In this issue of Socially Aware, our guide to the law and business of social media, we discuss a recent court decision extending the Communications Decency Act safe harbor to the forwarding of a defamatory email message; provide a status update on the closely watched NLRB case arising from a company's alleged firing of an employee in connection with her Facebook posts; summarize changes to Facebook's "Friend Finder" function resulting from German privacy law concerns; take a look at regulatory constraints on the financial services industry's use of social media; and explore ethical issues arising from the use of cloud computing by attorneys. We also highlight Facebook's new approach to contests and sweepstakes conducted on Facebook pages, and its decision to allow companies to turn user posts into ads. Finally, we provide an eye-popping statistical snapshot of Twitter's success in 2010.
Online Safe Harbor Immunity Extends to Forwarded Email Messages
With the dual — and, some would say, contradictory — aims of both encouraging the unfettered development of free speech on the Internet (in support of e-commerce) and encouraging interactive computer services to self-regulate obscene and offensive material (to aid parental restrictions), the Communications Decency Act ("CDA"), 47 U.S.C. § 230, walks a fine line between promoting and restricting content on the Internet. One of its key tools is to grant broad immunity from defamation and other claims to those who republish the work of others through Internet-based methodologies, such as websites and blogs. In a recent case, Mitan v. A. Neumann and Associates, LLC, No. 08-6154, 2010 U.S. Dist. LEXIS 121568 (D.N.J. Nov. 17, 2010), a federal district court in New Jersey held that the CDA immunized the defendant from liability for forwarding a defamatory email.
The Mitan case presents, in many ways, an easy application of the CDA's immunity doctrine. Acting pro se, Plaintiff and attorney Keith Mitan brought a claim of libel per se against a New Jersey-based business brokerage firm and its principal officer, Achim Neumann, arising from Neumann's republication of an allegedly defamatory email generated by a third party. The "Mitan Alert" email, forwarded to Neumann by a broker in Virginia, detailed the allegedly shady business dealings of the Mitan family, including a passing reference to the plaintiff, and embedded family photographs within the text accompanied by the screaming caption, "MITAN ALERT!!! HAVE YOU SEEN THESE PEOPLE?" The Virginia broker added introductory comments to the email before forwarding it to the defendant, warning him about the activities of the plaintiff's brother, but not the plaintiff himself. Neumann then forwarded the email chain to other business associates, prefacing it with the following: "He is our guy, a known convicted federal felon. Tried several deals before with other companies, supposedly tried this out-of-the country store before . . . ." Based on this act, the plaintiff claimed that Neumann was liable under a theory of libel per se, which covers statements that ascribe criminal behavior to an individual.
On summary judgment the defendants argued, among other things, that the plaintiff's claim was barred by the CDA, an argument that the court found convincing. According to the court, there was no doubt that, under the statute's terms and in line with California and New Jersey precedent, Neumann was a "user of an interactive computer service" as set forth in the CDA. As a user of an interactive computer service, the CDA prohibited Neumann from being considered a publisher or speaker of information provided by another person. Because Neumann's only addition to the Mitan Alert email chain concerned the plaintiff's brother and not the plaintiff, the plaintiff's entire claim rested entirely on Neumann's act of forwarding the text of the Mitan Alert to others. Even the plaintiff did not contend that Neumann was the originator (or, in CDA terms, the "information content provider") of the Mitan Alert. Under these facts, the court found that Neumann's actions were squarely within the safe harbor of the CDA: "[A]s the downstream internet user who received an email containing defamatory text and 'simply hit the forward icon on [his] computer,' Neumann's acts are shielded by the CDA, and Plaintiff's libel claim against Neumann is necessarily preempted under 47 U.S.C. § 230(e)(3)."
The case might have been closer had Neumann's introductory text said something about the plaintiff himself. Other courts dealing with the application of CDA immunity to forwarded emails, like the California Court of Appeal in Phan v. Pham, 105 Cal. Rptr. 3d 791 (Cal. Ct. App. 2010), cited in the Mitan case, have been forced to consider what level of active contribution to the creation of a defamatory email, such as by introductory text or forwarding commentary, is required before a provider or user of an interactive computer service will cross the line into liability. The Mitan case presented no such complexities, but email users might be wise to consider such issues before assuming that the CDA makes forwarding potentially defamatory emails completely risk free.
NLRB's "Facebook Firing" Case Settles
In the December 2010 issue of Socially Aware, we discussed the complaint issued by the National Labor Relations Board ("NLRB") against an employer that allegedly terminated an employee for making derogatory remarks about her supervisor on the employee's Facebook page. The complaint alleged, among other things, that this termination was in violation of federal labor law, that the company's social media policy was "overly broad" because it prohibited employees from posting disparaging remarks about the company, and that enforcement of this policy interfered with employees' rights to engage in concerted activity.
This case received significant media attention because it applies a well-established legal theory to a new context. Although it is long settled that employees have the right to engage in discussions about their wages, hours, and working conditions, this case signals to both union and nonunion employers that this right extends past the physical workplace and onto its employees' Facebook pages. Further, this case warns employers of the NLRB's intent to protect employees' use of the Internet as a forum to engage in concerted activity, even where the protected content is less than respectful.
On February 7, 2011, the NLRB announced that it entered into a settlement agreement with the company. Although the agreement was not released, public reports indicate that, as part of the settlement, the company agreed to change its "overly broad" social media policy to ensure that it does not interfere with employees' right to engage in concerted activity such as discussing their wages, hours, and working conditions. The company also agreed not to discipline employees for engaging in such activity and not to deny employees' requests for union representation or discipline them for making such requests. The employer separately settled with the terminated employee, but the terms of that agreement remain private.
Employers should remain aware of employees' right to communicate with one another regarding their wages, hours and working conditions, and their ability to do so over the Internet and still come under the protection of federal labor laws. Further, employers will want to keep this lesson in mind when drafting social media policies, so as to ensure that such policies will not be construed as interfering with protected employee rights.
The More Things Change: Regulated Financial Firms in the Age of Social Media
As chronicled in past issues of Socially Aware, social media is transforming the way that businesses communicate with their customers, with companies across most industries rushing to establish a presence on Facebook, Twitter, and other social media platforms. The financial services industry, however, is heavily regulated and, as a result, has been more cautious than other, less regulated industries in embracing Web 2.0, and for good reason.
For example, a traditional area of focus for the Financial Industry Regulatory Authority ("FINRA") has been the communications of its member firms and their employees with customers or potential customers. It has required that members retain records of communications that relate to its business as a broker-dealer and, if a communication constitutes an investment "recommendation," it triggers the rules governing "suitability" of such investments.
In the past, FINRA has issued guidance that made clear that these requirements apply to communications in interactive Web sites and interactive electronic forums, such as Internet "chat rooms." Nevertheless, FINRA members asked the organization review and offer guidance on the applicability of these requirements in the context of social media Web sites. In a response, FINRA has it made clear that while common forms of communication may be changing, FINRA's rules are adaptable, and still apply with the same force.
In 2010, FINRA issued a Regulatory Notice (10-06) (the "Notice") regarding the use of social media. The first, and perhaps most important, principle established in the Notice is that "[t] he content provisions of FINRA's communications rules apply to interactive electronic communications that the firm or its personnel send through a social media site." The same rules that governed FINRA members' use of chat rooms and other earlier forms of interactive Web sites also govern their use of Facebook, Twitter, and other social media platforms.
Therefore, firms are required to retain records of the communications made for business purposes, including communications made by a firm or its personnel using social media Web sites. To the extent the communication constitutes a "recommendation" to make an investment, the content of that communication is subject to the suitability requirements governing any other such communications. And firms are required to monitor these communications in a manner reasonably designed to ensure that these requirements are not violated. They must adopt policies and procedures so that their employees are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors.
FINRA notes as well that firms should consider restricting the use of social media by any employee who has "presented compliance risks in the past" and consider policies that address situations in which the firm's supervisory systems demonstrate compliance risks. And firms should take disciplinary action if the firm's policies are violated.
FINRA's approach in the Regulatory Notice is very practical, instructing member firms that FINRA's rules continue to apply in this evolving area, while making clear that a firm is free to design an effective supervisory compliance system of its choosing. Much like FINRA's communications rules, that compliance system should be both tough and adaptable to circumstances specifically associated with the rapidly changing world of social media.
Facebook Modifies Its "Friend Finder" Function to Accommodate Hamburg's Data Protection Authority
Facebook has reached a compromise with the Hamburg Federal Data Protection Office, Germany, after long negotiations regarding Facebook's use of personal information imported via its "Friend Finder" function. Friend Finder enables Facebook users to find new "friends" by sending unsolicited emails to individuals listed in the user's personal electronic address book, including those who are not members of the online social network.
According to media reports, Facebook has agreed to ensure greater transparency and to better inform users about how to manage personal information and privacy settings when using Friend Finder. In particular, Facebook has agreed to inform users that, if they choose to upload their electronic address books to Friend Finder, Facebook will store the information contained in such address books, and may use this information to generate email solicitations to join Facebook. Facebook has also agreed to include a clearly-displayed opt-out link in its unsolicited email messages, and will no longer include photographs from user profiles in such email messages.
The agreement with the Hamburg Federal Data Protection Office follows a high number of complaints regarding Friend Finder, including from the German Federal Consumer Protection Association. However, a key issue surrounding Facebook's importation of user data via Friend Finder remains open: Although Facebook agreed to store imported data in hash value format (i.e., not in plain text), Facebook refused to agree to stop importing such data altogether. The Hamburg Federal Data Protection Office continues to pursue this issue, and the office's head, Johannes Caspar, stated in a January 24, 2010 German-language press statement that he hopes "Facebook maintains the readiness for cooperation" that it demonstrated in this first round of talks.
Stormy Weather: Legal Ethics and Cloud Computing
As companies seek to generate cost savings by moving their data to third-party vendors for storage in "the cloud", their law firms, battered by the global recession and focused on expense reduction, are taking a similar interest in cloud storage models. Such models, however, present potential ethical issues for lawyers; the primary concern arises from whether a lawyer's storage of information and documents incorporating client confidences in a third-party cloud environment can place such lawyer in breach of his or her ethical obligations to such client.
Until recently, attorneys who used cloud-based services could find little guidance on these risks (aside from principles gleaned from data privacy laws), and much of it indirect. For example, Section 1.6 of the American Bar Association's Model Rules of Professional Conduct forbids a lawyer from revealing information related to his or her representation unless, inter alia, the client gives "informed consent" or "the disclosure is impliedly authorized." Similarly, Section 1.15 of the Model Rules requires that a lawyer "appropriately safeguard" any property received by a client for safekeeping. Individual states, however, are beginning to provide specific guidance to attorneys interested in taking advantage of cloud storage models; to date, the bar associations of Alabama, California, New York, and North Carolina have all issued opinions on this timely topic.
The New York opinion, N.Y.S.B.A. Eth. Op. 842 NY, permits data storage in the cloud so long as lawyers "take reasonable care to ensure that client confidentiality will be maintained." As part of this duty of reasonable care, lawyers "should stay abreast of technological advances ... and should monitor the changing law of privilege to ensure that [online storage] will not cause loss or waiver of any privilege." The opinion further provides that "reasonable care" requires an investigation into particular security and operational aspects of any cloud service provider employed.
Similarly, the California Bar's decision, Formal Opinion Interim No. 08-0002, looks to the security of the service provider to establish reasonableness; but, unlike New York's opinion, California's requires attorneys to account for the legal ramification to any third party who intercepts the information, the degree of sensitivity of the information stored, the urgency of the situation, and the client's instructions.
These opinions are likely to influence the American Bar Association, which, on September 20, 2010, released an issues paper seeking comment on cloud computing and the digital storage of documents (for example, on flash drives and laptops). The issues paper describes a number of possible solutions, perhaps the most drastic being a potential amendment of the Model Rules, specifically Sections 1.1, 1.6, and 1.15, to accommodate cloud computing. Further, the ABA is seeking advice on whether cloud computing should be considered a form of outsourcing; if so, lawyers could have ethical obligations to supervise cloud service providers in the same manner in which they would be required to supervise nonlawyer independent contractors.
In response, the Legal Cloud Computing Association LCCA), a consortium of cloud service providers, offers one of the more comprehensive assessments of the impact of cloud computing on the legal industry. In its response to the ABA, the LCCA calls for the establishment of online resources describing best practice guidelines; the development of technology standards for legal cloud service providers, focusing on data security and fidelity; and a model terms of service for cloud computing providers, to ensure that all rights in the data are retained by the client, and that data will remain accessible and secure. Further, the LCCA's paper argues that cloud legal services should not be considered outsourcing, for the simple reason that most lawyers lack the technical skills to supervise cloud providers in a meaningful manner.
For attorneys and law firms interested in taking advantage of the cost benefits offered by cloud computing, they will want to monitor these developments closely to ensure compliance with their ethical obligations. Similarly, companies retaining legal counsel may wish to explore the data storage practices of such counsel.
Facebook Revamps Its Promotions Guidelines
Promotions and contests on social media platforms are becoming an increasingly important way for companies to reach their customers. It has been reported that half of all Internet users enter contests or sweepstakes at least once a month, and that companies that run contests or sweepstakes have twice as many fans on their sponsored social media pages as those who don't. As valuable as such promotions may be, however, many have complained that the terms that some social media sites impose on contests and sweepstakes are overly restrictive. It is no surprise, therefore, that Facebook's announcement on December 1, 2010, that it was releasing new and more permissive Promotions Guidelines has generally been met with enthusiasm, particularly the announcement that companies will no longer be required to obtain written approval before running a promotion. While the new Promotions Guidelines are more user friendly and less restrictive than the previous incarnation, however, other Facebook policies, such as Facebook's Statement of Rights and Responsibilities, have not yet been similarly updated, leading to potential inconsistency and confusion.
Facebook highlighted some of the recent changes in the Promotions Guidelines on its wall, including that "[w]e no longer require prior written Facebook approval to administer a promotion on Facebook." Facebook's Statement of Rights and Responsibilities, however, still requires Facebook's prior written consent before offering any promotion: "You will not offer any contest, giveaway, or sweepstakes . . . on Facebook without our prior written consent." Facebook may clear this up in the next iteration of the Statement of Rights and Responsibilities, but, for the time being, the two Facebook policies are in direct conflict, particularly given that the Promotions Guidelines specifically incorporate the Statement of Rights and Responsibilities. That said, some social media agencies have taken the new Promotions Guidelines at face value and are creating and launching promotions for clients without first obtaining approval from Facebook. Given the inconsistency in Facebook's policies, however, some companies may wish to seek further clarification from Facebook before launching a new promotion, in order to minimize the risk of Facebook sanctions for noncompliance.
Another interesting and potentially confusing aspect of Facebook's announcement was the statement that "[w]e no longer require a minimum media spend threshold to support the promotion." In fact, however, the prior version of the guidelines did not explicitly impose a minimum ad spend for a promotion. Instead, the original guidelines merely stated that a promotion required prior written approval from an account representative. This requirement may have imposed a minimum spend requirement in practical terms, however, because it has been reported that the only way to get access to an account executive is to spend roughly $10,000 on Facebook advertising. In any event, whatever Facebook's actual policy regarding ad spend was under the old guidelines, it seems clear that there is no such requirement under the updated Promotions Guidelines.
Like It or Not? Facebook Allows Advertisers to Republish User Posts as Ads
Facebook's recently announced "Sponsored Stories" advertising program lets advertisers promote user activity – such as "like" clicks on a company's brand page or checks-ins at a company's locations – so that the activity appears on the right rail of the user's friends' news feed page. In the past, when a user "liked" Volkswagen or checked-in to a Starbucks store, that activity might have appeared in the user's friends' organic news feeds. With Sponsored Stories, Volkswagen and Starbucks can promote these clicks and check-ins to make sure that all of the user's friends see that activity. Facebook says Sponsored Stories "let advertisers take these word-of-mouth recommendations and promote them".
The Sponsored Stories program does put some limits on such promotion. In particular, a user's activity relating to a brand can show up as a Sponsored Story only for that user's friends. According to Facebook's video announcement for the program, "a Sponsored Story never goes to somebody who is not one of your friends". Still, some have criticized Facebook's decision not to allow users to opt out of having their posts published as ads. One commentator called the move a quick "bait and switch" after the company's launch of check-ins just five months ago. Another critic elaborates, "What Facebook needs to do, if it wants to speak to its users in a way that shows it really understands them, is to offer Sponsored Stories on an opt-in basis."
Some of these comments echo criticism that Facebook has received over its privacy practices in the past, including with respect to its ill-fated Beacon program. Clearly, however, Facebook is betting that its users will accept Sponsored Stories and that advertisers will see the program as valuable new way to leverage the power of social networking to promote their brands.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved
