A Few Tips for Drafting Social Networking Policies

Posted on March 1, 2010 by Lauren Darienzo

Social networking and blogging sites, such as Facebook and Twitter, continue to grow in popularity. The number of participants is staggering. Facebook alone recently reported that it now has more than 400 million active users.

Given the rise in use of social networking sites, employers should consider implementing  a policy governing employee use of such sites. A well-drafted social networking policy is essential because an employer’s existing policies, such as those governing confidentiality or the use of the employer’s computer systems, may not be broad enough to protect against employee misuse of these sites. This post covers some of the issues to consider in drafting an effective social networking policy, and also discusses the practicalities of investigating alleged violations of such a policy.
 

One of the first things to consider in drafting a social networking policy is whether to allow employees to access the sites through the use of the employer’s technology, such as computer and email systems or handheld devices, and whether access will be permitted during work time. The answer to these questions may depend upon the nature of the employer’s business and whether there are business-related reasons for employees to use the sites.

A social networking policy should also prohibit inappropriate postings on, or the inappropriate use of the sites, and should advise employees what is considered inappropriate. Defining the line between appropriate and inappropriate, however, may be the most difficult challenge, particularly for those employers employing a relatively young workforce. Examples of inappropriate postings include comments and complaints that are disparaging to the employer, or the disclosure of an employer’s proprietary or confidential information or of any information that is protected by law. Employers should also consider whether to forbid employees from posting any information about the employer, or if certain information would be permissible with the employer’s prior approval. Employees should generally not be allowed to speak on behalf of their employer, unless specifically authorized to do so. See our January 27, 2010 post.

In defining what constitutes impermissible conduct under the policy, employers must use caution to avoid infringing on employees’ rights under Section 7 of the National Labor Relations Act. The policy cannot be drafted in a way that employees would reasonably construe as prohibiting discussion of wages, hours, and working conditions. A policy which prohibits and specifically describes a broad range of inappropriate communication is less likely to run afoul of the National Labor Relations Act.

Because enforcing a social networking policy can be difficult, the policy should require employees to report known violations to the human resources office or a member of management. As with other key policies, employees should be told that it is their “responsibility” to help the employer ensure compliance with the policy. The potential consequences of a violation of the policy should also be described. This can be as simple as a warning that an employee may be subject to discipline, up to and including discharge.

Once developed, the policy should be distributed to all employees, who should be required to acknowledge in writing that they have received it. The policy should be redistributed to employees periodically.

A social networking policy is most effective when developed in conjunction with a policy governing employee use of technology belonging to the employer. A policy of this kind should be designed to lower employees’ expectations of privacy when using the employer’s technology by including language stating that the employer reserves the right to access, intercept and monitor all information accessed, sent, or received through the employer’s systems. Employers should also obtain the express consent of employees both to monitor communications and to access stored communications. This is best accomplished by requiring employees to sign written consent forms. Alternatively, an employer can establish that employees have consented to the monitoring and accessing of communications by requiring them to click on a pop-up screen acknowledging consent to the employer’s policies before access is granted to the employer’s computer systems.

Even with a well-drafted social networking policy in place, investigating potential violations, such as an allegation that an employee has posted something inappropriate on a site, can be challenging. It may be difficult to verify that the alleged misconduct occurred because the information may be posted on a secured site not accessible to the public or it may be deleted before the investigation has been completed. If the posting was prepared or accessed using technology belonging to the employer, an employee’s consent to access that information could be obtained through the type of technology use policy discussed above.

If the employer’s technology was not used, it may be impossible to view the posting without the employee’s consent. In that scenario, an employer may have no recourse other than to simply question the employee about the posting, and to speak to any co-workers who may have seen it. Employers should hesitate before asking employees for their personal log-in information. Aliases or similar surreptitious means to access a secured site should not be used, and an employer should take steps to protect an employee’s privacy in the investigation.

If an investigation concludes that an employee has violated the social networking policy, appropriate discipline should be considered, but an employer should use caution when meting out discipline. Public employers should also be aware that the First Amendment may protect an employee who speaks on what is considered to be a matter of public concern.
 
Tags: , , ,

Dealing with Employee Use of Social Networking Sites

Posted on September 1, 2009 by Jessica Satriano

Being at work apparently poses no obstacle to checking the Facebook or MySpace status of friends and keeping up-to-date with the continuous “tweets” on Twitter.  According to a recent study  conducted by Nucleus Research, 61% of all employees access their Facebook profiles at work. While the length of time employees are plugged-in varies from one to 120 minutes per employee per day, according to the same study employers lose an average of 15 minutes of productivity per day from each social networking employee.

What is an employer to do?

An employer can prohibit accessing social networking sites during working hours.  But this approach may have its own detrimental side effects on employee productivity.  According to one university study, employees who surf the Internet at work, including accessing Facebook and YouTube, are 9% more productive than their non-Internet surfing counterparts.  A ban on employee access to social networking sites can also limit the potential benefits an employer might receive from such sites.  For example, the networking site LinkedIn can serve as a valuable tool for businesses looking to build relationships with potential clients/customers.  And, as one researcher has noted, sites like Facebook can assist employees in building relationships with professional acquaintances which can benefit their employers in the long run.

 Monitoring employees’ use of Twitter, Facebook, MySpace, and other social networking sites is another option.  But monitoring employee use of such sites raises several legal issues, including, in particular, whether an employer that accesses an employee’s social networking page without the employee’s consent violates federal law.

Social networking sites offer subscribers a variety of protections to keep their posts private or semi-private.  If a subscriber sets his profile to “private/friends only,” he can reasonably expect that his employer will not have access to his profile posts or pictures unless he accepts the employer as a Facebook “friend.”  But picture this scenario: Co-workers engage in a dialogue critical of their employer on a MySpace page that can only be accessed by individuals invited and authorized by the page creator to view it.  The employer then terminates these employees after learning about the page and its posts from an authorized viewer. Legal? According to the court in Pietrylo v. Hillstone Restaurant Group d/b/a/ Houston’s, (D.N.J. 2008) , the answer to that question depends, in part, on whether the employer violated a federal statute, the Stored Communications Act (“SCA”) (18 U.S.C. § 2701 et seq.).

The SCA applies to communications stored on Internet sites (such as Facebook, MySpace, Twitter, etc.). It imposes criminal penalties on individuals who gain unauthorized access to such stored communications. Employers can run afoul of the SCA by covertly monitoring their employees’ private social networking postings by, for example, using spyware to track keystrokes to gain log-in information. But the Act’s protections extend beyond such covert measures. “Unauthorized access” also encompasses situations where authorized access is exceeded.  The Act excepts from liability “conduct authorized … by a user of that service with respect to a communication of or intended for that user.”  So long as the information is freely provided by someone who is authorized to and has accessed the private website, the Act permits an authorized user to allow a third party to gain access to the same information the authorized user has access to.

In Pietrylo, the employer gained access to an employee’s password-protected, “by invitation only,” MySpace page when an invited member of the page (also an employee) showed it to a manager at a dinner party. The manager thereafter asked the invited member for her log-in name and password, and used that information to repeatedly access the page and its postings. The court held that a jury could find this means of access not “authorized” under the SCA, if the invited member’s consent was given under duress (the invited member thought that she could get in trouble with the company if she did not provide the information). The jury ultimately returned a verdict against the employer, and found that the employer had, in fact, gained unauthorized access to the MySpace page in violation of the SCA.

The Pietrylo decision and verdict does not mean that every request for log-in information will violate the SCA. Had the invited member in Pietrylo freely given the employer her log-in information, the employer would likely have faced no liability. But whether consent is freely given will often be a difficult question to answer, so employers should be cautious when making requests.

Moreover, the potential legal issues raised by accessing a social networking site do not end with the question of authorized access. Once access is lawfully gained, the issue then becomes, what, if anything, employers can do with the information that is discovered. For an overview discussion of those potential legal issues, see Employers: ‘Keep out!’ Beware intruding in employee web sites by Louis P. DiLorenzo.  

 

Tags: , , , ,