Login Lessons From the Hawaii Missile Alert Fiasco

Posted by on Feb 7, 2018 in Employment and Labor, Social Media

Phones across Hawaii lit up at 8:07 a.m. on January 13, 2018 with an alert that a ballistic missile was hurtling toward the state.  Two minutes later, Governor David Ige learned that the alert was mistakenly sent.  But it took another excruciating 15 minutes before the governor took to Twitter to clarify that there was “NO missile threat to Hawaii.”  Why the delay?  Governor Ige later confessed that he forgot his Twitter password.

Companies can learn a lesson or two from the governor’s login woes.  Ready access to login credentials for your company’s online assets is crucial.  Being locked out of your website, social media accounts, cloud services, and other digital assets can seriously damage your company’s operations and reputation.  Securing usernames and passwords is just as important as keeping track of the keys to your office or company safe.

Here are some tips for keeping company login credentials safe and accessible:

1.  Designate a location for storing login credentials.

Employees authorized to set up or modify an online account on behalf of the company should be instructed to store the login credentials in a designated location.  This will prevent a frantic search for account information in mission-critical situations.  The designated location can be a file stored in a specific drive or folder.  If the file is encrypted – a highly recommended practice – make sure the encryption code is stored in a safe place.  In some situations, simply writing down login credentials on a piece of paper can work.  Just make sure the paper is stored in a safe and identified location.

2.  Ensure access to login credentials to those who need it.

Employees who need access to the company’s online accounts should be told where the login credentials for those accounts are stored.  Supervisors of employees who regularly use the account should know where the credentials are stored in case those employees separate from the company.

3.  Develop a protocol for modifying login credentials.

Company policy should clearly articulate procedures for modifying login credentials to company accounts.  For example, employees who make the modifications should be required to inform their supervisor in writing about the change and update the account information stored in the designated location.

4.  Set up accounts with company email addresses.

Employees should not be allowed to use personal email addresses to register online accounts on behalf the company.  Only company email addresses should be used to register accounts.  If the login name or password for the account needs to be reset, a reset confirmation email is typically sent to the email address under which the account is registered.  If the registered email address belongs to an employee, the company might not be able to complete the reset process if the employee (or ex-employee) refuses to cooperate.

5.  Specify ownership of online assets.

Company policy should clearly specify that any online accounts created for the company are owned by the company, not the employee who registered them.  Such a policy is especially necessary for social media accounts, which might seem like they belong to the employee promoting the company using the accounts.

Having login credentials at your fingertips is important to your company’s success, even if the stakes don’t involve warnings of impending disaster.

Read More

Take Control of Negative Online Comments

Posted by on Apr 19, 2017 in Advertising and Marketing, Employment and Labor, Social Media

“Why did you fire my wife?”  Bradley Reid Byrd posted this question on the Facebook page of Cracker Barrel.  Byrd wanted to know why his wife was let go after working for the restaurant chain for 11 years.  The post remained largely unnoticed for about a month until a comedian uploaded a screenshot of it to his Facebook page and his 2.1 million followers.  The internet outrage machine then kicked into high gear.  Multiple hashtags were created (#JusticeForBradsWife, #BradsWifeMatters, #NotMyCountryStore).  Someone started a “Brad’s Wife” Facebook page.  A Change.org petition demanding answers from Cracker Barrel was launched.

Social media makes it easy to channel the furor of the masses against an organization.  The instigator could be anyone with some connection to the organization – a former or current employee, their relatives, or a customer.  What should an organization do if it finds itself at the center of an internet controversy?

Responding to negative online comments is a delicate exercise, and missteps early on can  damage an organization’s reputation tremendously.  From a human resources perspective, the first step is to control who, if anyone, should respond.  Employees should be prohibited from making “rogue” responses on behalf of the organization.  Employers should state this restriction clearly in their social media policy and train employees on the importance of compliance.

After deciding who will handle the response, the next step is figuring out what to say.  The knee-jerk reaction to inflammatory or untrue online comments might be to threaten a defamation suit against the posters, but that can backfire and damage the organization’s reputation even more.  Sometimes the best response is to say nothing and let the controversy pass.

If a response is warranted, consider who the audience will be and how they might respond to it.  Pointing out flaws in the negative comments could be perceived as overly defensive.  On the other hand, respectfully acknowledging the negative comments or posting positive content about to organization could defuse the controversy.

Whatever the response, it should be the product of careful consideration.  On the internet, it takes just a few clicks to set off a firestorm.

 

 

Read More

NLRB Advice Memorandum Provides Guidance on How to Revise an Illegal Social Media Policy

Posted by on Mar 22, 2017 in Employment and Labor, Social Media

On January 1, 2017, the National Labor Relations Board (NLRB) Office of the General Counsel released an advice memorandum (dated September 22, 2016) reviewing the social media policy in Northwestern University’s revised Football Handbook.  The memorandum contains valuable guidance in an area full of uncertainty, as the NLRB has struck down seemingly common sense social media policies because of their potential to chill employees’ rights under Section 7 of the National Labor Relations Act (NLRA) to engage in “concerted protected activities.”  Section 8 of the NLRA prohibits employees from restraining employees from exercising their Section 7 rights.

According to the memorandum, Northwestern voluntarily revised its Football Handbook after receiving a charge alleging that the handbook violated the NLRA.  The advice memorandum reviewed the revised handbook for compliance with the NLRA.  Assuming for the purpose of the review that Northwestern’s football players are “employees” under the NLRA, the advice memorandum concluded that the revised social media policy passed muster.

The memorandum reprinted the original language of the policies along with the revisions in redline, as follows (deleted language in strikeout and new language in bold):

[W]e are concerned about… protecting the image and reputation of Northwestern University and its Department of Athletics and Recreation. . . .

Publicly posted information on social networking websites can be seen may be regularly monitored by any person with a smart phone or internet access, including individuals a number of sources within Northwestern University (e.g., Athletics Department, Student Affairs, University Police). . . .

Northwestern student-athletes should be very careful when using online social networking sites and keep in mind that sanctions may be imposed if these sites are used improperly or depict inappropriate, embarrassing harassing, unlawful or dangerous behaviors such as full or partial nudity (of yourself or another), sex, racial or sexual epithets, underage drinking, drugs, weapons or firearms, hazing, harassment, unlawful activity or any content that violates Northwestern University, Athletics Department or student-athlete codes of conduct and/or state or federal laws.

….

Do not post any information, photos or other items online that contain full or partial nudity (of yourself or another), sex, racial or sexual epithets, underage drinking, drugs, weapons or firearms, hazing, harassment or unlawful activity could embarrass you, your family, your team, the Athletics Department or Northwestern University.

Although the advice memorandum did not elaborate on why the original policy could violate the NLRA while revised policy would not, it provides important clues on drafting lawful social media policies.  The modifications to the policy generally substituted vague terms like “inappropriate” and “embarrassing” with descriptions of the content that the policy prohibits.  For example, the revised policy specifically prohibits social media posts depicting “nudity,” “racial or sexual epithets,” and “underage drinking,” among other things.  The revised policy also eliminated protection of the employer’s “image and reputation” from the description of the policy’s purpose.  In previous guidance, the NLRB has determined that employers may not require employees to refrain from engaging in activity that generally damages the employer’s reputation because that could be construed to prohibit “concerted protected activity” such as criticism of work conditions or compensation policies.

The recent advice memorandum reinforces the need to be precise when drafting a social media policy.  Experienced counsel can assist in identifying the types of social media content that the NLRB has allowed employers to prohibit employees from posting.

Read More

Section 230 of the CDA: An Employer’s New Friend?

Posted by on May 19, 2014 in Defamation, Employment and Labor, Social Media

Employees can get carried away on social media. US Airways learned this the hard way when its employee responded to a customer complaint on Twitter with an obscene picture of a woman and a toy jet. An apology and deletion of the tweet followed an hour later (an eternity in cyberspace). US Airways claims its employee made an “honest mistake,” and the incident has not spawned a lawsuit, but one can imagine situations in which the malicious online statements of an employee land the employer in legal trouble.

So what’s an employer to do? Thankfully, employers can find some solace in Section 230 of the federal Communications Decency Act (“CDA”), as a recent Indiana case illustrates. In Miller v. Federal Express Corp., an employee of a non-profit organization, 500 Festival, Inc. (“500 Festival”), and an employee of FedEx separately posted comments on media websites criticizing the plaintiff’s leadership of Junior Achievement of Central Indiana, which he ran from 1994 to 2008. Although the employees posted the comments using aliases, the plaintiff traced the comments back to IP addresses assigned to 500 Festival and FedEx and sued them for defamation.

The Indiana Court of Appeals affirmed the trial court’s dismissal of the defamation claims against 500 Festival and FedEx based on the Section 230 of the CDA. Congress passed Section 230 to protect companies that serve as intermediaries for online speech from liability for harmful content posted by third parties. A defendant claiming Section 230 immunity must show that: (1) it is a provider or user of an interactive computer service; (2) the plaintiff’s claim treats it as the publisher or speaker of information; and (3) another information at issue was provided by another content provider. Satisfying these three elements immunizes the defendant from suit, although the author of the offensive content could still be held liable.

It’s not difficult to see how Section 230 applies where, for instance, the operator of an online discussion forum is sued for defamation based on a comment posted by a forum member. The operator easily qualifies as an “interactive computer service” and can argue it is not liable for content that someone else published. But could a corporate employer qualify for Section 230 immunity? The court in Miller said yes, siding with precedent set by California and Illinois courts. An employer that provides or enables multiple users on a computer network with Internet access qualifies as a provider of an interactive computer service. Since the defamation claims tried to hold 500 Festival and FedEx liable for allegedly publishing statements made by their employees, Section 230 barred the claims.

Controlling what employees say online can be a daunting task, but it’s nice to know that employers have some protection from legal liability for the “honest” (or not so honest) mistakes of employees.

Enhanced by Zemanta
Read More

Lawsuit filed by creator of Facebook news site warns public employers to beware the First Amendment when disciplining employees for their social media conduct

Posted by on Mar 20, 2014 in Employment and Labor, First Amendment, Social Media

“It’s my First Amendment right to say what I want!”  The First Amendment is commonly invoked to justify personal expression.  But did you know that the First Amendment applies only when the government is involved?  For example, the First Amendment wouldn’t prevent a private company from firing an employee for making offensive comments about the governor.  If the same employee worked for a government office, then the First Amendment might apply.  As a lawsuit recently filed against the County of Maui illustrates, the First Amendment adds a layer of complexity for public employers dealing with controversial social media activity of its employees.

The First Amendment Lawsuit Against Maui County

Neldon Mamuad is a volunteer Liquor Commissioner for Maui County and part-time aide to a Maui County Council member.  In July 2013, Mamuad started a Facebook fan page called “TAGUMAWatch,” named after a Maui police officer well-known for strict enforcement of parking and traffic violations.  The page was intended to enable Facebook users to post about “Taguma sightings” and share their thoughts about him.  TAGUMAWatch gained popularity quickly and evolved into a discussion forum on a variety of topics including news, traffic, and politics.

Mamuad claims that he didn’t publicize his involvement with TAGUMAWatch until a TV news story about the page named him as its creator.   Mamuad also didn’t identify himself as a County employee when posting to the page or suggest that he spoke for the County.

The County somehow linked Mamuad to the page.  Allegedly under pressure from the County, Mamuad changed the page’s name to MAUIWatch.  A few days later, Officer Taguma submitted a complaint to the County alleging harassment via the page.  After notifying Mamuad of the complaint and conducting an investigation, the County determined that Mamuad had engaged in harassment and cyber-bullying through social media and required him to enroll in an employee counseling program.

On March 3, 2014, Mamuad sued the County in federal court for violating his First Amendment rights.  As of the time of this post, Mamuad’s motion for a TRO was pending.

When Does Employee Discipline Violate the First Amendment?

Most forms of internet expression qualify as “speech” under the First Amendment.  That point has been driven home by recent legal developments,  including a court decision that Facebook “likes” are protected by the First Amendment, a Ninth Circuit opinion recognizing that bloggers have the same First Amendment protections as traditional journalists, dismissal of an appeal from the termination of a public school teacher, and a federal lawsuit filed by a gun rights group alleging that the Honolulu Police Department censored comments on its Facebook page.  Whenever the government is the one restricting speech, the First Amendment becomes relevant.

So how does a public employer know when it may discipline an employee for his or her social media conduct without violating the First Amendment?  The general test in the Ninth Circuit, as spelled out in Mamuad’s TRO motion, looks at these factors:

  1. Did the employee speak on a matter of public concern?
  2. Did the employee speak as a private citizen or public employee?
  3. Was the employee’s protected speech a substantial or motivating factor in the adverse employment action?
  4. Did the government have an adequate justification for treating the employee differently from other members of the general public?
  5. Would the government have taken the adverse employment action even absent the protected speech?

Dahlia v. Rodriguez, 735 F.3d 1060, 1067 (9th Cir. 2013) (en banc).  For a court to find that employee discipline violates the First Amendment, the first and third question must be answered in the affirmative, the fourth and fifth question answered in the negative, and for the second question, the employee must have spoken as a private citizen.  The employee also has the burden to prove the first three factors.  If the employee is successful, then the burden shifts to the government to prove the fourth and fifth factors.

Applying this test to employee social media conduct isn’t simple, but it helps government employers assess whether the First Amendment counsels against disciplinary action.

Links:

Complaint in the Mamuad lawsuit
Motion for TRO in Mamuad lawsuit (w/o attached declarations and exhibits)

Enhanced by Zemanta
Read More
%d bloggers like this: