can be a herculean task, especially when employees have easy, and sometimes sole, access to the information.

So, how do you tackle this difficult issue? Develop a comprehensive information retention policy and provide your employees with training on implementing the policy.

Your information retention policy should address:
How long information should be retained
When information should be retained beyond the policy limits (for example, when litigation occurs)
Where information should be stored and in what format
Procedure for inquiries regarding implementation of the policy
Disciplinary procedures for violating the policy

Training, which is probably more important than the policy itself, should address not only the proper retention of information, but the reasons for doing so. Your employees will be much more likely to adhere to the policy if they know they could face fines or prison time, as well as subject the company to significant sanctions in court.

And most importantly, when it comes to information, never, ever, ever try to destroy something that hurts your case. It will almost always come back to haunt you, and it will be much worse when it does.

Confident It Won’t Remain A Secret

confideTwo fairly new apps are receiving a lot of press lately: Confide and Secret.  While you may have heard them mentioned before, you may not be familiar with what each app offers.

Confide is an iOS messaging app that its creators say will allow users to send messages without fear that those messages will be shared.  Confide accomplishes this in several ways.  Messages must be swiped to be read, preventing a simple screenshot.  In addition, the app will alert you if a screenshot is attempted (because let’s be honest, someone will attempt it at some point).  Finally, messages are not stored on Confide’s servers, so once they are read they’re supposed to be gone for good.

Secret isn’t a messaging app, its more of an anonymous sharing app.  The app allows you to create a post, saying anything that you’d like, without attaching your name to it.  They want users to “speak freely” in the hopes that others will share your thoughts.

When I first heard about these two apps, my first thought was “Someone is going to get caught saying something dumb because they don’t think they’ll get caught.”  In some cases these apps, particularly Confide, are being billed as a way for executives and other business people to have off-the-record conversations.

Unfortunately, there’s no sure-fire way to ensure that the words you typed into Confide won’t be shared in some manner.  There’s no alert to inform you that the recipient of your message had someone reading over their shoulder.  There’s also no way to prevent the recipient from simply telling someone else about the message.  Every day plaintiffs file lawsuits based on testimony that a fellow employee or supervisor said something derogatory or inappropriate.  Confide and Secret only change things slightly. “I heard the boss say he’d never hire a pregnant woman” isn’t any worse or damaging than “I saw the boss’s message on Confide that said he’d never hire a pregnant woman.”

With any of these apps, you’re entirely dependant upon the trustworthiness of the recipient.  Just because they don’t have an email or a screenshot of the message does not mean that it can’t be used, in some way, to damage the company.

I’ll leave you with this thought: If you wouldn’t feel comfortable saying it in front of a judge, then don’t say it, don’t type it and, maybe, don’t even think it.

Don’t Let Jailbreaking Escape Your BYOD Policy

Bring-your-own-device (BYOD) approaches have been embraced by employers, because they can reduce costs and employees tend to prefer being allowed the freedom to choose their own phones and tablets.

Of course, the freedom to purchase and use their own phones and tablets comes with a new set of challenges and, potentially, headaches.  A small, but very passionate, minority of smartphone and tablet owners choose to jailbreak  (Apple) or root (Android) their devices.

Continue reading on HR Examiner

Tight Rope Walking: Social Media Policies and the NLRB

Social MediaI’ve written about technology and social media before, and how they are continually impacting your business. Social media, particularly, plays a huge role in your employees’ lives. And if you think they’re not accessing social media throughout the day, including work hours, I have a bridge in Brooklyn to sell you.

Over the last few years, the NLRB, whose rulings may cover both union and non-union workplaces, began targeting employer social media policies.  Under the National Labor Relations Act, an employer may not prevent employees from discussing working conditions or engaging in protected, concerted activity and the NLRB has been applying those rules to employer social media policies.  Where an employer’s social media policy directly infringes on those rights, or even if it includes vague terms or provisions without limitation, the policy may be unlawful.

The NLRB’s guidance for social media policies seems to change every day, but these are the important points to remember:

  • Don’t prohibit disclosure of “confidential” or “proprietary” information without specifically defining the terms. Even better, use examples.

  • Be careful with restricting employee’s use of your business’s name or trademark.

  • Don’t require employees to obtain permission before posting to social media, as it could appear that you’re trying to inhibit protected activity.

  • Narrowly tailor any prohibition on “offensive, demeaning, abusive or inappropriate remarks” because protected employee criticisms of labor policies or employee treatment could be prohibited.

  • Don’t prohibit employees from discussing legal matters or litigation, because employees must be allowed to discuss potential claims against your business.

  • Don’t include any language that may be read to prohibit or dissuade employees connecting on social media, because it could inhibit protected communications.

  • Include examples when requiring employee posts to be accurate.

  • Don’t prohibit employees from discussing salaries, working conditions or job satisfaction.

Unfortunately, while the NLRB’s rulings and guidance are helpful in crafting a lawful social media policy, the NLRB’s rulings may be reviewed by federal appellate courts, resulting in further changes.

In short, make sure your social media policy doesn’t affect your employees’ ability to communicate, specifically defines any terms that may have different meanings and includes examples of appropriate behavior wherever possible.

Dnt Txt N Drv

While many states, including Pennsylvania, have implemented laws the ban texting while driving, the federal government has also thrown its hat into the ring. The Occupational Safety & Health Administration (OSHA) has implemented a Distracted Driving Initiative, which will focus on texting while driving.

OSHA calls upon all employers to ban texting while driving and remove any practice or policy that requires or encourages workers to text while driving. The first part of OSHA’s call to action is certainly easy to implement. Simply add a section in your employee handbook prohibiting texting while driving (and maybe take it a step further by prohibiting cell phone use in general while driving) and ensure that all of your employees are aware of the policy.

The second part, removing practices or policies that require or encourage texting while driving, is a little more confusing and, possibly, more difficult to implement. If your policies and practices require texting while driving, create incentives that encourage it or if work is structured so that texting is a practical necessity for workers to carry out their job, you may be subject to an OSHA fine.

For example, if your employee is required to make a certain number of deliveries each day and must stay in contact with other employees or customers via text message or email, you could be fined by OSHA And in this case, the employee would not even need to have an accident for you to be fined, OSHA could find the violation due to an employee complaint or an inspection.

If OSHA does find a violation, it will issue a General Duty Claus citation, which carries a maximum penalty of $70,000 per Willful or Repeat violation or $7,000 per Serious Violation. Given the announcement of this Initiative, expect OSHA to respond aggressively to any accident where distracted driving may have been a factor or if an employee complaint is lodged.

Employers should implement policies that clearly prohibit texting or emailing while driving any company vehicle or while driving on the job. The policies must be communicated to all employees. Any practice that requires or encourages employees to text or email while driving, even if the encouragement is indirect, should be removed or rewritten so that it clearly forbids texting while driving. Erring on the side of caution now may save you thousands of dollars, and potentially employee lives, in the future.

Will a BYOD Policy W-O-R-K for You?

One of the most popular trends in the IT world right now is the bring-your-own-device (BYOD) approach, where employees use their own mobile device at work. Its another case of new technology creating new problems. Before implementing a BYOD policy, you need to weigh the risks against the cost benefits.

IT departments have spent years working on desktop security and trying to prevent data loss via web and email, but employees are increasingly accessing corporate data with their own smartphones and tablets. As a result, employers have much less control over the security protecting their corporate data. Unlike desktops, very few people have protection against viruses and malware on their smartphones and tablets. Thirty-seven percent of IT decision makers reported that their business had unintentionally exposed corporate data through theft or loss of removable devices in the past two years.

From a legal standpoint, ownership of the smartphone or tablet is irrelevant in case of a lawsuit. Current discovery rules require litigation parties to preserve all relevant electronic data, which will include information stored on employee devices. Employees will need make any personal information stored on their devices accessible, including the history of the websites visited, songs and movies downloaded and played, copy of financial transactions or statements, the list of personal contacts and electronic communications including personal emails, personal phone call, text messages and various social media activities including Facebook, Twitter and VoIP services such as Skype.

While employees may initially be happy to choose their own device for work, that happiness may fade when the reality of the BYOD policy sets in. The IT department may restrict access to certain device features, like the application store, camera and media tagged as explicit. Employees may lose personal information if their device has to be remotely wiped. Employees may also be concerned that the IT department could access their personal data, even though most device management solutions do not allow such intrusions. Finally, if an employee is on a business trip, and loses their smartphone or tablet, there will likely be some confusion as to who is responsible for replacing the device.

Despite the risks, a BYOD policy may be the right choice for your business. You can adopt certain policies, which must be clearly communicated to employees, to help mitigate the risks. Any lost personally-owned or personally-owned devices belonging to a terminated employee should be remotely wiped. Employees should be prohibited from storing confidential corporate data or credit card data on unencrypted devices. Employees should also be prohibited from conducting any company business through the use of personal accounts, such as text messaging or email. And, as with all technology-based policies, it’s important to remember that the policies must evolve and change along with the technology, as it seems like smartphones and tablets have new features every day.

The Cost of Curiosity

In a growing trend, employers are asking job applicants and employees to provide login information to their Facebook pages and other social networking accounts. Many are questioning the propriety of asking for login information, particularly because an applicant or employee may believe refusing will cost them a job. However, even reviewing social media profiles, or utilizing a third-party application, to obtain information about applicants and employees may expose employers to legal liability.

Facebook has already confirmed that password sharing is prohibited under its Terms of Service. Facebook’s “Statement of Rights and Responsibilities” Section 4(8) explicitly prohibits password sharing:   “You will not share your password, (or in case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.” While violating the letter or spirit of the Facebook Rights and Responsibilities can lead to deletion of the user’s Facebook account, there are few real legal consequences for such violations. The Department of Justice regards entering a social networking site in violation of the terms of service to be a federal crime, but admitted that they would not prosecute offenders.

There are real legal dangers in asking an applicant or employee for login information, or even reviewing their social media accounts.  Many people post information on social media sites that may show a protected status (age, sex, religion, disability, genetic information, race, national origin and pregnancy), lawful off-duty conduct (alcohol or smoking), or criminal history.  Such information may be, albeit unintentionally, factored into hiring or workplace decisions. It could be particularly damaging if an employer requested access to social media accounts, and then makes a decision that detrimentally affects the applicant or employee. It simply creates more fodder for a potential lawsuit.

Employers that insist on reviewing applicant or employee social media profiles should take steps to maintain objectivity. Assigning a non-decision-maker to review the social media profiles, before passing on relevant information onto the hiring personnel, can help to prevent those making the hiring decision from relying on improper information. Employers may also want to limit their social media search to LinkedIn, because it is a professional site, which is much less likely to display improper information.

In the end, employers are generally better off not trying to obtain information about applicants and employees via Facebook and other social networks. The possibility that important information may be unearthed is greatly outweighed by the potential legal pitfalls and lawsuits a search may create.

Hat-tip and thanks to Susan Stobbart Shapiro