MOFO SEMINAR SERIES
Data Protection Masterclass: Hot Topics in Employee Privacy and Technology
London, 13 June 2013

Table of Contents
• Presentation (Tab 1)
• Speaker Biographies (Tab 2)
• About Morrison & Foerster (Tab 3)
• Selected Articles and Alerts (Tab 4)
  • Socially Aware: The Social Media Law Update, Volume 4 – January/February 2013
  • “Bring Your Own Device” Brings its Own Challenges – June 2012

© 2013 Morrison & Foerster (UK) LLP | mofo.com

Tab 1: Presentation

Data Protection Masterclass: Hot Topics in Employee Privacy and Technology
13 June 2013
Ann Bevitt, Carlos García-Mauriño, Christine Lyon, Karin Retzer, Caroline Stakim
©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com

Background Checks
Presented by Ann Bevitt and Caroline Stakim, 12 June 2013

Background Checks
• Common practice to conduct some background checks for most types of employment
• Types of checks depend on nature of position
• Right to respect for private life (Article 8, Human Rights Act 1998)
• Not absolute, so employer may be able to justify conducting background checks that collect information about prospective employee’s private life
• UK: ICO’s Employment Practices Code and Supplementary Guidance

Basic Principles
• Company must:
  • Balance its business needs v. applicants’ privacy rights
  • Use reliable sources which are likely to provide relevant information
  • Ensure check/examination/testing is necessary and justified, e.g.:
    • Is the applicant fit to do the job?
    • Is there a legal reason to obtain this information, e.g., to join pension or life insurance schemes, to make any reasonable adjustments for disability, etc.?
  • Allow applicant to make representations regarding information that will affect hiring decision

Third Party Checks
• Where a third party conducts background checks (e.g. credit checks), have a written contract which contains appropriate data protection provisions, e.g.:
  • Limitation on use
  • Information security (access controls, encryption, etc.)
  • Transfer and disclosures
  • Data breach
  • Audit
  • Destruction/return on termination
• Explain the nature of and sources from which information might be obtained

Types of Background Check
• References
• Credit checks
• Court judgments
• Medicals
• Drug and alcohol testing
• Criminal record checks

Changes to Criminal Record Checks
• 1 December 2012: Criminal Records Bureau + Independent Safeguarding Authority = Disclosure & Barring Service
• Disclosure Scotland / Access Northern Ireland
• Basic, standard and enhanced disclosures
• Disclosure of spent and unspent cautions and convictions, police reprimands and warnings and relevant police information
• 29 May 2013: protected convictions and protected cautions not disclosed on DBS certificate
• 17 June 2013: online update service available

Google and Social Networking Sites
• Where permitted:
  • Explain to the applicant the nature of and sources from which information might be obtained and, if necessary, get consent
  • Only Google to obtain specific information, not as a means of general intelligence gathering
  • Allow applicant to make representations regarding information that will affect hiring decision
• Risk of exposure to discrimination claims

Germany
• Background checks to supplement CVs not very common
• Federal Data Protection Act (BDSG §4(2)):
  • Personal data should be collected directly from applicant; collection via third parties only where “nature of business purpose” necessitates and “no overriding legitimate interest” of individual, i.e.:
    • where particular position requires certain information to be confirmed/supplemented through background checks, e.g., where trustworthiness of applicant is particularly relevant, e.g.:
      • financial services institutions
      • child care
    • where qualifications essential for employment decision
  • New § 32 BDSG: data on applicants may only be collected where required for establishment of employment relationship

France
• Right to respect for private life (Article 9, French Civil Code)
• French Labour Code and French Criminal Code prohibit questions during recruiting process relating to:
  • National/ethnic origin
  • Sex and sexual orientation
  • Morals
  • Age
  • Family situation
  • State of health, disability and genetic characteristics
  • Political opinions
  • Labor union activities
  • Religious beliefs
  • Pregnancy

France (2)
• CNIL’s guidance on privacy in the workplace (February 2013):
  • Personal data collected during recruitment process only used to evaluate candidate/take hiring decision
  • Candidates’ social security numbers, information about their family, parents, friends, political opinions, or trade union membership must not be collected
  • Candidates must be provided with information about personal data collected and purposes; data must not be collected using any system that has not been notified to candidate
  • Access to candidate data must be limited

Finland
• Act on Protection of Privacy in Working Life:
  • Employee must be primary source of information related to him
  • Employer may not conduct background checks without applicant’s consent unless necessary for employment relationship
• Act on Background Checks:
  • Allows more extensive processing for applicants for jobs in airports, power plants, telecommunications centres and certain authorities
• Data Protection Ombudsman issued opinion expressly prohibiting employers from obtaining information on an applicant from the Internet without applicant’s prior consent

Poland
• Right to respect for private life (Article 47 of the Constitution)
• Article 22 of Polish Labour Code contains list of data that may be requested from applicants
• Even if applicant specifically and expressly consents to collection of additional data, consent is not sufficient
• Paragraph 1 of Ordinance of Minister of Labour and Social Policy regarding documentation in employment relationship matters specifies documents that may be requested from applicants

Carlos García-Mauriño
Oracle Corporation, Madrid
+91 631 2326
carlos.garcia@oracle.com

Background checks – the view from a Data Processor
• Global and regional security standards and best practices require background checks (BCs) to be performed by companies on their employees (and contractors):
  - ISO 27001/ISO 27002 (Section 8)
  - PCI DSS (Requirement 12.7)
  - UK Financial Services Authority (2008 Report)
  - Cloud Computing recommendations (De-BSI, ENISA)
• Two extremes – “Vendor will ensure that its employees with access to customer data have undergone appropriate BCs” vs “the fullest practicable use shall be made of the technique of background investigation.”

Background checks – the view from a Data Processor
• UK ICO: “Do not vet workers just because a customer for your products or services imposes a condition requiring you to do so, unless you can satisfy yourself that the condition is justified.”
• Golden rule – always free, specific and informed consent required from employee. No retaliation in case of refusal.
• Challenges:
  - obtaining assurances from customer vs. business pressure
  - specific requirements from customers vs internal policies (e.g. drug testing)
  - approvals of Workers Councils

Background checks – the view from a Data Processor
• Scenario A – Customer (Commercial) manages the process
  - Vendor does not get the specific results. Employee provides info directly to the Customer.
  - Need to receive assurances from Customer about proper handling.
• Scenario B – Customer (Public Sector) manages the process (“Security Clearances”)
  - Extremely invasive.
  - Required by law.
  - Imposes strict obligations/liabilities directly on employee.

Privacy issues in Online Recruitment
• Recruiting has evolved:
  - From “reactive” (job postings) to “proactive” sourcing.
  - From niche Recruitment solutions to integrated Talent Management tools.
  - From Local to truly Global.
  - Technology allows for collection and analysis of Candidates’ information in multiple new ways.

Privacy issues in Online Recruitment
• Recruitment goes Social (and Mobile and Geospatial)
  - Employee referrals, through their own social networks, are the Holy Grail.
  - Collection of Candidates’ “public” information through Social Media.
  - Apps optimized for tablets and smartphones (BYOD).
  - Mobile location linked to the Recruitment tool: know which potential candidates are close to you now.

Privacy issues in Online Recruitment
• Recruitment in the Cloud
  - Many of the most successful e-Recruitment solutions are in the Cloud
  - As with any other Cloud service, Customers need to discuss with their vendors:
    • Security
    • Data location and subcontracting
    • Exercise of Candidates’ rights to access/rectify/delete
    • Data return upon termination of the services

Privacy issues in Online Recruitment
• Recruitment and Big Data
  - Companies and Recruiting companies can amass information on hundreds of thousands of Candidates
  - This information can be shared and analyzed to detect trends
  - Is true anonymization possible in this context?
  - Can Big Data be used to reject upfront certain Candidates?

Privacy issues in Online Recruitment
• Recruitment and the ecosystem of Processors
  - Recruitment is no longer a one-Company show
  - Core solutions are “integrated” with the solutions of dozens of niche service providers (e.g. Background checks)
  - Niche Service Providers – “subprocessors” or “processors”?

Privacy issues in Online Recruitment
• Recommendation
  - Find out what your Recruiters are doing and make sure that your Privacy Policy is up to date.
  - Many of these features are beneficial for the Candidate, so ensure that he/she understands and agrees upfront.
  - Avoid “automated decisions” (Article 15(1), Directive 95/46): Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.

Social Media Developments
Presented by Christine Lyon, 12 June 2013

Merging of Personal and Work Social Media
• Employers’ initial areas of focus:
  • Personal use of company-owned devices
  • Personal activity during work time
  • Statements that appear to be made on company’s behalf
• Now expanding concerns about all social media activity:
  • Company-owned or personal devices
  • Work time or after hours
  • Personal opinions or statements affecting the company
• Desire to regulate employees’ off-duty social media activity may conflict with employees’ protected rights

Employer Control Over Social Media Activity (diagram): During Work Hours or Using Company Resources; External Postings on Behalf of Company; Off-Duty Using Personal Device

Limitations on Employer Access to Personal Social Media
U.S.:
• Growing number of states prohibit employers from asking applicants or employees to provide access to personal social media accounts
• Stored Communications Act
• Common law reasonable expectation of privacy analysis
International:
• Data protection laws requiring notice and a lawful basis for monitoring
• Regulators cautioning employers about seeking access to personal social media

Restrictions on Employer Use of Social Media
• Complex interplay of privacy and employment laws
• Laws limiting an employer’s ability to take action based on information revealed by personal postings, such as:
  • Political or religious beliefs
  • Sexual orientation
  • Trade union membership
  • Medical condition, family medical history
  • Off-duty alcohol or tobacco use
  • Other “lawful” off-duty conduct
• Laws restricting an employer’s ability to regulate off-duty social media activity
  • Example: U.S. social media cases under the National Labor Relations Act (NLRA)

Best Practices for Handling Employee Social Media Use
• Limit the inspection or use of personal social media in hiring or employment decisions
• Train HR and internal audit to understand legal restrictions on use of personal social media in investigations
• Develop a social media policy
• Train employees about appropriate use of social media

Bring Your Own Device: Implications for Your Business
Presented by Karin Retzer

Advantages
• Convenience for all
• Reduced device/end point hardware costs
• Reduced operational support costs
• Greater employee flexibility and mobility
• Increased employee productivity
• Increased employee satisfaction

Challenges
• Legal and regulatory compliance
• Privacy and data security:
  • Commingled data
  • Higher risk of infection
  • Theft or loss of devices and/or (company) data + cybercrime
  • Employee monitoring issues
• Incompatibility issues
• Labor law issues
• IP rights/data ownership and recovery
• Licensing implications
• Insurance implications
• Investigation and litigation

ICO Guidance
• Highlights the following risks:
  • Data security breaches by loss, theft or unauthorized access (including by family members)
  • Unauthorized secondary use of personal data
  • General “blurring” of professional and private use of data
  • Increased or unintended employee monitoring
  • Loss of control over where and how data is stored and processed
  • Lack of ownership and control over the device

ICO Guidance II
• How to mitigate the risks:
  • Carry out BYOD audit
  • Develop policy (department collaboration: involve IT, HR, finance, legal, etc.):
    o Identification of data to be processed on the device
    o Permitted types of storage media, apps and software
    o Security procedures (PIN codes, passwords, etc.)
    o Information on procedures for end of employment contract (including consequences of (remotely) wiping company data from the device)
  • Implement appropriate security measures:
    o PIN codes, strong passwords, high level encryption, encrypted channels for data transfers, ring-fencing of data and automatic locking of devices
    o Public clouds should be used with “extreme caution,” if at all (heightened risk of interception by the cloud provider and foreign law enforcement authorities)
  • Ensure control over the data and the device:
    o Remote management of the device (including wiping/deleting if breached)
    o Consider geolocation tracking (if lost or stolen)

BSI Guidance
• Technical measures to be implemented:
  • Clear separation of private and professional data
  • Storage of business data on servers and not on the devices
  • Access to business data through secure network, ensuring employer access (e.g., thin client technology or VPN)
  • Encryption of data when in transit, as well as of all business data stored on devices
  • Prohibit the use of rooted or jailbroken devices
  • Ensure regular backup and archiving of information
  • Implement automated security scans
• Technical measures are insufficient; they must be supported by organizational measures:
  • Clear BYOD policy in place; and
  • Written agreement with employees.
BSI Guidance II
• Security measures to be included in the agreements:
  • Classification of employees eligible for BYOD programs
  • Restrictions on the types of devices and operating systems permitted
  • Access to company network only through restricted channels
  • Storage of business data only on servers and not on devices
  • Clear establishment of rules for employees that require:
    o implementation of anti-virus software
    o strong passwords
    o synchronization of data sources
    o procedures for reporting lost or stolen devices
    o safe return of data upon termination of employment
  • Employees should be made aware that in the case of a security breach, personal data/information may be lost if a device needs to be wiped clean.

ANSSI Guidance
• Recommendations on security for mobile devices:
  • Recommendations for company-issued devices used to process company information, which may include personal data
  • Existing security measures not sufficient
  • Personal use of professional devices creates higher security risk
  • Recommendations not applicable to BYOD policies
• BYOD not advised – “problematic”
• If BYOD is used, companies should:
  • Apply dedicated security measures for BYOD
  • Ensure that professional and personal usage is clearly separated in “closed environments”
  • Be vigilant about different security solutions available on the market
  • Consider existing ANSSI recommendations and certification in areas such as WiFi, passwords, information security architecture and encryption (see next slide)

Where to Start
• Prior to developing your BYOD strategy, consider:
  • Company security requirements & risk management strategies and existing BYOD use – understand your risks and needs; involve all departments; and investigate the company situation first
  • Local legal and regulatory requirements (e.g., Works Council approval)
  • How to ensure compliance with applicable industry standards and other existing company policies
  • Which terms and conditions have to be met, i.e., implemented into a BYOD policy
  • Whether the conditions are too restrictive/unacceptable for your employees
  • Licensing implications: do your company software licenses allow personal devices to access virtual desktop? Obtain necessary license extensions
  • Insurance implications: does your insurance cover use of devices owned by employees for work purposes? Obtain necessary coverage
• Make the use of BYOD voluntary
• Develop a written policy and give clear notice to employees
• Obtain agreement to the policy prior to allowing network access

What to Include in Your BYOD Policy
• Identify devices that may be used
• Identify applications that may be used
• Identify employees, departments and functions that qualify
• Decide how data will be accessed (e.g., by remote access or copying data onto the device in an encrypted “sandbox”)
• Make clear that work materials have to remain segregated from personal files
• Require that all intellectual property created by an employee (whether at work or outside work) is owned by the company
• Explain which, if any, costs of using a personal device for work purposes are covered by the company (e.g., a percentage of the full-time employee’s annual Internet service)

What to Include in Your BYOD Policy II
• Indicate how data must be protected: impose technical and organizational security standards on employees as a condition for network access (e.g., encryption, remote wipe, brick or block, anti-virus software and strong password if not passphrase).
• Indicate employee’s obligation to report loss of any device and employer’s right to wipe it. If applicable, explain that you will use geolocation applications to identify the device’s location in case of theft or loss. Explain in the clearest terms the potential risks and consequences for the employees and their privacy.
• Indicate whether or not employee’s family members or friends will be able to use a device that is used for work purposes.
• Indicate what happens when employee leaves employment (e.g., further access will be prevented by revoking passwords or remotely deleting work data from the device).

What to Include in Your BYOD Policy III
• Refer to company monitoring and other relevant policies (e.g., use of social media) – make clear that they still apply
• Indicate which sanctions may be expected for any policy violations
• Have employees agree to make their personal devices available if required for audits, investigations and incident response or litigation (discovery request) purposes
• Exclude company liability for any damage, data costs, corruption or deletion of data or software, loss of use or liability associated with the use of a personal device for company reasons

Policy is Ready – Now What?
• Enforce your policy
• Stay on top of things – perform regular audits and Privacy Impact Assessments
• Review your policy regularly – it needs to be kept up-to-date with changes in technology and local laws and regulations
• Educate and train your staff regularly

Reading Materials
• Guidance on Consumerization and Bring Your Own Device, German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI)), 4 February 2013 (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Download/Ueberblickspapier_BYOD_pdf.pdf?__blob=publicationFile
• Guidance on Bring Your Own Device, ICO, 7 March 2013: http://ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx
• YouGov survey commissioned by the Information Commissioner’s Office (ICO), 2013: http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Research_and_reports/yougov_survey_processing_of_personal_info_on_personal_devices_for_work_purposes.ashx

Reading Materials II
• Recommandations de sécurité relatives aux ordiphones, French Agency for the Security of Information Systems (ANSSI), 15 May 2013 (in French): http://privacylawblog.ffw.com/wpcontent/uploads/2013/05/NP_Ordiphones_NoteTech1.pdf
  • Password Security Recommendations: http://www.ssi.gouv.fr/IMG/pdf/NP_MDP_NoteTech.pdf (Recommandations de Securité Rélatives aux Mots de Passe)
  • WiFi Security Recommendations: http://www.ssi.gouv.fr/IMG/pdf/NP_WIFI_NoteTech.pdf (Recommandations de Securité Rélatives aux Reseaux Wi-Fi)
• SANS Mobility/BYOD Security Survey, March 2012: http://www.sans.org/reading_room/analysts_program/mobility-sec-survey.pdf
• Information Security Community, BYOD & Mobile Security Report, April 2013: http://blog.lumension.com/docs/BYOD-and-Mobile-Security-Report-2013.pdf

Thank you
Karin Retzer, Morrison & Foerster LLP, Brussels
+32 2 340 7364
kretzer@mofo.com

Forthcoming DP Seminars
Data Protection Masterclass Seminars – dates for your diaries:
• 10 September 2013 – Online Behavioural Advertising and Profiling
• 12 November 2013 – FCPA (Foreign Corrupt Practices Act)

Tab 2: Speaker Biographies
Data Protection Masterclass: Hot Topics in Employee Privacy and Technology

Attorney Bio
Ann Bevitt
Partner, London
44 20 7920 4041
abevitt@mofo.com

Ann Bevitt is a UK-qualified partner and head of the London office’s EU Privacy Group. Her practice covers all aspects of privacy and data security-related matters, both contentious and non-contentious. She assists clients in developing strategies for managing their data that enable them to meet both their business objectives and their legal obligations. Ms. Bevitt has extensive expertise advising clients on international data protection and privacy issues, in particular with reference to the movement of personal data within and outside the EU, including in the context of cross-border litigation or regulatory investigations, and employee privacy issues. Ms. Bevitt regularly advises clients on multi-jurisdictional compliance projects, helping them to navigate their way through myriad local laws. She also assists clients in crafting internal policies governing the use of personal data, technology in the workplace (including BYOD) and social media, as well as external privacy policies for consumers.

Ms. Bevitt works with a wide range of clients, including multinationals and large corporations, from a broad spectrum of industry sectors, including insurance; technology; banking and financial services; venture capital and private equity; recruitment and employment; biotechnology; pharmaceuticals; and hotel and leisure.

Ms. Bevitt is a contributing author to Employee Privacy: Guide to U.S. and International Law, published by BNA Books. She is also a sought-after speaker on privacy topics and a frequent speaker at the major privacy conferences run by Privacy Laws & Business, Privacy & Data Protection and the International Association of Privacy Professionals. She is also quoted frequently in both the national and industry press. Ms. Bevitt is an active member of the International Association of Privacy Professionals and sits on the Publications Advisory Board.

Ms. Bevitt has rights of audience in all civil courts and significant experience as an advocate. She was called to the Bar in 1992, after graduating from Oxford University in 1990. Ms. Bevitt practised as a barrister for seven years before qualifying as a solicitor in 2000. She joined Morrison & Foerster in June 2002.

Speaker biography
Carlos Garcia-Mauriño
Oracle Corporation, Madrid
+91 631 2326
carlos.garcia@oracle.com

Carlos Garcia-Mauriño is the EMEA Senior Legal Director Privacy & Security at Oracle Corporation. Carlos oversees Oracle’s compliance efforts with national Data Privacy regulations in Europe, Middle East and Africa and is a key contributor to the design of the Oracle Global Privacy program.
He trains and provides advice to the different Lines of Business and Commercial Legal Groups on data privacy and security aspects of Oracle’s services portfolio (e.g. Cloud Computing) and provides strategic guidance to senior management on business decisions which might be affected by Data Privacy considerations. As part of his role, he frequently leads complex negotiations with corporate customers from different business sectors and regions. Prior to this, Carlos held several senior positions in the Oracle Legal Department, including the management of the Compliance & Ethics program for the EMEA Division. He is an attorney at law with expertise in data protection, IT law, commercial and contract law.

Oracle Iberica S.R.L., C/José Echegaray, 6, 28230 Las Rozas, Madrid, Spain
www.oracle.com

Attorney Bio
Christine E. Lyon
Partner, Palo Alto
(650) 813-5770
clyon@mofo.com

Christine Lyon’s practice focuses on privacy and employment law. Ms. Lyon assists clients in developing global strategies to comply with laws regulating the collection, use, disclosure, and transfer of personal information about their customers and employees. She also advises clients about privacy issues in cloud computing and social media, security breach notification requirements, laws regulating the use of personal data for direct marketing purposes, and workplace privacy issues.

Ms. Lyon counsels clients regarding all aspects of employment law, including compliance with California and federal employment laws, investigations of workplace complaints, and reductions in force. She regularly assists clients with multinational employment issues related to mergers and acquisitions, outsourcing transactions, and corporate restructuring.

Legal 500 US 2012 recommends Ms. Lyon as a “rising star” in the area of privacy and data protection. She frequently writes and speaks on the topics of global data protection laws, workplace privacy issues, and data security laws.
She is a co-editor of Global Employee Privacy and Data Security Law (BNA Books, 2011) and a member of the editorial board of the World Data Protection Report.

Education
University of Iowa (B.A., 1996)
Stanford Law School (J.D., 1999)

Attorney Bio
Karin Retzer
Partner, Brussels
32 2 340 7364
kretzer@mofo.com

Karin Retzer’s practice focuses on data protection, privacy and security, as well as marketing. Ms. Retzer assists clients with privacy and data security compliance and risk management, involving both national and international multi-jurisdictional dimensions. She advises on questions regarding data transfers, the handling of information in shared service centers and sourcing transactions, regulatory investigations, eDiscovery, breach notification, and the use of email and the Internet in the workplace. She has drafted privacy policies and guidelines, notices, agreements for data list management, and data transfer and processing contracts for dozens of multinational clients. She also assists clients in their dealings with data protection authorities, developing appropriate responses to requests for information and complaints, and provides legislative and policy advice to clients.

Ms. Retzer has particular expertise with regard to the implications of legislative restrictions for online tracking, analytics, and personalization of Internet content, behavioural advertising, and direct marketing communications. She regularly advises clients on the use of location data gathered through smart phones and location-based services. In addition, Ms. Retzer advises clients on issues relating to electronic commerce, such as online terms of use, the requirements for online contracts, disclosure obligations, liability for website content, and the legal aspects of online auction sites.
She has developed template agreements and negotiated complex commercial agreements for many clients, counseling them not only with respect to legal ramifications, but also taking into account applicable business and technical considerations. Her work spans a wide range of industry sectors. Clients include internationally renowned consumer product companies, financial services organizations, technology and telecommunications providers as well as clients in the advertising, hospitality, media and entertainment, healthcare, pharmaceutical, and retail industries.

Prior to joining Morrison & Foerster, Ms. Retzer worked in Paris at the European headquarters of Sterling Commerce, a U.S. supplier of e-commerce products. From 1997 to 1998, Ms. Retzer worked at the European Commission, where she was involved mainly with examining and monitoring Member States' implementation of European Community directives.

Ms. Retzer regularly writes for a wide variety of publications and is a contributing author in the publication Employee Privacy: Guide to US and International Law. She is a member of the Munich bar and the Brussels EU bar, after studies in Regensburg (Germany), Utrecht (The Netherlands), and Munich (Germany). Ms. Retzer is fluent in German, English, and French and has a working knowledge of Dutch. She is a member of the International Association of Privacy Professionals, the German Association for Data Protection and Data Security, the Licensing Executives Society, and the Association for Industrial Property and Copyright Law.

Attorney Bio
Caroline Stakim
Associate, London
44 20 7920 4055
cstakim@mofo.com

Caroline Stakim is an associate in the London office of Morrison & Foerster and is a member of the firm’s Employment and Labour Group. Ms. Stakim’s practice focuses on employment law matters and employee privacy and data security law. Ms. Stakim advises senior management and human resources professionals on all aspects of employment law, including employment documentation, policy, senior executive appointments and terminations, change programmes, employment disputes, post-termination restrictions, business immigration and strategic HR issues, often on a cross-jurisdictional basis. She also advises on the legal and tactical employee and privacy-related issues arising in corporate transactions, including mergers and acquisitions and restructurings, and the application of the TUPE Regulations to outsourcing arrangements and solvent and insolvent business transfers. She also advises on questions regarding the collection, use and disclosure of employee data; cross-border employee data transfers; employee monitoring and surveillance; and privacy and the use of email and the internet in the workplace.

Ms. Stakim received her LL.B (Hons.) from the University of Glasgow in 2005. She was admitted to practice in Scotland in 2008 and in England and Wales in 2010. She is a member of the Employment Lawyers Association.

Tab 3: About Morrison & Foerster
Data Protection Masterclass: Hot Topics in Employee Privacy and Technology

Firm Overview
Morrison & Foerster is an international firm with more than 1,000 lawyers across 16 offices in the U.S., Europe, and Asia. Founded in 1883, we remain dedicated to providing our clients, which include some of the largest financial institutions, Fortune 100 companies, and technology and life science companies, with unequalled service. Our clients rely on us for innovative and business-minded solutions. Therefore, we stress intellectual agility as a hallmark of our approach to client representation. We apply it to every matter—from the complex to the routine—to ensure the best outcomes for our clients and deliver success.

Among Top 10 firms nationwide based on number of first-tier national rankings.
Top-tier national rankings included, among others: Antitrust; Banking & Finance; Capital Markets; Commercial Litigation; Corporate/M+A; IP & Patent Litigation; Employment Law; Energy; Environmental; Financial Services Regulation; Securitization/Structured Finance; Tax; Technology.

We believe that great client service requires insight, expertise, speed, and integrity. Our attorneys share high standards, a commitment to excellence, and a passion for helping their clients succeed. This commitment to serving client needs has resulted in enduring relationships and a record of high achievement. In addition, our culture of genuine collegiality creates a work environment ideally suited to collaboration and effective teamwork, which ultimately translates into organizational stability, winning results, and more positive experiences for clients. We enjoy tremendous practice, geographic, and client diversification—attributes that have allowed us to prosper in these challenging times. Our practice is balanced, with more than 500 business attorneys and nearly 500 litigators. Offices in key financial and technology centers around the world provide us with global reach and geographic diversity: Beijing, Brussels, Denver, Hong Kong, London, Los Angeles, New York, Northern Virginia, Palo Alto, Sacramento, San Diego, San Francisco, Shanghai, Singapore, Tokyo, and Washington, D.C. We are frequently recognized for our long-standing commitment to pro bono work and diversity. Our outstanding client work has earned broad recognition from well-known national and international organizations, such as:

We provide global reach in the world’s key markets:
MOFO EUROPE: Brussels, London
MOFO USA: New York, San Francisco, Los Angeles, Palo Alto, San Diego, Washington, D.C.,
Northern Virginia, Denver, Sacramento
MOFO ASIA: Beijing, Hong Kong, Shanghai, Singapore, Tokyo

Exceptional International Platform

Over the past three decades, Morrison & Foerster has invested significant effort and capital toward developing a world-class international practice—leaving us well-positioned to serve clients across the rapidly expanding global economy. Our international service platform spans expertise in M&A, securities, finance and trade, and dispute resolution, and includes complex global tax structuring, counsel on foreign workforces, the navigation of regulatory bottlenecks in multiple jurisdictions, and antitrust, environmental, and litigation risk analyses throughout the world, among other capabilities. We enjoy unrivalled reach around the Pacific Rim with nearly 200 lawyers in Asia teamed with more than 500 lawyers in California. We are the largest U.S. law firm in Japan, with more than 120 attorneys in Tokyo, including nearly 50 bengoshi admitted to practice in Japan. With our partners, Ito & Mitomi, we are widely recognized as having Japan’s leading corporate practice. Our nearly 30-year presence in China has produced a strong platform of more than 70 multilingual U.S.-, PRC-, and/or Hong Kong-qualified professionals. With an established presence in the UK for 30 years, we have nearly 60 lawyers qualified in the UK who offer expertise across all major disciplines.

Practice Group Description: Privacy + Data Security

PRACTICE GROUP CHAIR
Miriam H. Wugmeister
1290 Avenue of the Americas, New York, NY 10104-0050
(212) 506-7213
mwugmeister@mofo.com

“Recommended as ‘excellent in all respects.’” - Legal 500 US

Morrison & Foerster has a world-class privacy and information security practice that is cross-disciplinary and spans our global offices.
With more than 60 lawyers actively counseling, litigating, and representing clients before regulators around the world on privacy and security of information issues, we have been recognized by Chambers and Legal 500 as having one of the best domestic and global practices in this area. We won Chambers USA’s award for excellence in the field of Privacy and Data Security in 2008. Chambers Global ranks the practice Tier 1 in its “Data Protection: Global” category. Clients have commented that our group is “very responsive, with a knowledge of the area that is second to none” (Chambers Global) and “the best at giving practical advice by applying the law to the situation at issue” (US Legal 500). Our practical and straightforward approach has made us the privacy counsel of choice for some of the world’s largest and best known corporations, as well as a host of smaller organizations. Our skills are particularly valued by companies that operate in highly regulated sectors (such as financial services, healthcare, and pharmaceuticals), those with an online presence, and those operating internationally. Such organizations face multiple layers of regulation and appreciate the timely, knowledgeable, and realistic advice our attorneys are trained to provide. We take a big picture view of how organizations handle information during its life cycle and help our clients find realistic solutions to seemingly complex problems.

We Advise On:
• Data protection and privacy policies, procedures, and training
• Data security standards and information handling
• Security breaches
• Regulatory investigations
• Litigation
• Cross-border data transfers
• Employee monitoring
• Compliance audits
• Commercial transactions
• Direct marketing
• E-discovery and disclosure issues in litigation
“The work quality is exceptional, they are incredibly responsive, and they know about all the hottest issues in data privacy.” - Chambers Global

A factor driving data protection regulation in recent years has been the changing nature of technology – including issues such as the increased emphasis on technological means to secure data, how we use social media, and the adoption of cloud computing. Our data protection and privacy lawyers are at home with technological innovation as well as with complex regulation. Because of our comfort with technology, we are at ease speaking with the general counsel, the chief privacy officer or the chief information officer regarding technical and non-technical issues relating to privacy and data security. What truly distinguishes us is our practical approach to our work. In relation to all areas of privacy law, we believe that it is our job to assist clients in finding innovative and realistic solutions that balance compliance with the law and the commercial realities of running their businesses. We work with our clients to find solutions for managing business operations in light of the complex matrix of privacy laws and regulations.

Resources

We offer important resources to support our clients in their privacy compliance and data security efforts.

Legal Resources: The privacy team writes extensively on privacy and data security matters, including two treatises: Global Employee Privacy and Data Security Law, setting out the U.S. and international legal landscape related to workplace privacy and data security, and The Law of Financial Privacy, covering the Fair Credit Reporting Act, Financial Privacy Act, Bank Secrecy Act, and Internal Revenue Code requirements, including discussions of state financial privacy laws, use of technology, and use and protection of confidential information.
Privacy Library: Our Privacy Library (www.mofoprivacy.com) is an online resource which provides links to privacy laws, regulations, reports, multilateral agreements, and government authorities of more than 90 countries around the world, including the United States. The Privacy Library is the most comprehensive collection of privacy laws and regulations ever assembled, the result of years of research and experience working with clients around the world.

MoFoNotes: Morrison & Foerster provides content to Nymity (www.nymity.com) for its MoFoNotes product, a subscription-based database that helps organizations determine local compliance requirements in jurisdictions around the world, spot potential compliance issues, and simplify the development of global privacy approaches.

Practice Group Description: Privacy + Data Security

PARTNER
Karin Retzer
Boulevard Louis Schmidt 29, 1040 Brussels, Belgium
+32 2 340 7364
kretzer@mofo.com

Clients value our “extensive network of attorneys around the world since privacy legal issues are becoming more global every day.” - Legal 500 US

EUROPEAN DATA PROTECTION

We help our clients navigate Europe’s complex patchwork of data protection laws at the EU and individual country level, providing advice on international data transfers and processing of personal data in the employment context and online. We bring years of experience to the complex jurisdictional issues encountered by multinational companies operating in Europe and work with our long-established network of privacy experts to provide in-depth, tailored advice. In particular, we provide advice on the implementation of EU laws in the individual EU Member States, and provide our clients with regular updates, analysis, and practical compliance solutions.
Our privacy group consults and negotiates extensively with European data protection authorities, such as the French Commission Nationale de l’Informatique et des Libertés, the various German Länder Data Protection Commissioners and the UK Information Commissioner’s Office, as well as the European Commission. Our work handling both compliance and advocacy projects gives us an advantage. We are able to translate and clarify high-level policy guidance into concrete compliance actions and, at the same time, use our practical compliance experience to advise government policymakers on how to craft policy in ways that can be translated into sensible compliance actions.

Recent Representative Engagements

Consumer Products Company. We provided advice on global whistleblowing hotlines and codes of conduct, including registration obligations across the EU. We also drafted appropriate communications with employees, internal protocols and procedures, and crafted language to include in contracts with service providers.

Several clients – Implementation of ePrivacy Directive. We have assisted a number of clients in comprehensively tracking and analyzing implementation of the EU ePrivacy Directive in all 30 EEA Member States. The ePrivacy Directive introduced new requirements for data security breach notification, spam and electronic marketing, and the use of cookies and online tracking technologies. We provided and continue to provide our clients with practical advice on how to deal with these legal changes cost effectively across the jurisdictions.

Multinational Pharmaceuticals Company. We advised our client on the choice, adoption, and implementation of Binding Corporate Rules as the global cross-border data handling strategy.
We drafted the BCRs and inter-affiliate agreement, and provided comprehensive assistance and advice, including preparing presentations to management, drafting communications, and establishing standard operating procedures and complaint handling procedures.

Global Health Care Company. We advised on the adoption and implementation of a global framework agreement. We advised on the approach to consultations with works councils; drafted communications to management, human resources, sales, marketing and clinical research departments; conducted training for the procurement and legal functions globally; and prepared employee notice and consent forms. We also advised on and handled registration requirements in all EEA countries and relevant Latin American countries, and handled all aspects of data transfer authorizations with regulatory authorities.

Tab 4 Articles and Alerts

SOCIALLY AWARE: THE SOCIAL MEDIA LAW UPDATE
Volume 4, Issue 1, January/February 2013

IN THIS ISSUE
Employers and Employees Battle Over Social Media Accounts – Page 2
Anonymous P2P User’s Motion to Quash Subpoena Denied – Page 3
FTC Snuffs Out Online “History Sniffing” – Page 4
Socially Aware Looks Back: The Social Media Law Year in Review – Page 5
AdWords Decision Highlights Contours of CDA Section 230 Safe Harbor – Page 7
FCC Rules That Opt-Out Confirmation Text Messages Do Not Violate TCPA – Page 8
Facebook ’em, Danno: Is the Hawaii 5-0's Facebook Wall A Public Forum? – Page 9
PeopleBrowsr Wins Round One Against Twitter – Page 10

EDITORS: John Delaney, Gabriel Meister, Aaron Rubin
CONTRIBUTORS: Amanda M.F. Bakale, Tiffany Cheung, Adam J. Fleisher, Matthew R. Galeotti, Jacob Michael Kaufman, J. Alexander Lawrence, Christine E. Lyon, Julie O’Neill, Jesse K.
Soslow

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we explore the challenges that arise when employers and employees battle over work-related social media accounts; we discuss a new litigation trend in which content owners are focusing on individual P2P users to enforce their rights, despite potential First Amendment hurdles; we report on the FTC’s crackdown on so-called “history sniffing”; we examine how Section 230 of the Communications Decency Act may or may not fully protect website operators from trademark-related claims; we review a recent FCC ruling on whether opt-out confirmation text messages violate the Telephone Consumer Protection Act; we highlight constitutional challenges to how public entities moderate their social media pages; we summarize a recent order requiring Twitter to continue to provide PeopleBrowsr with access to Twitter’s “Firehose”; and we recap major events from 2012 that have had a substantial impact on the law of social media. All this, plus a collection of eye-opening numbers on the use of social media in 2012. Follow us on Twitter @MoFoSocMedia, and check out our blog.

EMPLOYERS AND EMPLOYEES BATTLE OVER SOCIAL MEDIA ACCOUNTS

When an employee uses a social media account to promote his or her company, who keeps that account when the employee leaves? Perhaps more importantly, who keeps the friends, followers and connections associated with that account? Three lawsuits highlight the challenges an employer may face in seeking to gain control of work-related social media accounts maintained by current or former employees. We start with Eagle v. Edcomm, a federal case out of Pennsylvania involving a dispute over an ex-employee’s LinkedIn account and related connections. The plaintiff, Dr. Linda Eagle, was a cofounder of the defendant company, Edcomm. She established a LinkedIn account while at Edcomm, using the account to promote the company and to build her network.
Edcomm personnel had access to her LinkedIn password and helped to maintain the account. Following termination of her employment, Edcomm allegedly changed Dr. Eagle’s LinkedIn password and her account profile; the new profile displayed the new interim CEO’s name and photograph instead of Dr. Eagle’s. (Apparently, “individuals searching for Dr. Eagle were routed to a LinkedIn page featuring [the new CEO]’s name and photograph, but Dr. Eagle’s honors and awards, recommendations, and connections.”) Both parties raced to the courthouse, filing lawsuits against each other over the LinkedIn account and other disputes. Although a final ruling on all of the issues has not yet been made, the court has issued two decisions. In the earlier of the two decisions, the court granted Dr. Eagle’s motion to dismiss Edcomm’s trade secret misappropriation claim, concluding that the LinkedIn connections were not a trade secret because they are “either generally known in the wider business community or capable of being easily derived from public information.” The most recent decision, however, was largely a win for Edcomm. The court granted Edcomm’s motion for summary judgment on Dr. Eagle’s Computer Fraud and Abuse Act (CFAA) and Lanham Act claims. Regarding her CFAA claims, the court concluded that the damages Dr. Eagle claimed she had suffered—related to harm to reputation, goodwill and business opportunities—were insufficient to satisfy the “loss” element of a CFAA claim, which requires some relation to “the impairment or damage to a computer or computer system.” In rejecting Dr. Eagle’s claim that Edcomm violated the Lanham Act by posting the new CEO’s name and picture on Dr. Eagle’s LinkedIn account, the court found that Dr. Eagle could not demonstrate that Edcomm’s actions caused a “likelihood of confusion,” as required by the Act.
In a federal case out of Illinois, Maremont v. Susan Fredman Design Group LTD, the employee, Jill Maremont, was seriously injured in a car accident and had to spend several months rehabilitating away from work. While recovering, Ms. Maremont’s employer—Susan Fredman Design Group—posted and tweeted promotional messages on Ms. Maremont’s private Facebook and Twitter accounts, where she had developed a large following as a well-known interior designer. The posts and tweets continued after Ms. Maremont had asked her employer to stop, so Ms. Maremont changed her passwords. Following the password changes, Ms. Maremont alleged that her employer started treating her poorly in order to force her to resign. Ms. Maremont then brought claims under the Lanham Act, Illinois’ Right of Publicity Act, and the common law right to privacy. Although the case is still pending, the court issued a decision refusing to dismiss Ms. Maremont’s Lanham Act and Right of Publicity Act claims. The court, however, dismissed her common law right to privacy claims, holding that she had failed to demonstrate that her employer’s “intrusion into her personal ‘digital life’ is actionable under the common law theory of unreasonable intrusion upon the seclusion of another,” and that she had failed to allege a false light claim because she did not allege that her employer “acted with actual malice.”

A recently-settled California case, PhoneDog LLC v. Noah Kravitz, about which we have written previously, involved a similar dispute over a former employee’s Twitter account.
Unlike the LinkedIn account at issue in the Edcomm case, the Twitter account in PhoneDog apparently was created by the employer, not the employee—however, the Twitter “handle” identifying the account included both the employer’s name and the employee’s name: @PhoneDog_Noah. According to PhoneDog’s complaint, the account attracted approximately 17,000 Twitter followers. Mr. Kravitz, who after leaving PhoneDog eventually began working for one of PhoneDog’s competitors, kept the Twitter account but removed PhoneDog’s name, changing the account's handle to @noahkravitz. PhoneDog sued Mr. Kravitz, alleging that Mr. Kravitz wrongfully used the Twitter account to compete unfairly against PhoneDog. Like Edcomm, PhoneDog alleged misappropriation of trade secrets, although PhoneDog appears to have viewed the account login information rather than the actual followers as the relevant trade secret information. As noted above, the parties have settled the PhoneDog case, so we will not learn how the court would have ultimately ruled; nevertheless, this case and the other pending suits discussed above offer important lessons to employers. Although the terms of the settlement are confidential, news reports have indicated that the agreement does allow Mr. Kravitz to keep his Twitter account and followers. These cases have received media attention, and the two pending cases—Eagle and Maremont—will continue to be closely watched by the legal community to see how courts define ownership interests in employee social media accounts. Employers, however, should not wait on the rulings in these pending cases to take steps to protect their interests in their social media accounts. All three of these cases illustrate the importance of creating clear policies regarding the treatment of business-related social media accounts, and making sure that employees are aware of these policies.
Other measures an employer can take include being certain to control the passwords of the company’s own social media accounts, and making sure that the name of the account does not include an individual employee’s name. At the same time, employers need to be mindful of new laws in California restricting an employer’s ability to gain access to its employees’ personal social media accounts, laws on which we have reported previously. And of course, in light of these developments, it remains particularly important to maintain a clear distinction between company and personal social media accounts.

ANONYMOUS P2P USER’S MOTION TO QUASH SUBPOENA DENIED

BitTorrent, the peer-to-peer (P2P) file-sharing system that enables the quick downloading of large files, has sparked another novel controversy stemming from copyright-infringement claims brought against its users. Users take advantage of the BitTorrent sharing system to anonymously access popular media such as books and movies. That anonymity is unlikely to last long for users who are alleged to have downloaded copyrighted material. Last month, Judge Sweet, a federal judge in the Southern District of New York (SDNY), held that an anonymous P2P user has no First Amendment right to quash a subpoena seeking her identity where the plaintiff had no other means to effectively identify the defendant. In John Wiley & Sons Inc. v. Does Nos. 1-35, the plaintiff (Wiley), a publisher of books and journal articles, alleged that unidentified “John Does” used BitTorrent to illegally copy and distribute Wiley’s copyrighted works and infringe on Wiley’s trademarks. Wiley sued 35 defendants known only by their “John Doe Numbers” and Internet Protocol (IP) addresses.
Seeking to identify the Does, Wiley moved for court-issued subpoenas to be served on various Internet service providers (ISPs), ordering them to supply identifying information corresponding to the Does’ IP addresses. In an attempt to maintain her anonymity and avoid liability, one of the 35 Does, then known only as John Doe No. 25 (“Doe 25”) or IP Address 74.68.143.193, moved to quash a subpoena served on her ISP, Time Warner Cable.

Wiley reflects a new wave of litigation in which copyright holders have shifted from suing host sites to focusing on individual users of P2P networks. The mere fact that copyrighted material is downloaded from a particular IP address may be insufficient to prove that the P2P network user is the infringer. An IP address typically provides only the location at which one of any number of devices may be used by any number of individuals (in fact, Doe 25 contended that her ex-husband, not she, downloaded the infringing works). If a motion to quash is granted, the account holder’s identity is not revealed, and the claim is effectively dead.

In considering whether to grant an anonymous account holder’s motion to quash a subpoena, courts balance the user’s First Amendment right to act anonymously with the plaintiff’s right to pursue its claims. Anonymous users can rely on a line of precedent that extends the First Amendment’s protections to online expression. And under Rule 45 of the Federal Rules of Civil Procedure, a court must quash a subpoena if it requires disclosure of protected matter. Thus, to the extent that anonymity is protected by the First Amendment, courts will quash subpoenas designed to breach anonymity. On the other hand, plaintiffs pursuing their claims can point to precedent holding that the First Amendment may not be used to encroach upon the intellectual property rights of others.
To balance these competing principles and determine whether certain actions trigger First Amendment protection, courts weigh the five factors set out in Sony Music Entertainment Inc. v. Does 1-40:
• whether the plaintiff has made a concrete showing of actionable harm;
• the specificity of the discovery request;
• the absence of alternative means by which to obtain the subpoenaed information;
• a central need for the data; and
• the party’s expectation of privacy.

In Wiley, each of these five factors weighed in favor of disclosure of the defendant’s identity. Wiley pled a sufficiently specific claim of copyright infringement, and, without a subpoena, Wiley would have no other effective way to identify potential infringers of Wiley’s intellectual property rights. At least five other courts within the SDNY have denied motions to quash in similar litigations involving defendants accused of infringing Wiley’s copyrights via BitTorrent. Going forward, so long as copyright holders can satisfy the Sony five-factor test, they will be able to rely on cases like Wiley to ferret out copyright infringers.

FTC SNUFFS OUT ONLINE “HISTORY SNIFFING”

The Federal Trade Commission (FTC) has cracked down on a company that was engaged in “history sniffing,” a means of online tracking that digs up information displayed by web browsers to reveal the websites that users have visited. In a proposed settlement with Epic Marketplace, Inc. and Epic Media Group (together, “EMG”) that was announced on December 5, 2012, the FTC settled charges that EMG had improperly used history sniffing to collect sensitive information regarding unsuspecting consumers. EMG functions as an intermediary between publishers—i.e., websites that publish advertisements—and the advertisers who want to place their ads on those websites.
It performs this function through online behavioral advertising, which typically entails placing cookies on websites that a consumer visits in order to collect information about his or her use of the website, and then using that information to serve targeted ads to the user when he or she visits other websites within the "EMG Marketplace Network," the network of publisher websites serviced by EMG. What got EMG into trouble was that EMG also used history sniffing to collect information regarding what websites users had visited. Here’s how the technique works at a high level: In your web browser, hyperlinks to websites change color once you’ve visited them. For example, if you
(Continued on page 7)

BIGGEST NUMBERS IN SOCIAL MEDIA FROM 2012
810,000 – the number of retweets of President Obama’s 2012 election victory tweet—the most retweeted post on Twitter ever [1]
4 million – the number of Facebook “likes” for President Obama’s 2012 election victory post—the most liked Facebook photo of all time [2]
200 million – the number of LinkedIn members as of January 9, 2013 [3]
1 billion – the number of views of PSY’s “Gangnam Style”—the most viewed YouTube video in history [4]
1 billion – the number of monthly active Facebook users as of October 2012 [5]
1.1 billion – the number of photos uploaded to Facebook over New Year’s Eve and New Year’s Day [6]
3 billion – the total number of Foursquare “check-ins” from its inception through 2012 [7]
4 billion – the number of hours of video watched on YouTube every month [8]
1. https://twitter.com/BarackObama/status/266031293945503744/photo/1
2. http://news.cnet.com/8301-17938_105-57546254-1/obama-victory-photo-smashes-facebook-like-record/
3. http://blog.linkedin.com/2013/01/09/linkedin-200-million/
4. http://news.cnet.com/8301-1023_3-57560498-93/gangnam-style-the-first-video-to-hit-1b-youtube-views/
5. http://finance.yahoo.com/news/number-active-usersfacebook-over-230449748.html
6. http://techcrunch.com/2013/01/17/facebook-photosrecord/
7. http://thenextweb.com/location/2012/11/21/foursquarehas-its-3-billionth-check-in-seeing-growth-of-x/
8. http://www.youtube.com/t/press_statistics

SOCIALLY AWARE LOOKS BACK: THE SOCIAL MEDIA LAW YEAR IN REVIEW

2012 was a momentous year for social media law. We've combed through the court decisions, the legislative initiatives, the regulatory actions and the corporate trends to identify what we believe to be the ten most significant social media law developments of the past year–here they are, in no particular order:

Bland v. Roberts – A Facebook “like” is not constitutionally protected speech

Former employees of the Hampton Sheriff’s Office in Virginia who were fired by Sheriff BJ Roberts sued, claiming they were fired for having supported an opposing candidate in a local election. Two of the plaintiffs had “liked” the opposing candidate’s Facebook page, which they claimed was an act of constitutionally protected speech. A federal district court in Virginia, however, ruled that a Facebook “like” “. . . is insufficient speech to merit constitutional protection”; according to the court, “liking” involves no actual statement, and constitutionally protected speech could not be inferred from “one click of a button.” This case explored the increasingly important intersection of free speech and social media, with the court finding that a “like” was insufficient to warrant constitutional protection. The decision has provoked much criticism, and it will be interesting to see whether other courts will follow the Bland court’s lead or take a different approach.

New York v. Harris – Twitter required to turn over user’s information and tweets

In early 2012, the New York City District Attorney’s Office subpoenaed Twitter to produce information and tweets related to the account of Malcolm Harris, an Occupy Wall Street protester who was arrested while protesting on the Brooklyn Bridge. Harris first sought to quash the subpoena, but the court denied the motion, finding that Harris had no proprietary interest in the tweets and therefore did not have standing to quash the subpoena. Twitter then filed a motion to quash, but the court also denied its motion, finding that Harris had no reasonable expectation of privacy in his tweets, and that, for the majority of the information sought, no search warrant was required. This case set an important precedent for production of information related to social media accounts in criminal suits. Under the Harris court’s ruling, in certain circumstances, a criminal defendant has no ability to challenge a subpoena that seeks certain social media account information and posts.

The National Labor Relations Board (NLRB) issued its third guidance document on workplace social media policies

The NLRB issued guidance regarding its interpretation of the National Labor Relations Act (NLRA) and its application to employer social media policies.
In its guidance document, the NLRB stated that certain types of provisions should not be included in social media policies, including:
• prohibitions on disclosure of confidential information where there are no carve-outs for discussion of an employer’s labor policies and its treatment of employees;
• prohibitions on disclosures of an individual’s personal information via social media where such prohibitions could be construed as limiting an employee’s ability to discuss wages and working conditions;
• discouragements of “friending” and sending unsolicited messages to one’s co-workers; and
• prohibitions on comments regarding pending legal matters to the degree such prohibitions might restrict employees from discussing potential claims against their employer.

The NLRB’s third guidance document illustrates the growing importance of social media policies in the workplace. With social media becoming an ever-increasing means of expression, employers must take care to craft social media policies that do not hinder their employees’ rights. If your company has not updated its social media policy in the past year, it is likely to be outdated.

Fteja v. Facebook, Inc. and Twitter, Inc. v. Skootle Corp. – Courts ruled that the forum selection clauses in Facebook’s and Twitter’s terms of service are enforceable

In the Fteja case, a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (its “Terms”) was enforceable. Facebook sought to transfer a suit filed against it from a New York federal court to one in Northern California, citing the forum selection clause in the Terms. The court found that the plaintiff’s clicking of the “I accept” button when registering for Facebook constituted his assent to the Terms even though he may not have actually reviewed the Terms, which were made available via hyperlink during registration.
In the Skootle case, Twitter brought suit in the Northern District of California against various defendants for their spamming activities on Twitter’s service. One defendant, Garland Harris, who was a resident of Florida, brought a motion to dismiss, claiming lack of personal jurisdiction and improper venue. The court denied Harris’s motion, finding that the forum selection clause in Twitter’s terms of service applied. The court, however, specifically noted that it was not finding that forum selection clauses in “clickwrap” agreements are generally enforceable, but rather “only that on the allegations in this case, it is not unreasonable to enforce the clause here.”

Fteja and Skootle highlight that potentially burdensome provisions in online agreements may be enforceable even as to consumers; in both cases, a consumer seeking to pursue or defend a claim against a social media platform provider was required to do so in the provider’s forum. Both consumers and businesses need to be mindful of what they are agreeing to when signing up for online services.

Six states passed legislation regarding employers’ access to employee/applicant social media accounts

California, Delaware, Illinois, Maryland, Michigan and New Jersey enacted legislation that prohibits an employer from requesting or requiring an employee or applicant to disclose a user name or password for his or her personal social media account. Such legislation will likely become more prevalent in 2013; Texas has a similar proposed bill, and California has proposed a bill that would expand its current protections for private employees to also include public employees.

Facebook goes public

Facebook raised over $16 billion in its initial public offering, which was one of the most highly anticipated IPOs in recent history and the largest tech IPO in U.S. history.
Facebook’s peak share price during the first day of trading hit $45 per share, but with a rocky first few months fell to approximately $18—sparking shareholder lawsuits. By the end of 2012, however, Facebook had rebounded to over $26 per share.

Facebook’s IPO was not only a big event for Facebook and its investors, but also for other social media services and technology startups generally. Many viewed, and continue to view, Facebook’s success or failure as a bellwether for the viability of social media and technology startup valuations.

Employer-employee litigation over ownership of social media accounts

2012 saw the settlement of one case, and continued litigation in two other cases, all involving the ownership of business-related social media accounts maintained by current or former employees. In the settled case of PhoneDog LLC v. Noah Kravitz, the employer sued the employee after the employee left the company but retained a Twitter account (and its 17,000 followers) that he had maintained while working for the employer. The terms of the settlement are confidential, but news reports indicated that the settlement allowed the employee to keep the account and its followers. In two other pending cases, Eagle v. Edcomm and Maremont v. Susan Fredman Design Group LTD, social media accounts originally created by employees were later altered or used by the employer without the employees’ consent.

These cases are reminders that, with the growing prevalence of business-related social media, employers need to create clear policies regarding the treatment of work-related social media accounts.
California’s Attorney General went after companies whose mobile apps allegedly did not have adequate privacy policies

Starting in late October 2012, California’s Attorney General gave notice to developers of approximately 100 mobile apps that they were in violation of California’s Online Privacy Protection Act (OPPA), a law that, among other things, requires developers of mobile apps that collect personally identifiable information to “conspicuously post” a privacy policy. Then, in December 2012, California’s Attorney General filed its first suit under OPPA against Delta, for failing to have a privacy policy that specifically mentioned one of its mobile apps and for failing to have a privacy policy that was sufficiently accessible to consumers of that app.

Privacy policies for mobile applications continue to become more important as the use of apps becomes more widespread. California’s OPPA has led the charge, but other states and the federal government may follow. In September, for instance, Representative Ed Markey of Massachusetts introduced The Mobile Device Privacy Act in the U.S. House of Representatives, which in some ways would have similar notice requirements as California’s OPPA.

Changes to Instagram’s online terms of service and privacy policy created user backlash

In mid-December 2012, Instagram released an updated version of its online terms of service and privacy policy (collectively, “Terms”). The updated Terms would have allowed Instagram to use a user’s likeness and photographs in advertisements without compensation. There was a strong backlash from users over the updated Terms, which ultimately led to Instagram apologizing to its users for the advertisement-related changes, and reverting to its previous language regarding advertisements. Instagram’s changes to its Terms, and subsequent reversal, are reminders of how monetizing social media services is often a difficult balancing act.
Although social media services need to figure out how they can be profitable, they also need to pay attention to their users’ concerns.

The defeat of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA)

Two bills, SOPA and PIPA—which were introduced in the U.S. House of Representatives and U.S. Senate, respectively, in late 2011—would have given additional tools to the U.S. Attorney General and intellectual property rights holders to combat online intellectual property infringement. A strong outcry, however, arose against the bills from various Internet, technology and social media companies. The opponents of the bills, who claimed the proposed legislation threatened free speech and innovation, engaged in various protests that included “blacking out” websites for a day. These protests ultimately resulted in the defeat of these bills in January 2012.

The opposition to and subsequent defeat of SOPA and PIPA demonstrated the power of Internet and social media services to shape the national debate and sway lawmakers. With prominent social media services such as Facebook, YouTube, Twitter, LinkedIn and Tumblr opposed to the bills, significant public and, ultimately, congressional opposition followed. Now that we’ve witnessed the power that these services wield when acting in unison, it will be interesting to see what issues unite them in the future.

Continued from page 4

have never visited a particular website with your browser, hyperlinks to that site will typically appear in your browser in one color (e.g., blue), whereas once you’ve visited the website, hyperlinks to the site will appear in a different color (e.g., purple). History sniffing code exploits this feature by “sniffing” around a web page displayed in your browser to see what color your hyperlinks are. When the code finds purple links, it knows that you’ve already visited those websites—and thereby, the code catches a glimpse of your browsing history.
According to the FTC, for almost 18 months—from March 2010 until August 2011—EMG included history sniffing code in ads that it served to website visitors on at least 24,000 web pages within its network, including web pages associated with name brand websites. EMG used such code to determine whether consumers had visited more than 54,000 different domains, including websites “relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.” EMG used this sensitive information to sort consumers into “interest segments” that, in turn, included sensitive categories like “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” EMG then used these sensitive interest segments to deliver targeted ads to consumers.

History sniffing is not per se illegal under U.S. law. What got EMG into trouble was that it allegedly misrepresented how it tracked consumers. First, EMG’s privacy policy at the time stated that the company only collected information about visits to websites within the EMG network; however, the FTC alleged that the history sniffing code enabled EMG to “determine whether consumers had visited webpages that were outside the [EMG] Marketplace Network, information it would not otherwise have been able to obtain.” EMG’s tracking of users in a manner inconsistent with its privacy policy was therefore allegedly deceptive, in violation of Section 5 of the FTC Act. Second, EMG’s privacy policy did not disclose that the company was engaged in history sniffing; it disclosed only that it “receives and records anonymous information that your browser sends whenever you visit a website which is part of the [EMG] Marketplace Network.” According to the FTC, the fact that the company engaged in history sniffing would have been material to consumers in deciding whether to use EMG’s opt-out mechanism.
EMG’s failure to disclose the practice was therefore also allegedly deceptive in violation of Section 5 of the FTC Act.

If you collect data in a manner inconsistent with—or not disclosed in—your privacy policy, you run the risk of a charge of deception in violation of Section 5 of the FTC Act.

The proposed consent order would, among other things, require EMG to destroy all of the information that it collected using history sniffing; bar it from collecting any data through history sniffing; prohibit it from using or disclosing any information that was collected through history sniffing; and bar misrepresentations regarding how the company collects and uses data from consumers or about its use of history sniffing code.

EMG ceased its history sniffing in August 2011, and most new versions of web browsers have technology that blocks this practice. Nonetheless, the FTC made it clear in its complaint that it wanted to highlight the problem because history sniffing “circumvents the most common and widely known method consumers use to prevent online tracking: deleting cookies.” Mark Eichorn, assistant director of the FTC’s Division of Privacy and Identity Protection, told the Los Angeles Times that the FTC “really wanted to make a statement with this case.” He added, “People, I think, really didn’t know that this was going on and didn’t have any reason to know.”

The proposed consent order puts online tracking and advertising companies on notice: If you collect data in a manner inconsistent with—or not disclosed in—your privacy policy, you run the risk of a charge of deception.

ADWORDS DECISION HIGHLIGHTS CONTOURS OF CDA SECTION 230 SAFE HARBOR

In a string of cases against Google, approximately 20 separate plaintiffs have claimed that, through advertisements on its AdWords service, Google engaged in trademark infringement. These claims have been based on Google allowing its advertisers to use their competitors’ trademarks in Google-generated online advertisements.
In a recent decision emerging from these cases, CYBERsitter v. Google, the U.S. District Court for the Central District of California found that Section 230 of the Communications Decency Act (CDA) provides protection for Google against some of the plaintiff’s state law claims. As we have discussed previously (including in both 2012 and 2011), Section 230 states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The Section 230 safe harbor immunizes websites from liability for content created by users, as long as the website did not “materially contribute” to the development or creation of the content. An important limitation on this safe harbor, however, is that it shall not “be construed to limit or expand any law pertaining to intellectual property.”

In the CYBERsitter case, plaintiff CYBERsitter, which sells an Internet content-filtering program, sued Google for selling and displaying advertisements incorporating the CYBERsitter trademark to ContentWatch, one of CYBERsitter’s competitors. CYBERsitter’s complaint alleged that Google had violated numerous federal and California laws by, first, selling the right to use CYBERsitter’s trademark to ContentWatch and, second, permitting and encouraging ContentWatch to use the CYBERsitter mark in Google’s AdWords advertising. Specifically, CYBERsitter’s complaint included claims of trademark infringement, contributory trademark infringement, false advertising, unfair competition and unjust enrichment. Google filed a motion to dismiss, arguing that Section 230 of the CDA shielded it from liability for CYBERsitter’s state law claims.
The court agreed with Google for the state law claims of trademark infringement, contributory trademark infringement, unfair competition and unjust enrichment, but only to the extent that those claims sought to hold Google liable for the infringing content of the advertisements. The court, however, did not discuss the apparent inapplicability of the Section 230 safe harbor to trademark claims. As noted above, Section 230 does not apply to intellectual property claims and, despite the fact that trademarks are a form of intellectual property, the court applied Section 230 without further note. This is because the Ninth Circuit has held that the term “intellectual property” in Section 230 of the CDA refers to federal intellectual property law and therefore state intellectual property law claims are not excluded from the safe harbor. The Ninth Circuit, however, appears to be an outlier with this interpretation; decisions from other circuit courts suggest disagreement with the Ninth Circuit’s approach, and district courts outside the Ninth Circuit have not followed the Ninth Circuit’s lead.

The Ninth Circuit refused to let Google off entirely with regard to CYBERsitter’s state trademark law claims—distinguishing between Google’s liability for the content of AdWords advertisements, and its liability for potentially tortious conduct unrelated to the content of such advertisements.

Google was not let off the hook entirely with regard to the plaintiff’s state trademark law claims. In dismissing the trademark infringement and contributory trademark infringement claims, the court distinguished between Google’s liability for the content of the advertisements and its liability for its potentially tortious conduct unrelated to the content of the advertisements.
The court refused to dismiss these claims to the extent they sought to hold Google liable for selling to third parties the right to use CYBERsitter’s trademark, and for encouraging and facilitating third parties to use CYBERsitter’s trademark, without CYBERsitter’s authorization. Because such action by Google has nothing to do with the online content of the advertisements, the court held that Section 230 is inapplicable. The court also found that CYBERsitter’s false advertising claim was not barred by Section 230 because Google may have “materially contributed” to the content of the advertisements and, therefore, under Section 230 would have been an “information content provider” and not immune from liability. Prof. Eric Goldman, who blogs frequently on CDA-related matters, has pointed out an apparent inconsistency in the CYBERsitter court’s reasoning, noting that Google did not materially contribute to the content of the advertisements for the purposes of the trademark infringement, contributory infringement, unfair competition and unjust enrichment claims, but that Google might have done so for the purposes of the false advertising claim.

CYBERsitter highlights at least two key points for website operators, bloggers, and other providers of interactive computer services. First, at least in the Ninth Circuit, but not necessarily in other circuits, the Section 230 safe harbor provides protection from state intellectual property law claims with regard to user-generated content. Second, to be protected under the Section 230 safe harbor, the service provider must not have created the content and it must not have materially contributed to such content’s creation.

FCC RULES THAT OPT-OUT CONFIRMATION TEXT MESSAGES DO NOT VIOLATE TCPA

As noted in our Socially Aware blog last September, waves of class actions have recently alleged that the delivery of an opt-out confirmation text message violates the Telephone Consumer Protection Act (TCPA).
Thus, a Federal Communications Commission (“Commission”) Declaratory Ruling finding that a single opt-out confirmation text does not violate the TCPA comes at a crucial time. The Commission’s decision, issued on November 29, 2012, is a welcome relief to companies facing these cases.

The TCPA generally permits the delivery of text messages to consumers after receiving prior express consent to do so. Numerous plaintiffs have taken the position that an opt-out confirmation message violates the TCPA because it is delivered after consent has been revoked. In its ruling, however, the Commission found that a consumer’s prior express consent to receive a text message can be reasonably construed to include consent to receive a final, one-time message confirming that the consumer has revoked such consent. Specifically, delivery of an opt-out confirmation text message does not violate the TCPA provided that it (1) merely confirms the consumer’s opt-out request and does not include any marketing or promotional information, and (2) is the only message sent to the consumer after receipt of his or her opt-out request. In addition, the Commission explained that if the opt-out confirmation text is sent within five minutes of receipt of the opt-out, it will be presumed to fall within the consumer’s prior express consent. If it takes longer, however, “the sender will have to make a showing that such delay was reasonable and the longer this delay, the more difficult it will be to demonstrate that such messages fall within the original prior consent.”

The Commission’s ruling brings the TCPA into harmony with widely followed self-regulatory guidelines issued by the Mobile Marketing Association, which affirmatively recommend that a confirmation text be sent to the subscriber after receiving an opt-out request. The ruling also comes on the heels of, and is consistent with, at least two recent decisions in putative class action cases filed in the Southern District of California. In Ryabyshchuck v. Citibank (South Dakota) N.A., the court held that Citibank did not violate the TCPA by sending a text message confirming that it had received the customer’s opt-out request. The court went as far as to say that “common sense renders the [opt-out] text inactionable under the TCPA.” The court reasoned that the TCPA was intended to shield consumers from the proliferation of intrusive, nuisance communications, and “[s]uch simple, confirmatory responses to plaintiff-initiated contact can hardly be termed an invasion of privacy under the TCPA.” Likewise, in Ibey v. Taco Bell Corp., the court dismissed a lawsuit alleging that Taco Bell had violated the TCPA by sending an opt-out confirmation message. Noting that the TCPA was enacted to prevent unsolicited and mass communications, the court held, “[to] impose liability … for a single, confirmatory text message would contravene public policy and the spirit of the statute—prevention of unsolicited telemarketing in a bulk format.”

The Commission’s ruling should bring an end to the rash of class actions brought in recent months challenging the legality of confirmatory opt-out messages.

A recent FCC ruling clarifies whether opt-out confirmation text messages delivered after consent has been revoked violate the Telephone Consumer Protection Act.

FACEBOOK ’EM, DANNO: IS THE HAWAII 5-0’S FACEBOOK WALL A PUBLIC FORUM?

On top of a presidential election, protests over Instagram’s terms of use, and the invention of gloves that can translate sign language, 2012 also brought to light interesting constitutional issues involving public entities’ use of social media, when a citizens’ group filed suit against the City and County of Honolulu for “violations of [the group’s] freedoms of speech” based on the Honolulu Police Department’s removal of several of the group’s postings from the Department’s official Facebook page. The background of the lawsuit is seemingly innocuous.
Like the White House, the City of New York, and other governmental entities, the Honolulu Police Department (“HPD”) has an official Facebook page. The HPD uses its Facebook page to provide the citizens of Honolulu with everything from crime reports to information on public parking, and Facebook users are able to comment on its various posts. For a period of time, HPD also allowed Facebook members to post on its “wall.” (HPD no longer allows wall posts, but retains a “recommendations box” on its page where users can make comments.) Starting in the beginning of 2012, several members of the Hawaii Defense Foundation (the “Foundation”), a non-profit organization dedicated to training citizens to use handguns and informing Hawaiians of their rights regarding firearms, began posting comments, articles, and photographs on the HPD Facebook page’s wall, criticizing the HPD on issues ranging from restrictions on issuing concealed weapons permits to alleged corruption. The administrators of the HPD Facebook page took the same actions that administrators of other Facebook pages commonly take: deleting the offensive posts and blocking the posters, both of which are easily accomplished using Facebook’s interface.

Although individuals and private companies take these actions every day on their Facebook pages, the Foundation pointed out that the HPD Facebook page was a self-proclaimed “forum open to the public” created and administered by a government entity. Facebook describes the HPD and other such bodies as “Government Organizations,” although this label is applied merely for categorization purposes and does not purport to carry any legal weight. Nonetheless, the Foundation labeled the administrators of the page as “agents” of the city of Honolulu, and argued that their actions were subject to scrutiny under the First and Fourteenth Amendments. In its complaint, the Foundation cited Rosenberger v. Rector and Visitors of the University of Virginia, a case in which a university’s fund for student activities was considered a “limited public forum” for First Amendment purposes, to demonstrate that “a forum need not be a physical place.” The Foundation also claimed that the HPD violated its Fourteenth Amendment rights by removing the posts and banning the group’s members in violation of the Foundation members’ due process rights.

Although the Foundation’s suit against the HPD is the first First Amendment suit of its kind, depending on its outcome, other private groups may soon file similar complaints against “Government Organizations” on Facebook that take a similarly aggressive approach to administering their Facebook pages. In fact, a former police officer in the small village of Island Lake, Illinois recently requested review from the Illinois Attorney General’s office when his comments on Island Lake’s Facebook page were deleted by the page’s administrators. The Illinois Attorney General issued an opinion in which it found that Island Lake’s actions did not violate the Illinois Open Meetings Act, but the opinion did not address the First Amendment issues.

Complaints against administrators of Facebook pages that serve as “public forums” raise new policy issues that did not exist in the pre-social media era.

The Foundation’s suit against the HPD and other complaints against administrators of Facebook pages that serve as “public forums” raise policy issues that did not exist in the pre-social media era. Unlike more conventional forms of criticizing the government, such as holding up physical signs in front of city, state or federal buildings, Facebook can be used as a vehicle for dissent from the privacy of one’s own home and enables the complaining individual to make his or her opinions instantly known to the entire Internet-equipped world.
Although governmental entities are not required to have Facebook pages, they often establish such pages as a simple and efficient way of conveying information to citizens. If these entities are to face constant constitutional scrutiny based on their means of administering their Facebook pages, they may be reluctant to maintain social media presences. The White House Facebook page endures an endless onslaught of criticism in the form of comments on its posts (although it does not allow users to post on its wall); on the other hand, the Island Lake Facebook page appears to have been shut down for the most part. In light of the HPD and Island Lake complaints, one legal commentator advises public schools whose Facebook pages may be visited by disgruntled students to “consult with legal counsel before deleting comments from social media webpages to address the constitutionality of that action.”

Regardless of the HPD suit’s outcome, the fact that the complaint was filed in the first place reinforces the notion that social media is the new battleground for all aspects of the law, from intellectual property to criminal law... and now, the frontier of constitutionality.

PEOPLEBROWSR WINS ROUND ONE AGAINST TWITTER

The Superior Court of the State of California has entered a temporary restraining order requiring Twitter to continue to provide PeopleBrowsr with access to the Firehose, Twitter’s complete stream of all public tweets. Through the Firehose, Twitter provides third-party access to over 400 million daily tweets.

PeopleBrowsr and Twitter had entered into a license agreement in June 2010, enabling PeopleBrowsr to receive access to the Firehose in exchange for over $1 million a year. Twitter recently invoked a contractual provision that allowed Twitter to terminate the agreement without cause. PeopleBrowsr filed a complaint for interference with contractual relations, in which it claimed that its products and services require access to the Twitter Firehose in order to provide clients with contextual data analysis.

In response, Twitter claimed that it had decided not to renew most of its direct-to-user Firehose contracts, instead reselling Twitter data in various forms through intermediaries. Without full access to the Firehose, PeopleBrowsr claimed, it could not provide the products that its customers expected. According to PeopleBrowsr, it needs access to the Firehose in order to detect and analyze emerging trends fully and quickly; all tweets in the Firehose are necessary to conduct the scoring and ranking of individual influence that underpins PeopleBrowsr’s analysis.

On Twitter’s motion, the case has been removed to federal court. PeopleBrowsr has filed a motion to remand back to state court, and Twitter has filed a motion to dismiss. Both motions remain pending before the Northern District of California. As this case moves forward it promises to provide an in-depth look at the Twitter ecosystem and guidance for companies with business models that depend on access to data from social media companies such as Twitter. Stay tuned for further developments.

PeopleBrowsr is a San Francisco-based social media analytics firm that provides custom applications to clients ranging from private businesses, consumers and publishers to government agencies. PeopleBrowsr’s data mining and analytics platforms support various products and services, such as data streams, social media command centers and consumer targeting programs. For example, PeopleBrowsr’s product Kred provides a real-time measure of social influence within social media user networks. Through its Firehose, Twitter provides third-party access to over 400 million daily tweets. PeopleBrowsr’s business depends on its continued access to user-generated social media content from Twitter. Twitter’s recent decision to restrict PeopleBrowsr’s access to the Firehose led PeopleBrowsr to sue Twitter in California state court in order to protect its current business model.

SOCIAL MEDIA 2013: ADDRESSING CORPORATE RISKS

Social media sites are transforming not only the daily lives of consumers, but also how companies interact with consumers. However, along with the exciting new marketing opportunities presented by social media come challenging new legal issues. In seeking to capitalize on the social media gold rush, is your company taking the time to identify and address the attendant legal risks?

Please join Socially Aware editor John Delaney as he chairs Practising Law Institute’s (PLI) “Social Media 2013: Addressing Corporate Risks.” Issues to be addressed at the conference include the following:
• Social media: How it works, and why it is transforming the business world
• Drafting and updating social media policies
• User-generated content and related IP concerns
• Ensuring protection under the CDA’s Safe Harbor
• Minimizing risks relating to mobile apps
• Online marketing: New opportunities, new risks
• Privacy law considerations
• Practical tips for handling real-world issues

Representatives from Twitter, Google, Tumblr and other companies will be speaking at the event. The conference is being held in San Francisco on February 6, 2013 and in New York City on February 27, 2013; the February 6th event will be webcasted. For more information or to register, please visit PLI’s website at www.pli.edu/content.

We are Morrison & Foerster—a global firm of exceptional credentials in many areas. Our clients include some of the largest financial institutions, Fortune 100 companies, investment banks and technology and life science companies. Our clients count on us for innovative and business-minded solutions. Our commitment to serving client needs has resulted in enduring relationships and a record of high achievement.
For the last nine years, we’ve been included on The American Lawyer’s A-List. Fortune named us one of the “100 Best Companies to Work For.” Our lawyers share a commitment to achieving results for our clients, while preserving the differences that make us stronger.

Because of the generality of this newsletter, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. The views expressed herein shall not be attributed to Morrison & Foerster, its attorneys or its clients.

©2013 Morrison & Foerster LLP, mofo.com

Client Alert.
6 June 2012

“Bring Your Own Device” Brings its Own Challenges
By Susan McLean and Alistair Maughan

The consumerisation of IT is the growing trend for information technology to emerge first in the consumer market and then drive change in the industry generally. One of the most dramatic impacts of this shift is a rise in so-called “bring your own device” strategies in both public and private enterprises.

In the past, the functionality of your work computer and phone tended to be streets ahead of what you used at home. Remember the days when employees would show off their work PDAs, smartphones and laptops as perks of their job? These days, increasing numbers of employees have better access to technology at home than they do at work, with personal devices and apps that are user friendly and convenient in ways that their work equipment and systems are not. Employees also wish to work differently (working remotely, outside regular hours, on the weekend, on vacation, etc. are becoming the norm) and users want their business tools to enable this change. Employees also want to limit their need to carry and manage multiple devices. The answer? Bring your own device to work.
In this Alert, we highlight some of the issues that organisations need to consider when formulating policies and procedures designed to cope with the transition to a bring your own device strategy.

Understandably, IT departments have always been keen to retain absolute control over the office environment and therefore resisted putting any non-company (i.e., non-trusted) devices on the company network. However, IT departments are now under increasing pressure to support – and, indeed, encourage – the use of personal devices for work purposes. IT departments are embracing the trend on the basis that it can help save costs and change the perception of the IT department as the department of “No”. It has also been shown that employees are more satisfied and productive when they have more control over what tools they can use. Therefore, it is said to be good for business too, although some commentators argue that the perceived benefits of “bring your own device” (or “BYOD”) have been overplayed.

Either way, this is not a passing fad. The analysts TechMarket View have recently reported that, in the UK alone, the BYOD market will be worth £2 billion to UK software and IT services suppliers over the next five years; with five million employees having adopted BYOD by the end of 2011 and an anticipated rise to around 9.5 million by 2016 – an increase of 80%.

The BYOD trend leads to considerably more complexity for IT departments in terms of how they manage and support end users. Organisations also need to grapple with the potential legal and regulatory issues raised by employees using their personal devices for work purposes. Unhelpfully for organisations in regulated industries – especially financial services – regulatory bodies have been slow to react and provide guidance on how BYOD applies in those sectors.

© 2012 Morrison & Foerster LLP | mofo.com Attorney Advertising
DATA SECURITY

Data security and the risk of data “leakage” have always been a key concern for organisations. The use of company phones, laptops and other mobile devices increases that risk – because, by their very nature, these devices are more easily lost, stolen and accessed. The risk is further compounded when employees start using their personal devices for business purposes as part of a BYOD strategy.

One of the key challenges in designing a strategy to implement BYOD successfully is how to ensure data security on non-company equipment – primarily as a result of it being harder to keep track of where data may actually be, how data is protected and the difficulty of policing the use of personal devices.

In addition, organisations now need to grapple with the different scenarios raised by their employees’ use of corporate data in different applications, such as what happens if an employee puts corporate data into a non-corporate supported location (e.g., an application like Dropbox – which is becoming increasingly popular for both personal and work purposes). These types of third-party application may not have been vetted by IT or the company’s in-house legal team, and their terms and conditions may allow the third party extensive rights in terms of the data stored and/or have wide exclusions of liability for data loss. This is more likely to be the case where the applications were originally developed as consumer tools and not intended to store sensitive corporate data.

It is probably not practical these days to take the policy position that sensitive corporate data cannot be stored on personal devices. Even if an organisation takes this position, how likely is it that an employee will actually comply? Many organisations approach this issue by understanding that users, and the content that they generate and consume, vary in the level of information sensitivity depending on their functional roles and needs.
An organisation needs to take a nuanced approach to take account of individual users and the types of data accessed on their devices. It is not simply a question of analysing how to ensure compliance with existing security policies – it may be that different security policies are required to replace existing security controls that simply do not work in the context of personal devices. Companies must understand that employees tend to value convenience over security and take this into account when formulating security policies – if you make the policies too restrictive, employees will simply ignore them or find a way to circumvent them.

Organisations also need to consider up-front the appropriate corporate response if a security breach occurs in relation to a personal device. Most organisations will wish to deploy remote wipe capability, but they need to consider the HR impacts of such a strategy, as discussed further below.

DATA PROTECTION AND PRIVACY

In addition to data security generally, the data protection and privacy implications of a BYOD strategy are considerable. Most countries have laws specifically dealing with the use and storage of personal data and requiring organisations to protect and ensure against the implications of loss of that data, together with rules regarding the retention and destruction of personal data. Compliance with data protection laws becomes significantly harder if the device on which that data is stored is not owned or controlled by the enterprise itself.

Of course, it is not just a question of compliance with data protection laws (and the legal penalties for failing to comply) – there can also be huge reputational issues if a company is shown to be poor at safeguarding personal data.

OWNERSHIP OF DATA AND MATERIALS

There is also the question of who owns the data stored on a personal device.
In terms of corporate data stored on an enterprise-provided device, the question of data ownership is pretty straightforward. Similarly, it is generally clear cut that any materials created by an end user using an enterprise-provided device will be owned by the enterprise because they will have been created in the course of the end user’s employment.

However, the position is less straightforward when the employee uses a personal device for business purposes. To what extent is there a split in the ownership of data between the employer and the end user, depending on the nature of the data? An enterprise would not expect to own an employee’s photos or personal files, but what about an employee’s contacts?

Also, when an end user creates materials using a personal device, who owns the intellectual property rights (“IPR”) in that material? In some situations, it may be clear whether or not the material was created in the course of the end user’s employment, but in others it may not be so clear – for example, if a software developer uses his personal computer to create new code not at the request of the company but as a personal project, should his employer own the copyright in that code? Typically, a company will require that all IPR created by an employee (whether at work or outside work) is owned by the company, but in this context it is even more important to ensure that this issue is covered appropriately in the employee’s terms of employment.

LICENSING

The licensing implications of a BYOD strategy are often overlooked. Organisations often forget to check, for example, the scope of their Microsoft licences within the enterprise when employees use personally owned mobile devices or laptops to access a virtual desktop, either from home or the office. Such use may not be permitted within the existing licence terms or may incur additional licence fees (as some licences may be granted on a per device basis, rather than per user basis).
Licensing issues will need to be considered carefully when formulating a BYOD strategy to ensure that the organisation remains compliant.

LEGAL AND REGULATORY COMPLIANCE

A major risk for any enterprise that allows non-standard devices in the workplace is how to ensure and demonstrate regulatory compliance. This is a particular challenge for regulated industries such as healthcare, pharmaceuticals and financial services. But there are other laws, such as the U.S. Sarbanes-Oxley Act (which imposes an onus on public companies to closely monitor financial and accounting activities), where compliance becomes more difficult the more diverse the population of IT devices in use.

In considering regulatory compliance, there are several key issues that should be addressed. These include where the data is stored, what the implications of that storage are and what happens if a device is lost or stolen or when employees leave the company.

INDUSTRY STANDARDS

There is also the question of how to ensure compliance with applicable industry standards (for example ISO 27001, PCI DSS, etc.). Organisations will need to carefully consider how to incorporate non-corporate assets into applicable risk management strategies.

INVESTIGATIONS AND LITIGATION

Employers will clearly have less access to data stored on a personally owned device, but may need or want to obtain access for the purposes of investigations or litigation. Organisations need to ensure that their employees agree to make their personal devices available if the organisation reasonably requires them for investigation purposes or they are subject to a discovery request in the context of litigation affecting the company. (Of course, even if an employee signs a document promising to give access to the device in such circumstances, that doesn’t necessarily mean that a court will enforce that agreement.)
INSURANCE

An issue that is sometimes overlooked is that of insurance. Organisations will need to check that their data security/cyber risk insurance covers devices owned by employees to ensure that they are not exposed in the event of a security breach. Any insurance policy which only covers devices owned by or leased to the organisation will need to be revisited.

EMPLOYEE ISSUES

Many of the issues brought up by BYOD involve compliance with HR law, largely because many of the typical corporate policies that exist in the workplace today were developed in a world before BYOD. Some of the issues that will need to be carefully considered when formulating a BYOD strategy are as follows.

• Who should own the device? Ownership will impact how the company approaches some of the risk and liability issues relating to the device.

• Who should be responsible for the cost of personal devices used for work purposes? In some countries, the law requires an employer to provide all of the tools that an employee needs to carry out their job. Could this result in the employer having to reimburse an employee’s costs?

• Should the BYOD programme be optional or mandatory? Typically, it is considered best to make it optional for employees to use their personal devices for work purposes, by allowing them to choose to use company-issued devices instead. This helps show that an employee’s decision to use a personally owned device (and to agree to the related terms and obligations imposed upon the employee in relation to its use) was voluntary.

• If employees are only allowed to choose from a limited number of devices (which, for example, do not cater to employees with special needs due to disabilities) or the BYOD scheme is only open to certain types of staff (e.g., full-time staff only), the company will need to consider whether there could be a risk of discrimination claims.

• Employers need to consider how responsibility for security is shared. Who is responsible for anti-virus updates, etc.? At a minimum, you would expect an employer to mandate certain appropriate security measures to be enabled by an employee before being able to use their personal device for work purposes. Policies also need to be very clear as to the procedure the employee must follow in the event of a lost or stolen device.

• Employers also need to consider what happens if the device fails. Whose responsibility is it to fix or replace faulty devices?

• The question of data protection and privacy compliance is not just an issue in terms of protecting customer data. It is also a key issue in terms of the personal privacy of employees. It is worth noting in this context that there are some countries where storing business data on a personal device may not even be permitted under applicable privacy laws, so a global BYOD programme may not be appropriate – it is likely to need tailoring to meet regional requirements.

    • A number of data protection and privacy issues will need to be considered up-front. For example, to what extent should the employer have access to an employee’s personal data stored on their device? Can data be appropriately segregated between corporate and personal data? Also, what kind of monitoring and audit access is going to be appropriate in terms of a device which is used for both personal and work reasons? To what extent is monitoring of an employee’s personal device even permitted under applicable privacy laws? What about unintentional consequences – for example, that the organisation may, in effect, be able to track an employee’s whereabouts, both during and outside work hours (using GPS and WiFi location data)?

    • Another key issue to consider is to what extent the employer should be entitled to remotely wipe, brick or block devices in the event of a security incident. Although it is possible to wipe company data only where it is segregated from other data in an encrypted “sandbox”, some remote wiping software will not just wipe the company data, but all data on the device (including, for example, any personal photos and music files).

    • In terms of data protection and privacy, simply including clauses in an employee’s contract of employment is unlikely to satisfy the requirements of applicable law. It will be important to bring any conditions that may be considered onerous to the attention of the employees. Particularly in the case of wiping, it is essential that employees are informed in the clearest terms of the potential risks and that employees sign up to appropriate clear, voluntary and express consents/waivers.

• Employers also need to consider to what extent they should restrict anyone except the employee from using the device (e.g., should they prevent an employee’s family members from being able to use the device).

• To what extent should the employer control the use of apps? A company may wish to blacklist particularly risky apps. What about apps that may be considered to affect productivity – should an organisation try to block these or restrict their use during working hours?

• To what extent should an employer control the use of a camera on a personal device in the workplace?

• How does an employer deal with the potential consequences of different personnel using different devices, particularly if this makes certain employees more productive than others?

• To what extent can an employer control the use of a personal device by an employee? To what extent is an employer liable if an employee breaches copyright law by carrying out illegal downloads etc. on their device? What about if an employee accesses unlawful or inappropriate material?

• If an employer has existing restrictions in place regarding the use of social media, are these really going to be enforceable on a device used for both work and personal purposes? Employers should also consider to what extent they are able to place restrictions on how employees use their personal device during work hours.

• Another key concern is how to deal with corporate data that is stored on personal devices when an employee leaves the organisation. There is always a risk that a departing employee, particularly when leaving to join a competitor, may be keen to bring corporate data to their new job. If the employee is using company systems, any attempt to do so can usually be identified, but if the information is stored on a personal device this will be more difficult to police.

• What are the implications for work-life balance? Across most of the EU, there is now a 48-hour limit on a working week, but how does that apply when studies show that 66% of people read e-mails 7 days a week and expect to receive a response the same day, and 61% of people continue to check e-mail while on vacation? The likelihood that employees will send and receive e-mails outside of work or office hours is clearly increased where the employee uses a personal device for work purposes (e.g., an employee may decide to leave their work phone at home whilst on vacation, but an employee won’t leave a personal phone at home).

• On a related note, in the U.S., organisations need to carefully consider whether the use of a personal device for work purposes could impact an employee’s non-exempt status under the Fair Labor Standards Act and the potential consequences. Employees may be considered “working” if they send or receive e-mails outside of work or outside of office hours, triggering the potential for overtime payments. As above, this risk is greater where the employee is using a personal device for work purposes.

• A final key consideration is how to inform, educate and train employees concerning the implications of using their personal devices for work purposes. Employees need to be reminded that all company policies continue to apply to their conduct when using a personal device for work (including policies relating to confidentiality, etc.). It is important to get this right, as arguably the best defence against data security breaches is well-informed employees.

CONCLUSION

Organisations cannot resist the consumerisation trend. It is not a passing trend, but here to stay – and if an enterprise tries to resist it, increasingly tech-savvy employees are likely to find a way to circumvent the restrictions imposed. The key is to try to take a pragmatic approach and put in place appropriate policies to try to accommodate employees’ desire for increased flexibility and mobility, whilst limiting the potential risks created by such an approach. These policies will need to be reviewed regularly and evolve over time to keep up-to-date with changes in technology and applicable law.

BYOD is not just an IT department issue but also a business issue, and organisations need to ensure that they do not simply focus on the obvious IT risk and issues such as data leakage, etc., but collaborate with all relevant stakeholders and consider all relevant legal, HR and finance considerations. We all want to work “smarter”, but this should not be at the expense of working safely.

Contact:
Susan McLean, +44 20 7920 4045, smclean@mofo.com
Alistair Maughan, +44 20 7920 4066, amaughan@mofo.com

About Morrison & Foerster:
We are Morrison & Foerster—a global firm of exceptional credentials in many areas. Our clients include some of the largest financial institutions, investment banks, Fortune 100, technology and life science companies. We’ve been included on The American Lawyer’s A-List for eight straight years, and Fortune named us one of the “100 Best Companies to Work For.” Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger. This is MoFo.
Visit us at www.mofo.com.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.