A New Social World

Strategic Security

Illustration by Stuart Briers​​

A New Social World
 

​While a senior executive was on a business trip to Europe, someone took intimate photographs of the businessman and posted them on Twitter and Reddit. In the photos, the married executive is not clothed and he is not alone.

Within hours, the tweets start. They include the company's name. The executive reaches out to the security department for help because the company's new quarterly earnings are set to be announced within days. There's also a merger under discussion. Who does security call first—IT or legal?

Fortunately, that case never came out in the news because the security team kept it under wraps internally and had the Twitter posts removed.

But the potential crisis raises several questions: What legal responsibility did the organization have to the employee, if any? What rights did the employee have? Were any of these spelled out in a company social media policy?

The adoption phase of social media is over. Now the scary part is beginning—the rapid development of new innovations in social media to keep users engaged. Social media is a communications tool of convenience. This makes it potentially detrimental to companies.

In 2016, public consumers were nearly twice as likely to recall a company's social media campaign as to recall a print advertisement. That's good news for social media, but bad news for any organization experiencing a crisis there.

Lululemon and the NFL are just two organizations that had to invest significant resources to manage social media-fueled scandals in recent years.

After Lululemon company founder Chip Wilson told Bloomberg TV that "some women's bodies just actually don't work" with Lululemon pants, social media outrage from customers led him to step down.

To protest the way NFL Commissioner Roger Goodell  handled former running back Ray Rice's domestic abuse scandal, an activist group hired an airplane to fly a banner over the stadium with the hashtag "#GoodellMustGo" printed on it. The hashtag was widely shared on social media, and more than 50,000 people signed an online petition demanding that the NFL change its policies—which it later did.

Workplace sexual harassment accusations are increasingly being made on blogs and other digital publishing platforms, then amplified on Facebook, Twitter, and Snapchat. A blog post and an iPhone video recently sparked such a massive crisis at Uber that its biggest investors insisted that Uber's cofounder and CEO Travis Kalanick resign, which he did.

"Social media is a part of everyone's life, and while using social media, the line between one's personal and work activities can sometimes be blurred," says Nancy L. Gunzenhauser, an associate in the employment, labor, and workforce management practice in the New York office of Epstein Becker & Green. "Social media allows employees to network, support their employer's recruiting, and build a company brand.

"A strong social media policy will set parameters to help employees use social media effectively while protecting the company's confidential information and the reputation of its products and services."

Accessibility to social media at work may lead to various forms of workplace misconduct, says Scott L. Vernick, a partner at Fox Rothschild LLP who specializes in technology. For instance, employees could use social media to violate privacy laws (such as the U.S. Computer Fraud and Abuse Act), disclose trade secrets, open the company to Title VII exposure, violate labor laws, authorize deceptive endorsements, or violate workplace policies.

To reduce the risk of employer liability, Vernick recommends that organizations create clear employee guidelines and policies that set forth parameters of proper social media use.

For instance, employers should consider whether employees should be allowed to use social media at all, and if so, when. If employees are allowed to use social media at work, employers should consider what limitations to impose on posts.

"An effective social media policy will be updated regularly, enforced uniformly, and will clearly state what is expected of employees and what the consequences will be for any violation of that policy," says Christine Rafin, a partner in the law firm of Kent, Beatty & Gordon, LLP, who specializes in technology-related legal issues.

Additionally, employers should define what is prohibited conduct on social media—such as offensive, demeaning, defamatory, discriminatory, harassing, abusive, inappropriate, or illegal remarks, as well as personal gripes.

And employers should create limitations on the use of company names in postings or identities, such as limiting the use and mention of competitors, employees, or clients in postings, as well as prohibiting the unauthorized dissemination of company material.

For example, adidas has a two-page social media policy for employees that includes a variety of requirements.

"Do not comment on work-related legal matters unless you are an official spokesperson, and have the legal approval by the adidas Group or its brands to do so," the policy says. "In addition, talking about revenues, future products, pricing decisions, unannounced financial results, or similar matters will get you, the company, or both, into serious trouble. Stay away from discussing financial topics and predictions of future performance at all costs."

 Employers should be clear that violations of prohibited conduct will result in disciplinary action. However, employers must avoid prohibiting protected activity under the U.S. National Labor Relations Act, which allows employees to post or engage in conversations on social media about wages and working conditions.

"Employers should be careful not to craft their policies in a way that may be seen as attempting to chill employee speech entirely," Rafin says. "Policies that prohibit employees from posting statements online that may be harmful to the company's reputation have been held to be overbroad and unlawful by the National Labor Relations Board."

Employers should also be clear that employees should have no expectation of privacy in the use of social media or communications prepared on a company computer, even if those communications are deleted. Employers should also have a program in place to monitor employee use of social media.

"This is not always an easy or inexpensive task, however," Rafin says. "It may impact employee morale and lead some employees to find creative ways to get around the monitoring, including by setting up dummy profiles and enhancing the privacy settings on their posts."

Employers should be mindful, Rafin adds, that several U.S. states have enacted laws that prohibit employers from requesting employees' usernames and passwords to their personal social media accounts, or requiring employees to log in to those accounts in the employer's presence.

"Of course, exceptions may apply in certain situations—such as when the employer has reason to believe that the employee violated the law," Rafin says.

Employees who blog should also be reminded that they need to comply with the terms of use for their sites and refrain from exercising their personal opinions in a way that can be construed to be the company's opinion.

Whether employees are the cause, source, or target of such issues, understanding and amplifying your organization's social media policy is as essential as having both IT and legal on speed dial.

Don Aviv, CPP, PCI, PSP, is president of global corporate intelligence and security consulting firm Interfor International and vice-chair of the ASIS Security Services Council. Shannon Wilkinson is CEO of online reputation management firm Reputation Communications and a contributor to The Wall Street Journal's "Crisis of the Week" column. She is an expert presenter on reputation management in The Hetty Group's Coptics: The Optics of Policing in the Digital Age initiative and a member of the ASIS Women in Security Council.