Social Media in the Workplace

From: Staffing

Social Media in the Workplace

Merriam-Webster defines social media as forms of electronic communication (such as websites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content (such as videos). According to a 2016 study conducted by several universities:

  • There are approximately 1.32 billion monthly active users of Facebook.
  • An estimated 86 percent of job seekers have a social network profile.
  • One in six job seekers found their last job through an online social network.
  • Fifty-four percent of social media users have used Facebook, LinkedIn, or Twitter in their job search in the last year.

Additionally, socially networked Americans from ages 18 – 64 spend an average of 3.2 hours per day using social media. Subsequently, the use of social media in the workplace is unquestionable as some studies have shown that Facebook reduces workplace productivity by 1.5 percent. However, social media use by employees can allow businesses to harness social capital through connectivity. The positive and negative impact of social media in the workplace necessitates distinct and specific policies and practices for its use.

Monitoring Social Networking Sites

In most jurisdictions, it is permissible to refer to social networking sites when making decisions about recruitment and selection, and when taking disciplinary action against an employee. However, employers should consider the following when conducting such monitoring:

  • The evidential weight given to information obtained from a social networking site. For instance, information posted may be inaccurate, out-of-date, not intended to be taken at face value, or even posted by someone other than the person who is the subject of the inquiries.
  • Relying on information contained in social networking sites potentially creates a risk of discrimination. For example, discrimination may be found if someone is treated less favorably on the basis of sex, or a condition is imposed which has disparate impact on people of a particular class.
  • Any use of social networking sites when making decisions should comply with data privacy requirements (including in relation to the secure storage and deletion of information after it is no longer needed) and any internal policies about monitoring of such sites.

Social Media Privacy Laws

Employers have requested usernames and passwords to applicant’s and employee’s social media accounts because of the high number of workers who use social media both on and off the job. Employers have argued that access to personal social media accounts is needed to protect the employer’s proprietary information and trade secrets, prevent the employer from being exposed to liability, and hire the applicant or maintain the employee who best fits within the company’s workplace culture. However, states began passing legislation in 2012 to prevent employers from requesting applicant or employee passwords to personal Internet accounts. As of January 2016, the following 23 states have enacted laws that apply to employers and personal Internet accounts:

In early 2016, similar legislation was introduced or pending in at least 12 additional states. For instance, pending Florida House Bill 635 relates to social media privacy and would:

  • Prohibit employers from requesting or requiring access to social media account of employees or prospective employees.
  • Prohibits employers from taking retaliatory personnel action against employees as a result of the employee’s refusal to allow access to his or her social media account.
  • Prohibits employers from failing or refusing to hire prospective employees as a result of the prospective employee’s refusal to allow access to his or her social media account.
  • Authorizes civil action for violation, provides for penalty for violation, and recovery of attorney fees and court costs.
  • Specifies that employers are not prohibited from seeking access to social media accounts used primarily for business purposes.

Facebook’s Stance

According to a statement from Facebook’s chief privacy officer in regard to employers requiring disclosure of Facebook profile names and passwords from employees or applicants:

“[W]e’ve seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information. This practice undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability. The most alarming of these practices is the reported incidences of employers asking prospective or actual employees to reveal their passwords. If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information.

As a user, you shouldn’t be forced to share your private information and communications just to get a job. And as the friend of a user, you shouldn’t have to worry that your private information or communications will be revealed to someone you don’t know and didn’t intend to share with just because that user is looking for a job. That’s why we’ve made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.

Employers also may not have the proper policies and training for reviewers to handle private information. If they don’t—and actually, even if they do—the employer may assume liability for the protection of the information they have seen or for knowing what responsibilities may arise based on different types of information (e.g. if the information suggests the commission of a crime).”

Facebook’s stance tends to mirror state laws enacted to prohibit requests for employee logins and passwords.

Monitoring Employees in the Workplace

Generally, employers may monitor employees at work on employer-provided equipment. However, employers are limited in the extent to which monitoring is permissible as well as to the requirements that must be satisfied to ensure the monitoring is lawful. Additionally, employers generally do not have a right to monitor social network use on an employee’s personally owned devices (such as a smartphone).

The key consideration when monitoring social network use by employees at work on employer-provided computers is the balancing of an employer’s legitimate interest in protecting its business with an employee’s right to privacy (and associated rights in relation to data privacy and personal data). Examples of potential misconduct associated with the use of social networking in the workplace include:

  • Breach of employee privacy.
  • Defamation.
  • Disclosure of company trade secrets and confidential information.
  • Employee gripe sessions.
  • Excessive use of social media during working hours.
  • Harassment and Title VII issues.
  • Misuse of intellectual property.
  • Pornography and obscenity.
  • Unauthorized and deceptive endorsements.
  • Union organizing.
  • Violations of other employment policies.

In the monitoring of employees’ use of social networking sites, employers should:

  • Create and implement clear, well-defined, and well-communicated policies or contractual provisions concerning the appropriate use of social networking sites and the sanctions for noncompliance. Employees should expressly consent to such policies.
  • Ensure monitoring goes no further than is necessary to protect the employer’s business interests by implementing safeguards and practices to ensure:
    • Any monitoring is only done by those representatives of an employer who are authorized and who have a legitimate interest in carrying out any monitoring.
    • Any data collected as a result of any monitoring is stored safely, not tampered with, and not disseminated more widely that is necessary.
    • Personal data is not stored for any longer than is necessary.
  • Train management and employees in the correct use of information technology.
  • Be able to specify and provide examples of the misuse of social networking sites by employee.

Employers may also elect to prohibit the use of social network sites during work, both on equipment provided by the employer and on the employee’s own devices. However, the prohibition against use of social network sites on an employee’s own devices would not give the employer the right to monitor such devices (which would infringe the employee’s right to privacy in many jurisdictions). Rather, the prohibition would be an incident of the employer’s general right to require employees to devote their working hours to their work.

Employers may elect to block access to social network sites on employer-provided equipment, but have no right to prohibit an employee’s personal use of social networks. However, employees are not entitled to use social networks to do things that would otherwise be impermissible, such as misusing confidential information, infringing intellectual property rights, harassing another employee, or otherwise breaching the duties they owe to their employers. Consequently, any workplace policy on social networking must specify that employees can be held responsible (and can be disciplined) for work-related misconduct that they engage in on a social networking site, even during off-work hours. For instance, if the employer has knowledge that employees are using an online work-related social network forum, such as an electronic bulletin board, to harass another employee, the employer may have exposure if it fails to take effective measures to stop the harassment.

National Labor Relations Board

The National Labor Relations Board (NLRB), Office of the General Counsel (OGC) has taken the position that many employers’ social media policy provisions violate the National Labor Relation Act (NLRA). According to the NLRB, social media includes various online technology tools that enable people to communicate easily via the Internet to share information and resources. These tools can encompass text, audio, video, images, podcasts, and other multimedia communications. Recent developments in the OGC have presented up-and-coming issues concerning the protected and/or concerted nature of employees’ Facebook and Twitter postings, the coercive impact of a union’s Facebook and YouTube postings, and the lawfulness of employers’ social media policies and rules. The OGC released several reports discussing these cases and more

For instance, an OGC Operations Management Memo discussed numerous cases, half of which involved questions about employers’ social media policies. Many of those policies were found to be unlawfully broad, one was lawful, and one was found to be lawful after it was revised. The remaining cases involved discharges of employees after they posted comments to Facebook. Several discharges were found to be unlawful because they flowed from unlawful policies. However, in one case, the discharge was upheld despite an unlawful policy because the employee’s posting was not work related. These OGC reports underscore two main points in the compilation of cases:

  • Employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees.
  • An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.

Each of the sections below reviews the General Counsel’s current position on a particular type of commonly used policy provision. Employers should review their existing policies and any new policy in light of these determinations.

Defamation and Nondisparagement

According to the OGC, a broad nondisparagement policy violates the National Labor Relations Act (NLRA) because it could inhibit employees from making negative comments about the terms and conditions of their employment. For example, the OGC finds that the following policy prohibitions are illegal:

  • Prohibition of making disparaging comments about the company through any media, including online blogs or other electronic media.
  • Prohibition against discriminatory, defamatory, or harassing web entries about specific employees, work environment, or work-related issues on social media sites.

However, an employer’s nondisparagement policy will comply with the NLRA by including nondisparagement policy language within a list of other forms of unprotected conduct. For instance, a policy prohibiting statements that are slanderous or detrimental to the company is lawful when it appears on a list of prohibited conduct including sexual or racial harassment and sabotage. Following this authority, the OGC approved a policy which prohibited the use of social media to post or display comments about co-workers, supervisors, or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.

Related Case Law

In Hispanics United of Buffalo, the NLRB ruled that the employer violated the NLRA when it fired five employees because the employees were engaged in concerted activity for their mutual aid and protection when an employee alerted her co-workers on Facebook to another employee’s complaints about their job performance and solicited their views on her complaints, to which they responded with comments of protest. The NLRB also found that the employees’ Facebook statements were protected under federal labor law because they centered on the employees’ job performance.

The NLRB rejected the employer’s argument that the statements were unprotected because they violated the employer’s zero tolerance policy against harassment and bullying because no evidence was found that the employees’ comments could reasonably be construed as harassment under the employer’s policy. The NLRB added that even if the comments were covered by the employer’s zero tolerance policy, the employee who was the subject of the Facebook post’s subjective claim that she felt offended by the Facebook comments was not enough to trump the employees’ rights under federal labor law to engage in protected, concerted activity.

Confidentiality

According to the OGC, a confidentiality policy is illegal if it would impose on employees’ ability to discuss their wages and working conditions with others inside or outside the organization (per NLRA § 7). Consequently, the OGC rejected a provision in an employer’s social media policy that prohibited employees from disclosing or communicating confidential, sensitive, or nonpublic information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the legal department.

Alternatively, the OGC approved a policy provision that prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients as well as restricted information, such as launch and release dates and pending reorganizations. The General Counsel approved of this policy language because the employer was medically based and the policy contained several references to customers, patients, and health information, and employees would reasonably understand that the intent was to protect the privacy interests of the employer’s customers and not to restrict § 7 protected communications.

Logos and Trademarks

According to the OGC, a social media policy that prohibits the use of the company’s name or service marks outside the course of business without prior approval of the legal department is unlawful. The council takes the position that employees have the right under the NLRA to use the company’s name and logo while engaging in protected concerted activity, such as in electronic or paper leaflets, cartoons, or picket signs in connection with a protest involving the terms and conditions of employment. The council reasoned that such protected use of a company’s name and logo does not remotely implicate the company’s interests protected by trademark law, such as the trademark holder’s interests in protecting the good reputation associated with the mark from the possibility of being tarnished by inferior merchandise sold by another entity using the trademark and in being able to enter a related commercial field and use its well-established trademark.

Employee Disclaimers

According to the OCG, a policy requirement that requires employees to expressly state that their comments are their personal opinions and do not necessarily reflect the employer’s opinions violates the NLRA because it would significantly burden the exercise of employees’ § 7 rights to discuss working conditions and criticize the employer’s labor policies. However, employers may prohibit employees from representing in any way that they are speaking on the employer’s behalf without prior written authorization to do so.

The OCG also approved an employee disclaimer requirement in the section of a social media policy addressing product promotions. The council explained that this provision did not interfere with § 7 rights because the policy focused on product promotions and endorsements and was intended to avoid potential liability for unfair and deceptive trade practices under guidance issued by the Federal Trade Commission.

Discussions of Work-Related Concerns

The OCG determined that a policy which included a threat of discipline violated the NLRA. Specifically, a policy that requires employees to first discuss with their supervisor or manager any work-related concerns and failure to comply with such requirement could result in corrective action is a violation. However, employers may request but not require that employees use internal channels, rather than social media, to resolve workplace concerns.

Communications with the Media

The OCG found that an employer’s rule that prohibits employee communications to the media or requires prior authorization for such communications is unlawfully over broad. However, a media policy that simply seeks to ensure a consistent, controlled company message and limits employee contact with the media only to the extent necessary to effect that result cannot be reasonably interpreted to restrict § 7 communications. For instance, a media policy that repeatedly states that the purpose of the policy is to ensure that only one person speaks for the company is permitted, even if employees are instructed to answer all media/reporter questions in a particular way.

Unprofessional Content

According to the OCG, policy terms that are undefined, vague, or subjective are disfavored. These terms included prohibitions on the following:

  • Insubordination or other disrespectful conduct.
  • Inappropriate conversation or unprofessional communication that could negatively impact the employer’s reputation or interfere with the employer’s mission.
  • Nonprofessional/inappropriate communication regarding members of the employer’s community.
  • A requirement that social media activity occur in an honest, professional, and appropriate manner.

Employers can achieve the intended objectives of this disfavored language by using terms that are clearly defined in the social media policy or other policies or by providing examples of prohibited conduct with examples that do not include conduct protected by the NLRA.

Employee’s Self-Identification

According to the OCG, policies that prohibit employees from identifying their affiliation with the organization when engaging in social media activity unless there is a legitimate business reason for doing so violate the NLRA because personal profile pages serve an important function in enabling employees to use online social networks to find and communicate with their fellow employees at their own or other locations.

Securities Blackouts

The OGC found that publicly traded companies are rightfully concerned that employees may let slip on social media highly sensitive information about a corporate transaction, new product launch, or nonpublic financial information. Consequently, a policy provision that states that the employer might request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws is permissible. The counsel reasoned that employees reasonably would interpret the rule to address only those communications that could implicate security regulations, as opposed to the terms and conditions of their employment.

Employer Disclaimers

A disclaimer in social media policies usually explains that the employer’s policies are not intended to interfere with employees’ rights under the NLRA. However, the NLRB has found that such a disclaimer is ineffective. For example, a disclaimer that states the following does not allow for a policy provision prohibiting employees from posting inappropriate content because an employee could not reasonably be expected to know that this language encompasses discussions the employer deems inappropriate:

The policy will not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations; to bargain collectively through representatives of their choosing; or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from engaging in such activities.

Rather, employers should replace such a disclaimer with a list of specific limitations or examples which can transform an otherwise over-broad, nondisparagement provision into one that complies fully with the NLRA.

Federal Legislation

In 2013, in an attempt to address issues regarding social media use in the workplace, the Social Networking Online Protection Act and the Password Protection Act were introduced, although both acts failed in Congress. However, federal departments have enacted social media policies for applicable workplaces. For instance, the Department of the Interior (DOI) policy describes the official use of social media and social networking tools in the establishment and use by DOI or a DOI bureau of a third-party social networking or social media account or service as an official means of communication or public engagement. The policy does not govern the visiting of third-party social media or social networking websites in one’s official capacity for research or informational purposes.

Related to social media privacy in the workplace, in 2016 President Obama directed his administration to implement a Cybersecurity National Action Plan (CNAP) building upon lessons learned from cybersecurity trends, threats, and intrusions. The plan directs the federal government to take new action now and fosters the conditions required for long-term improvements in its approach to cybersecurity across the federal government, the private sector, and personal lives. The plan also intends to empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure.

Record Retention

Social media content, similar to email messages and attachments, can create electronic business records that can place companies in jeopardy of government and industry regulatory investigations or federal and state lawsuits. From defamation lawsuits and sexual harassment claims to the risks associated with mismanaged and misplaced business records, organizations may be confronted with a number of potentially costly risks triggered by the content that is posted and published on social media by employees.

For regulated companies in industries that are governed by the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes Oxley Act (SOX), the Financial Industry Regulatory Authority (FINRA) or the Securities and Exchange Commission (SEC), the potential for risk associated with record retention is magnified. Any employee-generated content, whether written and posted at the office during work hours or at home after hours, has the potential to create an electronic business record that must be preserved, protected, and produced in the event of a lawsuit.

To help minimize risks and maximize compliance with legal and regulatory rules, organizations should establish and implement a standardized process for electronic risk management, for instance:

  • Create and maintain effective policies.
  • Train the workforce in regard to company policy and the legitimate, job-related use of social media content.
  • Enforce policies through a combination of disciplinary action and quality technology designed to manage content and use and maintain records in a legally compliant fashion.

Electronically Stored Information

According to the Federal Rules of Civil Procedure (FCRP), all electronically stored information (ESI) is discoverable and may be used as evidence in federal litigation. However, to be accepted as evidence, email and other forms of ESI must be preserved, protected, and produced in a trustworthy, tamperproof, and legally compliant manner. Organizations may implement a permanent document preservation process or a destructive retention process. The permanent preservation process retains and never destroys documents while the destructive retention process destroys documents according to an established schedule. Organizations may legally elect to purge a system of electronic records in the ordinary course of business, so as long as those records are not needed in connection to current, pending, or anticipated litigation. For instance, and with exception, under Rule 26 of the FRCP (duty to disclose) employers are obligated provide a copy of all documents, ESI, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses.

Establishing a Retention Policy

To establish effective electronic record retention policies, organizations must first outline how an electronic record corresponds within the more broad definition of business record. Electronic business records usually document business-related events, activities, transactions, or discussions. A personal conversation may also meet the definition of an electronic business record if the conversation:

  • Occurred on the company network.
  • Is retained and archived alongside other business-related content.

Electronic business records may also be generated by employees’ online activities, including but not limited to blogging, email, social media posts, texting, and web surfing. Additionally, any recorded online conversation has the potential to constitute a business record based on the content of the conversation. This is because all electronic tools (laptop, smartphone, tablet) can create business records that must be retained based on their ongoing legal, regulatory, or historic value to the company.

After defining an electronic business record, the basics of a retention policy may be established. The electronic retention policy should include all types of electronic content generated by the employee in relation to the workplace, including email, instant messages, text messages, tweets, blog posts, and videos.

It is important to note that backup of email is not the same as storage because a backup system does not archive or store technology. Rather, backup of email is the collective gathering of ESI in a known location designed solely for the recovery of data in the event of a disaster. Effective storage solutions ensure that businesses preserve and are capable of producing legally compliant electronic documents in compliance with applicable laws and regulations.

A retention policy usually contains certain provisions, such as the following:

  • A policy purpose statement.
  • To whom the policy applies (for instance, the entire organization or only a certain department).
  • An exclusion from the policy for litigation or audit purposes.
  • The employees and departments responsible for overseeing the policy.
  • The employees and departments responsible for destruction pursuant to the policy.
  • A description of the types of records along with the retention schedule.

Best Practices

A few best practices for establishing an effective records management policy include:

  • Reviewing the retention guidelines and e-discovery rules of the federal court system, relevant state court systems, and any government or industry regulatory agencies that oversee the business.
  • Establishing a written retention policy.
  • Educating users about the company’s retention policy and their respective roles, if any, in the retention and disposition of email and other ESI.
  • Establishing lifecycles for every type of record created or transmitted by the business. Clearly spell out how long records must be retained, and when and how records may be purged.
  • Assigning an attorney or compliance officer the task of establishing a litigation hold policy to ensure that relevant records are retained, and purging stops, once a lawsuit is filed or in preparation for a pending lawsuit.
  • Supporting the organization’s record retention policy and compliance program with a secure document storage, imaging, and shredding provider.