I’ll be speaking on December 18 at a half-day seminar on “Ethics and Social Media: What Attorneys Need to Know.” The seminar is good for 3.0 hours of Hawaii MCPE credit and 3.0 hours of California CLE credit. You might be interested in attending if you have questions like:
- What are the rules on legal advertising on social media?
- Should lawyers even set up a social media account?
- Who should I friend on Facebook?
- What are the do’s and don’ts of tweeting?
For more information or to register, click here.
Photo by Ian Lamont (CC BY 2.0) via Flickr
You’ve probably heard of BYOD (Bring Your Own Device). But do you know about BYOC? It stands for Bring Your Own Cloud, and it’s more prevalent than you might think.
Cloud storage services like DropBox, Google Drive, and SkyDrive sport features that are attractive to an increasingly mobile workforce. They provide gigabytes of storage for free. Files in the cloud are accessible anywhere with an internet connection. Changes to a file in a cloud account are synced across all devices with access to the account. It’s not difficult to see why cloud services are gaining popularity among individuals and companies alike.
Therein lies the problem. Because personal cloud accounts are so handy and easy to set up, an employee can create a security risk for a company in a matter of minutes. An employee can essentially connect the organization to the cloud without the company’s knowledge via a private cloud account. This enables the transfer of confidential company data to a location outside the company’s reach.
ComRent International, LLC v. Palatini, 2013 WL 5761319 (E.D. Pa. Oct. 24, 2013), involved such a scenario. ComRent hired Clayton Taylor to serve as a vice president of product development. Taylor primarily worked on matters related to Experium, a company that he co-founded and of which he was a minority owner. Taylor set up a Google Drive account to store, access, and edit all of Experium’s intellectual property and confidential commercial information. Only Taylor knew the username and password necessary for the account. When ComRent hired an engineering firm to consult on options for the future of Experium, Taylor refused to grant the firm access to any of Experium’s intellectual property, believing that ComRent might appropriate the intellectual property for itself. As a result, ComRent terminated Taylor and filed a lawsuit seeking access to the Google Drive account containing Experium’s corporate files.
Here are some tips for avoiding problems with unauthorized use of personal cloud storage accounts by employees.
Set a Policy: Remaining silent—and therefore ambiguous—about the organization’s stance on cloud storage can lead employees to believe they may use personal cloud accounts for work purposes without letting management know. To eliminate such misconceptions, set a policy on whether or not the organization will use cloud storage. If the decision is yes, then adopt measures to ensure responsible use of cloud storage. If the decision is no, then clearly communicate to employees that storing work data in a personal cloud account is against company policy.
Maintain Control: If an organization decides to use cloud storage, it should retain control over the information necessary to access the cloud storage account (e.g., login credentials). It is advisable to create an account under the organization’s name for official work purposes instead of allowing employees to use their personal accounts.
Restrict Unauthorized Cloud Services: Consider restricting access to private cloud storage sites from any device that can also access company data, including mobile devices, through the use of blacklists, proxies, and other network security measures. This will prevent the transfer of work files to a private cloud account. Organizations with BYOD programs might find it challenging to eliminate all access to private cloud services, but it is worthwhile consulting with the IT department about the feasibility of implementing such restrictions.
Retain Ownership: Make it clear that company information remains property of the company regardless of where it is stored. It’s also a good idea to have employees sign written non-disclosure agreements.
Stay safe in the cloud!
Working remotely has never been easier thanks to the proliferation of mobile devices like smartphones and tablets. Enabling employees to do work outside of the office and standard work hours can be a boon for productivity, but it carries a legal risk for employers: unexpected claims for overtime pay. Under the federal Fair Labor Standards Act (FLSA), non-exempt employees must be paid overtime compensation for work they perform for the employer’s benefit in excess of forty hours in any workweek. Work done remotely, such as responding to emails on a smartphone or drafting a report on a laptop at home, could push an employee’s work hours in a given week beyond the forty-hour threshold. FLSA violations can occur unexpectedly because an employee need not have been asked to work beyond the 40-hour workweek to be entitled to overtime pay.
Two cases illustrate the risk of allowing employees to work outside of the office using mobile devices. In Allen v. City of Chicago, a Chicago officer sued the Chicago Police Department under FLSA for requiring him to work “off the clock” using a department-issued Blackberry device without receiving overtime pay. A Chicago federal district judge conditionally certified a collective action to allow 200 similarly situated officers to join in the lawsuit.
In O’Neill v. Mermaid Touring Inc., the former personal assistant of pop artist Lady Gaga, Jennifer O’Neill, sued for overtime compensation under FLSA. O’Neill alleged that she worked 24/7 because she was expected to have her phone on in order to respond to Lady Gaga’s calls at any time of the day. A New York federal district judge recently denied the defendants’ motion for summary judgment that O’Neill’s on-call time is not compensable, thus setting the stage for trial in the case to begin on November 4.
Allen and O’Neill highlight the need to institute clear policies spelling out the authorization an employee must obtain working remotely with a mobile device. Organizations that allow employees to use mobile devices for work purposes should require employees to keep track of the time they work remotely or consider installing software on that employee’s mobile device that automatically performs such a timekeeping function. Taking proactive measures to manage mobile device usage at work is crucial to preventing employees from secretly racking up overtime hours and then demanding compensation for it.
Social media can be risky business. Whether an organization embraces or ignores social media, it or its employees probably already have a presence on a social network. That simple reality can be costly for an organization without proper measures in place to deal with the risks of social media misconduct. Readers of this blog are familiar with cases where business saw their reputations marred by employees who post embarrassing photos online about work mishaps or found themselves in legal trouble for firing an employee who vented on Facebook about a co-worker.
To help organizations manage the risks of social media activity, I’m proud to introduce SM Safety, a new line of services offered by my law firm. The approach of SM Safety can be summarized in three words, each corresponding to a level of service that meets a particular need: checkup, plan, and audit.
A SM Safety Checkup is a low-cost way to ensure that an existing social media policy is legally compliant and effective.
A SM Safety Plan is for organizations who need assistance with preparing a new social media policy or enhancing an existing policy.
A SM Safety Audit is a comprehensive review of an organization’s overall presence in the social media space to identify exposure to legal risks due to social media use.
Each SM Safety service is offered for a flat fee. To learn more about SM Safety or to obtain a quote, visit the SM Safety Services page on this site.
Facebook comments about condition of company vehicles are protected under the NLRA; a Facebook rant about fake problems with the company car, not so much – Butler Medical Transport, LLC, 2013 WL 4761153 (N.L.R.B. Div. of Judges)
A recent decision by a National Labor Relations Board (NLRB) Administrative Law Judge (ALJ) gives employers insight on when they can and cannot fire an employee for their social media conduct outside of work. Particularly interesting is the fact that this decision involved two separate terminations, one of which the ALJ found illegal, and the other not.
The Norvell Termination
William Norvell worked as an emergency medical technician for an ambulance company, Butler Medical Transport (Butler). While on his personal computer at home, Norvell read a post by a co-worker (Zalewski) on her Facebook page stating that she had been fired. Zalewski attributed the firing to a patient report to management that she complained about the condition of Butler’s ambulances. Several people, including another Butler employee, posted comments inquiring into the incident, to which Zalewski responded with more posts about the patient’s report. Norvell responded to Zalewski with this comment:
“Sorry to hear that but if you want you may think about getting a lawyer and taking them to court.”
Another person posted a comment suggesting that Zalewski find a job with another ambulance company. After Zalewski asked where the company was located, Norvell posted the location and added, “You could contact the labor board too.”
Butler’s HR director obtained hard copies of these posts, and in consultation with the COO, decided to terminate Norvell. The HR director told Norvell that he was being terminated for violating Butler’s bullet point list of work rules, one of which prohibited employees from using social networking sites that could discredit Butler or damage its image.
The ALJ determined that Norvell’s Facebook posts were protected concerted activity. By advising Zalewski to see a lawyer or contact the labor board, Norvell was “making common cause” with a co-worker about a matter of mutual concern to the employees, i.e., the condition of Butler’s ambulances. Norvell’s posts had protected status even though they were accessible to people outside of the company because Section 7 of the National Labor Relations Act (NLRA) extends to employee efforts to improve the terms and conditions of employment through channels outside of the employer-employee relationship. The ALJ did not find posts to be so disloyal, reckless, or maliciously untrue as to lose their protected status. The termination of Norvell based on his Facebook posts therefore violated Section 8(a)(1) of the NLRA.
The Rice Termination
Another Butler employee, Michael Rice, posted this comment on Facebook:
“Hey everybody!!!!! Im fuckin broke down in the same shit I was broke in last week because they don’t wantna buy new shit!!!! Cha-Chinnngggggg chinnng-at Sheetz Convenience Store,”
Butler terminated Rice for making this post. At the trial hearing before the ALJ, Butler produced maintenance records showing that Rice’s vehicle was not in disrepair when he made the post. Rice had also testified at his unemployment insurance hearing that his post referred to a private vehicle rather than a Butler ambulance. There being no evidence to the contrary, the ALJ determined that Rice’s post was not protected by Section 7 because it was maliciously untrue and made with the knowledge of its falsity. As a result, Rice’s termination was not illegal.
Legality of Work Rules
Also under scrutiny was the legality of two of Butler’s work rules, one prohibiting the “unauthorized posting or distribution of papers,” and the other requiring employees to acknowledge that they “will refrain from using social networking sights [sic] which could discredit Butler Medical Transport or damages its image.” Butler argued that the rules were not official company policy because they were stated in a bullet point list. The ALJ rejected the argument as making a distinction without a difference. Butler relied on the bullet point rules in terminating Norvell and Zalewski, and new employees were required to acknowledge receipt of the list. As such, employees could reasonably understand that they would be disciplined for failing to follow the rules on the list. The ALJ found that the rules violated Section 7 activity because they prohibited employees from communicating to others about their work conditions.
LegalTXTS Lesson: This case doesn’t break new ground, but it does contain a few important reminders for employers grappling with how far they can go in regulating the social media activity of employees.
1. A policy by any other name … is still a policy. Butler’s failure to convince the ALJ that the bullet point list was not company policy should serve as a reminder that if a company communicates a rule to its employees in writing, expects them to follow the rule, and disciplines them if they don’t, the rule is effectively a policy. It doesn’t matter that the rule appears in a document whose title doesn’t include the word “policy,” or that the wording of the rule is informal.
2. Write it right. Given how easily a supposedly informal rule could qualify as a policy, a company should take care in articulating its work rules in the form of an official written policy. Consult with counsel to make sure the wording doesn’t inadvertently violate the law.
3. Don’t go overboard. The NLRB has consistently frowned upon work rules that flat out prohibit employees from posting content on social media that damages the reputation of their employer, or worse yet, bars them completely from speaking to others about work-related issues, whether on social networking sites or other media. (For examples, see the related posts below). Reject categorical bans on employee speech in favor of rules that focus on creating or avoiding specific results.
4. Context matters. Before disciplining an employee for a social media post, understand the context in which the post was made. Is the post about a work-related issue that other employees have discussed before? Does the post call for co-workers to take action? Asking such questions helps management determine if the post is protected under the NLRA.
NLRB dishes out confusion on social media policies
NLRB sanctions employees who fire employees for online “protected concerted activity”
DirectTV’s work rules invalidated by NLRB