MOFO SEMINAR SERIES
Data Protection Masterclass: Hot Topics in Employee Privacy and Technology
London
13 June 2013
Table of Contents
Presentation ....................................................................... 1
Speaker Biographies ......................................................... 2
About Morrison & Foerster ............................................... 3
Selected Articles and Alerts ............................................. 4


Socially Aware: The Social Media Law Update Volume 4 –
January/February 2013
“Bring Your Own Device” Brings its Own Challenges –
June 2012
© 2013 Morrison & Foerster (UK) LLP | mofo.com
Tab 1
Presentation
Data Protection Masterclass: Hot Topics in Employee Privacy and Technology
13 June 2013
Ann Bevitt
Carlos García-Mauriño
Christine Lyon
Karin Retzer
Caroline Stakim
©2013 Morrison & Foerster LLP | All Rights Reserved | mofo.com
Background Checks
Presented by Ann Bevitt and Caroline Stakim
12 June 2013
Background Checks
• Common practice to conduct some background checks for most
types of employment
• Types of checks depend on nature of position
• Right to respect for private life (Article 8, Human Rights Act 1998)
• Not absolute, so employer may be able to justify conducting
background checks that collect information about prospective
employee’s private life
• UK = ICO’s Employment Practices Code and Supplementary
Guidance
Basic Principles
• Company must:
• Balance its business needs v. applicants’ privacy rights
• Use reliable sources which are likely to provide relevant information
• Ensure check/examination/testing is necessary and justified, e.g.:
• Is the applicant fit to do the job?
• Is there a legal reason to obtain this information, e.g., to join
pension or life insurance schemes, to make any reasonable
adjustments for disability, etc?
• Allow applicant to make representations regarding information that will affect hiring
decision
Third Party Checks
• Where a third party conducts background checks (e.g. credit checks): written contract which contains appropriate data protection provisions, e.g.:
  • Limitation on use
  • Information security (access controls, encryption, etc.)
  • Transfer and disclosures
  • Data breach
  • Audit
  • Destruction/return on termination
• Explain the nature of and sources from which information might be obtained
Types of Background Check
• References
• Credit checks
• Court judgments
• Medicals
• Drug and alcohol testing
• Criminal record checks
Changes to Criminal Record Checks
• 1 December 2012: Criminal Records Bureau + Independent
Safeguarding Authority = Disclosure & Barring Service
• Disclosure Scotland / Access Northern Ireland
• Basic, standard and enhanced disclosures
• Disclosure of spent and unspent cautions and convictions, police
reprimands and warnings and relevant police information
• 29 May 2013: protected convictions and protected cautions not
disclosed on DBS certificate
• 17 June 2013: online update service available
Google and Social Networking Sites
• Where permitted:
• Explain to the applicant the nature of and sources from which
information might be obtained and, if necessary, get consent
• Only Google to obtain specific information, not as a means of
general intelligence gathering
• Allow applicant to make representations regarding information
that will affect hiring decision
• Risk of exposure to discrimination claims
Germany
• Background checks to supplement CVs not very common
• Federal Data Protection Act (BDSG §4(2)):
• Personal data should be collected directly from applicant;
collection via third parties only where “nature of business
purpose” necessitates and “no overriding legitimate interest” of
individual, i.e.:
• where particular position requires certain information to be
confirmed/supplemented through background checks, e.g.,
where trustworthiness of applicant is particularly relevant, e.g.:
• financial services institutions
• child care
• where qualifications essential for employment decision
• New § 32 BDSG: data on applicants may only be collected where
required for establishment of employment relationship
France
• Right to respect for private life (Article 9, French Civil Code)
• French Labour Code and French Criminal Code prohibit questions
during recruiting process relating to:
• National/ethnic origin
• Sex and sexual orientation
• Morals
• Age
• Family situation
• State of health, disability and genetic characteristics
• Political opinions
• Labor union activities
• Religious beliefs
• Pregnancy
France (2)
• CNIL’s guidance on privacy in the workplace (February 2013):
• Personal data collected during recruitment process only used to
evaluate candidate/take hiring decision
• Candidates’ social security numbers, information about their
family, parents, friends, political opinions, or trade union
membership must not be collected
• Candidates must be provided with information about personal
data collected and purposes; data must not be collected using
any system that has not been notified to candidate
• Access to candidate data must be limited
Finland
• Act on Protection of Privacy in Working Life:
• Employee must be primary source of information related to him
• Employer may not conduct background checks without applicant’s
consent unless necessary for employment relationship
• Act on Background Checks:
• Allows more extensive processing for applicants for jobs in
airports, power plants, telecommunications centres and certain
authorities
• Data Protection Ombudsman issued opinion expressly prohibiting
employers from obtaining information on an applicant from the
Internet without applicant’s prior consent
Poland
• Right to respect for private life (Article 47 of the Constitution)
• Article 22 of Polish Labour Code contains list of data that may be
requested from applicants
• Even if applicant specifically and expressly consents to collection
of additional data, consent is not sufficient
• Paragraph 1 of Ordinance of Minister of Labour and Social Policy
regarding documentation in employment relationship matters
specifies documents that may be requested from applicants
Carlos García-Mauriño
Oracle Corporation
Madrid
+91 631 2326
carlos.garcia@oracle.com
Background checks – the view from a Data Processor
• Global and regional Security standards and best practices
require BCs to be performed by Companies on their employees
(and contractors)
- ISO 27001/ISO 27002 (Section 8)
- PCI DSS (Requirement 12.7)
- UK Financial Services Authority (2008 Report)
- Cloud Computing recommendations (De-BSI, ENISA)
• Two extremes – “Vendor will ensure that its employees with
access to customer data have undergone appropriate BCs” vs
“the fullest practicable use shall be made of the technique of
background investigation.”
Background checks – the view from a Data Processor
• UK ICO “Do not vet workers just because a customer for
your products or services imposes a condition requiring you
to do so, unless you can satisfy yourself that the condition
is justified.”
• Golden rule
- Always free, specific and informed consent required from
employee. No retaliation in case of refusal.
• Challenges
- obtaining assurances from customer vs. business
pressure
- specific requirements from customers vs internal policies
(e.g. drug testing)
- approvals of Workers Councils
Background checks – the view from a Data Processor
• Scenario A - Customer (Commercial) manages the process
- Vendor does not get the specific results. Employee
provides info directly to the Customer.
- Need to receive assurances from Customer about proper
handling.
• Scenario B - Customer (Public Sector) manages the process
(“Security Clearances”)
- Extremely invasive.
- Required by law.
- Imposes strict obligations/liabilities directly on employee.
Privacy issues in Online Recruitment
• Recruiting has evolved:
- From “reactive” (job postings) to “proactive” sourcing.
- From niche Recruitment solutions to integrated Talent
Management tools.
- From Local to truly Global.
- Technology allows for collection and analysis of
Candidates’ information in multiple new ways.
Privacy issues in Online Recruitment
• Recruitment goes Social (and Mobile and Geospatial)
- Employee referrals, through their own social networks, are
the Holy Grail.
- Collection of Candidates’ “public” information through
Social Media.
- Apps optimized for tablets and smartphones (BYOD).
- Mobile location linked to the Recruitment tool: know which
potential candidates are close to you now.
Privacy issues in Online Recruitment
• Recruitment in the Cloud
- Most of the most successful e-Recruitment solutions are in
the Cloud
- As with any other Cloud service, Customers need to
discuss with their vendors:
• Security
• Data location and subcontracting
• Exercise of Candidates’ rights to access/rectify/delete
• Data return upon termination of the services
Privacy issues in Online Recruitment
• Recruitment and Big Data
- Companies and Recruiting companies can amass
information of hundreds of thousands of Candidates
- This information can be shared and analyzed to detect
trends
- Is true anonymization possible in this context?
- Can Big Data be used to reject upfront certain Candidates?
Privacy issues in Online Recruitment
• Recruitment and the ecosystem of Processors
- Recruitment is no longer a one-Company show
- Core solutions are “integrated” with the solutions of dozens
of niche service providers (e.g. Background checks)
- Niche Service Providers – “subprocessors” or
“processors”?
Privacy issues in Online Recruitment
• Recommendation
- Find out what your Recruiters are doing and make sure that
your Privacy Policy is up to date.
- Many of these features are beneficial for the Candidate, so
ensure that he/she understands and agrees upfront.
- Avoid “automated decisions” (Section 15.1 Directive 95/46):
Member States shall grant the right to every person not to be subject to a decision which produces
legal effects concerning him or significantly affects him and which is based solely on automated
processing of data intended to evaluate certain personal aspects relating to him, such as his
performance at work, creditworthiness, reliability, conduct, etc.
Social Media Developments
Presented by Christine Lyon
12 June 2013
Merging of Personal and Work Social Media
• Employers’ initial areas of focus:
• Personal use of company-owned devices
• Personal activity during work time
• Statements that appear to be made on company’s behalf
• Now expanding concerns about all social media activity
• Company-owned or personal devices
• Work time or after hours
• Personal opinions or statements affecting the company
• Desire to regulate employees’ off-duty social media activity may
conflict with employees’ protected rights
Employer Control Over Social Media Activity
(Diagram: three overlapping areas: “During Work Hours or Using Company Resources”, “External Postings on Behalf of Company”, “Off-Duty Using Personal Device”.)
Limitations on Employer Access to Personal Social Media
U.S.:
• Growing number of states prohibit employers from asking applicants
or employees to provide access to personal social media accounts
• Stored Communications Act
• Common law reasonable expectation of privacy analysis
International:
• Data protection laws requiring notice and a lawful basis for monitoring
• Regulators cautioning employers about seeking access to personal
social media
Restrictions on Employer Use of Social Media
• Complex interplay of privacy and employment laws
• Laws limiting an employer’s ability to take action based on information revealed by personal postings, such as:
  • Political or religious beliefs
  • Sexual orientation
  • Trade union membership
  • Medical condition, family medical history
  • Off-duty alcohol or tobacco use
  • Other “lawful” off-duty conduct
• Laws restricting an employer’s ability to regulate off-duty social media activity
  • Example: U.S. social media cases under the National Labor Relations Act (NLRA)
Best Practices for Handling Employee Social Media Use
• Limit the inspection or use of personal social media in hiring or
employment decisions
• Train HR and internal audit to understand legal restrictions on use of
personal social media in investigations
• Develop a social media policy
• Train employees about appropriate use of social media
Bring Your Own Device: Implications for Your Business
Presented by Karin Retzer
Advantages
• Convenience for all
• Reduced device/end point hardware costs
• Reduced operational support costs
• Greater employee flexibility and mobility
• Increased employee productivity
• Increased employee satisfaction
Challenges
• Legal and regulatory compliance
• Privacy and data security:
  • Commingled data
  • Higher risk of infection
  • Theft or loss of devices and/or (company) data + cybercrime
  • Employee monitoring issues
• Incompatibility issues
• Labor law issues
• IP rights/data ownership and recovery
• Licensing implications
• Insurance implications
• Investigation and litigation
ICO Guidance
• Highlights the following risks:
  • Data security breaches by loss, theft or unauthorized access (including by family members)
  • Unauthorized secondary use of personal data
  • General “blurring” of professional and private use of data
  • Increased or unintended employee monitoring
  • Loss of control over where and how data is stored and processed
  • Lack of ownership and control over the device
ICO Guidance II
• How to mitigate the risks:
  • Carry out a BYOD audit
  • Develop a policy (departmental collaboration: involve IT, HR, finance, legal, etc.):
    o Identification of data to be processed on the device
    o Permitted types of storage media, apps and software
    o Security procedures (PIN codes, passwords, etc.)
    o Information on procedures for end of employment contract (including consequences of (remotely) wiping company data from the device)
  • Implement appropriate security measures:
    o PIN codes, strong passwords, high-level encryption, encrypted channels for data transfers, ring-fencing of data and automatic locking of devices
    o Public clouds should be used with “extreme caution,” if at all (heightened risk of interception by the cloud provider and foreign law enforcement authorities)
  • Ensure control over the data and the device:
    o Remote management of the device (including wiping/deleting if breached)
    o Consider geolocation tracking (if lost or stolen)
BSI Guidance
• Technical measures to be implemented:
  • Clear separation of private and professional data
  • Storage of business data on servers and not on the devices
  • Access to business data through a secure network, ensuring employer access (e.g., thin client technology or VPN)
  • Encryption of data in transit, as well as of all business data stored on devices
  • Prohibit rooting or jailbreaking of devices
  • Ensure regular backup and archiving of information
  • Implement automated security scans
• Technical measures are insufficient and must be supported by organizational measures:
  • Clear BYOD policy in place; and
  • Written agreement with employees.
BSI Guidance II
• Security measures to be included in the agreements:
  • Classification of employees eligible for BYOD programs
  • Restrictions on the types of devices and operating systems permitted
  • Access to company network only through restricted channels
  • Storage of business data only on servers and not on devices
  • Clear establishment of rules for employees that require:
    o implementation of anti-virus software
    o strong passwords
    o synchronization of data sources
    o procedures for reporting lost or stolen devices
    o safe return of data upon termination of employment
  • Employees should be made aware that in the case of a security breach, personal data/information may be lost if a device needs to be wiped clean.
ANSSI Guidance
• Recommendations on security for mobile devices:
  • Recommendations for company-issued devices used to process company information, which may include personal data
  • Existing security measures not sufficient
  • Personal use of professional devices creates higher security risk
  • Recommendations not applicable to BYOD policies
• BYOD not advised: “problematic”
• If BYOD is used, companies should:
  • Apply dedicated security measures for BYOD
  • Ensure that professional and personal usage is clearly separated in “closed environments”
  • Be vigilant about different security solutions available on the market
  • Consider existing ANSSI recommendations and certification in areas such as WiFi, passwords, information security architecture and encryption (see next slide)
Where to Start
• Prior to developing your BYOD strategy, consider:
  • Company security requirements and risk management strategies and existing BYOD use: understand your risks and needs; involve all departments; and investigate the company situation first
  • Local legal and regulatory requirements (e.g., Works Council approval)
  • How to ensure compliance with applicable industry standards and other existing company policies
  • Which terms and conditions have to be met, i.e., implemented into a BYOD policy
  • Whether the conditions are too restrictive/unacceptable for your employees
  • Licensing implications: do your company software licenses allow personal devices to access the virtual desktop? Obtain necessary license extensions
  • Insurance implications: does your insurance cover use of devices owned by employees for work purposes? Obtain necessary coverage
• Make the use of BYOD voluntary
• Develop a written policy and give clear notice to employees
• Obtain agreement to the policy prior to allowing network access
What to Include in Your BYOD Policy
• Identify devices that may be used
• Identify applications that may be used
• Identify employees, departments and functions that qualify
• Decide how data will be accessed (e.g., by remote access or copying data onto the device in an encrypted “sandbox”)
• Make clear that work materials have to remain segregated from personal files
• Require that all intellectual property created by an employee (whether at work or outside work) is owned by the company
• Explain which, if any, costs of using a personal device for work purposes are covered by the company (e.g., a percentage of the full-time employee’s annual Internet service)
What to Include in Your BYOD Policy II
• Indicate how data must be protected: impose technical and organizational security standards on employees as a condition for network access (e.g., encryption, remote wipe, brick or block, anti-virus software and a strong password, if not a passphrase).
• Indicate the employee’s obligation to report loss of any device and the employer’s right to wipe it. If applicable, explain that you will use geolocation applications to identify the device’s location in case of theft or loss. Explain in the clearest terms the potential risks and consequences for the employees and their privacy.
• Indicate whether or not the employee’s family members or friends will be able to use a device that is used for work purposes.
• Indicate what happens when the employee leaves employment (e.g., further access will be prevented by revoking passwords or remotely deleting work data from the device).
What to Include in Your BYOD Policy III
• Refer to company monitoring and other relevant policies (e.g., use
of social media) – make clear that they still apply
• Indicate which sanctions may be expected for any policy
violations
• Have employees agree to make their personal devices available if
required for audits, investigations and incident response or
litigation (discovery request) purposes
• Exclude company liability for any damage, data costs, corruption
or deletion of data or software, loss of use or liability associated
with the use of a personal device for company reasons
Policy is Ready: Now What?
• Enforce your policy
• Stay on top of things – perform regular audits and
Privacy Impact Assessments
• Review your policy regularly – it needs to be kept up-to-date with
changes in technology and local laws and regulations
• Educate and train your staff regularly
Reading Materials
• Guidance on Consumerization and Bring Your Own Device, German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI)), 4 February 2013 (in German):
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Download/Ueberblickspapier_BYOD_pdf.pdf?__blob=publicationFile
• Guidance on Bring Your Own Device, ICO, 7 March 2013:
http://ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx
• YouGov survey commissioned by the Information Commissioner’s Office (ICO), 2013:
http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Research_and_reports/yougov_survey_processing_of_personal_info_on_personal_devices_for_work_purposes.ashx
Reading Materials II
• Recommandations de sécurité relatives aux ordiphones, French Agency for the Security of Information Systems (ANSSI), 15 May 2013 (in French):
http://privacylawblog.ffw.com/wpcontent/uploads/2013/05/NP_Ordiphones_NoteTech1.pdf
  • Password Security Recommendations: http://www.ssi.gouv.fr/IMG/pdf/NP_MDP_NoteTech.pdf (Recommandations de Sécurité Relatives aux Mots de Passe)
  • WiFi Security Recommendations: http://www.ssi.gouv.fr/IMG/pdf/NP_WIFI_NoteTech.pdf (Recommandations de Sécurité Relatives aux Réseaux Wi-Fi)
• SANS Mobility/BYOD Security Survey, March 2012:
http://www.sans.org/reading_room/analysts_program/mobility-sec-survey.pdf
• Information Security Community, BYOD & Mobile Security Report, April 2013:
http://blog.lumension.com/docs/BYOD-and-Mobile-Security-Report-2013.pdf
Thank you
Karin Retzer
Morrison & Foerster LLP
Brussels
+32 2 340 7364
kretzer@mofo.com
Forthcoming DP Seminars
Data Protection Masterclass Seminars – dates for
your diaries:
• 10 September 2013 – Online Behavioural Advertising and Profiling
• 12 November 2013 – FCPA (Foreign Corrupt Practices Act)
Tab 2
Speaker Biographies
Data Protection Masterclass:
Hot Topics in Employee Privacy and Technology
Attorney Bio
Ann Bevitt
Partner
London
44 20 7920 4041
abevitt@mofo.com
Ann Bevitt is a UK-qualified partner and head of the London office’s EU Privacy Group. Her practice covers all
aspects of privacy and data security-related matters, both contentious and non-contentious. She assists clients
develop strategies for managing their data that enable them to meet both their business objectives and their legal
obligations.
Ms. Bevitt has extensive expertise advising clients on international data protection and privacy issues, in
particular with reference to the movement of personal data within and outside the EU, including in the context of
cross-border litigation or regulatory investigations, and employee privacy issues. Ms. Bevitt regularly advises
clients on multi-jurisdictional compliance projects, helping them to navigate their way through myriad local laws.
She also assists clients in crafting internal policies governing the use of personal data, technology in the
workplace, including BYOD, and social media, as well as external privacy policies for consumers.
Ms. Bevitt works with a wide range of clients, including multinationals and large corporations, from a broad
spectrum of industry sectors, including insurance; technology; banking and financial services; venture capital and
private equity; recruitment and employment; biotechnology; pharmaceuticals; and hotel and leisure.
Ms. Bevitt is a contributing author to Employee Privacy: Guide to U.S. and International Law published by BNA
Books. She is also a sought after speaker on privacy topics and a frequent speaker at the major privacy
conferences run by Privacy Laws & Business, Privacy & Data Protection and the International Association of
Privacy Professionals. She is also quoted frequently in both the national and industry press.
Ms. Bevitt is an active member of the International Association of Privacy Professionals and on the Publications
Advisory Board.
Ms. Bevitt has rights of audience in all civil courts and significant experience as an advocate. She was called to
the Bar in 1992, after graduating from Oxford University in 1990. Ms. Bevitt practised as a barrister for seven
years before qualifying as a solicitor in 2000. She joined Morrison & Foerster in June 2002.
Speaker biography
Carlos Garcia-Mauriño
Oracle Corporation
Madrid
+91 631 2326
carlos.garcia@oracle.com
Carlos Garcia-Mauriño is the EMEA Senior Legal Director Privacy & Security at Oracle Corporation.
Carlos oversees Oracle’s compliance efforts with national Data Privacy regulations in Europe, Middle
East and Africa and is a key contributor to the design of the Oracle Global Privacy program. He trains
and provides advice to the different Lines of Business and Commercial Legal Groups on data privacy
and security aspects of Oracle’s services portfolio (e.g. Cloud Computing) and provides strategic
guidance to senior management on business decisions which might be affected by Data Privacy
considerations. As part of his role, he frequently leads complex negotiations with corporate customers
from different business sectors and regions.
Prior to this, Carlos held several senior positions in the Oracle Legal Department, including the
management of the Compliance & Ethics program for the EMEA Division. He is an attorney at law
with expertise in data protection, IT law, commercial and contract law.
Oracle Iberica S.R.L., C/José Echegaray, 6, 28230 Las Rozas, Madrid, Spain
www.oracle.com
Attorney Bio
Christine E. Lyon
Partner
Palo Alto
(650) 813-5770
clyon@mofo.com
Christine Lyon’s practice focuses on privacy and employment law. Ms. Lyon assists clients in developing global
strategies to comply with laws regulating the collection, use, disclosure, and transfer of personal information about
their customers and employees. She also advises clients about privacy issues in cloud computing and social
media, security breach notification requirements, laws regulating the use of personal data for direct marketing
purposes, and workplace privacy issues.
Ms. Lyon counsels clients regarding all aspects of employment law, including compliance with California and
federal employment laws, investigations of workplace complaints, and reductions in force. She regularly assists
clients with multinational employment issues related to mergers and acquisitions, outsourcing transactions, and
corporate restructuring.
Legal 500 US 2012 recommends Ms. Lyon as a “rising star” in the area of privacy and data protection. She
frequently writes and speaks on the topics of global data protection laws, workplace privacy issues, and data
security laws. She is a co-editor of Global Employee Privacy and Data Security Law (BNA Books, 2011) and a
member of the editorial board of the World Data Protection Report.
Education
University of Iowa (B.A., 1996)
Stanford Law School (J.D., 1999)
Attorney Bio
Karin Retzer
Partner
Brussels
32 2 340 7364
kretzer@mofo.com
Karin Retzer’s practice focuses on the data protection, privacy and security as well as marketing.
Ms. Retzer assists clients with privacy and data security compliance and risk management, involving both national
and international multi-jurisdictional dimensions. She advises on questions regarding data transfers, the handling
of information in shared service centers and sourcing transactions, regulatory investigations, eDiscovery, breach
notification, and the use of email and the Internet in the workplace. She has drafted privacy policies and
guidelines, notices, agreements for data list management, and data transfer and processing contracts for dozens
of multinational clients. She also assists clients in their dealings with data protection authorities, developing
appropriate responses to requests for information and complaints, and provides legislative and policy advice to
clients.
Ms. Retzer has particular expertise with regard to the implications of legislative restrictions for online tracking,
analytics, and personalization of Internet content, behavioural advertising, and direct marketing communications.
She regularly advises clients on the use of location data gathered through smart phones and location-based
services.
In addition, Ms. Retzer advises clients on issues relating to electronic commerce, such as online terms of use, the
requirements for online contracts, disclosure obligations, liability for website content, and the legal aspects of
online auction sites. She has developed template agreements and negotiated complex commercial agreements
for many clients, counseling them not only with respect to legal ramifications, but also taking into account
applicable business and technical considerations.
Her work spans a wide range of industry sectors. Clients include internationally renowned consumer product
companies, financial services organizations, technology and telecommunications providers as well as clients in
the advertising, hospitality, media and entertainment, healthcare, pharmaceutical, and retail industries.
Prior to joining Morrison & Foerster, Ms. Retzer worked in Paris at the European headquarters of Sterling
Commerce, a U.S. supplier of e-commerce products. From 1997 to 1998, Ms. Retzer worked at the European
Commission, where she was involved mainly with examining and monitoring Member States' implementation of
European Community directives.
Ms. Retzer regularly writes for a wide variety of publications and is a contributing author in the publication,
Employee Privacy: Guide to US and International Law. She is a member of the Munich bar and the Brussels EU
bar, after studies in Regensburg (Germany), Utrecht (The Netherlands), and Munich (Germany). Ms. Retzer is
fluent in German, English, and French and has a working knowledge of Dutch. She is a member of the
International Association of Privacy Professionals, the German Association for Data Protection and Data Security,
the Licensing Executives Society, and the Association for Industrial Property and Copyright Law.
Attorney Bio
Caroline Stakim
Associate
London
44 20 7920 4055
cstakim@mofo.com
Caroline Stakim is an associate in the London office of Morrison & Foerster and is a member of the firm’s
Employment and Labour Group. Ms. Stakim’s practice focuses on employment law matters and employee
privacy and data security law.
Ms. Stakim advises senior management and human resources professionals on all aspects of employment law
including employment documentation, policy, senior executive appointments and terminations, change
programmes, employment disputes, post-termination restrictions, business immigration and strategic HR issues,
often on a cross-jurisdictional basis. She also advises on the legal and tactical employee and privacy related
issues arising in corporate transactions including mergers and acquisitions and restructurings and the application
of the TUPE Regulations to outsourcing arrangements and solvent and insolvent business transfers. She also
advises on questions regarding the collection, use and disclosure of employee data, cross-border employee data
transfers; employee monitoring and surveillance; and privacy and the use of email and the internet in the
workplace.
Ms. Stakim received her LL.B (Hons.) from the University of Glasgow in 2005. She was admitted to practice in
Scotland in 2008 and in England and Wales in 2010. She is a member of the Employment Lawyers Association.
Caroline Stakim
Tab 3
About Morrison & Foerster
Data Protection Masterclass:
Hot Topics in Employee Privacy and Technology
Firm Overview
Morrison & Foerster is an international firm with more than 1,000 lawyers across
16 offices in the U.S., Europe, and Asia. Founded in 1883, we remain dedicated
to providing our clients, which include some of the largest financial institutions,
Fortune 100 companies, and technology and life science companies, with
unequalled service.
Among Top 10 firms nationwide based on number of first-tier national rankings
Our clients rely on us for innovative and business-minded solutions. Therefore,
we stress intellectual agility as a hallmark of our approach to client representation.
We apply it to every matter—from the complex to the routine—to ensure the best
outcomes for our clients and deliver success.
Top-tier national rankings included, among others:
• Antitrust
• Banking & Finance
• Capital Markets
• Commercial Litigation
• Corporate/M+A
• IP & Patent Litigation
• Employment Law
• Energy
• Environmental
• Financial Services Regulation
• Securitization/Structured Finance
• Tax
• Technology
We believe that great client service requires insight, expertise, speed, and
integrity. Our attorneys share high standards, a commitment to excellence, and a
passion for helping their clients succeed. This commitment to serving client
needs has resulted in enduring relationships and a record of high achievement.
In addition, our culture of genuine collegiality creates a work environment ideally
suited to collaboration and effective teamwork, which ultimately translates into
organizational stability, winning results, and more positive experiences for clients.
We enjoy tremendous practice, geographic, and client diversification—attributes
that have allowed us to prosper in these challenging times.
• Our practice is balanced, with more than 500 business attorneys and nearly
500 litigators.
• Offices in key financial and technology centers around the world provide us
with global reach and geographic diversity:
Beijing
Brussels
Denver
Hong Kong
London
Los Angeles
New York
Northern Virginia
Palo Alto
Sacramento
San Diego
San Francisco
Shanghai
Singapore
Tokyo
Washington, D.C.
• We are frequently recognized for our long-standing commitment to pro bono
work and diversity.
• Our outstanding client work has earned broad recognition from well-known
national and international organizations, such as:
Firm Overview l 1
We provide global reach in the world’s key markets
MOFO EUROPE
Brussels
London
MOFO USA
New York
San Francisco
Los Angeles
Palo Alto
San Diego
Washington, D.C.
Northern Virginia
Denver
Sacramento
MOFO ASIA
Beijing
Hong Kong
Shanghai
Singapore
Tokyo
Exceptional International Platform
Over the past three decades, Morrison & Foerster has invested significant effort and capital toward developing
a world-class international practice—leaving us well-positioned to serve clients across the rapidly-expanding
global economy. Our international service platform spans expertise in M&A, securities, finance and trade, and
dispute resolution, and includes complex global tax structuring, counsel on foreign workforces, the navigation of
regulatory bottlenecks in multiple jurisdictions, and antitrust, environmental, and litigation risk analyses
throughout the world, among other capabilities.
• We enjoy unrivalled reach around the Pacific Rim with nearly 200 lawyers in Asia teamed with more than
500 lawyers in California.
• We are the largest U.S. law firm in Japan, with more than 120 attorneys in Tokyo, including nearly 50
bengoshi admitted to practice in Japan. With our partners, Ito & Mitomi, we are widely recognized as
having Japan’s leading corporate practice.
• Our nearly 30-year presence in China has produced a strong platform of more than 70 multilingual U.S.-,
PRC-, and/or Hong Kong-qualified professionals.
• With an established presence in the UK for 30 years, we have nearly 60 lawyers qualified in the UK who
offer expertise across all major disciplines.
Practice Group Description
Privacy + Data Security
PRACTICE GROUP CHAIR
Miriam H. Wugmeister
1290 Avenue of the Americas
New York, NY 10104-0050
(212) 506-7213
mwugmeister@mofo.com
“Recommended as
‘excellent in all
respects.’”
- Legal 500 US
Morrison & Foerster has a world-class privacy and information security practice
that is cross-disciplinary and spans our global offices. With more than 60
lawyers actively counseling, litigating, and representing clients before regulators
around the world on privacy and security of information issues, we have been
recognized by Chambers and Legal 500 as having one of the best domestic and
global practices in this area. We were winner of Chambers USA’s award for
excellence in the field of Privacy and Data Security 2008. Chambers Global
ranks the practice Tier 1 in its “Data Protection: Global” category.
Clients have commented that our group is: “very responsive, with a knowledge
of the area that is second to none,” Chambers Global; and “the best at giving
practical advice by applying the law to the situation at issue”, US Legal 500.
Our practical and straightforward approach has made us the privacy counsel of
choice for some of the world’s largest and best known corporations, as well as a
host of smaller organizations. Our skills are particularly valued by companies
that operate in highly regulated sectors (such as financial services, healthcare,
and pharmaceuticals), those with an online presence, and those operating
internationally. Such organizations face multiple layers of regulation and
appreciate the timely, knowledgeable, and realistic advice our attorneys are
trained to provide. We take a big picture view of how organizations handle
information during its life cycle and help our clients find realistic solutions to
seemingly complex problems.
We Advise On:
• Data protection and privacy policies, procedures, and training.
• Data security standards and information handling.
• Security breaches.
• Regulatory investigations.
• Litigation.
• Cross-border data transfers.
• Employee monitoring.
• Compliance audits.
• Commercial transactions.
• Direct marketing.
• E-discovery and disclosure issues in litigation.
Privacy + Data Security | 1
“The work quality is
exceptional, they are
incredibly
responsive, and they
know about all the
hottest issues in data
privacy.”
- Chambers Global
A factor driving data protection regulation in recent years has been the changing
nature of technology – including issues such as the increased emphasis on
technological means to secure data, how we use social media, and the adoption
of cloud computing. Our data protection and privacy lawyers are at home with
technological innovation as well as with complex regulation. Because of our
comfort with technology, we are at ease speaking with the general counsel, the
chief privacy officer or the chief information officer regarding technical and non-technical issues relating to privacy and data security.
What truly distinguishes us is our practical approach to our work. In relation to all
areas of privacy law, we believe that it is our job to assist clients in finding
innovative and realistic solutions that balance compliance with the law and the
commercial realities of running their businesses. We work with our clients to find
solutions for managing business operations in light of the complex matrix of
privacy laws and regulations.
Resources
We offer important resources to support our clients in their privacy compliance
and data security efforts.
• Legal Resources: The privacy team writes extensively on privacy and data
security matters, including two treatises, Global Employee Privacy and Data
Security Law setting out the U.S. and international legal landscape related to
workplace privacy and data security, and The Law of Financial Privacy
covering the Fair Credit Reporting Act, Financial Privacy Act, Bank Secrecy
Act, and Internal Revenue Code requirements, including discussions of state
financial privacy laws, use of technology, and use and protection of
confidential information.
• Privacy Library: Our Privacy Library (www.mofoprivacy.com) is an online
resource which provides links to privacy laws, regulations, reports,
multilateral agreements, and government authorities of more than 90
countries around the world, including the United States. The Privacy Library
is the most comprehensive collection of privacy laws and regulations ever
assembled, the result of years of research and experience working with
clients around the world.
• MoFoNotes: Morrison & Foerster provides content to Nymity
(www.nymity.com) for its MoFoNotes product, a subscription-based database
that helps organizations determine local compliance requirements in
jurisdictions around the world, spot potential compliance issues, and simplify
the development of global privacy approaches.
Privacy + Data Security
PARTNER
Karin Retzer
Boulevard Louis Schmidt 29
1040 Brussels, Belgium
+322 340 7364
kretzer@mofo.com
Clients value our
“extensive network of
attorneys around the
world since privacy
legal issues are
becoming more
global every day.”
- Legal 500 US
EUROPEAN DATA PROTECTION
We help our clients navigate Europe’s complex patchwork of data protection laws
at the EU and individual country level, providing advice on international data
transfers and processing of personal data in the employment context and online.
We bring years of experience to the complex jurisdictional issues encountered by
multinational companies operating in Europe and work with our long-established
network of privacy experts to provide in-depth, tailored advice. In particular, we
provide advice on the implementation of EU laws in the individual EU Member
States, and provide our clients with regular updates, analysis, and practical
compliance solutions.
Our privacy group consults and negotiates extensively with European data
protection authorities, such as the French Commission Nationale de
l’Informatique et des Libertés, the various German Länder Data Protection
Commissioners and the UK Information Commissioner’s Office, as well as the
European Commission. Our work handling both compliance and advocacy
projects gives us an advantage. We are able to translate and clarify high-level
policy guidance into concrete compliance actions and, at the same time, use our
practical compliance experience to advise government policymakers on how to
craft policy in ways that can be translated into sensible compliance actions.
Recent Representative Engagements
• Consumer Products Company. We provided advice on global whistleblowing
hotlines and codes of conduct, including registration obligations across the
EU. We also drafted appropriate communications with employees, internal
protocols and procedures, and crafted language to include in contracts with
service providers.
• Several clients – Implementation of ePrivacy Directive. We have assisted a
number of clients in comprehensively tracking and analyzing implementation
of the EU ePrivacy Directive in all 30 EEA Member States. The ePrivacy
Directive introduced new requirements for data security breach notification,
spam and electronic marketing, and the use of cookies and online tracking
technologies. We provided and continue to provide our clients with practical
advice on how to deal with these legal changes cost effectively across the
jurisdictions.
• Multinational Pharmaceuticals Company. We advised our client on the
choice, adoption, and implementation of Binding Corporate Rules as the
global cross-border data handling strategy. We drafted the BCRs and
inter-affiliate agreement, and provided comprehensive assistance and advice
including preparing presentations to management, drafting communications,
and establishing standard operating procedures and complaint handling
procedures.
• Global Health Care Company. We advised on the adoption and
implementation of a global framework agreement. We advised on the
approach to consultations with works councils, drafted communications to
management, human resources, sales, marketing and clinical research
departments, conducted training for the procurement and legal functions
globally, and prepared employee notice and consent forms. We also advised
on and handled registration requirements in all EEA countries and relevant
Latin-American countries, and handled all aspects of data transfer
authorizations with regulatory authorities.
Tab 4
Articles and Alerts
Data Protection Masterclass:
Hot Topics in Employee Privacy and Technology
SOCIALLY AWARE
THE SOCIAL MEDIA LAW UPDATE
Volume 4, Issue 1 January/February 2013
IN THIS ISSUE
Employers and Employees Battle
Over Social Media Accounts
Page 2
Anonymous P2P User’s Motion
to Quash Subpoena Denied
Page 3
FTC Snuffs Out Online
“History Sniffing”
Page 4
Socially Aware Looks Back:
The Social Media Law Year in Review
Page 5
AdWords Decision Highlights Contours
of CDA Section 230 Safe Harbor
Page 7
FCC Rules That Opt-Out Confirmation
Text Messages Do Not Violate TCPA
Page 8
Facebook ’em, Danno: Is the
Hawaii 5-0's Facebook Wall A
Public Forum?
Page 9
PeopleBrowsr Wins Round
One Against Twitter
Page 10
EDITORS
John Delaney
Gabriel Meister
Aaron Rubin
CONTRIBUTORS
Amanda M.F. Bakale
Tiffany Cheung
Adam J. Fleisher
Matthew R. Galeotti
Jacob Michael Kaufman
J. Alexander Lawrence
Christine E. Lyon
Julie O’Neill
Jesse K. Soslow
In this issue of Socially Aware, our Burton Award-winning
guide to the law and business of social media, we explore the
challenges that arise when employers and employees battle
over work-related social media accounts; we discuss a new
litigation trend in which content owners are focusing on
individual P2P users to enforce their rights, despite potential
First Amendment hurdles; we report on the FTC’s crackdown
on so-called “history sniffing”; we examine how Section 230
of the Communications Decency Act may or may not fully
protect website operators from trademark-related claims; we
review a recent FCC ruling on whether opt-out confirmation
text messages violate the Telephone Consumer Protection Act;
we highlight constitutional challenges to how public entities
moderate their social media pages; we summarize a recent
order requiring Twitter to continue to provide PeopleBrowsr
with access to Twitter’s “Firehose”; and we recap major events
from 2012 that have had a substantial impact on the law of
social media.
All this, plus a collection of eye-opening numbers on the use of
social media in 2012.
Follow us on Twitter @MoFoSocMedia, and check out our blog.
EMPLOYERS
AND EMPLOYEES
BATTLE OVER
SOCIAL MEDIA
ACCOUNTS
When an employee uses a social
media account to promote his or her
company, who keeps that account when
the employee leaves? Perhaps more
importantly, who keeps the friends,
followers and connections associated with
that account? Three lawsuits highlight
the challenges an employer may face in
seeking to gain control of work-related
social media accounts maintained by
current or former employees.
We start with Eagle v. Edcomm, a federal
case out of Pennsylvania involving a
dispute over an ex-employee’s LinkedIn
account and related connections. The
plaintiff, Dr. Linda Eagle, was a co-founder of the defendant company,
Edcomm. She established a LinkedIn
account while at Edcomm, using the
account to promote the company and to
build her network. Edcomm personnel
had access to her LinkedIn password and
helped to maintain the account. Following
termination of her employment, Edcomm
allegedly changed Dr. Eagle’s LinkedIn
password and her account profile; the
new profile displayed the new interim
CEO’s name and photograph instead of
Dr. Eagle’s. (Apparently, “individuals
searching for Dr. Eagle were routed to a
LinkedIn page featuring [the new CEO]’s
name and photograph, but Dr. Eagle’s
honors and awards, recommendations,
and connections.”) Both parties raced to
the courthouse, filing lawsuits against
each other over the LinkedIn account and
other disputes. Although a final ruling on
all of the issues has not yet been made,
the court has issued two decisions.
In the earlier of the two decisions,
the court granted Dr. Eagle’s motion
to dismiss Edcomm’s trade secret
misappropriation claim, concluding that
the LinkedIn connections were not a trade
secret because they are “either generally
known in the wider business community or
capable of being easily derived from public
information.”
2 Socially Aware, January/February 2013
The most recent decision, however, was
largely a win for Edcomm. The court
granted Edcomm’s motion for summary
judgment on Dr. Eagle’s Computer Fraud
and Abuse Act (CFAA) and Lanham Act
claims. Regarding her CFAA claims, the
court concluded that the damages Dr.
Eagle claimed she had suffered—related
to harm to reputation, goodwill and
business opportunities—were insufficient
to satisfy the “loss” element of a CFAA
claim, which requires some relation to
“the impairment or damage to a computer
or computer system.” In rejecting Dr.
Eagle’s claim that Edcomm violated the
Lanham Act by posting the new CEO’s
name and picture on Dr. Eagle’s LinkedIn
account, the court found that Dr. Eagle
could not demonstrate that Edcomm’s
actions caused a “likelihood of confusion,”
as required by the Act.
Three recent cases
illustrate the importance
of creating clear policies
on the treatment of
business-related social
media accounts, and
making sure employees
are aware of these
policies.
In a federal case out of Illinois, Maremont
v. Susan Fredman Design Group LTD, the
employee, Jill Maremont, was seriously
injured in a car accident and had to spend
several months rehabilitating away from
work. While recovering, Ms. Maremont’s
employer—Susan Fredman Design
Group—posted and tweeted promotional
messages on Ms. Maremont’s private
Facebook and Twitter accounts, where
she had developed a large following as a
well-known interior designer. The posts
and tweets continued after Ms. Maremont
had asked her employer to stop, so Ms.
Maremont changed her passwords.
Following the password changes, Ms.
Maremont alleged that her employer
started treating her poorly in order to force
her to resign. Ms. Maremont then brought
claims under the Lanham Act, Illinois’
Right of Publicity Act, and the common
law right to privacy. Although the case is
still pending, the court issued a decision
refusing to dismiss Ms. Maremont’s
Lanham Act and Right of Publicity Act
claims. The court, however, dismissed
her common law right to privacy claims,
holding that she had failed to demonstrate
that her employer’s “intrusion into her
personal ‘digital life’ is actionable under
the common law theory of unreasonable
intrusion upon the seclusion of another,”
and that she had failed to allege a false
light claim because she did not allege that
her employer “acted with actual malice.”
A recently-settled California case,
PhoneDog LLC v. Noah Kravitz, about
which we have written previously,
involved a similar dispute over a former
employee’s Twitter account. Unlike the
LinkedIn account at issue in the Edcomm
case, the Twitter account in PhoneDog
apparently was created by the employer,
not the employee—however, the Twitter
“handle” identifying the account included
both the employer’s name and the
employee’s name: @PhoneDog_Noah.
According to PhoneDog’s complaint,
the account attracted approximately
17,000 Twitter followers. Mr. Kravitz,
who after leaving PhoneDog eventually
began working for one of PhoneDog’s
competitors, kept the Twitter account but
removed PhoneDog’s name, changing
the account's handle to @noahkravitz.
PhoneDog sued Mr. Kravitz, alleging
that Mr. Kravitz wrongfully used the
Twitter account to compete unfairly
against PhoneDog. Like Edcomm,
PhoneDog alleged misappropriation
of trade secrets, although PhoneDog
appears to have viewed the account login information rather than the actual
followers as the relevant trade secret
information.
As noted above, the parties have settled
the PhoneDog case, so we will not learn
how the court would have ultimately
ruled; nevertheless, this case and the
other pending suits discussed above
offer important lessons to employers.
Although the terms of the settlement are
confidential, news reports have indicated
that the agreement does allow Mr. Kravitz
to keep his Twitter account and followers.
These cases have received media attention,
and the two pending cases—Eagle and
Maremont—will continue to be closely
watched by the legal community to see
how courts define ownership interests
in employee social media accounts.
Employers, however, should not wait on
the rulings in these pending cases to take
steps to protect their interests in their
social media accounts. All three of these
cases illustrate the importance of creating
clear policies regarding the treatment of
business-related social media accounts,
and making sure that employees are
aware of these policies. Other measures an
employer can take include being certain
to control the passwords of the company’s
own social media accounts, and making
sure that the name of the account does
not include an individual employee’s
name. At the same time, employers need
to be mindful of new laws in California
restricting an employer’s ability to gain
access to its employees’ personal social
media accounts, laws on which we have
reported previously. And of course, in
light of these developments, it remains
particularly important to maintain a clear
distinction between company and personal
social media accounts.
ANONYMOUS P2P
USER’S MOTION TO
QUASH SUBPOENA
DENIED
BitTorrent, the peer-to-peer (P2P) file-sharing system that enables the quick
downloading of large files, has sparked
another novel controversy stemming
from copyright-infringement claims
brought against its users. Users take
advantage of the BitTorrent sharing
system to anonymously access popular
media such as books and movies. That
anonymity is unlikely to last long for
users who are alleged to have downloaded
copyrighted material. Last month, Judge
Sweet, a federal judge in the Southern
District of New York (SDNY), held that
an anonymous P2P user has no First
Amendment right to quash a subpoena
seeking her identity where the plaintiff
had no other means to effectively identify
the defendant.
Wiley reflects a new
wave of litigation in
which copyright holders
have shifted from suing
host sites to focusing on
individual users of P2P
networks.
In John Wiley & Sons Inc. v. Does Nos.
1-35, the plaintiff (Wiley), a publisher of
books and journal articles, alleged that
unidentified “John Does” used BitTorrent
to illegally copy and distribute Wiley’s
copyrighted works and infringe on Wiley’s
trademarks. Wiley sued 35 defendants
known only by their “John Doe Numbers”
and Internet Protocol (IP) addresses.
Seeking to identify the Does, Wiley moved
for court-issued subpoenas to be served
on various Internet service providers
(ISPs), ordering them to supply identifying
information corresponding to the Does’ IP
addresses. In an attempt to maintain her
anonymity and avoid liability, one of the
35 Does, then known only as John Doe No.
25 (“Doe 25”) or IP Address 74.68.143.193,
moved to quash a subpoena served on her
ISP, Time Warner Cable.
Wiley reflects a new wave of litigation in
which copyright holders have shifted from
suing host sites to focusing on individual
users of P2P networks. The mere fact that
copyrighted material is downloaded from
a particular IP address may be insufficient
to prove that the P2P network user is the
infringer. An IP address typically provides
only the location at which one of any
number of devices may be used by any
number of individuals (in fact, Doe 25
contended that her ex-husband, not she,
downloaded the infringing works). If a
motion to quash is granted, the account
holder’s identity is not revealed, and the
claim is effectively dead.
In considering whether to grant an
anonymous account holder’s motion to
quash a subpoena, courts balance the
user’s First Amendment right to act
anonymously with the plaintiff’s right to
pursue its claims.
Anonymous users can rely on a line
of precedent that extends the First
Amendment’s protections to online
expression. And under Rule 45 of the
Federal Rules of Civil Procedure, a court
must quash a subpoena if it requires
disclosure of protected matter. Thus, to
the extent that anonymity is protected by
the First Amendment, courts will quash
subpoenas designed to breach anonymity.
On the other hand, plaintiffs pursuing their
claims can point to precedent holding that
the First Amendment may not be used to
encroach upon the intellectual property
rights of others.
To balance these competing principles and
determine whether certain actions trigger
First Amendment protection, courts weigh
the five factors set out in Sony Music
Entertainment Inc. v. Does 1-40:
• whether the plaintiff has made a concrete showing of actionable harm;
• the specificity of the discovery request;
• the absence of alternative means by which to obtain the subpoenaed information;
• a central need for the data; and
• the party’s expectation of privacy.
In Wiley, each of these five factors weighed
in favor of disclosure of the defendant’s
identity. Wiley pled a sufficiently specific
claim of copyright infringement, and,
without a subpoena, Wiley would have
no other effective way to identify potential
infringers of Wiley’s intellectual property
rights.
At least five other courts within the
SDNY have denied motions to quash in
similar litigations involving defendants
accused of infringing Wiley’s copyrights
via BitTorrent. Going forward, so long as
copyright holders can satisfy the Sony five-factor test, they will be able to rely on cases
like Wiley to ferret out copyright infringers.
FTC SNUFFS OUT
ONLINE “HISTORY
SNIFFING”
The Federal Trade Commission (FTC)
has cracked down on a company that
was engaged in “history sniffing,” a
means of online tracking that digs up
information displayed by web browsers
to reveal the websites that users have
visited. In a proposed settlement with Epic
Marketplace, Inc. and Epic Media Group
(together, “EMG”) that was announced on
December 5, 2012, the FTC settled charges
that EMG had improperly used history
sniffing to collect sensitive information
regarding unsuspecting consumers.
EMG functions as an intermediary between
publishers—i.e., websites that publish
advertisements—and the advertisers who
want to place their ads on those websites.
It performs this function through online
behavioral advertising, which typically
entails placing cookies on websites that
a consumer visits in order to collect
information about his or her use of the
website, and then using that information to
serve targeted ads to the user when he or
she visits other websites within the "EMG
Marketplace Network," the network of
publisher websites serviced by EMG.
What got EMG into trouble was that
EMG also used history sniffing to collect
information regarding what websites users
had visited. Here’s how the technique
works at a high level: In your web browser,
hyperlinks to websites change color once
you’ve visited them. For example, if you
Continued on page 7
BIGGEST NUMBERS
IN SOCIAL MEDIA FROM 2012
810,000 – the number of retweets of
President Obama’s 2012 election victory tweet—
the most retweeted post on Twitter ever 1
4 million – the number of Facebook “likes”
for President Obama’s 2012 election victory
post—the most liked Facebook photo of all time 2
200 million – the number of LinkedIn
members as of January 9, 2013 3
1 billion – the number of views of PSY’s
“Gangnam Style”—the most viewed YouTube
video in history 4
1 billion – the number of monthly active
Facebook users as of October 2012 5
1.1 billion – the number of photos
uploaded to Facebook over New Year’s
Eve and New Year’s Day 6
3 billion – the total number of Foursquare
“check-ins” from its inception through 2012 7
4 billion – the number of hours of video
watched on YouTube every month 8
1. https://twitter.com/BarackObama/status/266031293945503744/photo/1
2. http://news.cnet.com/8301-17938_105-57546254-1/obama-victory-photo-smashes-facebook-like-record/
3. http://blog.linkedin.com/2013/01/09/linkedin-200-million/
4. http://news.cnet.com/8301-1023_3-57560498-93/gangnam-style-the-first-video-to-hit-1b-youtube-views/
5. http://finance.yahoo.com/news/number-active-usersfacebook-over-230449748.html
6. http://techcrunch.com/2013/01/17/facebook-photosrecord/
7. http://thenextweb.com/location/2012/11/21/foursquarehas-its-3-billionth-check-in-seeing-growth-of-x/
8. http://www.youtube.com/t/press_statistics
SOCIALLY AWARE
LOOKS BACK:
THE SOCIAL
MEDIA LAW YEAR
IN REVIEW
2012 was a momentous year for
social media law. We've combed
through the court decisions, the
legislative initiatives, the regulatory
actions and the corporate trends to
identify what we believe to be the
ten most significant social media law
developments of the past year–here
they are, in no particular order:
Bland v. Roberts – A Facebook
“like” is not constitutionally
protected speech
Former employees of the Hamptons
Sheriff’s Office in Virginia who were
fired by Sheriff BJ Roberts, sued
claiming they were fired for having
supported an opposing candidate in
a local election. Two of the plaintiffs
had “liked” the opposing candidate’s
Facebook page, which they claimed
was an act of constitutionally
protected speech. A federal district
court in Virginia, however, ruled that
a Facebook “like” “. . . is insufficient
speech to merit constitutional
protection”; according to the court,
“liking” involves no actual statement,
and constitutionally protected speech
could not be inferred from “one click
of a button.”
This case explored the increasingly important intersection of free speech
and social media with the court
finding that a “like” was insufficient
to warrant constitutional protection.
The decision has provoked much
criticism, and it will be interesting to
see whether other courts will follow
the Bland court’s lead or take a
different approach.
New York v. Harris – Twitter
required to turn over user’s
information and tweets
In early 2012, the New York City
District Attorney’s Office subpoenaed
Twitter to produce information
and tweets related to the account
of Malcolm Harris, an Occupy Wall
Street protester who was arrested
while protesting on the Brooklyn
Bridge. Harris first sought to quash
the subpoena, but the court denied
the motion, finding that Harris had
no proprietary interest in the tweets
and therefore did not have standing to
quash the subpoena. Twitter then filed
a motion to quash, but the court also
denied its motion, finding that Harris
had no reasonable expectation of
privacy in his tweets, and that, for the
majority of the information sought, no
search warrant was required.
This case set an important precedent
for production of information related
to social media accounts in criminal
suits. Under the Harris court’s ruling,
in certain circumstances, a criminal
defendant has no ability to challenge
a subpoena that seeks certain social
media account information and posts.
The National Labor Relations Board
(NLRB) issued its third guidance
document on workplace social
media policies
The NLRB issued guidance regarding
its interpretation of the National
Labor Relations Act (NLRA) and its
application to employer social media
policies. In its guidance document,
the NLRB stated that certain types
of provisions should not be included
in social media policies, including:
prohibitions on disclosure of
confidential information where there
are no carve-outs for discussion of
an employer’s labor policies and its
treatment of employees; prohibitions
on disclosures of an individual’s
personal information via social media
where such prohibitions could be
construed as limiting an employee’s
ability to discuss wages and working
conditions; discouragements of
“friending” and sending unsolicited
messages to one’s co-workers; and
prohibitions on comments regarding
pending legal matters to the degree
such prohibitions might restrict
employees from discussing potential
claims against their employer.
The NLRB’s third guidance document
illustrates the growing importance of
social media policies in the workplace.
With social media becoming an ever-increasing means of expression,
employers must take care to craft social
media policies that do not hinder their
employees’ rights. If your company has
not updated its social media policy in
the past year, it is likely to be outdated.
Fteja v. Facebook, Inc. and Twitter,
Inc. v. Skootle Corp. – Courts ruled
that the forum selection clauses in
Facebook’s and Twitter’s terms of
service are enforceable
In the Fteja case, a New York
federal court held that a forum
selection clause contained in
Facebook’s Statement of Rights and
Responsibilities (its “Terms”) was
enforceable. Facebook sought to
transfer a suit filed against it from
a New York federal court to one
in Northern California, citing the
forum selection clause in the Terms.
The court found that the plaintiff’s
clicking of the “I accept” button when
registering for Facebook constituted
his assent to the Terms even though
he may not have actually reviewed the
Terms, which were made available via
hyperlink during registration.
In the Skootle case, Twitter brought suit
in the Northern District of California
against various defendants for their
spamming activities on Twitter’s service.
One defendant, Garland Harris, who
was a resident of Florida, brought a
motion to dismiss, claiming lack of
personal jurisdiction and improper
venue. The court denied Harris’s
motion, finding that the forum selection
clause in Twitter’s terms of service
applied. The court, however, specifically
noted that it was not finding that
forum selection clauses in “clickwrap”
agreements are generally enforceable,
but rather “only that on the allegations
in this case, it is not unreasonable to
enforce the clause here.”
Fteja and Skootle highlight that
potentially burdensome provisions in
online agreements may be enforceable
even as to consumers: in both cases,
a consumer seeking to pursue or
defend a claim against a social media
platform provider was required to
do so in the provider’s forum. Both
consumers and businesses need to be
mindful of what they are agreeing to
when signing up for online services.
Six states passed legislation
regarding employers' access to
employee/applicant social media
accounts
California, Delaware, Illinois,
Maryland, Michigan and New Jersey
enacted legislation that prohibits an
employer from requesting or requiring
an employee or applicant to disclose a
user name or password for his or her
personal social media account.
Such legislation will likely become
more prevalent in 2013; Texas has a
similar proposed bill, and California
has proposed a bill that would
expand its current protections for
private employees to also include
public employees.
Facebook goes public
Facebook raised over $16 billion in its
initial public offering, which was one
of the most highly anticipated IPOs in
recent history and the largest tech IPO
in U.S. history. Facebook’s peak share
price during the first day of trading hit
$45 per share, but with a rocky first
few months fell to approximately $18—
sparking shareholder lawsuits. By the
end of 2012, however, Facebook had
rebounded to over $26 per share.
Facebook’s IPO was not only a
big event for Facebook and its
investors, but also for other social
media services and technology
startups generally. Many viewed,
and continue to view, Facebook’s
success or failure as a bellwether
for the viability of social media and
technology startup valuations.
Employer-employee litigation
over ownership of social media
accounts
2012 saw the settlement of one case,
and continued litigation in two other
cases, all involving the ownership
of business-related social media
accounts maintained by current or
former employees.
In the settled case of PhoneDog LLC
v. Noah Kravitz, employer sued
employee after the employee left
the company but retained a Twitter
account (and its 17,000 followers)
that he had maintained while working
for the employer. The terms of the
settlement are confidential, but news
reports indicated that the settlement
allowed the employee to keep the
account and its followers.
In two other pending cases, Eagle v.
Edcomm and Maremont v. Susan
Fredman Design Group LTD, social
media accounts originally created
by employees were later altered or
used by the employer without the
employees’ consent.
These cases are reminders that, with the
growing prevalence of business-related
social media, employers need to create
clear policies regarding the treatment of
work-related social media accounts.
California’s Attorney General went
after companies whose mobile
apps allegedly did not have
adequate privacy policies
Starting in late October 2012,
California’s Attorney General gave
notice to developers of approximately
100 mobile apps that they were
in violation of California’s Online
Privacy Protection Act (OPPA), a law
that, among other things, requires
developers of mobile apps that collect
personally identifiable information to
“conspicuously post” a privacy policy.
Then, in December 2012, California’s
Attorney General filed its first suit
under OPPA against Delta, for failing
to have a privacy policy that specifically
mentioned one of its mobile apps and
for failing to have a privacy policy
that was sufficiently accessible to
consumers of that app.
Privacy policies for mobile applications
continue to become more important
as the use of apps becomes more
widespread. California’s OPPA has led
the charge, but other states and the
federal government may follow. In
September, for instance, Representative
Ed Markey of Massachusetts introduced
The Mobile Device Privacy Act in the
U.S. House of Representatives, which
in some ways would have similar notice
requirements as California’s OPPA.
Changes to Instagram’s online
terms of service and privacy policy
created user backlash
In mid-December 2012, Instagram
released an updated version of its
online terms of service and privacy
policy (collectively, “Terms”). The
updated Terms would have allowed
Instagram to use a user’s likeness
and photographs in advertisements
without compensation. There was a
strong backlash from users over the
updated Terms, which ultimately led
to Instagram apologizing to its users
for the advertisement-related changes,
and reverting to its previous language
regarding advertisements.
Instagram’s changes to its Terms, and
subsequent reversal, are reminders of
how monetizing social media services
is often a difficult balancing act.
Although social media services need to
figure out how they can be profitable,
they also need to pay attention to their
users’ concerns.
The defeat of the Stop Online
Piracy Act (SOPA) and the PROTECT
IP Act (PIPA)
Two bills, SOPA and PIPA—which
were introduced in the U.S. House
of Representatives and U.S. Senate,
respectively, in late 2011—would
have given additional tools to
the U.S. Attorney General and
intellectual property rights holders to
combat online intellectual property
infringement. A strong outcry,
however, arose against the bills from
various Internet, technology and social
media companies. The opponents of
the bills, who claimed the proposed
legislation threatened free speech and
innovation, engaged in various protests
that included “blacking out” websites
for a day. These protests ultimately
resulted in the defeat of these bills in
January 2012.
The opposition to and subsequent
defeat of SOPA and PIPA demonstrated
the power of Internet and social media
services to shape the national debate
and sway lawmakers. With prominent
social media services such as Facebook,
YouTube, Twitter, LinkedIn and
Tumblr opposed to the bills, significant
public and, ultimately, congressional
opposition followed. Now that we’ve
witnessed the power that these services
wield when acting in unison, it will be
interesting to see what issues unite
them in the future.
Continued from page 4
have never visited a particular website
with your browser, hyperlinks to that site
will typically appear in your browser in
one color (e.g., blue), whereas once you’ve
visited the website, hyperlinks to the
site will appear in a different color (e.g.,
purple). History sniffing code exploits
this feature by “sniffing” around a web
page displayed in your browser to see
what color your hyperlinks are. When
the code finds purple links, it knows that
you’ve already visited those websites—and
thereby, the code catches a glimpse of
your browsing history.
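To make the mechanism concrete, the following is an added example of the classic :visited history-sniffing probe in the form it took before browsers closed the leak. It is not code from the newsletter, from EMG or from the FTC complaint. The probe list, the interest-segment rules and the two simulated browsers (one that leaks the visited color through getComputedStyle, one that has been fixed and always reports the unvisited color) are constructed for the example so that it runs offline under Node; in a real browser the same function runs against the live document.

```javascript
// Added example (not code from the newsletter, from EMG or from the FTC):
// the CSS :visited history-sniffing probe described above, in the form it
// took before browsers fixed the leak. In a browser it uses the real DOM;
// under Node it falls back to a constructed fake DOM that behaves like a
// pre-fix browser with an assumed browsing history, so the logic runs offline.

// Hypothetical probe list for illustration; EMG's list ran to 54,000 domains.
const PROBE_URLS = [
  'http://example-fertility-clinic.test/',
  'http://example-debt-relief.test/',
  'http://example-news.test/',
];

// The probe stylesheet pins the :link and :visited colours, so the check does
// not depend on the host page's theme (the blue/purple of the explanation).
const LINK_COLOR = 'rgb(0, 0, 255)';
const VISITED_COLOR = 'rgb(255, 0, 0)';

// Inject hidden <a> elements for each candidate URL, read each one's computed
// colour and keep the URLs whose colour is the :visited colour.
function sniffHistory(doc, win, urls) {
  const style = doc.createElement('style');
  style.textContent =
    `a.hs:link{color:${LINK_COLOR}} a.hs:visited{color:${VISITED_COLOR}}`;
  doc.head.appendChild(style);
  const holder = doc.createElement('div');
  holder.style.display = 'none'; // the user never sees the probe links
  doc.body.appendChild(holder);
  const visited = [];
  for (const url of urls) {
    const a = doc.createElement('a');
    a.className = 'hs';
    a.href = url;
    holder.appendChild(a);
    // A pre-fix browser reports the real :visited colour here; a fixed browser
    // always reports the :link colour, so this loop then finds nothing.
    if (win.getComputedStyle(a).color === VISITED_COLOR) visited.push(url);
  }
  holder.remove();
  style.remove();
  return visited;
}

// The second half of the EMG scheme: map leaked visits to "interest segments"
// used for ad targeting. Rules are constructed for the example.
const SEGMENT_RULES = [
  [/fertility/i, 'Pregnancy-Fertility'],
  [/debt/i, 'Debt Relief'],
];
function segmentsFor(visitedUrls) {
  const out = new Set();
  for (const url of visitedUrls) {
    for (const [pattern, label] of SEGMENT_RULES) {
      if (pattern.test(url)) out.add(label);
    }
  }
  return [...out];
}

// Constructed fake DOM for offline runs. `history` is the assumed set of URLs
// the simulated user has visited; getComputedStyle leaks it like a pre-fix browser.
function makeLeakyFakeBrowser(history) {
  const visitedSet = new Set(history);
  const makeEl = () => ({
    children: [], style: {}, href: '', className: '', textContent: '',
    appendChild(child) { this.children.push(child); return child; },
    remove() {},
  });
  const doc = { head: makeEl(), body: makeEl(), createElement: () => makeEl() };
  const win = {
    getComputedStyle: (el) => ({ color: visitedSet.has(el.href) ? VISITED_COLOR : LINK_COLOR }),
  };
  return { doc, win };
}

// A fixed browser: getComputedStyle reports the :link colour regardless of history.
function makeFixedFakeBrowser() {
  const { doc } = makeLeakyFakeBrowser([]);
  return { doc, win: { getComputedStyle: () => ({ color: LINK_COLOR }) } };
}

if (typeof document !== 'undefined') {
  console.log('leaked history:', sniffHistory(document, window, PROBE_URLS));
} else {
  const leaky = makeLeakyFakeBrowser(PROBE_URLS.slice(0, 2));
  const leaked = sniffHistory(leaky.doc, leaky.win, PROBE_URLS);
  console.log('pre-fix browser leaks:', leaked, '->', segmentsFor(leaked));
  const fixed = makeFixedFakeBrowser();
  console.log('fixed browser leaks:', sniffHistory(fixed.doc, fixed.win, PROBE_URLS));
}
```

The point of the fixed-browser case is the one the article makes later: current browsers answer getComputedStyle for a link as if it were unvisited, so the same probe returns an empty list and the leak is closed without the user doing anything. Note also that the probe never sets or reads a cookie, which is why clearing cookies did nothing against it.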
According to the FTC, for almost 18
months—from March 2010 until August
2011—EMG included history sniffing
code in ads that it served to website
visitors on at least 24,000 web pages
within its network, including web pages
associated with name brand websites.
EMG used such code to determine
whether consumers had visited more
than 54,000 different domains, including
websites “relating to fertility issues,
impotence, menopause, incontinence,
disability insurance, credit repair, debt
relief, and personal bankruptcy.” EMG
used this sensitive information to sort
consumers into “interest segments” that,
in turn, included sensitive categories like
“Incontinence,” “Arthritis,” “Memory
Improvement,” and “Pregnancy-Fertility
Getting Pregnant.” EMG then used these
sensitive interest segments to deliver
targeted ads to consumers.
History sniffing is not per se illegal under
U.S. law. What got EMG into trouble
was that it allegedly misrepresented
how it tracked consumers. First, EMG’s
privacy policy at the time stated that
the company only collected information
about visits to websites within the EMG
network; however, the FTC alleged that
the history sniffing code enabled EMG
to “determine whether consumers had
visited webpages that were outside
the [EMG] Marketplace Network,
information it would not otherwise have
been able to obtain.” EMG’s tracking of
users in a manner inconsistent with its
privacy policy was therefore allegedly
deceptive, in violation of Section 5 of the
FTC Act.
Second, EMG’s privacy policy did not
disclose that the company was engaged
in history sniffing; it disclosed only that
it “receives and records anonymous
information that your browser sends
whenever you visit a website which
is part of the [EMG] Marketplace
Network.” According to the FTC, the fact
that the company engaged in history
sniffing would have been material to
consumers in deciding whether to use
EMG’s opt-out mechanism. EMG’s
failure to disclose the practice was
therefore also allegedly deceptive in
violation of Section 5 of the FTC Act.
The proposed consent order would,
among other things, require EMG to
destroy all of the information that it
collected using history sniffing; bar
it from collecting any data through
history sniffing; prohibit it from using
or disclosing any information that was
collected through history sniffing; and
bar misrepresentations regarding how
the company collects and uses data from
consumers or about its use of history
sniffing code.
EMG ceased its history sniffing in August
2011, and most new versions of web
browsers have technology that blocks
this practice. Nonetheless, the FTC made
it clear in its complaint that it wanted to
highlight the problem because history
sniffing “circumvents the most common
and widely known method consumers
use to prevent online tracking: deleting
cookies.” Mark Eichorn, assistant
director of the FTC’s Division of Privacy
and Identity Protection, told the Los
Angeles Times that the FTC “really
wanted to make a statement with this
case.” He added, “People, I think, really
didn’t know that this was going on and
didn’t have any reason to know.” The
proposed consent order puts online
tracking and advertising companies on
notice: If you collect data in a manner
inconsistent with—or not disclosed in—
your privacy policy, you run the risk of a
charge of deception.
ADWORDS DECISION HIGHLIGHTS CONTOURS OF CDA SECTION 230 SAFE HARBOR
In a string of cases against Google,
approximately 20 separate plaintiffs have
claimed that, through advertisements on
its AdWords service, Google engaged in
trademark infringement. These claims
have been based on Google allowing
its advertisers to use their competitors’
trademarks in Google-generated online
advertisements. In a recent decision
emerging from these cases, CYBERsitter
v. Google, the U.S. District Court for
the Central District of California found
that Section 230 of the Communications
Decency Act (CDA) provides protection
for Google against some of the plaintiff’s
state law claims.
As we have discussed previously
(including in both 2012 and 2011),
Section 230 states that “[n]o provider or
user of an interactive computer service
shall be treated as the publisher or
speaker of any information provided by
another information content provider.”
The Section 230 safe harbor immunizes
websites from liability for content
created by users, as long as the website
did not “materially contribute” to the
development or creation of the content.
An important limitation on this safe
harbor, however, is that it shall not “be
construed to limit or expand any law
pertaining to intellectual property.”
In the CYBERsitter case, plaintiff
CYBERsitter, which sells an Internet
content-filtering program, sued Google
for selling and displaying advertisements
incorporating the CYBERsitter trademark
to ContentWatch, one of CYBERsitter’s
competitors. CYBERsitter’s complaint
alleged that Google had violated numerous
federal and California laws by, first, selling
the right to use CYBERsitter’s trademark
to ContentWatch and, second, permitting
and encouraging ContentWatch to use the
CYBERsitter mark in Google’s AdWords
advertising. Speci¿cally, CYBERsitter’s
complaint included claims of trademark
infringement, contributory trademark
infringement, false advertising, unfair
competition and unjust enrichment.
Google filed a motion to dismiss, arguing
that Section 230 of the CDA shielded it
from liability for CYBERsitter’s state law
claims. The court agreed with Google
for the state law claims of trademark
infringement, contributory trademark
infringement, unfair competition and
unjust enrichment, but only to the extent
that those claims sought to hold Google
liable for the infringing content of the
advertisements. The court, however, did
not discuss the apparent inapplicability of
the Section 230 safe harbor to trademark
claims. As noted above, Section 230 does
not apply to intellectual property claims
and, despite the fact that trademarks are
a form of intellectual property, the court
applied Section 230 without further note.
This is because the Ninth Circuit has held
that the term “intellectual property” in
Section 230 of the CDA refers to federal
intellectual property law and therefore
state intellectual property law claims
are not excluded from the safe harbor.
The Ninth Circuit, however, appears to
be an outlier with this interpretation;
decisions from other circuit courts suggest
disagreement with the Ninth Circuit’s
approach, and district courts outside the
Ninth Circuit have not followed the Ninth
Circuit’s lead.
Google was not let off the hook entirely
with regard to the plaintiff’s state
trademark law claims. In dismissing
the trademark infringement and
contributory trademark infringement
claims, the court distinguished between
Google’s liability for the content of the
advertisements and its liability for its
potentially tortious conduct unrelated to
the content of the advertisements. The
court refused to dismiss these claims to
the extent they sought to hold Google
liable for selling to third parties the right
to use CYBERsitter’s trademark, and for
encouraging and facilitating third parties
to use CYBERsitter’s trademark, without
CYBERsitter’s authorization. Because such
action by Google has nothing to do with the
online content of the advertisements, the
court held that Section 230 is inapplicable.
The court also found that CYBERsitter’s
false advertising claim was not barred by
Section 230 because Google may have
“materially contributed” to the content
of the advertisements and, therefore,
under Section 230 would have been
an “information content provider”
and not immune from liability. Prof.
Eric Goldman, who blogs frequently
on CDA-related matters, has pointed
out an apparent inconsistency in the
CYBERsitter court’s reasoning, noting
that Google did not materially contribute
to the content of the advertisements
for the purposes of the trademark
infringement, contributory infringement,
unfair competition and unjust
enrichment claims, but that Google
might have done so for the purposes of
the false advertising claim.
CYBERsitter highlights at least two key
points for website operators, bloggers, and
other providers of interactive computer
services. First, at least in the Ninth Circuit,
but not necessarily in other circuits,
the Section 230 safe harbor provides
protection from state intellectual property
law claims with regard to user-generated
content. Second, to be protected under
the Section 230 safe harbor, the service
provider must not have created the
content and it must not have materially
contributed to such content’s creation.
FCC RULES THAT OPT-OUT CONFIRMATION TEXT MESSAGES DO NOT VIOLATE TCPA
As noted in our Socially Aware
blog last September, waves of class
actions have recently alleged that the
delivery of an opt-out confirmation
text message violates the Telephone
Consumer Protection Act (TCPA). Thus,
a Federal Communications Commission
(“Commission”) Declaratory Ruling
finding that a single opt-out confirmation
text does not violate the TCPA comes
at a crucial time. The Commission’s
decision, issued on November 29, 2012,
is a welcome relief to companies facing
these cases.
The TCPA generally permits the delivery
of text messages to consumers after
receiving prior express consent to do
so. Numerous plaintiffs have taken the
position that an opt-out confirmation
message violates the TCPA because it is
delivered after consent has been revoked.
In its ruling, however, the Commission
found that a consumer’s prior express
consent to receive a text message can be
reasonably construed to include consent
to receive a final, one-time message
confirming that the consumer has revoked
such consent. Specifically, delivery of
an opt-out confirmation text message
does not violate the TCPA provided that
it (1) merely confirms the consumer’s
opt-out request and does not include any
marketing or promotional information,
and (2) is the only message sent to the
consumer after receipt of his or her
opt-out request. In addition, the Commission
explained that if the opt-out confirmation
text is sent within five minutes of receipt
of the opt-out, it will be presumed to
fall within the consumer’s prior express
consent. If it takes longer, however, “the
sender will have to make a showing that
such delay was reasonable and the longer
this delay, the more difficult it will be
to demonstrate that such messages fall
within the original prior consent.”
The Commission’s ruling brings the
TCPA into harmony with widely followed
self-regulatory guidelines issued by
the Mobile Marketing Association,
which affirmatively recommend that a
confirmation text be sent to the subscriber
after receiving an opt-out request. The
ruling also comes on the heels of, and
is consistent with, at least two recent
decisions in putative class action cases
filed in the Southern District of California.
In Ryabyshchuck v. Citibank (South
Dakota) N.A., the court held that Citibank
did not violate the TCPA by sending a text
message confirming that it had received
the customer’s opt-out request. The court
went as far as to say that “common sense
renders the [opt-out] text inactionable
under the TCPA.” The court reasoned
that the TCPA was intended to shield
consumers from the proliferation of
intrusive, nuisance communications,
and “[s]uch simple, confirmatory
responses to plaintiff-initiated contact
can hardly be termed an invasion of
privacy under the TCPA.” Likewise,
in Ibey v. Taco Bell Corp., the court
dismissed a lawsuit alleging that Taco
Bell had violated the TCPA by sending
an opt-out confirmation message. Noting
that the TCPA was enacted to prevent
unsolicited and mass communications,
the court held, “[to] impose liability … for
a single, confirmatory text message would
contravene public policy and the spirit
of the statute—prevention of unsolicited
telemarketing in a bulk format.”
The Commission’s ruling should bring an
end to the rash of class actions brought in
recent months challenging the legality of
confirmatory opt-out messages.
FACEBOOK ’EM, DANNO: IS THE HAWAII 5-0'S FACEBOOK WALL A PUBLIC FORUM?
On top of a presidential election, protests
over Instagram’s terms of use, and the
invention of gloves that can translate
sign language, 2012 also brought to
light interesting constitutional issues
involving public entities’ use of social
media, when a citizens’ group filed suit
against the City and County of Honolulu
for “violations of [the group’s] freedoms
of speech” based on the Honolulu Police
Department’s removal of several of the
group's postings from the Department’s
official Facebook page.
The background of the lawsuit is
seemingly innocuous. Like the White
House, the City of New York, and other
governmental entities, the Honolulu
Police Department (“HPD”) has an
official Facebook page. The HPD uses
its Facebook page to provide the citizens
of Honolulu with everything from crime
reports to information on public parking,
and Facebook users are able to comment
on its various posts. For a period of
time, HPD also allowed Facebook
members to post on its “wall.” (HPD no
longer allows wall posts, but retains a
“recommendations box” on its page where
users can make comments.) Starting in
the beginning of 2012, several members
of the Hawaii Defense Foundation (the
“Foundation”), a non-profit organization
dedicated to training citizens to use
handguns and informing Hawaiians
of their rights regarding firearms,
began posting comments, articles, and
photographs on the HPD Facebook page’s
wall, criticizing the HPD on issues ranging
from restrictions on issuing concealed
weapons permits to alleged corruption.
The administrators of the HPD Facebook
page took the same actions that
administrators of other Facebook pages
commonly take: deleting the offensive
posts and blocking the posters, both of
which are easily accomplished using
Facebook’s interface.
Although individuals and private
companies take these actions every day
on their Facebook pages, the Foundation
pointed out that the HPD Facebook page
was a self-proclaimed “forum open to
the public” created and administered
by a government entity. Facebook
describes the HPD and other such
bodies as “Government Organizations,”
although this label is applied merely
for categorization purposes and does
not purport to carry any legal weight.
Nonetheless, the Foundation labeled
the administrators of the page as
“agents” of the city of Honolulu, and
argued that their actions were subject to
scrutiny under the First and Fourteenth
Amendments. In its complaint, the
Foundation cited Rosenberger v.
Rector and Visitors of the University of
Virginia, a case in which a university’s
fund for student activities was
considered a “limited public forum”
for First Amendment purposes, to
demonstrate that “a forum need not
be a physical place.” The Foundation
also claimed that the HPD violated
its Fourteenth Amendment rights by
removing the posts and banning the
group’s members in violation of the
Foundation members’ due process rights.
Although the Foundation’s suit against
the HPD is the first First Amendment suit
of its kind, depending on its outcome,
other private groups may soon file
similar complaints against “Government
Organizations” on Facebook that take
a similarly aggressive approach to
administering their Facebook pages.
In fact, a former police officer in the
small village of Island Lake, Illinois
recently requested review from the
Illinois Attorney General’s office
when his comments on Island Lake’s
Facebook page were deleted by the page’s
administrators. The Illinois Attorney
General issued an opinion in which it
found that Island Lake’s actions did not
violate the Illinois Open Meetings Act,
but the opinion did not address the First
Amendment issues.
The Foundation’s suit against the
HPD and other complaints against
administrators of Facebook pages that
serve as “public forums” raise policy
issues that did not exist in the pre-social
media era. Unlike more conventional
forms of criticizing the government,
such as holding up physical signs in
front of city, state or federal buildings,
Facebook can be used as a vehicle for
dissent from the privacy of one’s own
home and enables the complaining
individual to make his or her opinions
instantly known to the entire Internet-equipped world. Although governmental
entities are not required to have
Facebook pages, they often establish
such pages as a simple and efficient way
of conveying information to citizens.
If these entities are to face constant
constitutional scrutiny based on their
means of administering their Facebook
pages, they may be reluctant to maintain
social media presences. The White
House Facebook page endures an endless
onslaught of criticism in the form of
comments on its posts (although it does
not allow users to post on its wall); on
the other hand, the Island Lake Facebook
page appears to have been shut down
for the most part. In light of the HPD
and Island Lake complaints, one legal
commentator advises public schools
whose Facebook pages may be visited
by disgruntled students to “consult with
legal counsel before deleting comments
from social media webpages to address
the constitutionality of that action.”
Regardless of the HPD suit’s outcome,
the fact that the complaint was filed in
the first place reinforces the notion that
social media is the new battleground for
all aspects of the law, from intellectual
property to criminal law... and now, the
frontier of constitutionality.
PEOPLEBROWSR WINS ROUND ONE AGAINST TWITTER
The Superior Court of the State of
California has entered a temporary
restraining order requiring Twitter to
continue to provide PeopleBrowsr with
access to the Firehose, Twitter’s complete
stream of all public tweets. Through the
Firehose, Twitter provides third-party
access to over 400 million daily tweets.
PeopleBrowsr is a San Francisco-based
social media analytics firm that provides
custom applications to clients ranging
from private businesses, consumers
and publishers to government agencies.
PeopleBrowsr’s data mining and analytics
platforms support various products and
services, such as data streams, social
media command centers and consumer
targeting programs. For example,
PeopleBrowsr’s product Kred provides
a real-time measure of social influence
within social media user networks.
PeopleBrowsr’s business depends on its
continued access to user-generated social
media content from Twitter. Twitter’s
recent decision to restrict PeopleBrowsr’s
access to the Firehose led PeopleBrowsr
to sue Twitter in California state court in
order to protect its current business model.
PeopleBrowsr and Twitter had entered
into a license agreement in June 2010,
enabling PeopleBrowsr to receive access
to the Firehose in exchange for over
$1 million a year. Twitter recently
invoked a contractual provision that
allowed Twitter to terminate the
agreement without cause. PeopleBrowsr
filed a complaint for interference with
contractual relations, in which it claimed
that its products and services require
access to the Twitter Firehose in order
to provide clients with contextual data
analysis. In response, Twitter claimed
that it had decided not to renew most
of its direct-to-user Firehose contracts,
instead reselling Twitter data in various
forms through intermediaries. Without
full access to the Firehose, PeopleBrowsr
claimed, it could not provide the products
that its customers expected. According
to PeopleBrowsr, it needs access to the
Firehose in order to detect and analyze
emerging trends fully and quickly; all
tweets in the Firehose are necessary
to conduct the scoring and ranking of
individual influence that underpins
PeopleBrowsr’s analysis.
On Twitter’s motion, the case has been
removed to federal court. PeopleBrowsr
has filed a motion to remand back to state
court, and Twitter has filed a motion to
dismiss. Both motions remain pending
before the Northern District of California.
As this case moves forward it promises to
provide an in-depth look at the Twitter
ecosystem and guidance for companies
with business models that depend
on access to data from social media
companies such as Twitter. Stay tuned for
further developments.
SOCIAL MEDIA 2013: ADDRESSING CORPORATE RISKS
Social media sites are transforming not only the daily lives of consumers, but also how companies
interact with consumers. However, along with the exciting new marketing opportunities presented
by social media come challenging new legal issues. In seeking to capitalize on the social media
gold rush, is your company taking the time to identify and address the attendant legal risks?
Please join Socially Aware editor John Delaney as he chairs Practising Law Institute’s (PLI) “Social
Media 2013: Addressing Corporate Risks.” Issues to be addressed at the conference include the
following:
• Social media: How it works, and why it is transforming the business world
• Drafting and updating social media policies
• User-generated content and related IP concerns
• Ensuring protection under the CDA’s Safe Harbor
• Minimizing risks relating to mobile apps
• Online marketing: New opportunities, new risks
• Privacy law considerations
• Practical tips for handling real-world issues
Representatives from Twitter, Google, Tumblr and other companies will be speaking at the event.
The conference is being held in San Francisco on February 6, 2013 and in New York City on
February 27, 2013; the February 6th event will be webcast. For more information or to register,
please visit PLI’s website at www.pli.edu/content.
We are Morrison & Foerster—a global firm of exceptional credentials in many areas. Our clients include some of the largest financial institutions, Fortune
100 companies, investment banks and technology and life science companies. Our clients count on us for innovative and business-minded solutions. Our
commitment to serving client needs has resulted in enduring relationships and a record of high achievement. For the last nine years, we’ve been included
on The American Lawyer’s A-List. Fortune named us one of the “100 Best Companies to Work For.” Our lawyers share a commitment to achieving results
for our clients, while preserving the differences that make us stronger.
Because of the generality of this newsletter, the information provided herein may not be applicable in all situations and should not be acted upon without
specific legal advice based on particular situations. The views expressed herein shall not be attributed to Morrison & Foerster, its attorneys or its clients.
©2013 Morrison & Foerster LLP, mofo.com
Socially Aware, January/February 2013
Client Alert.
6 June 2012
"Bring Your Own Device" Brings its Own Challenges
By Susan McLean and Alistair Maughan
The consumerisation of IT is the growing trend for information technology to emerge first in the consumer market and
then drive change in the industry generally. One of the most dramatic impacts of this shift is a rise in so-called “bring
your own device” strategies in both public and private enterprises.
In the past, the functionality of your work computer and phone tended to be streets ahead of what you used at home.
Remember the days when employees would show off their work PDAs, smartphones and laptops as perks of their job?
These days, increasing numbers of employees have better access to technology at home than they do at work, with
personal devices and apps that are user friendly and convenient in ways that their work equipment and systems are
not. Employees also wish to work differently (working remotely, outside regular hours, on the weekend, on vacation,
etc. are becoming the norm) and users want their business tools to enable this change. Employees also want to limit
their need to carry and manage multiple devices. The answer? Bring your own device to work.
In this Alert, we highlight some of the issues that organisations need to consider when formulating policies and
procedures designed to cope with the transition to a bring your own device strategy.
Understandably, IT departments have always been keen to retain absolute control over the office environment and
therefore resisted putting any non-company (i.e., non-trusted) devices on the company network. However, IT
departments are now under increasing pressure to support – and, indeed, encourage – the use of personal devices for
work purposes.
IT departments are embracing the trend on the basis that it can help save costs and change the perception of the IT
department as the department of “No”. It has also been shown that employees are more satisfied and productive when
they have more control over what tools they can use. Therefore, it is said to be good for business too, although some
commentators argue that the perceived benefits of “bring your own device” (or “BYOD”) have been overplayed.
Either way, this is not a passing fad. The analysts TechMarket View have recently reported that, in the UK alone, the
BYOD market will be worth £2 billion to UK software and IT services suppliers over the next five years; with five million
employees having adopted BYOD by the end of 2011 and an anticipated rise to around 9.5 million by 2016 – an
increase of 80%.
The BYOD trend leads to considerably more complexity for IT departments in terms of how they manage and support
end users. Organisations also need to grapple with the potential legal and regulatory issues raised by employees
using their personal devices for work purposes. Unhelpfully for organisations in regulated industries – especially
financial services – regulatory bodies have been slow to react and provide guidance on how BYOD applies in those
sectors.
© 2012 Morrison & Foerster LLP | mofo.com
Attorney Advertising
DATA SECURITY
Data security and the risk of data “leakage” have always been key concerns for organisations. The use of company
phones, laptops and other mobile devices increases that risk – because, by their very nature, these devices are more
easily lost, stolen and accessed. The risk is further compounded when employees start using their personal devices
for business purposes as part of a BYOD strategy.
One of the key challenges in designing a strategy to implement BYOD successfully is how to ensure data security on
non-company equipment – primarily as a result of it being harder to keep track of where data may actually be, how
data is protected and the difficulty of policing the use of personal devices.
In addition, organisations now need to grapple with the different scenarios raised by their employees’ use of corporate
data in different applications, such as what happens if an employee puts corporate data into a non-corporate supported
location (e.g., an application like Dropbox – which is becoming increasingly popular for both personal and work
purposes). These types of third party application may not have been vetted by IT or the company’s in-house legal
team and their terms and conditions may allow the third party extensive rights in terms of the data stored and/or have
wide exclusions of liability for data loss. This is more likely to be the case where the applications were originally
developed as consumer tools and not intended to store sensitive corporate data.
It is probably not practical these days to take the policy position that sensitive corporate data cannot be stored on
personal devices. Even if an organisation takes this position, how likely is it that an employee will actually comply?
Many organisations approach this issue by understanding that users, and the content that they generate and consume,
vary in the level of information sensitivity depending on their functional roles and needs. An organisation needs to take
a nuanced approach to take account of individual users and the types of data accessed on their devices.
It is not simply a question of analysing how to ensure compliance with existing security policies – it may be that
different security policies are required to replace existing security controls that simply do not work in the context of
personal devices. Companies must understand that employees tend to value convenience over security and take this
into account when formulating security policies – if you make the policies too restrictive, employees will simply ignore
them or find a way to circumvent them.
Organisations also need to consider up-front the appropriate corporate response if a security breach occurs in relation
to a personal device. Most organisations will wish to deploy remote wipe capability, but they need to consider the HR
impacts of such a strategy, as discussed further below.
DATA PROTECTION AND PRIVACY
In addition to data security generally, the data protection and privacy implications of a BYOD strategy are considerable.
Most countries have laws specifically dealing with the use and storage of personal data and requiring organisations to
protect and ensure against the implications of loss of that data, together with rules regarding the retention and
destruction of personal data. Compliance with data protection laws becomes significantly harder if the device on which
that data is stored is not owned or controlled by the enterprise itself.
Of course, it is not just a question of compliance with data protection laws (and the legal penalties for failing to comply)
– there can also be huge reputational issues if a company is shown to be poor at safeguarding personal data.
OWNERSHIP OF DATA AND MATERIALS
There is also the question of who owns the data stored on a personal device. In terms of corporate data stored on an
enterprise-provided device, the question of data ownership is pretty straightforward. Similarly, it is generally clear cut
that any materials created by an end user using an enterprise-provided device will be owned by the enterprise because
they will have been created in the course of the end user’s employment.
However, the position is less straightforward when the employee uses a personal device for business purposes. To
what extent is there a split in the ownership of data between the employer and the end user, depending on the nature
of the data? An enterprise would not expect to own an employee’s photos or personal files, but what about an
employee’s contacts?
Also, when an end user creates materials using a personal device, who owns the intellectual property rights (“IPR”) in
that material? In some situations, it may be clear whether or not the material was created in the course of the end
user’s employment, but in others it may not be so clear – for example, if a software developer uses his personal
computer to create new code not at the request of the company but as a personal project, should his employer own the
copyright in that code? Typically, a company will require that all IPR created by an employee (whether at work or
outside work) is owned by the company but in this context it is even more important to ensure that this issue is covered
appropriately in the employee’s terms of employment.
LICENSING
The licensing implications of a BYOD strategy are often overlooked.
Organisations often forget to check, for example, the scope of their Microsoft licences within the enterprise when
employees use personally owned mobile devices or laptops to access a virtual desktop, either from home or the office.
Such use may not be permitted within the existing licence terms or may incur additional licence fees (as some licences
may be granted on a per device basis, rather than per user basis).
Licensing issues will need to be considered carefully when formulating a BYOD strategy to ensure that the organisation
remains compliant.
LEGAL AND REGULATORY COMPLIANCE
A major risk for any enterprise that allows non-standard devices in the workplace is how to ensure and demonstrate
regulatory compliance. This is a particular challenge for regulated industries such as healthcare, pharmaceuticals and
financial services. But there are other laws, such as the U.S. Sarbanes-Oxley Act (which imposes an onus on public
companies to closely monitor financial and accounting activities), where compliance becomes more difficult the more
diverse the population of IT devices in use.
In considering regulatory compliance, there are several key issues that should be addressed. These include where the
data is stored, what the implications of that storage are and what happens if a device is lost or stolen or when
employees leave the company.
INDUSTRY STANDARDS
There is also the question of how to ensure compliance with applicable industry standards (for example ISO 27001,
PCI DSS, etc.). Organisations will need to carefully consider how to incorporate non-corporate assets into applicable
risk management strategies.
INVESTIGATIONS AND LITIGATION
Employers will clearly have less access to data stored on a personally owned device, but may need or want to obtain
access for the purposes of investigations or litigation. Organisations need to ensure that their employees agree to
make their personal devices available if the organisation reasonably requires them for investigation purposes or they
are subject to a discovery request in the context of litigation affecting the company. (Of course, even if an employee
signs a document promising to give access to the device in such circumstances, that doesn’t necessarily mean that a
court will enforce that agreement.)
INSURANCE
An issue that is sometimes overlooked is that of insurance. Organisations will need to check that their data
security/cyber risk insurance covers devices owned by employees to ensure that they are not exposed in the event of a
security breach. Any insurance policy which only covers devices owned by or leased to the organisation will need to
be revisited.
EMPLOYEE ISSUES
Many of the issues brought up by BYOD involve compliance with HR law, largely because many of the typical
corporate policies that exist in the workplace today were developed in a world before BYOD. Some of the issues that
will need to be carefully considered when formulating a BYOD strategy are as follows.
• Who should own the device? Ownership will impact how the company approaches some of the risk and liability
issues relating to the device.
• Who should be responsible for the cost of personal devices used for work purposes? In some countries, the law
requires an employer to provide all of the tools that an employee needs to carry out their job. Could this result in
the employer having to reimburse an employee’s costs?
• Should the BYOD programme be optional or mandatory? Typically, it is considered best to make it optional for
employees to use their personal devices for work purposes, by allowing them to choose to use company-issued
devices instead. This helps show that an employee’s decision to use a personally owned device (and to agree to
the related terms and obligations imposed upon the employee in relation to its use) was voluntary.
• If employees are only allowed to choose from a limited number of devices (which, for example, do not cater to
employees with special needs due to disabilities) or the BYOD scheme is only open to certain types of staff (e.g.,
full-time staff only), the company will need to consider whether there could be a risk of discrimination claims.
• Employers need to consider how responsibility for security is shared. Who is responsible for anti-virus updates,
etc.? At a minimum, you would expect an employer to mandate certain appropriate security measures to be
enabled by an employee before being able to use their personal device for work purposes. Policies also need to
be very clear as to the procedure the employee must follow in the event of a lost or stolen device.
• Employers also need to consider what happens if the device fails. Whose responsibility is it to fix or replace faulty
devices?
• The question of data protection and privacy compliance is not just an issue in terms of protecting customer data. It
is also a key issue in terms of the personal privacy of employees. It is worth noting in this context that there are
some countries where storing business data on a personal device may not even be permitted under applicable
privacy laws, so a global BYOD programme may not be appropriate – it is likely to need tailoring to meet regional
requirements.
  ◦ A number of data protection and privacy issues will need to be considered up-front. For example, to what
  extent should the employer have access to an employee’s personal data stored on their device? Can data
  be appropriately segregated between corporate and personal data? Also, what kind of monitoring and
  audit access is going to be appropriate in terms of a device which is used for both personal and work
  reasons? To what extent is monitoring of an employee’s personal device even permitted under applicable
  privacy laws? What about unintentional consequences – for example, that the organisation may, in effect,
  be able to track an employee’s whereabouts, both during and outside work hours (using GPS and WiFi
  location data)?
  ◦ Another key issue to consider is to what extent should the employer be entitled to remotely wipe, brick or
  block devices in the event of a security incident? Although it is possible to wipe company data only where
  it is segregated from other data in an encrypted “sandbox”, some remote wiping software will not just wipe
  the company data, but all data on the device (including, for example, any personal photos and music files).
  ◦ In terms of data protection and privacy, simply including clauses in an employee’s contract of employment
  is unlikely to satisfy the requirements of applicable law. It will be important to bring any conditions that
  may be considered onerous to the attention of the employees. Particularly in the case of wiping, it is
  essential that employees are informed in the clearest terms of the potential risks and that employees sign
  up to appropriate clear, voluntary and express consents/waivers.
• Employers also need to consider to what extent they should restrict anyone except the employee from using the
device (e.g., should they prevent an employee’s family members from being able to use the device).
• To what extent should the employer control the use of apps? A company may wish to blacklist particularly risky
apps. What about apps that may be considered to affect productivity – should an organisation try to block these or
restrict their use during working hours?
• To what extent should an employer control the use of a camera on a personal device in the workplace?
• How does an employer deal with the potential consequences of different personnel using different devices,
particularly if this makes certain employees more productive than others?
• To what extent can an employer control the use of a personal device by an employee? To what extent is an
employer liable if an employee breaches copyright law by carrying out illegal downloads etc. on their device?
What about if an employee accesses unlawful or inappropriate material?
• If an employer has existing restrictions in place regarding the use of social media, are these really going to be
enforceable on a device used for both work and personal purposes? Employers should also consider to what
extent they are able to place restrictions on how employees use their personal device during work hours.
• Another key concern is how to deal with corporate data that is stored on personal devices when an employee
leaves the organisation. There is always a risk that a departing employee, particularly when leaving to join a
competitor, may be keen to bring corporate data to their new job. If the employee is using company systems, any
attempt to do so can usually be identified, but if the information is stored on a personal device this will be more
difficult to police.
• What are the implications for work-life balance? Across most of the EU, there is now a 48 hour limit on a working
week, but how does that apply when studies show that 66% of people read e-mails 7 days a week and expect to
receive a response the same day, and 61% of people continue to check e-mail while on vacation? The likelihood
that employees will send and receive e-mails outside of work or office hours is clearly increased where the
employee uses a personal device for work purposes (e.g., an employee may decide to leave their work phone at
home whilst on vacation, but an employee won’t leave a personal phone at home).
• On a related note, in the U.S., organisations need to carefully consider whether the use of a personal device for
work purposes could impact an employee’s non-exempt status under the Fair Labor Standards Act and the
potential consequences. Employees may be considered “working” if they send or receive e-mails outside of work
or outside of office hours, triggering the potential for overtime payments. As above, this risk is greater where the
employee is using a personal device for work purposes.
• A final key consideration is how to inform, educate and train employees concerning the implications of using their
personal devices for work purposes. Employees need to be reminded that all company policies continue to apply
to their conduct when using a personal device for work (including policies relating to confidentiality, etc.). It is
important to get this right as arguably the best defence against data security breaches is well-informed employees.
CONCLUSION
Organisations cannot resist the consumerisation trend. It is not a passing trend, but here to stay – and if an enterprise
tries to resist it, increasingly tech-savvy employees are likely to find a way to circumvent the restrictions imposed.
The key is to try to take a pragmatic approach and put in place appropriate policies to try to accommodate employees’
desire for increased flexibility and mobility, whilst limiting the potential risks created by such an approach. These
policies will need to be reviewed regularly and evolve over time to keep up to date with changes in technology and
applicable law.
BYOD is not just an IT department issue but also a business issue and organisations need to ensure that they do not
simply focus on the obvious IT risk and issues such as data leakage, etc., but collaborate with all relevant stakeholders
and consider all relevant legal, HR and finance considerations. We all want to work “smarter”, but this should not be at
the expense of working safely.
Contact:
Susan McLean
+44 20 7920 4045
smclean@mofo.com
Alistair Maughan
+44 20 7920 4066
amaughan@mofo.com
About Morrison & Foerster:
We are Morrison & Foerster—a global firm of exceptional credentials in many areas. Our clients include some of the
largest financial institutions, investment banks, Fortune 100, technology and life science companies. We’ve been
included on The American Lawyer’s A-List for eight straight years, and Fortune named us one of the “100 Best
Companies to Work For.” Our lawyers are committed to achieving innovative and business-minded results for our
clients, while preserving the differences that make us stronger. This is MoFo. Visit us at www.mofo.com.
Because of the generality of this update, the information provided herein may not be applicable in all situations and
should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a
similar outcome.