Social Media Law Update

California Bill to Expand Data Security Breach Notification Law Clears Senate Hurdle

Sheppard Mullin — Thu, 23 May 2013 08:52:51 -0800

Last week, the California state Senate passed S.B. 46, a bill to expand the triggering data under the existing data security breach notification law. Currently, breach notification in California is triggered by the unauthorized acquisition of an individual’s first name or initial and last name in combination with one or more of the following data elements, when either the name or the data elements are unencrypted: social security number; driver’s license or state identification number; account, credit card or debit card number in combination with any required security or access codes; medical information; or health information. S.B. 46 adds to the list of data elements, password, user name or security question and answer for an account other than a financial account. Like the existing list of personal information, this additional information must be in combination with the first name or initial and last name of the individual and one of the elements must be unencrypted in order to trigger the reporting requirement.

The bill now makes its way to the state Assembly for review. It will also need the governor’s signature prior becoming law.

Who Owns Your Online Persona?

Sheppard Mullin — Wed, 27 Mar 2013 08:50:20 -0800

By Paul Cowie and Wayne Chang

Eagle v. Morgan, 2013-11-4303 (E.D. Pa. 2013), represents one of the first trials on the issue of who owns social media accounts: the individual employee who first created the account or the employer whose business was promoted using the account? In Eagle a company's founder sued her former employer for the alleged illegal use of her LinkedIn account. The U.S. District Court for the Eastern District of Pennsylvania held that an employer's conduct, absent a company social media policy, resulted in the torts of unauthorized use of name, invasion of privacy by misappropriation and misappropriation of publicity. The court, however, held the employer not liable for conversion, tortious interference with contract, civil conspiracy and civil aiding and abetting. Lastly, the court rejected the employer's counterclaims of misappropriation and unfair competition.

This case illustrates the increasingly common issues surrounding employee use of social media in the course of promoting, selling and marketing for their employers. Specifically, it shows the consequences of not having in place a policy relating to use and ownership of social media and social media accounts. In Eagle, the court suggested that the employer may have prevailed if it had implemented a social media policy that covered factors relevant to ownership, such as whether: (1) the employer paid the social media account fees; (2) the employer dictated the precise contents of the employee's account; (3) the employee acted expressly on behalf of the employer due to her position, role or responsibility; or (4) the social media account was developed and built through investment of the employer's time and resources.

Facts and Claims

Dr. Linda Eagle was a co-founder of a business which was sold to Edcomm. As part of the sale Eagle agreed to continue as an employee of Edcomm. During her employment, Eagle used her LinkedIn account to promote Edcomm's business. She shared her username and password with several Edcomm employees to help respond to invitations and to update the account. Edcomm terminated Eagle's employment on June 20, 2011, and upon doing so, Edcomm changed the password to Eagle's LinkedIn account, thereby locking her out. Edcomm gained exclusive control of the account until July 7, 2011, when LinkedIn took over the account and returned access to Eagle a week later. As of the date of Eagle's termination in June 2011, Edcomm did not have in place a company policy informing the employees that their LinkedIn accounts were the property of the employer.

During Edcomm's control of the account, it changed the account to reflect the name, picture, education and experience of Sandi Morgan, the interim CEO of Edcomm, even though the URL of the account remained http://www.linkedin.com/in/lindaeagle, and a Google search of "Linda Eagle" would return results to said URL.

Eagle sued Edcomm for (1) unauthorized use of name; (2) invasion of privacy by misappropriation of identity; (3) misappropriation of publicity; (4) identity theft; (5) conversion; (6) tortious interference with a contract; (7) civil conspiracy; and (8) civil aiding and abetting. Edcomm counterclaimed for (1) misappropriation; and (2) unfair competition.

Plaintiff's first three causes of action

The court held Edcomm liable under claims of unauthorized use of name, invasion of privacy by misappropriation of identity and misappropriation of publicity because it took over Eagle's account and replaced the content with Morgan's information. Specifically, the court found that Eagle's name and likeness held commercial value because of the investment of time and effort in developing her reputation in the industry; and that Edcomm used Eagle's name without her consent for commercial and advertising purposes. The court said "[when searching for Eagle or visiting Eagle's LinkedIn page,] an individual would unawaringly be put in contact with Edcomm [and Morgan], despite the fact that Dr. Eagle was no longer affiliated with Edcomm." The court concluded that Edcomm's actions were for the commercial benefit of Edcomm and at the same time deprived Eagle of the benefit of her name.

Even though Eagle established the prima facie elements for the first three causes of action, she did not recover any compensation because she failed to establish with sufficient certainty any damages or a causal connection between Edcomm's wrong and any injury.

Plaintiff's Other Causes of Actions

Eagle failed in her other causes of actions.

First, identity theft was not established because Pennsylvania requires an unlawful possession of a person's identifying information, and the court held that mere use of Eagle's name to direct to Morgan's information and keeping Eagle from her personal account, "while perhaps unscrupulous, is not so clearly an 'unlawful' purpose."

Second, conversion was not established because under Pennsylvania law a LinkedIn account is not tangible chattel subject to a conversion claim, but rather it is an intangible right to access a specific page on a computer; the court analogized the LinkedIn account to other intangible property not subject to conversion such as software, domain names and satellite signals.

Third, tortious interference with a contract failed because it required Eagle to prove damages, which she could not establish. The court noted, however, that all of the other requisite elements of this tort were met, and in particular, Edcomm acted with the purpose or intent to harm Eagle when Edcomm locked her out of her account thereby preventing the Eagle-LinkedIn relationship to continue. The court expressly rejected Edcomm's argument that it owned Eagle's LinkedIn account under Edcomm's policy, because (a) no such policy existed, and (b) LinkedIn's User Agreement clearly indicated the contrary.

Counterclaim For Misappropriation

Unsurprisingly, given its rulings in Eagle's favor, the court held that Eagle's reclaiming of her LinkedIn account was not misappropriation because: (i) "Edcomm never had a policy requiring that its employees use LinkedIn, did not dictate the precise contents of an employee's account, and did not pay for its employee's LinkedIn account."; (ii) the LinkedIn User Agreement expressly stated that Eagle's account was between LinkedIn and Eagle; and (iii) Edcomm failed to show Eagle's contact list was "developed and built through investment of Edcomm['s] time and money as opposed to Eagle's own time, money and extensive past experience."

Importance of a Social Media Policy

This case provides employers with guidance regarding what steps should be taken if they wish to obtain ownership rights to LinkedIn and other social media accounts. Of particular interest, the judgment included an entire email exchange wherein company executives had discussed the importance of LinkedIn accounts and the need to introduce a policy that such accounts were the property of the company. However, despite this email exchange the policy was never formulated and implemented. The lesson is clear: Employers wishing to protect social media accounts which they view as company marketing and branding should act now and introduce clear policies regarding ownership.

This article is reprinted with permission from the 3/22/13 issue of The Recorder. ©The Recorder 2013 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Privacy On The Go: Recommendations For The Mobile Ecosystem

Sheppard Mullin — Thu, 10 Jan 2013 14:50:03 -0800

California’s Attorney General today issued recommendations for mobile app developers and the mobile industry to safeguard privacy for consumers.

Pinterest "Pins" New Guidelines For Sweepstakes And Contests

Sheppard Mullin — Thu, 20 Dec 2012 10:21:36 -0800

Pinterest has released new Promotions and Marketing Guidelines for retailers, consumer brands and other companies running promotions on its platforms. Among other things, the new guidelines say don’t run a sweepstakes where each pin, repin or like represents an entry.

FTC Enacts COPPA Updates

Sheppard Mullin — Wed, 19 Dec 2012 15:56:33 -0800

In October we reported that the FTC had issued its proposed updates to COPPA. Today it enacted these new rules.

California AG to Begin Enforcing Privacy Law Against App Developers - $2500-per-Download Fines

Sheppard Mullin — Fri, 07 Dec 2012 09:25:07 -0800

By Rachel Tarko Hudson

Mobile app developers must now conspicuously post and follow privacy policies just like websites and other commercial online services according to California Attorney General Kamala Harris. On October 30, the Attorney General’s office began sending warning letters to app developers notifying them that they had 30 days to comply. Time is now up. And the consequences are potentially substantial with the law carrying fines of up to $2,500 per download.

California’s Online Privacy Protection Act (OPPA) provides that “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site,” or in the case of an operator of an online service, make that policy reasonably accessible to those consumers. The OPPA also includes specific requirements for the content of privacy policies. While the OPPA has been in effect since 2004, the Attorney General’s office only recently began focusing its attention on enforcing the law against app developers.

The Attorney General’s office sent about 100 warning letters to the developers of some of the most popular apps in this first round, stating that it was the first step in enforcement against those developers. Given the high proportion of apps without posted privacy policies, it is likely that additional letters will be sent. While no more formal enforcement actions have been reported, the Attorney General has indicated that she and her office are prepared to sue developers if necessary. In addition, the Attorney General has reached an agreement with the major app platforms to require that apps distributed through their platforms have clear privacy policies.

While the Attorney General is presently giving app developers 30 days to comply with the OPPA in the warning letters, with the increased regulatory and consumer focus on privacy issues, app developers should examine their information privacy practices and draft and post a privacy policy that complies with the OPPA and other privacy laws. Many developers cut and paste privacy policies from other apps. This is a mistake. Those privacy policies may not comply with the law. Also, each developer should tailor its privacy policy to fit their specific app and information privacy practices.

New York AG Addresses Cause Marketing on Social Media

Sheppard Mullin — Wed, 28 Nov 2012 08:39:49 -0800

By Rachel Tarko Hudson

The New York Attorney General’s Charities Bureau recently released “Five Best Practices for Transparent Cause Marketing” which contains general best practices for cause marketing campaigns, including campaigns conducted on social media. Cause marketing, also known as commercial coventures, is the practice by a for-profit company of donating a portion of the purchase price of an item or service to a charity. Cause marketing is becoming increasingly popular among companies looking to do good as well as to generate positive publicity for their brand. Many states regulate cause marketing, however, New York’s Best Practices indicate that greater attention may begin to be focused on campaigns conducted using social media and other newer online platforms for giving.

According to the Best Practices, companies and charities’ “should be no less vigilant” in their conducting of cause marketing campaigns using social media than they would be in more traditional product sales settings. Applying the general best practices to the social media setting, the Best Practices advise that:

The terms of the campaign should be “clearly and prominently” disclosed as part of the online marketing
Marketing should include:
- the amount to be donated to charity per action
- the name of the charity
- the dates of the campaign
- any minimum or maximum amount to be donated

Companies are also told to track donations in real-time for the duration of the campaign and make the progress of the campaign transparent to users. When the campaign ends or any maximum amount is reached, it should be discontinued or at least made clear to users that any subsequent actions will not result in a donation to the charity. Companies are also told, as part of the general Best Practices, to post and maintain on their website the amount of the donation made by the company as a result of the campaign.

The Best Practices focus on social media campaigns conducted on sites such as Facebook or Twitter where a donation will be made for every person who “likes” or “follows” a company. But the Best Practices should be considered in conducting other social media and online campaigns as they are a window into how at least one Attorney General will view these types of campaigns.

The bottom line is that marketers should keep in mind that an overarching theme in the Best Practices are that consumers should receive helpful and truthful information about cause marketing campaigns. Tell consumers what you are doing and what they are getting for their money or their “likes.”

FTC Proposes Updates to Children's Online Privacy Law

Sheppard Mullin — Fri, 12 Oct 2012 09:40:13 -0800

The Federal Trade Commission recently proposed several updates to the Children's Online Privacy Protection Act of 1998 (COPPA).

COPPA currently provides that operators of websites and other online services that collect personal information online about children under 13, or whose websites or services are directed at children under 13, must:

post a clear and comprehensive privacy policy on their website or service describing their information practices for children’s personal information;
provide direct notice to parents and obtain verifiable parental consent before collecting personal information from children;
give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
provide parents access to their child’s personal information to review and/or delete it;
give parents the opportunity to prevent further use or online collection of a child’s personal information; and
maintain the confidentiality, security, and integrity of information they collect from children.

The proposed updates to COPPA are designed to address challenges created by technology advancement since COPPA was enacted in 1998 – Twitter, Facebook, and the iPhone and other smart phones and mobile devices did not exist in 1998.

What would the proposed updates to COPPA mean for website and online services?

COPPA’s regulations would extend to mobile devices;
websites that integrate features such as a Facebook login, advertising networks, and downloadable software kits ("plug-ins") would need to get verifiable parental consent before collecting personal information from children under 13;
behavioral advertising tracking cookies and geo-location information would be added to the definition of personal information that marketers and website operators must get verifiable parental consent to collect; and
COPPA would allow a website that attracts both children and adults to apply privacy protections only to those who say they are under 13 (currently, such websites must treat all users as under 13).

The proposed updates to COPPA have been in the making for several years. In September 2010, the FTC solicited public comments on how COPPA might be improved. In 2011, the FTC released its recommendations. It then solicited two additional rounds of comments on its recommendations. The FTC will make final recommendations by the end of the year.

He "Likes" Me, He "Likes" Me Not - Facebook's Sponsored Stories Lawsuit, Fraley v. Facebook, Changes Landscape Of Privacy Litigation; Kids Threaten Proposed Class Settlement

Sheppard Mullin — Mon, 30 Jul 2012 09:36:17 -0800

By Elizabeth Berman

Facebook, Inc. was sued in a class action last year over one of its advertising practices called “Sponsored Stories,” which typically consist of a Facebook Friend’s name, profile picture, and an assertion that the person (your Facebook Friend) “likes” an advertiser, coupled with the advertiser’s logo, featured on your Facebook page or News Feed. The idea is that the target of the advertisement (i.e., you) will be more influenced by the company’s advertisement because someone in your network (i.e., your Friend) “likes” that company. The disconnect is that “liking” a page on Facebook does not necessarily mean the user likes that company in the normal sense of the word. For example, one could “like” a page in order to get some promotional benefit from the company or learn more information about the company or its product.

The named plaintiffs, two of which are minors, alleged “Sponsored Stories” violated California’s Right of Publicity Statute, Civil Code § 3344; California’s Unfair Competition Law, Business & Professions Code § 17200, et seq. (“UCL”); and the common law doctrine of unjust enrichment. Generally, the plaintiffs alleged the way Sponsored Stories worked unlawfully misappropriated their names, photographs, likeness and identities for use in paid advertisements without their consent. Facebook moved to dismiss their claims, arguing lack of Article III standing, immunity under § 230 of the federal Communications Decency Act (“CDA”), and failure to state a claim upon which relief can be granted. Late last year, the California Northern District Court denied the motion except with respect to the unjust enrichment claim.

Notably, the District Court rejected Facebook’s argument that the plaintiffs lacked Article III standing, drawing a distinction between the plaintiffs’ allegations and other recent District Court privacy cases coming to the opposite conclusion under similar facts (Low v. LinkedIn, iPhone App Litig., and LaCourt v. Specific Media, In re Doubleclick, Cohen v. Facebook), on the grounds that the plaintiffs’ allegations were sufficiently particular with regard with what information Facebook used, how it used it, to whom their information was published, how they were economically injured by the use of their information to advertise to others (versus using one’s information to advertise to oneself), and how their information inherently had some commercial value (because a Sponsored Story ad was viewed by Facebook as more valuable, and therefore more expensive, than a generic ad).

The case did not proceed beyond the plaintiffs’ allegations to class certification or summary judgment because, before the hearing on class certification was held, the parties reached a settlement in or around May, 2012. The plaintiffs filed a motion for preliminary approval of the proposed class settlement, which calls for changes to Facebook’s website and terms of use and additional control functions over one’s appearance in a Sponsored Story. The settlement includes other terms applicable to minors, such as a requirement that minors represent that they have received parental consent before they can be featured in a Sponsored Story. Facebook also agreed to bear the costs for class notice and settlement administration, in addition to paying $10 million in cy pres relief to the class and almost $40,000 to three class representatives. The proposed class is nationwide, and there is also a proposed subclass consisting of minors.

A motion to intervene and oppose the motion for preliminary approval was filed in June, 2012 on behalf of the minor class members, whose interests are also represented in another related class action against Facebook and would be covered by the proposed release in the Fraley settlement. The minors are objecting for several reasons, including for example (1) the proposed settlement would not address the fundamental issue that minors lack the capacity to provide consent, and simply asking them to confirm they have parental consent is insufficient, and (2) that the Fraley action is limited to Sponsored Stories, whereas their related action, C.M.D. v. Facebook, challenges the use of children in advertising more generally. The intervention has the potential to blow up the proposed settlement and force the parties to start settlement discussions over again or proceed to class certification.

Both motions (for preliminary approval and intervention) are set to be heard on August 2, 2012.

Federal Government Targets Privacy Violations by Social Media Companies

Sheppard Mullin — Fri, 29 Jun 2012 09:46:55 -0800

By Neil Ray

Continuing its focus on privacy issues, the Federal Trade Commission (FTC) reached a settlement earlier this month with social networking service, Myspace, over charges that it misrepresented its protection of users' personal information. The FTC alleged that Myspace allowed advertisers to access personally identifiable information despite previous assurances to its users that it would keep such information private. The settlement requires Myspace to implement a comprehensive privacy program, and calls for regular, independent privacy assessments for the next 20 years.

The primary data practice at issue was Myspace's alleged sharing of the unique identifier assigned to each profile of each Myspace user called a “Friend ID” with third-party advertisers to customize advertisements directly on its site. The FTC alleged that advertisers could use the identifier - by simply typing the Friend ID in the URL after the slash in www.myspace.com/ - to access a particular user's profile and personal information. A user's profile contains some basic profile information such as his or her age, gender, profile picture (if the user chooses to include one), display name, and, by default, the user's full name. User profiles also may contain additional information such as pictures, hobbies, interests, and lists of users' friends. The FTC also alleged that advertisers could use a tracking cookie to combine an individual user's real name and other personal information to link broader web-browsing activity to that specific individual.

Myspace's privacy policy promised it would not share users personally identifiable information, or use such information in a way that was inconsistent with the purpose for which it was submitted, without first giving notice to users and receiving their permission to do so. The privacy policy also promised that the information used to customize ads would not individually identify users to third parties and would not share non-anonymized browsing activity. The FTC alleged that the Myspace's use of the Friend ID was not described in its privacy policy and it did not receive permission from its users for such sharing. The FTC charged that this constituted deceptive statements in its privacy policy which violated federal law (Section 5(a) of the Federal Trade Commission Act).

In addition, Myspace certified that it complied with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. As part of its self-certification, Myspace claimed that it complied with the Safe Harbor Principles, including the requirements that consumers be given notice of how their information will be used and the choice to opt out. The FTC alleged that these statements were false.

The proposed settlement bars Myspace from misrepresenting the extent to which it protects the privacy of users' personal information or the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect consumers' information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for 20 years.

Since 2010, the FTC has reached a dozen settlements against companies that the agency accused of failing to uphold their privacy promises to consumers. The agreement with Myspace is similar to one the FTC made in November with Facebook over its sharing of users’ information with advertisers and making public information that it had said would be kept private. Under that settlement, Facebook is required to submit to a third-party privacy audit every two years for the next 20 years and to obtain express consent before making changes that override user privacy preferences. In March 2011, Google agreed to settle the agency's claims that it used deceptive practices and violated its own privacy policies when it launched its Google Buzz social network in 2010. That agreement, similar to the later ones with Facebook and Myspace, also requires regular privacy audits for the next 20 years.

Companies Using Pinterest, Be Careful Not to Get Pricked

Sheppard Mullin — Thu, 26 Apr 2012 09:50:14 -0800

By Rachel Tarko Hudson

Pinterest has seen its number of daily visitors increase by 145 percent since the beginning of 2012, now counting 11 million users on its site, according to recent reports. It is a powerful social media tool by any standard, however, in recent months, with its meteoric rise, concerns have also surfaced about potential copyright issues. Needless to say, companies are clamoring to gain access to this vast and ever increasing pool of users, but they should (and can) proceed with caution in order to stay on the right side of the copyright issues.

What is Pinterest?

If you are not among the 11 million users, Pinterest is a site that allows users to "pin" content of their own and from around the internet on an attractive display that looks much like a corkboard you would have at home or in your office. In this format, users can then follow other users' "pinboards" and re-pin items they see on Pinterest on their own pinboards. Pinterest is linked through an app to Facebook and Twitter and provides a "Pin It" button for web browser tool bars and for websites allowing users to easily pin things to their pinboards as they see them. There is of course also a mobile phone app.

So What is the Problem?

Pinterest is set up to encourage users to pin content they find on the internet on their pinboards, but these users may not always have the right to post these images on Pinterest. It is still unclear what rights are necessary to be able to pin content on Pinterest. The pins usually involve posting entire images, so if users do not own or have a license to the image, they may not have the right to pin it. Some, however, have argued that the images are more like thumbnails with links and thus that it is potentially a fair use. In any event, the Terms of Use for Pinterest's site place responsibility for content posted by users with the user. Thus, a user represents and warrants that she has the right to pin the item and to grant the right to others to re-pin it and agrees to indemnify Pinterest from liability for infringement.

This policy creates several issues. First, it places the burden for any infringing activity on users. Second, it may not protect Pinterest in the first place. Pinterest could still be the subject of claims for contributory copyright infringement for its actions (encouraging or aiding infringement through the site) and inactions (not taking more affirmative steps to prevent infringement). Finally, re-pinners may also be at risk if they re-pin infringing content when it is highly unlikely that the original user who pinned the item had permission to do so.

Pinterest's Response

Pinterest has taken several steps to address concerns over copyright issues on its site. Pinterest has a Digital Millennium Copyright Act (DMCA) Policy in effect. The DMCA provides a safe harbor for organizations like Pinterest that potentially protects them from liability for infringement. The safe harbor applies when the site provides a mechanism for copyright holders to report alleged infringement to the site and then the site promptly removes the allegedly infringing content. Pinterest also offers a "no pin" code. Copyright holders can add the code to their content so that it cannot then be pinned on Pinterest, a so called opt out.

Recently, Pinterest has said that it (and its lawyers) feel that the site is protected by the DMCA. The company contends that its activities fall squarely under the safe harbor of the DMCA and that they are committed to responding efficiently to all reports of copyright infringement.

Pinterest also revised its terms of service on April 6, 2012, in addition to making other changes to its legal policies and other disclosures. The license grant from users to Pinterest no longer gives Pinterest the right to sell the pinned content. This change should alleviate some of the copyright concern. The license grant from users, however, is still fairly broad, although limited to the Pinterest site. Pinterest also made changes to make it easier for copyright holders to report copyright violations to Pinterest. Finally, Pinterest changed the Pin Etiquette rule encouraging pinners to avoid self promotion to now only encourage them to be authentic. This change comes in response to critiques that by telling pinners to avoid self promotion, Pinterest was encouraging them to post other people's content, possibly in violation of copyright laws.

Does That Settle the Issue?

Not really. If the DMCA protects anyone, it is Pinterest and not its users. The DMCA does not provide any protection against liability to users for copyright infringement and if a user frequently posts material that is the subject of complaints of infringement, the user can have her account disabled. But the DMCA may not even protect Pinterest. To come under the DMCA safe harbor, you cannot have actual knowledge of infringement on your site. It is unclear how the general knowledge standard would apply in the case of Pinterest.

The opt out code is helpful to users as it protects them (and Pinterest) from the copyright holders who are most concerned about their content being posted on Pinterest. It also protects people and businesses who do not want their content to be pinned on Pinterest. Simply not posting content with the opt out code may not be enough, however, to protect either Pinterest or users just because they post content that does not include the code. The DMCA policy also helps copyright holders who want to prevent unauthorized use of their content on Pinterest. If you find unauthorized pins of your content on Pinterest, you can notify Pinterest through the process posted in their legal section in order to have that content removed.

The "Pin It" button appearing on a website is likely the most promising development. If a copyright holder places a "Pin It" icon with her content, it may act as an implied license to pin that content on Pinterest.

The changes to the terms of service and other disclosure language will help alleviate some of the concern about copyright issues by making it easier to address copyright infringement, relieving concern about what Pinterest will do with images, and by removing some of the social pressure to pin other people's content. However, these changes are likely only a step in the right direction and not a panacea.

What Now?

The risks do not mean users cannot use Pinterest without violating copyright laws. So long as you own the rights to your content, you can pin it and others can re-pin it. When users pin content, they grant others the right to re-pin it on Pinterest. If you re-pin content that it is reasonable to believe was pinned by someone who can grant you the rights they are granting, then you are likely protected from infringement. For example if I post photographs that I take of a room in my home or a company posts images of its products, it is reasonable to rely upon the license I and that company are granting you to re-pin the image using the functionality of the Pinterest service. If I, on the other hand, pin one of Annie Leibowitz's photographs of Miley Cyrus on Pinterest, it is unlikely I had permission to do so, and thus it might be unreasonable for other users to rely on my license to re-pin that image. As noted above, a relatively safe practice is to Pin content that contains the Pin It button. Users on Pinterest should also be aware of the rights to their own content that they are giving away when they post on Pinterest. You are granting to other users the right to re-pin the item on Pinterest and thus are giving up some control over that content.

Users, businesses included, who use Pinterest carefully should be able to navigate the waters successfully and open their products, services, creations, and inspirations up to the rapidly growing base of Pinners. Like any new online service there is some uncertainty and some risk, but by exercising care, much can be mitigated.

Occupiers' Motion to Quash Subpoenas of Tweets Raises Privacy Questions

Sheppard Mullin — Tue, 03 Apr 2012 08:57:18 -0800

By Craig Cardon and Rachel Tarko Hudson

Occupy protesters in New York are attempting to quash the Manhattan District Attorney's subpoenas of their tweets and Twitter account information. The protesters were arrested for obstructing the Brooklyn Bridge during a protest in October. The District Attorney wants to use the tweets to show that the protesters knew their actions were not sanctioned by the police. The D.A. is also attempting to obtain account information in order to connect anonymous Twitter accounts to their real owners. The protesters' motions argue that the subpoenas violate their privacy rights and their right to speak anonymously.

Craig Cardon of Sheppard Mullin was quoted by Law 360 on this issue as saying that it is more of an urban myth than an actual privacy right that the anonymity of the internet provides unfettered privacy protection to users. While the First Amendment provides protection for anonymous speech the Tweets at issue here were not anonymous. The users Tweeted publicly under their own names, removing any expectation of privacy in the Tweet content. But even had the Tweets been anonymous or private, a court would engage in the traditional balancing test used in cases where an individuals' privacy rights must be weighed against a prosecutor's need for information for a criminal investigation. Nevertheless, subpoenas of internet service providers to reveal anonymous posters have readily been allowed for over a decade.

The district attorney's decision to refrain from requesting private direct messages that can not be publicly viewed or searched for and his explanation that the requested information would be used to disprove beyond a reasonable doubt that the protesters' defense that they believed their obstruction of the Brooklyn Bridge was authorized by the police should help mitigate any privacy concerns. The argument that allowing these subpoenas would allow investigators in the future to request direct messages and other information will not likely get a lot of traction in this case. As Law360 quoted Cardon, “Judges do not want to hear about a parade of horribles; they are focused on what's falling on us today.”

While the issue makes for good headlines, it is likely a tempest in a tea pot and simply a harbinger of challenges to come in the future. The law is fairly clear that subpoenas of the nature involved here (seeking public Tweet content and corresponding time log information for evidentiary purposes) are permitted where as here the prosecution has a well articulated need.

Do Your Social Media Accounts Belong To Your Business? Why Worry, When There Are Safeguards You Can Take Now

Sheppard Mullin — Thu, 29 Dec 2011 11:27:43 -0800

By Michelle Sherman

The world is closely watching a federal case in the Northern District of California where a mobile news and reviews resource company, PhoneDog, is suing a former employee Noah Kravitz (or independent contractor, depending on what news report you read) over who owns a Twitter account that was started in association with PhoneDog, and is now being used by Kravitz as his own Twitter account. The issues drawing so much attention include who owns a social media account – the employee who posts on it, or the employer on whose behalf the employee was posting. The other issue is what value, if any, can be placed on Twitter followers (or, by analogy Facebook likes), when social media attracts people who are portable and not "owned" by the social media account.

As will be discussed more fully below, PhoneDog does not enter court with the best of facts in order to decide these larger issues of interest to employers and the social media community. However, the shortcomings in PhoneDog's case are instructive in terms of steps employers should take to better demonstrate ownership over their social media sites.

1. PhoneDog Lawsuit

The crux of the lawsuit is that Kravitz was paid as a product reviewer and video blogger for PhoneDog from April 2006 through October 2010, and that this position included posting tweets on a Twitter account called @PhoneDog_Noah. After Kravitz left PhoneDog, he changed the name of the account to @noahkravitz, and kept its followers instead of relinquishing the account and its followers over to PhoneDog as was requested of him.

On November 28, 2011, the complaint survived a motion to dismiss filed by Kravitz with the magistrate judge allowing the claims for misappropriation of trade secrets and conversion to stand, and giving PhoneDog leave to file amended claims for intentional interference with prospective economic advantage and negligent interference with prospective economic advantage. On the tortious interference claims, the court held that PhoneDog failed to allege how Kravitz continuing to use the Twitter account in his own name disrupted the purported relationships between PhoneDog and the Twitter users, or how it resulted in economic harm – two essential elements for these claims.

In reviewing the complaint, and what it does not allege, PhoneDog has some formidable hurdles to prevailing on its remaining claims. For example, PhoneDog alleges that it took reasonable measures to protect the confidential information that it loosely describes as the Twitter account password and "many details of PhoneDog's relationships with its users that are not generally known or readily accessible to the public or PhoneDog's competitors." However, PhoneDog does not allege that it had an employment agreement or confidentiality agreement with Kravitz that would have protected this information, or clearly stated that this information should be treated as confidential, proprietary information.

2. The Importance Of Having Written Agreements With Your Employees Concerning Use Of The Company's Social Media Accounts

In a statistical study of trade secret litigation in federal courts with issued written opinions from 1950 through 2008, it was found that employees prevailed more often than the employers with employees winning 54.1% of the summary judgment motions, and employers winning 34.7%. The study also found that while there is no bright line rule for what reasonable measures an employer must take to protect its trade secrets, the most important thing an employer can do is to have a confidentiality agreement with its employees.

3. Social Media And The Internet Present Unique Challenges To Demonstrating Something Is A Trade Secret

With the growth of the internet, we are also finding that the universe of trade secret information is becoming smaller. This would seem to be especially true in the case of Twitter followers who are on a public list that can be viewed by anyone with a Twitter account. Indeed, a federal court in the Eastern District of New York held in August 2010, that a customer list of an executive search consulting firm was not a trade secret given the fact that the list and needs of the firm's clients could be pieced together through internet searches of FX Week, Google, Bloomberg.com, and LinkedIn:

"The information in Sasqua's database concerning the needs of its clients… may well have been a protectable trade secret in the early years of Sasqua's existence when greater time, energy and resources may have been necessary to acquire the level of detailed information to build and retain the business relationships at issue here. However, for good or bad, the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information in 2010 is a very different story." Sasqua Group, Inc. v. Courtney, 2010 WL 3613855 (E.D.N.Y. Aug. 2, 2010).

As the PhoneDog court held in its motion to dismiss order, PhoneDog also faces a hurdle in alleging "facts regarding how Mr. Kravitz's conduct disrupted its relationships and what economic harm it caused." It is worth noting that the complaint alleges a following of approximately 17,000 followers on Twitter when Kravitz was with PhoneDog. The account that is now used by Kravitz in his personal capacity shows followers numbering 23,578 as of December 28, 2011. In contrast, principals of PhoneDog have far less followers on their respective company Twitter accounts with the Editor in Chief, @PhoneDog_Aaron, having 12,603 Twitter followers as of December 29, 2011, and the President, @PhoneDog_TK, having only 846 as of the same date.

4. Act Promptly To Remove Employees From Social Media Accounts When You Know The Employment Relationship Is Ending

In the trade secrets study, another reasonable measure for protecting trade secrets that an employer should take is introducing computer-based protections. These protections may include requiring personalized logins and passwords for users having access to the information; monitoring their access and use of the information; and terminating access when a user no longer needs access to the confidential information or their employment has been terminated. In the PhoneDog action, the complaint is vague on who established the Twitter account, and whether the plaintiff PhoneDog had the login and password information for the account used by Kravitz. PhoneDog alleges that its confidential information included the passwords, but then alleges that it requested that Kravitz "relinquish use of the Account." If PhoneDog had the Twitter account login with password, then one of the reasonable measures that PhoneDog should have arguably taken was to change the password, and take back control of the Twitter account when Kravitz quit in October 2010.

In general, companies should to the greatest extent possible register social media accounts in their own names or through a senior marketing person and/or social media manager if the account needs to be in the name of a person. Further, on social media accounts such as Facebook pages, where you can have more than one administrator, companies should take advantage of this option and have several administrators. Having several administrators, and asserting control over the account, is another way to demonstrate "ownership" of the account, and also avoid some of the problems experienced by PhoneDog.

Indeed, the time gap between when Kravitz left the company in October 2010, and the filing of the legal action in July 2011 is another hurdle for PhoneDog in its case. Reading between the lines of the complaint, and theorizing from there, it appears that there may be some credence to Kravitz's argument that PhoneDog asked him to "tweet on their behalf from time to time," as reported in the December 25, 2011 New York Times article. In the complaint, PhoneDog also alleges that, "[o]n information and belief, from October 2010 and December 2010, Kravitz free-lanced for a variety of media outlets before obtaining a full-time position with TechnoBuffalo", who is described as a competitor of PhoneDog. In other words, PhoneDog also seems to be pursuing this action because Kravitz is now working for a competitor of PhoneDog. PhoneDog does not allege that there was a non-compete agreement with Kravitz.

5. If You Have A Social Media Non-Compete Or Confidentiality Agreement With Your Employees, Make Sure Your Intentions Are Clearly Stated

It does not appear that PhoneDog had any written agreement that would prevent Kravitz from continuing to tweet about mobile news and reviews after he left the company. If there was a non-compete agreement, or a confidentiality agreement concerning PhoneDog's purported trade secrets, then the agreement needs to be clear about what the parties intended, and the terms of their agreement.

For example, a federal court of appeals held that an ex-News Corporation employee did not breach his post-employment agreement in a trade secrets case by sending 55 pages of internal documents from his former employer to a U.S. Senate staffer because the documents were mailed one day before he signed the agreement in which he promised not to disclose NewsAmerica's confidential information or disparage the company. News America Marketing v. Emmel, D.C. Docket No. 07-00791-CV-TCB-1 (11^th Cir. June 8, 2011).The court's decision turned on the post-employment agreement only referring in the present tense to future acts. Robert Emmel agreed that he "will not disparage, denigrate or defame the company, " and that he "will maintain in complete confidence" the company's confidential information. The court held, "If it had wanted the agreement to cover past acts or future inaction, New America should have written the agreement to say that."

The News America Marketing case highlights the importance of having an agreement with employees concerning their access and use of social media accounts on behalf of the company, and ensuring that the agreement clearly spells out the relationship and the parameters for it because some courts will literally interpret agreements with employees.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

Facebook's Settlement With The FTC Is A Wake Up Call For Businesses To Review And Update Their Website Privacy Policy And Agreements

Sheppard Mullin — Tue, 27 Dec 2011 11:41:27 -0800

By Michelle Sherman

The Federal Trade Commission ("FTC") is working hard to make sure consumers are not being misled about how websites and social networking sites are using their personal information. Companies that do not follow their own privacy policies are finding themselves the subject of FTC complaints. It is therefore even more important for businesses to review and update their "privacy policy," "terms of use," and other legal agreements on their websites. This review should also include any company apps.

1. When Businesses Do Not Comply With The Terms Of Their Website Privacy Policy, Then They May Be In Violation Of Section 5(a) Of The FTC Act

The recent consent decrees that the FTC entered into with Facebook, Google and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies. Businesses are well advised to take the following actions:

(1) Ensure that the published policies on their websites for terms of use and privacy reflect what information the businesses are collecting from consumers, and that the disclosures are clearly stated without unnecessary and lengthy legalese;

(2) Examine how the businesses are using personal information or anticipate using it, and that these uses are being fully disclosed to consumers; and

(3) Take reasonable measures to safeguard consumer information. Because of the risks of cyberhacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded, and what information is being stored and for how long a period. The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users' accounts against hackers.

In all of these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act. The FTC Act prohibits unfair or deceptive acts or practices. 15 U.S.C. § 45(a).

The consent decrees entered into by Facebook, Google and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business. As is sometimes the case with the FTC, the FTC conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required under current law.

2. Lessons To Be Learned From The FTC Settlements With Facebook And Others

It is instructive to know how these businesses allegedly violated the terms of their privacy policies with users because the same may be true for many companies.

(a) Facebook Complaint

In its complaint against Facebook, the FTC alleged:

(1) Facebook told its users that third-party apps that users installed – such as Farmville by Zynga– would have access only to user information that they needed to operate. In fact, the apps could access nearly all of the users' personal data.

(2) Facebook told users that they could restrict sharing of data to limited audiences – for example, with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with the third-party applications their friends used.

(3) Facebook promised users it would not share their personal information with advertisers. Facebook did according to the FTC.

(4) Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content according to the FTC.

(5) Facebook also claimed that it complied with the U.S. – EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.

(b) Google Complaint

Google is also faulted for making use of its users' data in ways that was contrary to what Google was telling users about the launching of Google's Buzz social network through its Gmail web-based email product. The FTC alleged that "Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective." Google was apparently trying to immediately ramp up its social network in order to compete with Facebook. The Buzz launch ended up being a public relations nightmare for Google with thousands of consumers reportedly complaining that they were concerned about public disclosures of their email contacts from which Google tried to create immediate Buzz connections for users. In some cases, use of the emails disclosed ex-spouses, therapists, employers or competitors.

According to the FTC, Google breached its privacy policy when it launched Buzz, its social networking site, because Google's policy told Gmail users that "[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use." According to the FTC, Google used Gmail users' information for a different purpose without telling them by starting a social networking site with the information.

(c) Online Advertiser ScanScout Complaint

The FTC is not just pursuing these actions against social media behemoths such as Facebook and Google. In November 2011, the FTC reached a settlement with an online advertiser ScanScout. ScanScout is an advertising network that places video ads on websites for advertisers. ScanScout collects information about consumers' online activities (aka behavioral advertising) in order to post video ads targeted to the people visiting the website. In ScanScout, the FTC alleged that there was a discrepancy between the online service and their website privacy policy:

"[F]rom at least April 2007 to September 2009, ScanScout's website privacy policy discussed how it used cookies to track users' behavior. The privacy policy stated, 'You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.' However, changing browser settings did not remove or block the Flash cookies used by ScanScout…. The claims by ScanScout were deceptive and violated Section 5(a) of the FTC Act."

In the ScanScout action, the company Tremor Video, Inc. is also subject to the settlement order because ScanScout merged with Tremor Video. This settlement also highlights the importance of doing an audit of a target company's social media activity before acquiring or merging with it so your company will have more information concerning the legal risks of the deal.

3. Business Costs Of Not Updating Your Privacy Policy And Following It

In each of these cases, the FTC is making the settling party do some things that are more than they would have been required to do in the normal course of business, thereby, making it more challenging and expensive for them to do business.

These consent decrees require the settling party to do the following:

(1) Tell users what information is being collected and for what purpose, with the right to "opt out" of the targeted advertising (ScanScout);

(2) Obtain consumers' affirmative express consent before enacting changes that override their privacy preferences (Facebook; Google);

(3) Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and service, and protect the privacy and confidentiality of consumers' information (Facebook; Google); and

(4) Every two years, for the next 20 years, obtain independent, third party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook; Google).

4. Conclusion

Considering that the vast majority of consumers simply click through the legal agreements to get to the applications on a website, there is no real downside to companies spending a little time and money to ensure that their privacy policy, terms of use and other legal agreements reflect their current practices. Similarly, updating these agreements should be a routine part of changing how the company is collecting and using information from its users. It should be coordinated between marketing, IT and legal with each checking off on the updates being accurate. And, finally, the website should clearly indicate that the privacy policy and/or agreements have been updated so users have the option to review any changes. If experience is any indicator, virtually all users will continue to visit the website notwithstanding the updated policy or agreements.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

Using the Internet to Your Company's Advantage in Defending Against A Whistleblower Action

Sheppard Mullin — Tue, 29 Nov 2011 15:28:58 -0800

By Michelle Sherman

The wide dissemination of news on the Internet through “new media” online sites such as the Huffington Post, well recognized blogs like the Drudge Report, or social media sites such as Twitter is changing how we get our news today. The Internet is also making it harder for someone to be the first and original source for allegations of corporate malfeasance that can be the basis for a whistleblower or false claims action. In other words, businesses who are defending themselves against a whistleblower or qui tam (false claims) plaintiff (collectively, “whistleblower”) should exhaustively search the Internet for evidence showing that the whistleblower is not the “original source” of the information.

1. Section 922 Of The Dodd-Frank Wall Street Reform And Consumer Protection Act.

Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act provides that the Securities and Exchange Commission (“SEC”) shall pay awards to eligible whistleblowers who voluntarily provide the SEC with original information that leads to a successful enforcement action yielding monetary sanctions of over $1 million. Whistleblowers can recover from 10 to 30 percent of the total monetary sanctions collected in the SEC’s action or any related action, so there is a real financial incentive for someone to report suspected wrongdoing. Section 922 of Dodd-Frank also added Section 21F to the Securities Exchange Act of 1934, and Section 21F reflects these incentives to whistleblowers.

According to the SEC’s May 25, 2011 press release, Section 922 defines original information as information that “must be based upon the whistleblower’s independent knowledge or independent analysis, not already known to the Commission and not derived exclusively from certain public sources” such as the news media.

Because the public policy behind whistleblower statutes is to reward the reporting of alleged wrongdoing that may otherwise go undetected, the statutes do not allow for bounty rewards to plaintiffs who are not the original source of the information.

Thus, a whistleblower, who provides information that is already known and discoverable through a blog post, Twitter or other social network activity, may have trouble satisfying an essential element to recovering the mandatory award under Section 922.

2. The False Claims Act And The Public Disclosure Bar.

Similarly, the False Claims Act includes a public disclosure bar which provides that courts shall dismiss qui tam suits when the relevant information has already entered the public domain through certain channels, including the news media, unless the action is being brought by the Attorney General or by a person who is the original source of the information. 31 U.S.C. § 3730(e)(4)(A). Section 3730(e)(4)(A) also allows the government to stop dismissal of the action by opposing the dismissal.

The public disclosure bar was added by Congress to the False Claims Act “in an effort to strike a balance between encouraging private persons to root out fraud and stifling parasitic lawsuits.” Graham County Soil and Water Conservation District v. United States ex rel. Wilson, 559 U.S. __, 130 S. Ct. 1396 (2010).

Recent amendments to the False Claims Act left unchanged the defense that information available in the news media cannot form the basis for a qui tam plaintiff being able to maintain his action.

3. Why The Public Disclosure Bar Should Include Activity On The Internet Including Blogs, Online News, And Social Network Sites Such As Twitter.

With the exponential growth of the Internet, the meaning of news media has expanded and, thereby, created more opportunities for a company to assert the public disclosure bar. The definition of “news media” in Wikipedia highlights this broad scope:

“The news media are those elements of the mass media that focus on delivering news to the general public or a target public. These include print media (newspapers, newsmagazines), broadcast news (radio and television), and more recently the Internet (online newspapers, news blogs, etc.)” (emphasis provided).

The New York Times has also reported on how many stories are being covered online these days instead of through print editions:

“Crucial to the Times’s approach in a time of less print space is City Room, the fourth most popular blog on the NYTimes.com. It is where The Times dishes breaking news and a creative menu of features, columns and digital novelties. In City Room, a whole new kind of metro report emerges, with most of its 3,000 plus blog posts a year never surfacing in print.” Arthur S. Brisbane, New York Times, Covering Its Own Backyard (Oct. 23, 2011).

In Graham County, the Supreme Court specifically cited to the broad scope of the news media component of the public disclosure bar when the Court recognized it includes “a large number of local newspapers and radio stations.” As we have seen with online news sources such as the Huffington Post, which AOL acquired for $315 million, and which had an estimated 25 million monthly users at the time of the sale, new media can have a far greater reach than a small town local newspaper that is included in the news media category of the public disclosure bar.

WikiLeaks is also a good example of how confidential information was first publicized through the Internet, and ahead of an alleged whistleblower. A New York Times article described how much WikiLeaks (and the use of the Internet to dump confidential information) has changed the whole nature of whistle blowing:

“Whistle-blowers in possession of valuable and perhaps incriminating corporate and government information now had a global dead drop on the Web. Traditional news organizations watched, first out of curiosity and then with competitive avidity, as WikiLeaks began to reveal classified government information that in some instances brought the lie to the official story.” David Carr, New York Times, “Is This the WikiEnd?” (Nov. 6, 2011).

4. Conclusion.

Consequently, a company is well advised to search the Internet for discussions concerning the allegations that form the basis for a whistleblower’s action. Industry specific blog sites are a good starting point since they often carry gossip concerning companies in that industry. Twitter is also a good resource since it has the most real time news updates, and often scoops the mainstream media as we saw with reports of the earthquake in Japan and its aftermath, the United States finding and killing Osama bin Laden (with a local resident live tweeting the storming of the compound), and the political upheaval in Egypt (described as the “Twitter revolution”). YouTube is also a good resource as evidenced by the video that quickly went viral in which University of California, Davis campus police were seen spraying students with pepper spray.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

Protect IP Act: One Approach to Dealing with Internet Piracy

Sheppard Mullin — Tue, 29 Nov 2011 10:58:14 -0800

By Michelle Sherman

Digital media theft or piracy, as it is more commonly called, is a serious and pervasive problem with countries taking different approaches to address it. It is estimated that copyright piracy and the sale of counterfeit goods costs US creators and producers billions of dollars every year.

Click here to read the full article as published in the Journal of Internet Law.

Legal Issues Surrounding Social Media Background Checks

Sheppard Mullin — Mon, 03 Oct 2011 10:04:12 -0800

By Michelle Sherman

Agatha Christie had a novel take on invention being the mother of necessity. She disagreed and said, “[I]nvention, in my opinion, arises directly from idleness, possibly also from laziness. To save oneself trouble.” She may have been onto something when you think about businesses that are turning to outside vendors to research employees and job candidates for them. Whether or not these outside vendors are the best solution, however, remains to be seen.

Companies Should Have An Internal Procedure For Researching Job Candidates And Employees On The Internet

We recommended earlier this year that businesses establish an internal procedure for making employment decisions based on Internet research, so they would not run afoul of state and federal laws that prohibit job discrimination based on protected factors. The protected factors include, for example: (1) Race, color, national origin, religion and gender under Title VII of the Civil Rights Act of 1964; and (2) Sexual orientation, marital status, pregnancy, cancer, political affiliation, genetic characteristics, and gender identity under California law. Most states have their own list of protected factors, which should be considered depending on where your company has employees.

Not surprisingly, the legal risks of making employment decisions using the Internet have become a real concern for businesses, especially when you consider that 54% of employers surveyed in 2011 acknowledged using the Internet to research job candidates. The actual number of employers using the Internet is probably higher, and sometimes companies may not even be aware that their employees are researching job candidates and factoring that information into their evaluations. This is yet another reason to establish an internal procedure for researching job candidates, and communicating your procedure to employees who are participating in the employment process.

There is nothing wrong with researching people on the Internet so long as it is done properly. The Internet has a wealth of useful information, some of it intentionally posted by job applicants for employers to consider such as LinkedIn profiles.

With this “necessity” to do Internet searches properly, some businesses have turned to outside vendors to do the research for them, and, thereby, try to reduce their legal exposure and the administrative inconvenience of doing it themselves. At least one of these vendors has received letters concerning its business practices from the Federal Trade Commission (“FTC”) and, more recently, two U.S. Senators.

The Business Practices Of Outside Vendors That Provide Social Media Background Checks Are Being Examined For Compliance With Privacy And Intellectual Property Laws

On May 9, 2011, the staff of the FTC’s Division of Privacy and Identity Protection sent a “no action” letter to Social Intelligence Corporation (“Social Intelligence”), “an Internet and social media background screening service used by employers in pre-employment background screening.” The FTC treated Social Intelligence as a consumer reporting agency “because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” The FTC stated that the same rules that apply to consumer reporting agencies (such as the Fair Credit Reporting Act (“FCRA”)) apply equally in the social networking context. These rules include the obligation to provide employees or applicants with notice of any adverse action taken on the basis of these reports. Businesses should also be mindful of similar state consumer protection laws that may be applicable (e.g. California Investigative Consumer Reporting Agencies Act).

The FTC concluded by stating that information provided by Social Intelligence about its policies and procedures for compliance with the FCRA appears not to warrant further action, but that its action “is not to be construed as a determination that a violation may not have occurred,” and that the FTC “reserves the right to take further action as the public interest may require.” This FTC “no action” letter was reported fairly widely, and probably increased the comfort level of businesses that wanted to use an outside service for Internet background checks.

On September 19, 2011, Senators Richard Blumenthal (D-Conn) and Al Franken (D-Minn) sent a letter to Social Intelligence with 13 questions regarding whether the company is taking steps to ensure that the information it is gathering from social networks is accurate, whether the company is respecting the guidelines for how the websites and their users want the content used, and whether the company is protecting consumers’ right to online privacy. The letter raises some legitimate concerns, and requests a prompt response from Social Intelligence to the questions presented.

Legal Assurances That Your Company May Want To Seek If Using An Outside Vendor

Some of the questions also warrant due consideration on the part of businesses receiving reports from outside vendors about how much weight they want to give the information provided. Further, what the business may want in the form of legal assurances from the outside vendor that no laws (e.g. FCRA, privacy, copyright, or other intellectual property laws) have been violated in gathering the information or providing screenshot copies of pages from social networking sites.

Some of the questions from the Senators which raise these concerns include, for example:

1. “How does your company determine the accuracy of the information it provides to employers?” [Social Intelligence is reportedly collecting social networking activity dating back 7 years, and, therefore, may capture something that was later removed, or was a “tag” post through a picture that the job candidate was not responsible for making public, and may have removed once it came to his attention.]

2. “Is your company able to differentiate among applicants with common names? How?” [e.g. Have they researched the correct “Jane Smith” of the hundreds on Facebook since social security numbers or other specific identifying information is not useful on social networking sites as it is with the standard background check.]

3. “Is the information that your company collects from social media websites like Facebook limited to information that can be seen by everyone, or does your company endeavor to access restricted information.”

4. “The reports that your company prepares for employers contain screenshots of the sources of the information your company compiles…These websites are typically governed by terms of service agreements that prohibit the collection, dissemination, or sale of users’ content without the consent of the user and/or the website….. Your company’s business model seems to necessitate violating these agreements. does your company operate in compliance with the agreements found on sites whose content your company compiles and sells?”

5. There appears “to be significant violations of user’s intellectual property rights to control the use of the content that your company collects and sells. …. These pictures [of the users], taken from sites like Flickr and Picasa, are often licensed by the owner for a narrow set of uses, such as noncommercial use only or a prohibition on derivative works. Does your company obtain permission from the owners of these pictures to use, sell, or modify them?”

Conclusion

Establishing an internal procedure for using the Internet to make employment decisions is one more piece of a sound ethics and compliance program that addresses how your company is using social media. If using an outside vendor to perform social media background checks is part of that policy, you should assure yourself that the company is acting in compliance with the relevant laws.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

Your Social Media Policy May Need Revamping

Sheppard Mullin — Mon, 03 Oct 2011 09:36:07 -0800

By Michelle Sherman

If your company adopted a social media policy more than two months ago, or, if your company modeled its policy after one of the sample policies available on the Internet, then there is a very good chance that your social media policy is overbroad and needs to be revised. For example, if your social media policy prohibits social media activity that disparages the company without making it very clear that this prohibition does not include protected concerted activity (as more fully described below), then your policy needs to be amended.

An Overbroad Social Media Policy Can Hurt Your Company’s Bottom Line

The financial incentive for making sure your policy, and how you apply it to your employees’ social media activity, is done correctly is underscored by a September 2, 2011 administrative law judge opinion. In Hispanics United of Buffalo, Inc., the ALJ ordered the non-profit Hispanics United of Buffalo, Inc. (“HUB”) to rehire and provide back pay to five employees who were fired over Facebook posts in which they were complaining about criticisms of their job performance by another HUB employee. Their posts were held to be “concerted activity” on a subject matter protected by Section 7 of the National Labor Relations Act (“NLRA”), and their termination was in violation of Section 8(a)(1) of the NLRA. Individual action is concerted if it is engaged in with the object of initiating or inducing group action. In terms of dollars for a company, this type of ruling can mean hundreds of thousands of dollars in salary to the employees hired to replace the terminated employees, back pay and attorneys’ fees and costs in defending the action.

The NLRB Has Issued Helpful Guidelines For How To Respond To Your Employees’ Social Media Activity

This is the first decision involving the firing of employees for work related social media activity. However, it is not the first time that the National Labor Relations Board (“NLRB”) has communicated its official position on the parameters for a social media policy. On August 18, 2011, the Acting General Counsel for the NLRB reported on the outcome of investigations into 14 cases involving the use of social media and employer’s social media policies. Acting General Counsel Lafe Solomon stated, “I hope that this report will be of assistance to practitioners and human resource professionals.” In four cases, the NLRB found that the employees were engaged in “protected concerted activity” because their social media activity was an online discussion of the terms and conditions of their employment with co-workers. The NLRB report also stated that employers had the most problems with overbroad policies.

Another helpful guide for employers was issued on August 5, 2011 by the U.S. Chamber of Commerce (Labor, Immigration & Employee Benefits Division) in which the Chamber reported that the NLRB has reviewed more than 129 cases involving social media in some way. “The issues most commonly raised in the cases before the Board allege that an employer has overbroad policies restricting employee use of social media or that an employer unlawfully discharged or disciplined one or more employees over contents of social media posts.”

The relevant law for HR professionals and businesses to consider when speaking to employees about their social media activity are Sections 7 and 8(a)(1) of the NLRA. Section 7 provides in pertinent part that: “Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection”. In practice, this means that employers cannot chill, or penalize communications between employees concerning work conditions, terms and conditions of employment (salary, benefits), managers and management.

A further wrinkle added by social media to this statutory protection of employees is that most employees who are on a social networking site, such as Facebook, are connected with other employees, and those employees may comment on their co-worker’s online complaint about work, thereby, giving possibly rise to “protected concerted activity.” Even a “like” of the co-worker’s post – short of a comment – may possibly give rise to protected activity. The NLRB has even held that a comment that seems on its face to be outside the scope of protected activity is off limits for sanctioning an employee. For example, the NLRB has held that employees should not have been terminated for the following content on a social networking site:

1. An employee complained about the cheap food that his luxury car dealership employer gave away at a sales event for customers. The rationale was that the employee and the co-workers, who commented on his Facebook post, were concerned that giving away cheap food would result in a negative impression of the car dealership, less cars being sold, and thus reduced sales commissions for them.

2. An employee used profanity and sarcasm in soliciting comments from her work colleagues on Facebook about a victim advocate who worked with them and was critical of the client services they were providing. Her comments did not lose their protected status even with the strong language she used.

Section 8(a)(1) provides that employers cannot “interfere with, restrain, or coerce employees in the exercise of the right guaranteed in Section 7 of this Act.” Employers are also prohibited from “unlawful surveillance” of their employees, which means that employers should not try to access social media activity of their employees that is not public and concerns protected activity.

Not All Social Media Activity Is Protected: Employees Cannot Harass Or Bully Other Employees, Or Defame Their Employers Indiscriminately

This does not mean that employers cannot take action against employees for social media posts concerning the company and its management if: (1) the employee is bad mouthing the company and/or management, and the statements clearly do not concern work conditions, benefits, wages and other terms and conditions of employment – employers are entitled to loyalty from their employees; (2) the employee is discussing privileged and confidential client communications; and (3) the employee is harassing, threatening, or making racist statements directed at a co-worker.

Conclusion

The good news is that the revision or drafting of a social media policy by an attorney who stays current with social media legal issues is relatively inexpensive and easily executed. Companies do not need to resort to boilerplate policies that may be overbroad, and create unnecessary legal exposure for the company.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

Anonymous Bloggers And The First Amendment: When And How Your Company Can Identify Its John Doe Defendants

Sheppard Mullin — Mon, 25 Jul 2011 15:13:10 -0800

By Michelle Sherman

The exponential growth of the internet is also seeing an increase in the number of legal actions against “John Doe” defendants. John Doe is really synonymous with an anonymous speaker (blogger), who may be liable for claims such as copyright infringement, trademark infringement, or defamation. Fortunately, there is guidance from the courts so your company can increase its chances of identifying these anonymous bloggers, if necessary.

If you are fortunate enough to have the anonymous blogger’s IP address, then there are online services through which you can get more information concerning the computer, tablet or smartphone from which the post was made, such as the city, and possibly the name of the organization. However, to get the name on the account with the internet service provider (ISP) (such as WordPress, or Google), your company will need to get a court order. The ISPs are not required to connect the dots for you.

The most common approach for identifying an anonymous blogger is typically a motion for leave to take discovery prior to the Federal Rules of Civil Procedure Rule 26(f) conference of the parties, and an order allowing discovery from the ISP through a subpoena served on the ISP. In the discovery order, courts generally require the ISP to give notice to its subscriber (the anonymous blogger) before turning over their contact information. The discovery order will typically include a cutoff date for the notice to be given, and for the subscriber to file a motion to quash the subpoena.

It cannot be overemphasized that the First Amendment protections afforded anonymous speech on the internet present a tremendous hurdle for getting relief from the courts. At the same time, courts are issuing discovery orders in recognition that speech is not absolutely protected. Political speech receives the highest level of protection as the essence of the First Amendment. Speech that can be characterized as “commercial” speech does not receive the same protections, and is protected only so long as “the communication is neither misleading nor related to unlawful activity.” Central Hudson Gas & Elec. Corp. v. Public Serv. Comm’n of N.Y., 447 U.S. 557, 564 (1980). Fighting words and obscenity are not a protected form of speech. Thus, how the speech is characterized will affect the merits of your discovery motion.

5 FACTORS IN FAVOR OF IDENTIFYING THE ANONYMOUS BLOGGER

Your company can make a prima facie showing of its claim against the anonymous speaker. There is not a single standard that is applied uniformly by all of the federal district courts. However, the prima facie case standard is applied by many courts, including California district courts. The most rigorous standard that some courts apply is that the legal claim, on which the discovery motion is based, could survive a motion for summary judgment. The lowest standard is the motion to dismiss or good faith standard. Thus, where you file your action may affect your chances of identifying the anonymous blogger.

The Ninth Circuit, citing to a Supreme Court decision, has held that the type of speech at issue (political vs. commercial) should be considered in deciding what standard to apply, with a more relaxed standard being applied to commercial speech: “[W]e suggest that the nature of the speech should be a driving force in choosing a standard by which to balance the rights of anonymous speakers in discovery disputes.” In re Anonymous Online Speakers, 2011 WL 61635, *6 (9th Cir. Jan. 7, 2011).
The anonymous blogger is a defendant (as opposed to a non-party).
The nature of the claim, and the interest being protected. For example, courts have held that when a plaintiff has made a prima facie claim of copyright infringement, the plaintiff’s need for disclosure outweighs any First Amendment rights. Arista Records LLC v. Does 1-19 (“a defendant’s First Amendment privacy interests are exceedingly small where the ‘speech’ [at issue] is the alleged infringement of copyrights”). Cases involving the disclosure of confidential insider information online is another area in which courts seem more inclined to issue a discovery order. In defamation cases, it is more difficult to overcome the First Amendment protections. However, discovery orders are being issued in these cases as well.
The identity of the anonymous blogger is not available from other, less intrusive sources, such as deposing the person who is reasonably believed to have posted the objectionable material.
There has been some effort to give the blogger notice of the subpoena before filing the motion .

5 FACTORS THAT CONTRIBUTE TO COURTS DENYING THESE DISCOVERY MOTIONS

The anonymous blogger is being sued for speech that can be characterized as political speech, which is entitled to the highest level of First Amendment protection.
The blogger is someone whose identity should be protected under the relevant state shield law – reporter’s privilege. Blogs, chat rooms, websites can potentially be encompassed within the spectrum of a shield law extended to the news media. For example, the electronic publication called the Drudge Report has successfully asserted the reporter’s privilege.

Media companies have also asserted the reporter's privilege in response to subpoenas seeking the identity of anonymous posters, with some success in states such as Colorado, North Carolina, Oregon, Montana, Florida and Illinois.
The basis for the subpoena is stated in a cursory manner without any evidence to support the elements of the claim on which it is based.
The subpoena is overbroad, and does not specifically seek information that is necessary to identify the anonymous blogger.
The subpoena seeks information that is cumulative of other evidence. For example, your company has a reasonable idea about who posted the speech at issue and can confirm its suspicions by deposing the person, or serving less intrusive discovery.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

10 Social Media Must Haves For Your Corporate Compliance And Ethics Program

Sheppard Mullin — Mon, 18 Jul 2011 08:59:55 -0800

By Michelle Sherman

Companies would be legally remiss not to add a social media component to their corporate compliance and ethics program. As we have seen and reported on, agencies such as FINRA, the FTC, and the NLRB are bringing complaints against companies arising from their social media activity or employee related activity, thus, highlighting the need for companies to demonstrate that they are exercising due diligence to promote ethical conduct and prevent criminal conduct in the context of social media activity [e.g. Federal Sentencing Guidelines, § 8B2.1].

The following list is a good starting point, however, there may be additional items that a social media attorney will recommend you include in your policy depending on the nature of your business. A companion article to this one, for example, includes additional items that government contractors should have in their social media policies.

Adopt a social media policy. Include the basic list of “Dos” and “Don’ts” in your policy. Don’t try to prohibit lawful protected activity such as complaining about work conditions or compensation/benefits, or whistle blowing. However, employees should be advised of the importance of communicating possible wrongdoing at the company through established internal channels so an appropriate investigation can be conducted.
Implement an effective training program on how your employees should use social media, with emphasis on areas of particular concern for your company which may include, for example, protecting the privacy interests of your company clients, complying with FINRA/SEC social media guidelines, antitrust compliance, not disclosing confidential, proprietary information, and brand protection.
Update your e-discovery approach and make sure that you include social media activity and cloud computing because it is discoverable.
Update your document retention policy to make sure you are capturing and storing the social media activities of your company, and don’t forget employees conducting business from their smart phones and tablets.
Update your Sarbanes-Oxley Act compliance program to ensure that financial information posted on your Facebook fan page, Twitter, website, etc., is updated to reflect material changes in financial condition and operations. Do not release financial information on social networking sites that you have not also published in a press release.
Audit the social media activity of potential targets for mergers and acquisitions to identify any legal risks and liabilities, including, without limitation, the target failing to comply with the Sarbanes-Oxley Act.
Train your HR department, managers and anyone making employment decisions so they do not use information from social networking sites to discriminate against anyone based on protected factors under federal or state law. Set up protocols so protected factors are not considered.
Take reasonable measures to protect your trade secrets. Update your confidentiality agreements and computer use policies with employees. Clearly communicate what are the company’s trade secrets and the ways in which use of them is restricted. One of the essential elements for a misappropriation of trade secrets case is that the company has taken reasonable measures to protect its trade secrets, which would include, in the social media era, a social media policy with training for employees so they are not inadvertently disclosing the company's trade secrets.
Incorporate privacy protections into your business practices such as data security, the collection of a reasonable amount of information and not more, sound retention practices (not an unduly long period of time), and data accuracy (so misinformation is not reported on consumers).
Review the FTC guidelines for online endorsements with employees, including the prohibition on employees giving reviews for the company’s products (or the products of it’s competitors) without disclosing their biased relationship with their employer company.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)