10 Social Media Must Haves For Your Corporate Compliance And Ethics Program

By Michelle Sherman

Companies would be legally remiss not to add a social media component to their corporate compliance and ethics program. As we have seen and reported on, agencies such as FINRA, the FTC, and the NLRB are bringing complaints against companies arising from their social media activity or employee-related activity. These complaints highlight the need for companies to demonstrate that they are exercising due diligence to promote ethical conduct and prevent criminal conduct in the context of social media activity [e.g. Federal Sentencing Guidelines, § 8B2.1].
 

The following list is a good starting point; however, there may be additional items that a social media attorney will recommend you include in your policy depending on the nature of your business. A companion article to this one, for example, includes additional items that government contractors should have in their social media policies.

  1. Adopt a social media policy. Include the basic list of “Dos” and “Don’ts” in your policy. Don’t try to prohibit lawful protected activity such as complaining about work conditions or compensation/benefits, or whistleblowing. However, employees should be advised of the importance of communicating possible wrongdoing at the company through established internal channels so an appropriate investigation can be conducted.
     
  2. Implement an effective training program on how your employees should use social media, with emphasis on areas of particular concern for your company, which may include, for example, protecting the privacy interests of your company clients, complying with FINRA/SEC social media guidelines, antitrust compliance, not disclosing confidential, proprietary information, and brand protection.
     
  3. Update your e-discovery approach and make sure that you include social media activity and cloud computing because it is discoverable.
     
  4. Update your document retention policy to make sure you are capturing and storing the social media activities of your company, and don’t forget employees conducting business from their smartphones and tablets.
     
  5. Update your Sarbanes-Oxley Act compliance program to ensure that financial information posted on your Facebook fan page, Twitter, website, etc., is updated to reflect material changes in financial condition and operations. Do not release financial information on social networking sites that you have not also published in a press release.
     
  6. Audit the social media activity of potential targets for mergers and acquisitions to identify any legal risks and liabilities, including, without limitation, the target failing to comply with the Sarbanes-Oxley Act.
     
  7. Train your HR department, managers and anyone making employment decisions so they do not use information from social networking sites to discriminate against anyone based on protected factors under federal or state law. Set up protocols so protected factors are not considered.
     
  8. Take reasonable measures to protect your trade secrets. Update your confidentiality agreements and computer use policies with employees. Clearly communicate what the company’s trade secrets are and the ways in which use of them is restricted. One of the essential elements for a misappropriation of trade secrets case is that the company has taken reasonable measures to protect its trade secrets, which would include, in the social media era, a social media policy with training for employees so they are not inadvertently disclosing the company's trade secrets.
     
  9. Incorporate privacy protections into your business practices such as data security, the collection of a reasonable amount of information and not more, sound retention practices (not an unduly long period of time), and data accuracy (so misinformation is not reported on consumers).
     
  10. Review the FTC guidelines for online endorsements with employees, including the prohibition on employees giving reviews for the company’s products (or the products of its competitors) without disclosing their biased relationship with their employer company.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)

 

Is Your Company's Social Media Launch Ahead Of Its Compliance Program?

By Michelle Sherman

Many businesses are still coasting along enjoying the marketing advantages of social media without making sure they have a good compliance program in place. Of the companies with a Facebook fan page or Twitter account, roughly 65 percent would admit they do not have a social media policy. For companies with a social media policy, many of those policies have been lifted from online samples that may be overbroad, and include provisions that have been challenged with some success in court.
 

"Penny wise and pound foolish," companies are not having their social media business practices reviewed by knowledgeable legal counsel. Companies invest time and money putting together a Facebook fan page that is promoted throughout the company without training their employees on the Do's and Don'ts of posting comments on the fan page, or using social media in general.

Another risk of social media was highlighted by settlements that the FTC reached with Twitter and Google concerning shortcomings in their privacy guidelines. The consent decrees reached by each of the companies highlight how seriously the FTC takes the safeguarding of consumer information. In the case of Twitter, the FTC put the responsibility for hackers gaining administrative access to Twitter personal accounts on Twitter. One hacker gained access to non-public information such as users' email addresses and mobile phone numbers. The same hacker changed the passwords for approximately 45 high-profile Twitter users including President Obama and sent phony tweets from those accounts.

The hacker found his way into the system because Twitter did not have a feature that is commonly used with online stock brokerage accounts, where the system will lock you out after a few unsuccessful attempts to enter the correct password. The hacker used an automated password-guessing tool that submitted thousands of guesses until finding the correct password. The FTC identified other shortcomings in Twitter's security system, including: (1) not requiring that passwords be unique and different from what a Twitter employee, who also had administrative control of the Twitter system, used to access third-party programs and networks; (2) not requiring periodic changes of administrative passwords; and (3) not requiring that Twitter passwords in personal email accounts be stored encrypted instead of the plain text that some Twitter employees used.

The FTC framed the complaint as Twitter not living up to its representations to consumers on its security practices. Twitter's privacy policy stated, "Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access."

Twitter settled with the FTC and agreed, among other things, to establish and maintain a comprehensive information security program so that nonpublic consumer information cannot be hacked into. This information security program will be assessed by an independent third-party auditor every other year for the next ten years. Twitter must also maintain records regarding its privacy practices and policies. Each violation of the settlement order may result in a civil penalty up to $16,000.

The recent Google Buzz settlement is a perfect example of a company forgetting to read and take into account its own privacy policy. Google's Gmail privacy policy assured users of its email service that the information was being stored for the user's purposes, and that Google would seek permission in advance of using the user's personal information for a different purpose.

The FTC alleged that, in launching Google Buzz, a social networking platform that Google hoped would compete with Facebook, Google tried to create instant networks of friends for its users by pulling from their email contact lists without considering that this information may be very sensitive to the individual users (imagine clients of therapists and attorneys, abusive ex-husbands, children, and job recruiters).

As a result, Google has had to enter into a comprehensive settlement that goes beyond the current regulatory requirements, and will likely hamstring Google's efforts to compete with Facebook and other social networking sites that are not subject to similar restrictions. Among other things, Google must get affirmative consent to any new or additional uses of previously collected data. Google must also implement a comprehensive privacy program that is reduced to writing, and includes an employee designated to manage the privacy program; and implement privacy controls and procedures with regular audits to make sure it is effective. Every two years, Google must have an independent auditor review the privacy program and prepare a written report. Google must comply with this comprehensive privacy program for 20 years, and that time period can be extended if Google violates the settlement consent order.

These FTC consent orders underscore the importance of making sure companies have their social media practices reviewed by knowledgeable legal counsel, risks identified and addressed, employees trained on correct usage, and new social media marketing strategies coordinated with legal counsel.



 

'Astroturfing' With Fake Reviews Exposes A Company to Legal Risk

By Michelle Sherman

Web businesses have fueled the natural cynicism that consumers have when reading online reviews. There are too many reported instances of businesses or PR firms using employees or paid reviewers to post glowing reviews and, in addition, to mark negative reviews of their respective businesses as unhelpful.
 

In a letter to the Ethicist column in the NY Times (August 1, 2010), "Name Withheld" in Dallas wrote that when his company releases a new iPhone application, "our boss urges the staff to download it at the App store and give it a five-star rating, even employees who don't own a device that can run it." The employee believes fake reviews are wrong, and that his boss should not pressure employees in this way. However, the employee is torn because he wants to support his company. The Ethicist, Randy Cohen, lists several ways in which it is an unethical request for a company to make, including: (1) nobody should review an app they have not actually used; and (2) no one can review something on which their paycheck depends, or their work buddies developed, since it is an obvious conflict of interest. What the Ethicist failed to say is that fake endorsements could also expose the company to legal liability.

Businesses need to understand that planting fake reviews may violate the Endorsement and Advertising Guidelines (Guidelines) issued by the Federal Trade Commission (FTC), and amended last year to expressly apply to the Internet. "Fake reader reviews would violate section 255.5 of the FTC guidelines on the use of endorsements and testimonials in advertising," asserts Frank Dorman of the FTC.

Further, fake reviews have resulted in monetary sanctions and other penalties against the businesses posting them. In July 2009, the plastic surgery outfit Lifestyle Lift reached a settlement with the New York State Attorney General's office over the publication of numerous reviews purportedly submitted by very satisfied clients. According to a release from the AG's office, Lifestyle Lift actively encouraged its employees to post glowing reviews of their cosmetic surgery experiences on Web sites and message boards. Some employees even went so far as to set up their own Web site, with one using the URL "MyFaceLiftStory.com". The AG's office also released part of an internal email in which Lifestyle Lift told its employees: "Friday is going to be a slow day - I need you to devote the day to doing more postings on the web as a satisfied client." Lifestyle Lift agreed to pay $300,000 in penalties and costs, and to take other remedial actions. In a press release, the AG's office said the action was "a strike against the growing practice of 'astroturfing,' in which employees pose as independent consumers to post positive reviews and commentary to Web sites and Internet message boards about their own company."

More recently, the FTC settled charges for deceptive advertising against the California marketing company, Reverb Communications. The FTC alleged that Reverb paid its employees to write and post positive game reviews of clients' games in the Apple iTunes store without disclosing that they were being paid for their reviews. According to the complaint, Reverb employees posted positive reviews about clients' games from November 2008 to May 2009. The reviews would give the respective games 4 to 5 stars, and describe the game as an "amazing new game," or "one of the best apps just got better." The reviews were posted under account names that would give consumers the impression that they had been placed by ordinary buyers. The complaint states that Reverb was paid a portion of the sales by its game developer clients.

These charges are some of the first to be filed under the amended version of the FTC Guidelines. These Guidelines were amended last year to apply explicitly to Internet endorsements. The Guidelines apply to bloggers, and anyone writing reviews on Web sites or promoting products through Facebook and Twitter.

While the FTC did not condition its settlement on Reverb paying monetary sanctions, the case was clearly a well-publicized warning that deceptive reviews will not be tolerated.

The negative press from an FTC action for false advertising can also destroy the trust and credibility that businesses work hard to build but can lose easily. In addition, an employee who is fired down the line now has a possible legal claim in which she can argue that she was fired in retaliation for not posting misleading reviews. Put simply, astroturfing with fake reviews is a bad idea.

While the Guidelines and how they are applied in some instances can vary depending on the facts of a particular situation, the FTC has sought to draw some bright lines. Businesses and advertisers involved in online marketing "[s]hould not pass themselves off as ordinary consumers touting a product, and endorsers should make it clear when they have financial connections to sellers," as succinctly stated by Mary Engle, Director of the FTC's Division of Advertising Practices.


Why Every Business Should Have A Social Media Policy

By Michelle Sherman

Words matter. Words can come back and bite you. Think before you speak. These are all self-evident truths that no one is likely to dispute. Yet, we continue to see examples of people, who should know better, doing just the opposite. This is especially true in the context of electronic communications – first, in work emails, and now, on social media websites. If it were a simple matter of personal embarrassment alone, then there would be no need for this article. This is not the case, however.
 

Social media - Tweets, Facebook posts, LinkedIn updates - can have real legal and economic consequences for businesses. A post may seem as innocent as an employee expressing a personal opinion. However, if the person describes herself as working for a particular company, and then speaks on a highly controversial subject, her post could damage the "good will" of the company. Or, the poster may be recommending a product to all of her Facebook friends without sharing that she happens to work for the product manufacturer in violation of fair advertising practices.

1. A Social Media Policy Is A Good Way To Show Compliance With The Federal Trade Commission's Revised Endorsement Guidelines.

In the last year, businesses have increasingly recognized the need for a social media policy. First, the Federal Trade Commission revised its "Guides Concerning the Use of Endorsements and Testimonials in Advertising" ("Endorsement Guidelines") to make it clear that, in some contexts, truth-in-advertising principles may apply to social media posts: (1) endorsements should not be misleading; and (2) non-obvious connections between the endorser and the marketer of the product should be disclosed if they would reasonably affect how much weight a consumer places on the endorsement. 

The connection may include the endorser being paid or receiving some quid pro quo from the product being endorsed, and this needs to be disclosed. For example, reviews on social media sites such as Yelp should disclose if the reviewer also happens to be an employee of the business, or if the reviewer is swapping positive reviews with another business owner, or is receiving anything of value in return for their positive review. Similarly, the Endorsement Guidelines would require someone who tweets about a product to disclose if the poster is being paid to endorse the product. 

More significantly for businesses, the FTC recognized in its Endorsement Guidelines that a business cannot realistically oversee all of the social media posts by its employees, and ensure that they do not violate the Endorsement Guidelines. The FTC has stated that the employer should not be held liable in this situation if: (1) the employer has a social media policy concerning the "social media participation" of its employees; and (2) the established company policy adequately covered the "rogue" employee's conduct. 

Thus, the company can show that, despite its best efforts, the employee violated the Endorsement Guidelines, and the company should not be held liable for the employee's unauthorized acts. In order to do so, however, the employer also needs to establish procedures to monitor compliance with its social media policy. The FTC declined to say how the monitoring should be done, but put the onus on companies to determine for themselves what would best satisfy their legal responsibilities in the context of their business.

2. Businesses Can Better Protect The Value of Their Brand By Ensuring That Employees Do Not Post Unflattering Material In Association with The Business.

Second, businesses should have a social media policy in order to protect the considerable investment they have made in their "brand" and reputation in the marketplace. A social media policy is a proactive way for a business to try to keep its employees from posting on controversial subjects, with the business suffering by association.

A perfect example of this was headline news a few weeks ago: the CNN reporter who was fired after she posted on Twitter that she had a lot of respect for a recently deceased Hezbollah leader: "Sad to hear of the passing of Sayyed Mohammad Hussein Fadlallah.. One of Hezbollah's giants I respect a lot. #Lebanon."

Octavia Nasr described herself in her Twitter profile as a 25-year veteran of the news business, and the CNN Senior Editor of Mideast Affairs, thereby turning the personal into a reflection on her news agency, CNN. The association with CNN was further highlighted by her Twitter name, which was octavianasrCNN.

Ms. Nasr tried to explain the reason for her post a few days later. She said the 140-character limit on Twitter made her message too "simplistic." Her excuse came too late. The damage was done. She was forced out of her job because a single misguided tweet was seen as compromising her position as a CNN reporter.

The immediate public outcry was directed against CNN as well. The Simon Wiesenthal Center called on CNN to make a formal repudiation of Ms. Nasr’s comments. On the other end of the scale, editorials have criticized CNN as being hypocritical in its editorial standards, and for caving in to pressure from the Jerusalem Post and conservative blog site NewsBusters. Put simply, Ms. Nasr's tweet has had a negative effect on the public perception of CNN.

On the same day as Ms. Nasr's post, CNN issued its own statement through a spokesman: "CNN regrets any offense her Twitter message caused. It did not meet CNN’s editorial standards. This is a serious matter and will be dealt with accordingly." 

This statement, however, does not go to the essence of the problem. Ms. Nasr was not submitting an article that needed to satisfy the editorial standards of CNN. What was absent from this statement, and is the best long-term solution for this type of problem, is the implementation and enforcement of a social media policy.

3. The Bare Bones For Any Social Media Policy.

Every business should have a social media policy. The posts of your employees reflect on your business, and can result in negative impacts to it. The damage can range from harm to the company's brand and public perception of it to legal consequences such as loss of trade secret protections, unfair competition and deceptive advertising. A social media policy should include the following bright line rules: 

DO'S:

  1. Stop and think how your post will reflect on your company and its clients or potential clients.
     
  2. Do assume that no matter how restrictive your privacy settings, your posts may become public. Litigation attorneys, professional colleagues, prospective clients and employers are searching these sites for information gathering purposes.
     
  3. Cooperate with your company in monitoring the social network sites by providing a current list of the sites you are using if you are associated with the company in any way on the site. This is not intended to discourage employees from using social media sites. The company favors the use of social media in general provided it is in accordance with all governing laws.
     
  4. Be transparent. Make clear that any opinions you express are your own, and not the views of your employer – don't associate your position at the company with your opinion.
     
  5. Use privacy settings. 
     
  6. Maintain business confidences by not posting information that may reveal confidential information – a deal that you are working on, a customer the company is pursuing, a new product that is being developed.
     

DON'TS:

  1. No discriminatory or harassing posts.
     
  2. Do not divulge any non-public private information.
     
  3. Do not endorse the company's products without having your message reviewed by the company's marketing department, and approved for content and necessary legal disclosures. This is necessary to ensure compliance with the FTC Endorsement Guidelines.
     
  4. Do not post defamatory content – don't insult your competition.
     
  5. Do not embarrass and disparage the company.
     
  6. Do not violate the privacy rights of other people by posting their personal image without their permission, or sharing their personal information.


And, finally, businesses should recognize that an effective social media policy is tailored to the particulars of the business for which it is being adopted. Consult with an attorney who is well versed in social media and the laws governing it, so an effective policy can be prepared and implemented.

This article was originally posted on Sheppard Mullin's Covering Your Ads blog, which can be found at www.coveringyourads.com.
 