Whose Social Media Account Is It Anyway?

As a result of the rapid shift in marketing from unilateral, one-to-many communications to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.

This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customer engagement and the ability to stay on top of the most current trends and business issues. For employers, it presents an opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.

First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. In addition, they contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. On both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal and work-related information.

Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.

Lastly, recent cases such as the Christou v. Beatport litigation highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post-termination risks that arise from the absence of appropriate policies.

As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.

A complete collection of the 38 federal acts governing U.S. information privacy law.

1. Bank Secrecy Act
2. Cable Communications Policy Act
3. CAN-SPAM Act
4. Children’s Online Privacy Protection Act
5. Computer Fraud and Abuse Act
6. Communications Assistance for Law Enforcement Act
7. Computer Security Act
8. DNA Identification Act
9. Dodd-Frank Wall Street Reform and Consumer Protection Act
10. Driver’s Privacy Protection Act
11. Economic Espionage and Protection of Proprietary Information Act
12. Electronic Communications Privacy Act
13. Electronic Signatures in Global and National Commerce Act (ESIGN)
14. Employee Polygraph Protection Act
15. Fair and Accurate Credit Transactions Act of 2003 (FACTA)
16. Fair Credit Reporting Act
17. Family Educational Rights and Privacy Act
18. Federal Computer Crime Act
19. Federal Privacy Act
20. Federal Trade Commission Act
21. Foreign Intelligence Surveillance Act
22. Freedom of Information Act
23. Gramm-Leach-Bliley Act
24. HIPAA Regulations
25. Identity Theft Assumption and Deterrence Act
26. Medical Computer Crime Act
27. OECD Privacy Guidelines
28. PATRIOT Act
29. PIPEDA Privacy Act
30. Privacy Protection Act
31. Real ID Act
32. Right to Financial Privacy Act
33. Safe Harbor Privacy Principles
34. Telecommunications Act
35. Telephone Consumer Protection Act
36. Uniform Computer Information Transactions Act (UCITA)
37. Veterans Affairs Information Security Act
38. Video Privacy Protection Act

Managing Compliance Obligations For Electronic Communications

Financial Services is one of the most heavily regulated industries. As electronic communications devices and platforms proliferate, message retention and oversight are a top priority for many compliance officers. A recent survey of compliance professionals in the financial services industry identified the following key issues:

    Firms are working smarter, not harder, to manage the growing compliance burden.

As the types of messages that Financial Services firms are required to monitor and store continue to increase, firms are re-evaluating and updating supervision and retention procedures. Key areas of compliance concern are:

    New regulations
    New communications channels (e.g. social media, text messaging)
    New communications devices (e.g. smartphones and tablets)
    Increased scrutiny/enforcement by regulators
    Inefficiencies of the supervision process

    Mobile devices and communications are emerging as a top concern.

Like many other industries, Financial Services firms are facing the “Bring Your Own Device” (BYOD) challenge: growing use of smartphones and tablets as well as adoption of mobile-specific communications like text messaging. This presents a challenge to conventional compliance practices, which has not gone unnoticed by regulators. Last year, FINRA issued Regulatory Notice 11-39, stating that firms are required to retain, retrieve and supervise business communications regardless of whether they are conducted from a work-issued device or a personal device. This presents a challenge to companies that must separate business and personal communications in order to ensure regulatory compliance.

    Social Media and other online communication channels present new concerns.

Use of Social Media is on the rise in the Financial Services industry. However, policies and procedures for supervision and retention lag behind the pace of adoption. In terms of the most requested message types during examination, email was first, followed by website pages (including RSS feeds, blogs, wikis), with Bloomberg or Reuters messages and instant messages tied for third place.

Conclusion

While regulatory examiners are increasing their oversight and moving from a check-the-box approach to compliance to scrutiny of the messages themselves, financial services firms are getting more savvy about their approach to compliance. In addition, as the opportunities for new types and channels of electronic communications increase, so too do the archiving and supervision technologies that allow firms to use these emerging communication tools with a greater sense of security.