Suppliers and retailers of alcoholic beverages advertise their respective products and offerings in a wide variety of digital outlets. Questions arise as to how the complex legal landscape of alcohol regulation applies in these digital spaces. Advertising media include social network services (e.g., Facebook), video sharing sites (e.g., YouTube), blogs, and smartphone applications. In addition to these types of media which engage consumers directly on their televisions and personal devices, other types of media target consumers in retail places. These media include digital screens which are physically present in store, as well as seemingly invisible technology which targets the consumer in store on his or her smartphone.

The Law Plays Catch-Up

Tied house laws, which address the financial relationships between supplier and retailer licensees, were enacted well before any digital media was invented. As a result, the alcohol laws have been playing catch up with this technology. Nevertheless, it is clear that social media qualifies as advertising for the purpose of alcohol beverage laws, and more and more jurisdictions are creating specific legislation to clarify this point. For example, Georgia, Kentucky, and Louisiana all now include social media in state definitions of advertising. On the federal level, the U.S. Tax and Trade Bureau (“TTB”) has confirmed that mandatory statements required in supplier product advertising are required in all forms of social media as well.

Paying for Technology: Compliance with State and Federal Tied House Rules

Technology can be expensive, and as a result retailers frequently wish to enlist supplier support to defray the cost of advertising both in and out of their premises. Generally, it is important to remember that the same rules which govern traditional advertising also govern these new technologies. Therefore, the same questions which come up in traditional advertising also apply here. For example, does the advertising involve the supplier paying for or buying advertising for the retailer in a manner that results in prohibited “cooperative advertising”? Does the technology involve the supplier providing or otherwise paying for a piece of equipment which is not covered by any applicable tied house exception?

The recent case of Retail Digital Network, LLC v. Prieto, 861 F.3d 839 (9th Cir. 2017), involved the issue of an impermissible payment for advertising. The plaintiff in the case installs liquid crystal displays for advertisements in retail outlets. Advertisers pay plaintiff for the opportunity to feature their brand advertising in the retail location. Plaintiff in turn then pays the retailer a percentage of the advertising fees generated by the display. Suppliers of alcohol beverages refused to do business with the plaintiff out of concern that California’s alcohol beverage laws prohibited them from paying to place advertising on a retail premises. The plaintiff sued the California Department of Alcoholic Beverage Control to enjoin enforcement of this particular part of the state tied house law. In short, the plaintiff argued that the suppliers’ proposed advertisements were protected commercial speech, and that the state interests and concerns inherent in the Twenty-first Amendment were outweighed by First Amendment interests. An en banc panel of the Ninth Circuit held that the California advertising prohibition directly and materially advanced the state’s interest in maintaining the three tier system, and therefore was sufficient to overcome First Amendment scrutiny.

Because digital advertising has become so popular, a cottage industry has developed for screens, closed loop televisions, and other devices that sit in retail places to stream digital content. Retailers frequently ask whether these items can be paid for or loaned by suppliers. This is a state specific issue, and the answer to the question will vary from one jurisdiction to another. One way to analyze the issue is to determine whether the item really a digital sign (likely covered under a tied house exception) or an illegal thing of value (a gift not covered by a tied house exception). The Texas Alcoholic Beverage Commission (“TABC”) has published two Marketing Practices Bulletins on this subject which provide helpful guidance. The TABC articulated questions to be used to determine the true nature of the item. They include:

• Is the primary purpose of the item to advertise a product?
• Is it a permanent fixture?
• Is it a thing of value?
• How long will the item stay in the retail premises?

Questions Raised by SmartPhone Applications

The uptick in digital advertising has also increased the number of smartphone applications directed at the marketing and sale of alcoholic beverages. Many retailers now have their own smartphone applications, and many interface with applications operated by non-licensees which drive traffic to the retail establishment.

Many of the best practices associated with applications which advertise alcohol are the same as the best practices for websites featuring alcohol products. These include, but are not limited to, age-gating and promoting responsible consumption. In addition, however, smartphone applications also raise several other legal issues in the alcohol space, depending on the functionality of the application. Consider the following issue-spotter questions:

• Does the app, if operated by an unlicensed third party, improperly use or avail itself of the retailer’s license to sell alcoholic beverages?
• Does the app facilitate an improper flow of funds between a supplier and a retailer?
• Does the app offer promotions which could result in violations of state happy hour or drink pricing rules?
• Does the app result in tied house exclusion by directing consumers away from one retailer and toward another?

Summary

Digital communications promoting alcohol present compliance challenges in terms of their jurisdictional reach, and to whom they may be directed. It is best for industry members to consult state law to determine which laws and regulations governing traditional advertising may also apply in the context of digital advertising. Furthermore, many states have developed enforcement policies and other opinion statements on social media and related issues; therefore, consulting state agency resources is recommended.

As a hotel executive, imagine that one of the managers you oversee shares that an employee is disparaging you and the company on Twitter. You jump online to find a member of your staff posted the following on a personal Twitter account, along with a photo looking bored and frustrated at work: “I’m about to murder someone at the reception desk! #WorstBossEver #Underpaid #Overworked.”

Incredulous that one of your employees could be so brazen and irresponsible, your first instinct is to terminate the employee immediately. However, it’s imperative that before you formally address the situation, you take a moment to gain a clear understanding of the law.

Hospitality businesses are increasingly using social media to their advantage, but with the surge in online exposure and direct consumer engagement comes a responsibility to implement clear social media guidelines. This includes developing policies that pertain to the use of social media by all hotel employees–not just those who manage your social media accounts. It is imperative that hotel owners and operators are vigilant in their efforts to monitor postings, balancing company interests with employees’ rights to express their opinions and concerns and engage in protected activity.

Employee training
While the use of social media can be highly beneficial when it comes to increasing brand awareness, it can also subject hospitality businesses to increased liability exposure. In fact, employers can be held liable for actions their employees take on social media that transpire during the scope of their employment.

For example, if a disgruntled employee takes to Facebook to complain about a coworker, the employer could face a harassment or defamation lawsuit. Employees should be prohibited from making remarks online that could be construed as harassment or discrimination in any way. Furthermore, hotels must be careful to avoid making, or being associated with, any misstatements about or misrepresentations of a competitor that could potentially lead to trade libel claims.

In order to avoid any potential legal pitfalls, hospitality businesses should craft a social media policy and train employees to follow it. This policy should be outlined clearly and concisely in a handbook that is regularly updated to stay current with new laws and technologies. A company approval process should be implemented, with a designated individual(s), or even an outside service, controlling login information and monitoring posts by employees, guests, competitors and other third parties.

Implementing a procedure for monitoring and screening content will also help to curtail employees’ accidental or intentional disclosure of a hotel’s confidential, proprietary and sensitive information—especially given that competitors may be privy to the postings. Additionally, hospitality businesses should consult legal counsel to ensure they fully comply with all local, state and federal laws.

Protected activities
When developing a social media policy, employers must be mindful that certain employee social media activity is legally protected. The National Labor Relations Board has issued a number of decisions in the last few years that provide guidance on what constitutes protected employee speech under the National Labor Relations Act (NLRA). This line of authority makes it clear that employees may lawfully discuss “concerted activity” through their personal social media accounts. It is unlawful for employers to implement overly broad policies that can reasonably be interpreted as a restriction on the exercise of collective bargaining rights.

In Landry’s Inc. and Its Wholly Owned Subsidiary Bubba Gump Shrimp Co. Restaurants, Inc. (2015), the NLRB found that a social media policy that “urges all employees not to post information regarding the company, their jobs, or other employees which could lead to morale issues in the workplace or detrimentally affect the company’s business” does not violate the NLRA because employees “could reasonably conclude … that they are being urged to be civil with others in posting job-related material and discussing on social media sites their grievances and disagreements with [their employer] or each other regarding job-related matters.”

In contrast, a different NLRB judge in 2014 concluded that it was unlawful for The Kroger Company of Michigan to require its employees to post a disclaimer whenever they identify themselves as a Kroger employee and converse with others on their personal social media pages about “work-related information.” The judge reasoned that requiring such a disclaimer would have the “tendency to chill” employees’ protected speech.

Recently, the NLRB found a Chipotle restaurant in Pennsylvania violated the law when it asked a worker to delete certain Twitter postings, such as one that included the phrase “cheap #labor,” and then fired him after he circulated a petition over break policies. “All these postings had the purpose of educating the public and creating sympathy and support for hourly workers in general and Chipotle’s workers in specific,” the judge wrote, finding they were protected under the NLRA.

An employee’s statements made during the exercise of protected conduct will, however, lose protection if they are particularly egregious. The NLRB considers four factors when determining whether an employee’s conduct, despite otherwise being protected, is so extreme as to lose protection under the NLRA: “(1) the place of the discussion; (2) the subject matter of the discussion; (3) the nature of the employee’s outburst; and (4) whether the outburst was, in any way, provoked by an employer’s unfair labor practice.”

In light of the aforementioned precedent, employers should have experienced legal counsel review and update their social media policies. Language should be clear that nothing in the policy is intended to, or will, be applied in a manner that limits employees’ rights to engage in protected activity. Using Section 7 of the National Labor Relations Act as a guide, this includes, but is not limited to, discussion of terms and conditions of employment as well as working conditions.

Enforcing the policies
In addition to regularly updating employee handbooks and providing training on social media policies, employers should also explain the consequences for violations and apply them consistently. It is imperative that the supervisor or manager tasked with addressing social media policy infractions has a clear and thorough understanding of the applicable law and a strong handle on social media best practices. Moreover, employers would be best served by having all employees sign an acknowledgement form, stating that the employee has read, understood and agreed to all of the policy’s terms. Rules and consequences should also be posted in common areas.

By adhering to these guidelines, and being cognizant of the evolving body of federal and state laws in this arena, hospitality businesses can maximize social media to grow and promote their brand, while ensuring protection from costly litigation.

Dana A. Kravetz is the Managing Partner at Michelman & Robinson, LLP (M&R), a national law firm with offices in California, Chicago and New York. As leader of M&R’s Labor and Employment Litigation group, he focuses his practice on counseling hotel and restaurant management, routinely defending his clients in various matters ranging from discrimination and harassment to hiring practices and wage and hour disputes. Contact him at dkravetz@mrllp.com or 310.564.2670.

Taylor Burras is an experienced attorney at Michelman & Robinson, LLP (M&R), a national law firm with offices in Los Angeles, Orange County, San Francisco, Sacramento and New York. Ms. Burras represents clients in the hospitality, and restaurant food and beverage industry. Contact her at tburras@mrllp.com or 310.564.2670

The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that might be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.

Click here for the original posting by Hotel News Now 

Social media has endless and valuable opportunities for the hospitality industry. From “valuable marketing” to connecting on a more personal level with consumers, social media can make or break a brand. However, in order to “maintain a positive reputation” on a world-wide platform like Twitter, it is important to take proactive measures. Completely controlling a wild beast like social media is an impossible feat. In this article, Charles Spitz and Benjamin Shechtman analyze a case involving Chipotle and a disgruntled employee and offer insight on the nuances of social media and the NLRA.

Read the full article here.

EMPLOYEES MAY TURN TO PERSONAL SOCIAL MEDIA accounts or private chat rooms to vent about the workplace without realizing that these communications may be read by their employers. The law recognizes that employers have legitimate interests in disciplining employees, safeguarding trade secrets, preventing disparagement of their business, and ensuring a work environment free of discrimination, harassment, and abusive conduct. At the same time, federal and state courts, state legislatures, and the National Labor Relations Board (NLRB) have recognized broad protections for employees in their internet communications. Attorneys should advise employers that disciplining an employee for private communications about the workplace on social media may run afoul of federal or state law, including the National Labor Relations Act (NLRA) and the federal Stored Communications Act (SCA).

Although the law on social media use is still developing, there are two principal ways the courts, legislatures, and NLRB have limited an employer’s ability to regulate an employee’s personal social media communications: 1) by restricting an employer’s access to an employee’s personal social media account, and 2) by expanding the scope of “concerted protected activity” on social media. Employers should be aware of the restrictions on accessing and regulating the personal social media use of employees and implement clear, narrowly tailored policies that balance the employer and employee rights in social media use. Overly broad social media policies, even if they are not enforced, may be interpreted as chilling or prohibiting protected concerted activity by employees and deemed an unfair labor practice.

Restricting Access

Years before the advent of social media, the federal government enacted the SCA, aimed at protecting the privacy of Internet communications.3 The SCA prohibits anyone—not just employers— from accessing electronic communications on a third-party service provider without authorization. In recent years, some states have enacted SCA-like statutes restricting an employer’s ability to access an employee’s personal social media site.4 In California, Labor Code Section 980 prohibits employers from requiring or even requesting an employee or applicant to: 1) disclose a username or password for the purpose of accessing personal social media, 2) access personal social media in employer’s presence, or 3) divulge any personal social media. The only exception occurs when the employer reasonably believes that the employee’s personal social media account is relevant to an investigation of allegations of employee misconduct or violation of law.

There are no reported cases interpreting Labor Code Section 980 or the carve-out for investigations of misconduct. However, a number of courts have found employers liable under the SCA for accessing the personal social media communications of employees. In Pietrylo v. Hillstone Restaurant Group, an employee of Hillstone maintained a personal chat group on Myspace during nonwork hours that was accessible only by electronic invitation from the plaintiff, and if accepted, a personal password to access the group.6 The site included language that indicated the group was private and a place where Hillstone employees could discuss the “crap/drama/and gossip” related to their workplace. Employees posted sexual and profane comments, jokes about Hillstone’s customer service “specs,” drug use, and a new wine list given to employees. No Hillstone upper manager was invited to join the group, and members accessed the site only during nonwork hours and on noncompany computers.

An employee member of the chat group showed the communications to her manager, who, in turn, asked the employee for her password to the account. The employee reluctantly provided the password, believing she would be in trouble if she did not. The manager accessed the chat group several times and showed it to other managers. Hillstone then fired the chat group founder and another employee for posting critical comments that it deemed offensive and violating the company’s core values. The two terminated employees sued, and the jury found Hillstone liable for violation of the SCA. The plaintiffs won compensatory and punitive damages. The jury found that the employee who reluctantly turned over her password to the manager had not done so voluntarily and had not authorized Hillstone management to access the chat group multiple times without her permission. While the jury found that the employer violated the SCA, it also concluded that the employer was not liable for invasion of privacy, finding that the plaintiffs had no reasonable expectation of privacy in the MySpace group.

Although the SCA and Labor Code Section 980 prohibit unauthorized access to employee social media accounts, they do not bar employers from viewing employee social media communications altogether. So long as the employer has done nothing unlawful to access or view the social media communications, there is no violation of these laws. In Ehling v. Monmouth-Ocean Hospital Service, a nurse maintained a private Facebook account on which she friended only other employees, not managers.8 One of the nurse’s supervisors friended her and saw a post by the nurse about a recent shooting at a holocaust museum in Washington, D.C., that stated “I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards…go to target practice.” The supervisor turned over the post to a hospital manager, and the nurse sued the hospital for violation of the SCA. The court ruled for the hospital because the manager had not accessed the nurse’s account and was shown the post by someone the nurse had authorized to view it.

While it may be tempting to gain consent to access an employee’s personal social media site by sending or accepting friend requests, employers should avoid friending, following, or connecting with employees on social media and maintain policies prohibiting, or at least discouraging, managers from doing so. Social media sites are filled with a wide range of personal information about employees, such as their sexual orientation, medical issues, religion, age, national origin, or other informa – tion protected by antidiscrimination statutes. If an employer later disciplines or terminates an employee who is social media friends with a manager, the employee may claim (and may establish at least a prima facie case) that the employment decision was based on the protected information the manager learned from the social media site, and not on job-related criteria.

employee of the Library of Congress sued the library and his former supervisor, alleging that he was harassed and humiliated by his supervisor and terminated after the supervisor’s daughter became Facebook friends with him. TerVeer liked a page that supported a same-sex parent campaign against bullying. The supervisor’s daughter commented on the post: “Don’t tell me you’re weird like that.” TerVeer alleged that before the post, he had a great relationship with his supervisor, who had even set him up with his daughter. After his post, however, the supervisor began to harass him, mock diversity, and lecture him on the “sin” of homosexuality. The library filed a motion to dismiss, and the District Court partially denied the motion, ruling that TerVeer stated claims for sex and religious discrimination, retaliation, and hostile work environment.11 This recently settled case illustrates the potential consequences of learning private information about an em – ployee through their personal social media.

Social Media as Concerted Activity

The National Labor Relations Act provides that “[e]mployees shall have the right to selforganization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.”12 The act also makes it an unfair labor practice for an em – ployer to interfere with, restrain, or coerce employees in the exercise of these rights.

Many states, including California, have enacted similar laws protecting employees from retaliation by employers for engaging in concerted activity. California Labor Code Sections 232 and 232.5 prohibit employers from requiring employees to refrain from disclosing the amount of their wages or working conditions or discharging, disciplining, or discriminating against employees who disclose the amount of their wages or their working conditions. Section 232.5, however, specifically provides that the statute is not intended to permit an employee to disclose an employer’s proprietary information, trade secret information, or information that is otherwise subject to a legal privilege without the consent of his or her employer.

In recent years, the NLRB has been actively prosecuting employers for violations of the rights of employees to engage in concerted activities, including those of a nonunionized employee on social media. As a recent article in the New York Times put it, the NLRB is intervening in social media to “expand its power” and “remain relevant as private-sector unions dwindle in size and power.”14 The NLRB, however, claims that social media sites are the new “virtual water coolers” and that it is “merely adapting the provisions of the Na tional Labor Relations Act, enacted in 1935, to the 21st century workplace.”15 Either way, employers should understand that, under certain circumstances, an employee’s expression of dissatisfaction in the workplace on social media may be protected concerted activity under the NLRA, even if the employees are not union members and there is no effort to unionize and no explicit reference to hours, pay, or other working conditions.

For example, in NLRB v. Karl Knauz Motors, Inc. d/b/a Knauz BMW, a car salesman posted a sarcastic comment on Facebook criticizing his employer for serving cheap food at a BMW sales event, and posting pictures of colleagues handing out hot dogs and water.16 Later that day, another dealership owned by the employer let a 13-year-old sit in the driver’s seat of a car, and the child accidentally drove the car into a pond. The salesman posted photos of the accident on Face – book, commenting: “This is your car. This is your car on drugs.” The salesman was fired one week later for the posts. The NLRB filed a complaint on the salesman’s behalf, contending that the Facebook posts were protected activity. The administrative law judge concluded that the first post was protected because the terminated employee and other salespersons shared communications about the cheap food, which could have impacted sales, and thus their commissions.17 The judge concluded that the second post was not protected concerted activity because it did not discuss terms and conditions of employment and, on that basis, upheld the employer’s decision to terminate the salesman.

In NLRB v. Three D, LLC d/b/a Triple Play Sports Bar and Grille, a Second Circuit case, two current employees responded to a Facebook post by a former employee regarding the employer’s mistakes in withholding taxes, which caused the employees to owe additional state taxes.19 One employee liked the former employee’s initial post. The second employee, whose privacy settings permitted only her friends to view her posts, posted one comment: “I owe too. Such an a** hole.

Both employees were terminated when the employer saw the posts. The administrative law judge recognized there is a balance to be struck between the rights of em ployees and legitimate employer interests in protecting its reputation but concluded that the employees’ posts were protected concerted activity because they were not so disloyal, disparaging, reckless, defamatory, or maliciously untrue so as to lose protection under the NLRA and were not directed at the general public.

In NRLB v. Design Technology Group, LLC d/b/a Bettie Page Clothing, a group of employees complained to their supervisor and the owner about working late hours in an unsafe neighborhood. Later that night, the employees engaged in a discussion on Facebook complaining about their employer without explicitly referring to their complaints about working late hours. One employee posted that she would be bringing a “Cali fornia Worker’s Rights” book to work the next day and that her mother worked for a law firm specializing in labor law. Another employee showed the posts to the manager, who terminated the employees. The NLRB ruled against the employer, holding that the posts were conversations for mutual aid and protection and “concerted protected activity.”

Although the NLRB has adopted a broad interpretation of “protected concerted activity” in the social media context, mere griping about the workplace is not enough to fall within the protections of the NLRA. In Tasker Healthcare Group d/b/a/ Skinsmart Derm – atology, an employee and nine other former and current employees participated in a private group chat on Facebook.23 After discussing a social event, the employee began venting about a supervisor, used profanity, and wrote: “FIRE ME…Make my day.” Later that morning, one of the employees in the chat showed the post to the employer. The employer terminated the employee, stating she obviously was no longer interested in working there. The NLRB concluded that the post was not protected activity as it did not involve shared employee concerns over terms and conditions of employment. Rather, the post was mere griping by an employee who failed to look forward to any action.

While the NLRB has not established a bright line rule for what constitutes protected concerted activity, social media communications among employees concerning any condition or aspect of the workplace and contemplating future action are likely protected activity. If, however, the communications are disloyal, disparaging, reckless, defamatory, or maliciously untrue, they may lose protection under the NLRA, especially if they are directed at the general public. If an employee is merely griping about the employer and not discussing forward-looking group activity among em – 14 Los Angeles Lawyer February 2016 ployees, the comments are not protected.25 Because each case is different, em ployers should exercise caution and seek counsel before taking action against an employee for his or her content on personal social media.

Free Speech

Public employee communications on social media may also be protected by the First Amendment. In Bland v. Roberts, the sheriff of Hampton, Virginia ran for re-election. During the campaign, one of the deputy sheriffs liked the Facebook page of the sheriff’s electoral opponent. The sheriff won re-election and fired the deputy sheriff and five other employees of the department who had shown support for the sheriff’s opponent. The employees sued, claiming that the sheriff retaliated against them because they supported his opponent, and the firings violated their right of free speech. The trial court ruled that a Facebook like did not constitute protected speech, but the Fourth Circuit reversed, holding that the Facebook like was in fact protected by the First Amendment.26 Although private sector employees have tried to bring claims against their employers for violation of the First Amendment arising out of their social media use, courts have rejected these claims because they do not involve state action and relate to private employment matters.

Ownership of Social Media Accounts

As social media proliferates, more employers are hiring employees to create and maintain company social media sites. While it may seem clear to the employer that it owns the social media sites established by and operated for the business, employees may not necessarily agree. In Phone Dog v. Kravitz, an em – ployee established and operated a Twitter account for his employer under the Twitter handle @phonedog_noah. Over time, the Twitter account grew to approximately 17,000 followers, and advertisers paid for advertising space on the Twitter account, generating revenue for the employer. When the employee left Phone Dog, he changed the Twitter account name to @noahkravitz. Phone Dog sued, arguing that it owned the Twitter a – ccount and login information. The case settled before any ruling on the merits, but the dispute underscores the importance of maintaining a clear policy that the employer owns all company social media sites, along with their usernames and passwords.

In a similar case in England, Whitmar Publications Ltd v. Gamage, four senior em – ployees set up a competing business while still employed with the plaintiff.29 They used their employer’s Linkedin groups to promote their new company and refused to turn over the login information after leaving. The British court issued injunctions against the former employees, ruling that the Linkedin account and login information were Whitmar’s protected confidential and proprietary information. The ruling in Whitmar emphasizes the need for clear policies stating that the em – ployer owns all social media sites, accounts, and login information.

Recommended Policies

Given the current state of the law, the best way for an employer to avoid disputes with employees over social media use is by drafting clear, narrowly tailored employment policies that balance the employer’s and employees’ legitimate interests. Among other things, social media policies should prohibit:

• Discrimination, harassment, and abusive conduct on social media.
• Disclosure of the employer’s trade secrets and confidential and proprietary information.
• Use of personal social media during work hours.
• Management requests that employees provide access to, or information from, their personal social media accounts.
• Friend requests from managers to employees, along with management’s following employees on social media sites or otherwise attempting to insert themselves into employee social media communications without clear, written employee consent.
• Management’s acceptance of friend requests or other invitations to follow or link with employees on social media sites.

A social media policy should also clearly state that the employer owns all social media sites established, maintained, accessed, or operated by employees for the company for business purposes during their employment, including all passwords and login information. Employers should avoid any language in a social media policy that could be interpreted as prohibiting or chilling the right of employees to engage in concerted activity and, in particular, discussions over wages, hours, and working conditions. While em – ploy ers may be permitted to discipline an employee for mere griping about the employer on social media, a social media policy should avoid broadly prohibiting communications by employees on social media that are “inappropriate,” “disparaging,” “confidential,” or “embarrassing” to the company.

Finally, employers should be aware of a recent ruling concerning employee e-mail use. In Purple Communications, the NLRB reversed its longstanding position and ruled that an employer may not maintain a policy prohibiting employees who are given company e-mail accounts from using those ac – counts during nonworking hours to engage in concerted activity and discuss wages and working conditions with other employees. An employer may only restrict these communications if they substantially disrupt or interfere with production and productivity.30 As the cases above indicate, employers face restrictions on accessing and regulating the social media posts of employees. While an em ployer may guard its trade secrets and business reputation, as well as act to prevent abusive employee conduct, an employer cannot prohibit the legally protected social media act – ivities of employees. Employers that are too heavy-handed in their monitoring of the social media activities of employees may find themselves liable under state and federal law.

____________________________________________________________________

This article was first published in Los Angeles Lawyer Magazine

Under Section 5 of the FTC Act, 15 U.S.C. § 45, the FTC is given the power to direct persons and companies away from using unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in affecting commerce. This includes advertising and social media.

One of the FTC’s main concerns is that consumers may be misguided into believing that an endorsement is the honest opinion of an endorser when in actuality there is a relationship between an endorser and a company and/or marketer. If relationship exists or an agreement has been made, the FTC requires that the endorser disclose this information.

It is common practice for companies or advertisers to provide products, services or discounts to individuals who have a broad reach on social media. For example, celebrity bloggers who have Instagram accounts with hundreds of thousands of followers are often given free merchandise and/or compensation in exchange for posting pictures of the product or themselves using the product to their accounts. The FTC is concerned that consumers are being deceived by these posts. As a result, the FTC has released guidelines that advise the endorsers, marketers and companies that they must disclose a relationship if the relationship is not apparent to consumers. (https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking#contests) Thus, if a blogger is writing a review, they must disclose whether the product was provided to them by a certain manufacturer or to at least disclose their relationship (i.e. if they’re sponsored or employed by the manufacturer).

In some forms of social media such as Twitter, Pinterest and Instagram, there is a limited amount of space in which one can post something, which makes disclosing this information more difficult. Further, the FTC has not mandated the specific wording of disclosures. However, it advises that inserting short statements such as “#sponsored”, “#promotion”, “paid ad” or even “ad,” may be enough to disclose a connection between the endorser and company.

Many bloggers and social media users feel that having such tags or wording would make their social media accounts feel non-organic or worse, they would be labeled a “sell-out.” While the FTC may choose who they would like to pursue, their rules still apply to bloggers. However, as a practical matter, the FTC has indicated that their enforcement efforts will focus on the companies and/or marketers whose products are the subject of the blogs.

Thus, while it certainly takes away from their organic publicity, companies should make an effort to advise their endorsers that they must disclose their relationship or if they received a particular item from the company or its marketing firm. Particular hash-tags such as “#sponsored” can be used, or even perhaps much more obvious hash-tags such as “ProvidedToMeBy[insertcompanyname]forfree”.

Companies and marketers know that they cannot control what is said on social media and that their endorsers may not follow these guidelines, but they must be mindful of these FTC guidelines in order to prevent being subject to an enforcement action by the FTC. The FTC advises that companies educate and instruct endorsers of such guidelines, make periodic attempts to search for what is said and if there is a problem, follow-up on it. Thus, at a minimum, companies should make a concerted effort to expressly communicate to endorsers that they must adequately disclose the relationship to consumers. The companies should then monitor the posts. Further, if the company re-tweets, re-grams, or re-pins an endorsed post, they need to also disclose the relationship.

Thus, companies and marketers should take note of the FTC’s guidelines and integrate them into their marketing plans and make the appropriate disclosures.

The proliferation of social media in the workplace has increased the risk of potential liabilities for companies. Specifically, there is a growing amount of litigation arising out of the use of confidential or proprietary information shared on social media websites. Employers have been facing, and will continue to face, a range of claims brought on by the use of social media in the workplace. Such claims may come in the form of invasion of privacy, copyright and trademark infringement, defamation, securities disclosure, advertising and consumer protection, harassment, discrimination, professional negligence and a continually evolving list of other claims.

Employers need to be aware of potential confidentiality breaches by both current and former employees. In Sasqua Group, Inc. v. Lori Courtney, et al., Case No. 10CV00528 (U.S.D.C. E.D.N.Y. 2010), a financial services company’s former managing director, Lori Courtney (Courtney), left the company to start her own financial services firm. Several of Sasqua’s clients moved their business to Courtney’s new firm. Sasqua then sought a temporary restraining order against Courtney, claiming that its trade secrets included “client contacts, their individual profiles, their hiring preferences, their employment backgrounds, and descriptions of previous interactions with client contacts.” Courtney countered with the argument that almost all potential clients in their industry have their information available on “Bloomberg, LinkedIn, Facebook or other publicly available databases.” Ultimately, the court adopted the Magistrate’s Recommendation that the information not be afforded trade secret protection and that injunctive relief be denied. Sasqua Group, Inc. v. Courtney, 2010 U.S. Dist. LEXIS 93442 (E.D.N.Y. Aug. 2, 2010).

Sasqua is an example of how the proliferation of information shared on social media sites can make it increasingly difficult for companies to maintain that sensitive information is either proprietary or confidential.

Another consideration regarding proprietary information is how to handle the information once it either intentionally or inadvertently becomes public. In Katiroll Co., Inc. v.Kati Roll and Platters, Inc., 2011 U.S. Dist. LEXIS 85212 (D.N.J. Aug. 3, 2011), the court considered a trademark infringement dispute between two restaurants. During litigation, the defendant removed his Facebook profile, which had included a photograph displaying the infringing trade dress at issue. Plaintiff alleged that the evidence had not been properly preserved. The court ultimately found that defendant had removed his Facebook pages at plaintiff’s request due to the infringement issues and, consequently, any spoliation of the evidence was unintentional. The court ordered that the Facebook picture be publicly visible again for a short period of time in order for plaintiff to obtain whatever it needed. Consequently, even if a party inadvertently posts confidential information, there may be legal ramifications associated with the subsequent removal of that information. If lawsuits are filed, then the confidential information or the misrepresentation of proprietary information will receive unwanted exposure and attention, regardless of who prevails in the lawsuit.

Another concern arising out of the dissemination of proprietary information through social media was illustrated in the recent case of PhoneDog v. Kravitz, Case No. C 11-03474 (N.D. Cal. 2011) in which a mobile news and reviews company sued former employee Noah Kravitz (Kravitz) over who owned a Twitter account. The Twitter account was started in association with PhoneDog, but was then used by Kravitz as his own Twitter account.This raises the issue of who actually owns a social media account. Although the matter remains pending in the Northern District of California, the court’s denial of Kravitz’s motion to dismiss the trade secret claim highlights the possibility of a forthcoming determination on a crucial question of law in the evolving field of social media claims.

Understandably, many employers are concerned that their employees will share proprietary information through social media sites and have established policies prohibiting such conduct. In response to such policies, the National Labor Relations Board (NLRB) maintains that a confidentiality policy is illegal if it limits employees’ ability to communicate with others regarding their working conditions. According to the General Counsel of the NLRB, a social media policy that limits use of the company’s name “without prior approval of the law department” is unlawful. (See Officeof the General Counsel, Report of the Acting GeneralCounsel Concerning Social Media, January 24, 2012.)

Therefore, under Section 7 of the National Labor Relations Act, employees have the right to use a company name and logo on items such as electronic or paper leaflets, cartoons or picket signs as long as they are engaging in protected, concerted activity.

On the other hand, one administrative law judge, in G4S Secure Solutions (USA) Inc., Case No. 28-CA- 23380 (March 29, 2012), upheld an employer policy that prohibited placement of photographs or videos of GS4 employees in uniform or at the workplace on social networking sites without express permission. In supporting the employer’s action, the court concluded that the employer had a legitimate reason for restricting the posting of pictures of its employees on social media sites and that “[t]o read it as a prohibition on Section 7 activity strikes me as a stretch.” In contrast, that very same court concluded that the employer could not restrict employees from using social media sites as a vehicle for commenting on work related matters.

It is important for companies to proactively implement social media policies regarding confidential and proprietary information that will serve to protect their interests even further in this ever-changing environment. Such policies should be carefully tailored to abide by the numerous laws and authorities that are emerging in this area. Just having the appropriate social media policies is not enough – companies need to appropriately communicate those policies to their employees and train employees\ on compliance. Further, companies that fail to secure appropriate social media insurance coverage to safeguard their interests will likely find themselves perilously exposed in a world driven by this exploding area of liability.

You could even say that some Facebook users use their accounts as diaries, describing what they’ve done, where they’ve been, and how they feel.

It’s highly doubtful, though, that these users would be disclosing such information if they knew who could access it.

According to a recent Reuters review of Westlaw’s database, police warrants for Facebook data is very common, and becoming only more so.

The first question you’d ask is, “can police really do that?”

The short answer is “yes.”

As long as there is probable cause to believe that a crime has been committed, law enforcement will probably be able to get a warrant to search through a user’s Facebook data.

Technically, there still needs to be probable cause that evidence of such a crime could be found on Facebook, but with how much personal information the general populace shares on Facebook today, a warrant would rarely be denied on these grounds.

In addition, neither Facebook nor the state need inform the user of the warrant.

Okay, so now that we’ve established that law enforcement can dig through your Facebook info without your knowledge, what can they access?

Everything you put on Facebook.

Specifically…

• Email address
• Date and Time of the account’s creation
• The most recent logins
• The user’s phone number
• Profile contact info
• Mini-feed
• Status update history
• Shares
• Notes
• Wall posts
• Friends list
• Groups list
• Future and past Events
• Videos
• Photos
• Private messages
• IP logs
• Likes
• Check-ins

So, even if a user does not expressly disclose any private details of a crime on Facebook (it amazes me how many people actually do), law enforcement can have access to a record of where you were, and when.

But even if law enforcement can’t get that data from your profile, it can comb through many of your friends’ profiles, if the abovementioned probable cause exists (which it usually does).

There are several signs that point to Facebook’s voluntary complicity in the process.

Most notably is the existence of a guide* for law enforcement agencies requesting information from Facebook that seems to have been prepared by Facebook itself (although the company would not confirm the document’s authenticity).

While the practice is against Facebook’s business interests, since it would encourage people to minimize their Facebook usage, there’s really nothing Facebook can do about it.

Realistically, to completely stop the practice would take legislation on the national level that specifically prohibits any information from any social networking sites from being used by law enforcement.

While anything’s possible in the future, we probably won’t see such legislation anytime soon.

So what can users do now to protect themselves?

The most obvious answer is to simply not commit a crime.

Unfortunately, though, that may not be enough, since you can’t control what your Facebook Friends do.

Ultimately, the only certain method to insulate oneself is to simply not use Facebook.

Of course, to many people, life without Facebook is far worse than the most obtrusive invasion of privacy.

Originally published on Saturday, July 18, 2015
52 views at time of republishing

However, in using social media to promote one’s business, there are a number of pitfalls that one must avoid. Using social media in relation to a business is not the same as using it for personal, non-commercial use. While it may seem like everything online is fair game, it is not. Just because something is found online does not mean that it is ok to use. Trouble can and does arise rather quickly…

There are three primary legal considerations when using social media and they fall within the realm of intellectual property—copyrights, right of publicity and trademarks. Often times, it is difficult to distinguish whether you are using someone else’s intellectual property—one must be cautious not to do so when posting on social media. The issues with using someone else’s copyright, likeness and trademark in social media to promote one’s business is that one is profiting off of someone else’s property that does not belong to them and that can and does create a significant amount of conflict. Profiting from another’s property is what separates the use of social media in business from just personal use.

Copyrights protect works of authorship that are original and fixed in a tangible form or medium. This includes photographs, pictures, drawings, designs, songs, poems and other works. Many times, brand owners see pictures of celebrities out in public wearing their clothes on various blogs and websites. Although this can be extremely exciting for the brand owner, it is unwise to share these photos on social media without clearing it first.

Often times, those pictures found online are copyrighted. The photographers obtain copyright registrations for those photos and retain attorneys to protect their intellectual property. Attorneys have been known to use reverse image search software to find where those photos were posted online. If the photos appear on a business’s social media account, they will often times send a cease and desist letter and request compensation of $7,000 – $14,000. If you refuse to submit to their demands you will most likely be threatened with a lawsuit against you, or worse, they will just go ahead and file a lawsuit against you. Sadly, while it does seem disingenuous, many times they have a colorable case since their client has a copyright registration and their client’s photo was used without authorization for commercial purposes.

How does one avoid these situations? Determine where the photo came from. Get a license for the photo. Look to see if the photo is in the public domain. Do not just repost the photo. This happens not only with celebrity photos, but also with photos that appear to be stock photos online. Unless there is a license that comes with a photo, you should not use what you find online. Feel free to post all the photos you take, but be cautious when it comes to posting photos from unknown sources.

In addition to a potential copyright claim over the use of a celebrity’s photo, there could be a right of publicity claim. Right of publicity is the right to use one’s name, likeness or identity for a commercial purpose. It applies when someone uses a celebrity’s name, likeness or voice and can range anywhere from a picture or silhouette to a well-known quote. Thus, if you post a picture of a celebrity wearing your goods, a quote from them or anther item that would refer to them, it may create a false and misleading impression that they are endorsing your product. A famous person does not need to be alive for a claim to be made, their estate can still make the claim for them. The laws vary from state to state and the applicable law is determined by where the celebrity resides or died. In general, you should not use the image, name, likeness or even quotes from a celebrity to promote your products as it may cause a false impression that they have an affiliation with your company. If you would like to do that, contact them, speak with their agent and try to obtain a license or endorsement.

The last social media concern is trademarks. Trademarks protect brands and their identity. Trademarks can be a simple word, slogan, logo, design or even sound. Trademarks are used as source identifiers to help consumers identify where a particular product originates from.

Ideally, one does not wish to cause any confusion with another brand owner. Thus, in using social media, be aware of the potential trademarks of others. Do not use anyone’s brand name.1 There may be a funny slogan or brand name that you want to make a play on, but if there is a possibility consumers will immediately think of the other brand owner and be confused, then do not do it. It could cause the other brand owner to bring forth trademark infringement claims. It does not take much for someone to send a cease and desist letter.

In sum, while social media is a great marketing tool, exercise caution when using it. One must look to where they are obtaining their posts, pictures and inspiration from and one must review whether their post would cause any confusion with or false association with another. If there are any questions or potential confusion in one’s commercial use of social media, then it is best simply not to do it, but if you must, consult with an experienced attorney.

While the likely surface-to-air missile that brought down Malaysia Air Flight 17 traveled at more than three times the speed of sound, criminals moved at cyber speed to exploit the intense global interest in the tragedy.

Following the downing of Malaysian Airlines Flight 17 (MH17), cyber criminals were quick to take advantage of the hashtag #MH17, used to consolidate discussion of the ongoing disaster on Twitter. Criminals entered the stream of conversation armed with links embedded with malicious code or malware. Readers looking for more information on news topics like MH17 are likely to click on links on Twitter and Facebook for two compelling reasons:

Social media encourages sharing and fosters a sense of familiarity even with strangers, lowering our guard and making us far more likely to open a link as we get caught up in the torrent of updates.

Twitter and Facebook are both incredibly popular on mobile devices that encourage a quick-click mentality without the hover feature that allows you to see the full URL before doing so.

Within hours of the downing of MH17, cyber criminals had set up several Indonesian-language Twitter feeds incorporating the newly created #MH17. The tweets and retweets from these accounts included URLs that ended with .tk, a domain extension notorious for social media scams and outright malware. When readers clicked on the link to get more information about the fast breaking event, their computers or smartphones connected with one of two IP (internet protocol) addresses that contained ZeuS/ZBOT and PE_SALITY malware. These viruses can steal .SCE and .EXE files from infected devices, a serious security violation.

Since MH17 was brought down over eastern Ukraine, #MH17 has been tweeted or retweeted 3.3 million times and counting, and it’s nearly impossible for the average user to know what links are suspect, especially when they are shortened using the Bitly URL shortening tool. A good rule of thumb is to ignore any link that ends in the .tk extension (.tk denotes the country code top-level domain of the tiny island nation of Tokelau in the Pacific Ocean). Not all .tk extensions are bad, of course, but enough are to warrant extra caution.

MH17 is only the latest tragedy to be exploited by cyber criminals. The hashtag #MH370, for the still-missing Malaysia Airlines flight, was also a tempting target for criminals, who used the same embedded link tactic. For an example of the scale we are talking about, #MH370 was tweeted and retweeted over 4 million times in the first weeks of the search, and is still being used heavily up to now. The rush for information leaves journalists and regular users alike at high risk not only for misinformation but for actual computer infection—another reason to pause before clicking on links not associated with well-respected news outlets, which is a shame since much of the power of Twitter and Facebook is their ability to bypass traditional channels of information.

Any breaking news now generates its own hashtag, making it possible for users to follow the issue across the world. It also generates a target-rich environment for scammers and criminals who don’t need to devise clever ways to get us to click; they just use the hashtag. And it’s not just tragic aviation event hashtags drawing extraordinary numbers and interest; #Gaza has been tweeted and retweeted over 6 million times in the last two weeks, and #WorldCup was mentioned over 10 million times this month.

The use of malware in tweets containing popular hashtags will increase but it’s not the only way criminals in the cyber world exploit real-world tragedies. As soon as the MH17 passenger manifest was released, scammers set up several Facebook pages “dedicated” to specific victims, including several young children from Australia. Visitors to the sites were blasted with banner ads and click-bait ads. The over-the-top ads mean the scammers are simply trying to boost click rates and increase their ad revenue. However, far worse are the tragedy-related sites or links that either inject malware directly, or direct the visitor to another site teeming with viruses. Anti-virus software is always a necessity but it can’t keep up with the daily evolutions in malware.

As social media evolves from a medium where people repeat existing information to a place where people seek to disseminate information (confirmed or unconfirmed), the risk of infected links will evolve as well, matching the trend lines step by step. It remains to be seen if social media malware safeguards will evolve in equal measure, ensuring that the power of social media is not weakened by its open and sharing nature.

Sharing information is now the way of business and social life. Companies have outsourced business processes to partners, moved data and applications to “the Cloud” and embraced social media for communication with customers and collaboration with suppliers. Individuals now bring their own computing devices to the office, mixing company and personal data on the same machine, and mobile devices are increasingly replacing desktops as the standard in business technology. All of these changes greatly increase the potential for data loss.

As the realities of these changes on modern business practice take hold, it is quite possible that we have crossed a dangerous line in this new information sharing culture. How are we to know if we are putting too much of our personal information on the Internet? And are we blurring the lines between what should and shouldn’t be said in public?

We’ve come a long way since the “Loose Lips Sink Ships” campaign of World War II, when a “need to know” concept was enforced and warned against giving away anything that could help the enemy. Now, seemingly irrelevant snippets of personal data can be used to piece together intelligence to enable hackers to target individuals, facilities and organizations. We are now at war over information. Hacktivists, criminal gangs, terrorist groups and even rogue states are targeting valuable intellectual property, customer and employee personal details. Individuals must consider their Web profiles, behaviors and security settings and wise up to the risks. Companies are also exposed to risks interacting with their supply chain, partners and customers.

A New Business Strategy

To reduce cyber risk, companies need to develop a new business strategy that is “secure by design” and understand that this isn’t just a technology issue, but a wide-ranging problem that encompasses culture, processes, staff behavior, training, and includes interactions with suppliers, partners and customers.

A key component in this strategy is to decide upon an information classification scheme. A decision must be made about what type of information should be kept secure, shared internally and published externally. Employees must be made to know what they should and shouldn’t be sharing, so the information must be marked to make it clear. Furthermore, they must understand what criteria to apply when marking their own generated content and handling protectively marked documents. Rules should be in place on information handling to reduce chances of leakage and information should be shared on a “need to know” basis internally as well as externally.

The military have used a multi-level security system and protective marking scheme for many years. This six-tier system ranges from “Top Secret” to “Unclassified” and was designed to protect paper-based information stored in filing cabinets and moved between places physically. Companies should introduce similar schemes. Here is a pragmatic example of security classification levels for different types of data:

1. Private – Company-critical information including personnel records, customer data, intellectual property, for example inventions, the design of products, components or future products, concepts and plans.

2. Transactional / Confidential – Information that needs to be shared with suppliers and customers for the business to run including contracts, invoices, purchase orders, proposals.

3. Unclassified – Data that can be shared with the world in print or online.

Some, but not all, data may move from “Private” to “Unclassified” over time. For example, the marketing strategy starts as “Private” but then becomes “Transactional” (but embargoed) as events are planned with partners, with some data becoming “Unclassified” as the campaign is launched to the public. Website content will be considered “Confidential” until it is published, but even then the organization will still own the copyright.

Controls and measures need to be put in place appropriate for the security level and industry cyber risk profile.

Collaboration at All Security Levels is Required

A key issue is that companies need to share information with partners at all levels. For example, an aircraft component design may need to be shared with a third-party manufacturer. The key emphasis and business enabler is secure collaboration – making it easy for information to flow with the business activities that require it.

The partner organizations must then operate similar security models with appropriate controls in place such as identity and access management, encryption and partnering agreements and contracts that include terms for secure collaboration.

The Private security level necessitates stricter controls and procedures, limited device access, and most importantly, better-protected information. There will be fewer people with access privileges and a lower volume of data. Enterprise strategic information assets should be given the highest priority for security spending.

Network perimeter security is no longer enough as critical data is passed out of the company to partners, customers and cloud services. The data itself must therefore be protected with encryption -only visible to the intended recipient. It is little known that e-mail and attachments are sent over the internet “in the clear,” with very little encrypted traffic. Companies should implement secure signed and encrypted e-mail, as the default standard for confidential information transfers between businesses.

A New Culture of Security and Controls

In order to enable this tiered information management structure, business processes and information systems need to be designed and implemented to prevent data loss. Employees must be trained and a new culture of “appropriate” security and controls should be introduced.

As the tools and techniques employed by cyber criminals become ever more sophisticated so must the approach to applying defense strategies. To remain static in approach to security, and to retain an improper culture of information sharing, is to accept an immediate and continuous step backward into the clutches of cyber criminals.

Doing business securely in the era of cyber crime and espionage is a significant challenge. Embedding an information security classification scheme, and with it a “need to know” cultural change, will act as a catalyst for secure, collaborative working and communication. It will also protect strategic information assets and enable organizations to prioritise spend to protect their brand.