
The Nebraska Lawyer, March/April 2016

Feature article

Helping Clients Mind Their Social Media Ps & Qs: Best Practices for Identifying and Managing Risk

by Rebecca H. Davis and Sara J. B. English

Rebecca H. Davis

Rebecca H. Davis is Asst. General Counsel at Wal-Mart Stores, Inc., where she provides counsel to the company’s Privacy Office and Information Security division. She is experienced in compliance, risk management, and contract negotiations, with special attention to issues involving employee data, information security, vendor oversight, cloud, social media and international data transfers. Rebecca is a certified information privacy professional (CIPP) and teaches privacy law at the University of Arkansas School of Law. Rebecca is a 2007 graduate of the University of Iowa College of Law.

Sara J. B. English

Sara J. B. English is a Partner of Kutak Rock LLP in the Omaha office. She is a member of the firm’s Intellectual Property and Information Technology group, where she routinely advises clients from a variety of commercial sectors such as health care, retail, and finance in all aspects of technology transactions and the use and handling of sensitive personal information. Sara is a certified information privacy professional (CIPP) and a 2005 graduate of the University of Iowa College of Law.

Love it or hate it, social media is here to stay. Eliminating risk of social media is not possible—instead, organizations must embrace pragmatic mitigation strategies.

As an ever-evolving and pervasive tool fraught with both risk and opportunity, social media demands organizations stay agile and continually responsive to its challenges. This article will discuss, from a legal perspective, how organizations can protect themselves against the risks of social media as they realize the benefits.

Popular and Quick

There are, on average, 500 million tweets posted each day and 1.55 billion monthly active Facebook users.[1] A few years ago, we were confronted with the real impact of social media in our lives and in the workplace. Primarily we were discussing Twitter, Pinterest, and Facebook. Since then, the available media the public has at its literal fingertips to engage with friends, “followers” and the public at large have exploded into a staggering plethora of existing and new apps.

One key component of social media, as opposed to blogging and online journaling, is timing. An individual is able to, with relative speed, create and publish a post. While this is also true of bloggers, the difference with social media is that it enables individuals to instantly opine or react on a single topic.

What makes social media a real challenge is effectively addressing the volume and complexity of issues and the breakneck pace of change. Compounding the challenge is the fact the laws we have available at our disposal to help us manage these issues are lagging far behind the technology.

An excellent rule of thumb is to treat social media as simply another vehicle of communication. Organizations can take comfort in knowing that they are well-equipped and have years of experience handling communications, whether with the media, their customers, or potential and existing employees. Social media is not a unique animal; it simply adds another layer to constructs that already exist. The hitch lies in the fact that this layer adds a velocity and volume heretofore unknown. The speed and reach of social media means organizations, particularly employers, would be well-advised to look before leaping on a social media circumstance.

“Look before you leap” is common-sense advice, but what does it mean exactly in the social media context? We suggest that it involves several steps:

1. Figure out what your organization’s risks are with respect to social media.

2. Establish a risk mitigation plan.

3. Articulate the benefits social media offers your organization.

4. Develop a strategy for realizing these benefits.

Risk Management

Quantifying the Peril

Even if your organization does not believe the benefits of social media outweigh the risks, opting out of social media entirely is not an option. Your employees and your customers are inevitably going to post information about you, regardless of whether you provide the platform (e.g., a company Facebook page or Twitter account). Consequently, your organization needs to be prepared to handle the worst.

The first step in this preparation is to assess the risk social media presents to your organization. In order to prioritize, an organization must attain visibility into all relevant risks and tackle those risks in an intelligent and methodical way. Although risk assessments are essential, many organizations do not engage in this exercise. The most common reason for this, according to the Altimeter Group, is that organizations do not have the needed resources.[2] If this is the case for your organization, you should reconsider your position and take the long view. While risk assessments may consume resources at the outset, they ultimately enable an organization to prioritize and use resources intelligently and more efficiently. Additionally, it is acceptable to take a scaled-down approach to risk management sized appropriately for your organization.[3]

At its core, a risk assessment involves the following equation:

Risk = Threat x Vulnerability

A threat is an agent that can take action to cause harm to your organization. A vulnerability is an issue your organization could improve upon (or is not doing at all). Following are some examples of threats and vulnerabilities related to social media:


Threats: Disgruntled customers, suppliers or employees; security-naïve employees who are more susceptible to social engineering; uneducated or naïve employees susceptible to making privacy and security mistakes such as posting nonpublic confidential information or violating the FTC endorsement guidelines; hackers; social engineers; and malware.

Vulnerabilities: Human resources management (poor employee morale/low productivity or poor internal communication/escalation channels for employees); poor collaboration or sharing tools such as using unsecure vendors for document sharing of confidential business material; Facebook groups to discuss employee issues; poor customer service; poor supplier oversight; poor information technology security infrastructure; unfamiliarity with constantly-changing third-party platforms (policy or functionality); and poor oversight of trade/service marks.

Each organization faces different threats and vulnerabilities based on its unique characteristics, such as: (1) highly-regulated industry; (2) handling and storing high volumes of personally identifiable information; (3) trade secrets instrumental to financial success; (4) level of public exposure; (5) speed of effecting institutional change; and (6) controversial industry, product, or reputation.

Quality Problem Solving

There are a number of social media-based risks on which organizations must focus. Broadly speaking, these risks are either reputational, legal/regulatory, or operational in nature.

Reputation risk is the impact of negative public opinion on an organization’s goodwill. Activities that result in dissatisfied consumers or employees and/or negative publicity can cause reputational harm. A damaged reputation with customers can lead to lost sales; impaired recruiting and retention of employees; impaired relations with vendors and related stakeholders; and potential supply chain disruption. Social media enables a constant stream of dissatisfaction and discord.

Another kind of reputation risk takes the form of fraud impacting brand identity. Risks arise through false statements made by social media users, spoofs of your company’s communications (e.g., phishing e-mails), and activities in which fraudsters masquerade as a well-known company.

Legal/regulatory risks arise from potential for violations of or nonconformance with laws, rules, regulations, proscribed practices, internal policies and procedures or ethical standards. A failure to manage these risks leads to enforcement actions and/or civil lawsuits. As we will explore in more detail below, some of the legal and regulatory risks associated with social media include: privacy laws and regulations; employment and labor law; advertising and endorsement guidelines; copyright and trademark infringement; securities law; and credit report laws.

Operational risk is the risk of loss resulting from inadequate or failed processes, people or systems, stemming from internal or external root causes. Examples include loss of an intellectual property right by failure to police trademarks or a trade secret leak; information security vulnerability due to poor security or presence of malware in social media applications; and hostile workplace or customer environment due to defamation or harassment via social media.

Below are examples of how to evaluate risk using the threat/vulnerability formula above:

Example 1: Reputation Risk

• Threat: Dissatisfied customers using social media to lambaste company for creating inferior product.

• Vulnerability: Customer service agents are not empowered to resolve customer complaints effectively.

• Risk: Widespread negative press.

Example 2: Legal/Regulatory Risk

• Threat: Disgruntled employees post comments regarding working conditions directly on an organization’s Facebook page.

• Vulnerability: Lack of appropriate training for moderators charged with maintaining the Facebook page.

• Risk: Moderator pulls down protected Section 7 speech in violation of the National Labor Relations Board (NLRB) guidelines.

Example 3: Operational Risk

• Threat: Employees use social media at work to transmit links and attachments to employee e-mail account.

• Vulnerability: Organization neither blocks social media sites nor trains employees on safe use of links and attachments.

• Risk: Malware introduced into organization systems, impairing functionality and/or enabling exfiltration of regulated data or organization’s intellectual property.

An effective way to quantify and communicate risk is to use a heat map, as illustrated by Figure 1.[4] It is important to note that a heat map does not actually analyze the risk; it is only a way of representing what the organization has already concluded. After doing the threat/vulnerability analysis and determining the resulting risks, one then evaluates the likelihood and impact of each risk by assigning it a relative value. The end result is that risks are quantified, and can then be ranked, so the organization can prioritize its attention and resources.

• Likelihood: The probability of occurrence. Note the probability table directly below the x-axis.

• Impact: The expected effect or consequence of an event or occurrence (often this is a financial impact).

• Multiply the likelihood score and impact score together to receive an overall score for each risk.

Using the second example above, let’s say that for a regional company with an organized labor force, the potential impact of an adverse NLRB action is high (4), but the likelihood of the company’s social media moderator taking down protected speech is unlikely (2) because there are, on average, only 50 comments to all social media pages controlled by the company per year, and no comments have been taken down to date. As such, the score for that risk is 8 (2 x 4 = 8), placing it in the low-to-medium risk range.

After scoring all risks in the different color zones of the heat map, the organization can choose how to scale its resources to handle the relative risks. While it may be tempting to go after the highest-ranked risks first, some experts recommend that organizations take a more measured approach based on a cost/benefit analysis.

According to the 2012 Verizon Data Breach Investigations Report, 96% of cyber attacks perpetrated on organizations were not highly difficult to execute,[5] and according to the 2015 report, 98% of web app attacks are opportunistic in nature, aimed at easy marks.[6] This means an organization could potentially cover more risk in total with fewer resources by quickly and efficiently handling lower-level risks instead of diverting the bulk of its resources and funds to one or two highly challenging areas. In our example above, creating a policy and training the employee charged with handling social media is very low-cost and can be handled quickly to reduce the overall risk.

Figure 1

Patchwork Quilt

There are a variety of laws and regulations directly related to social media and others that indirectly affect the use of social media. Several of these laws include state social media password laws, the National Labor Relations Act (NLRA), FTC Section 5 and the Endorsement Guides, the Fair Credit Reporting Act, defamation laws, and marketing laws such as the Telephone Consumer Protection Act of 1991 (TCPA) and the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM Act).

State Social Media Password Laws: In the hiring and employment context, there is no federal law directly addressed at whether and how employers may request or require applicants and employees to divulge their social media account login credentials (user ID and password). However, states are quickly rallying to this issue, passing laws that forbid employers from requiring applicants or employees to share this account information. As of the date of this article, 22 states[7] have passed this kind of law, but there has been no universal uniformity in the substance.

Most of the laws forbid an employer from requiring that an employee or applicant disclose his or her username, password, or other means for accessing a social media account through their mobile phone. There are normally exceptions for accessing this information from an existing employee for specific internal investigations. Many of these laws also provide that employers may not even request this information from applicants and employees. Nebraska has not passed such a law, but Senator Tyson Larson (District 40) did introduce the Workplace Privacy Act in January of 2013, which eventually died in committee.[8] The key takeaway from these new and emerging laws is that employers are well-served by minding these laws and watching for new legislation, and employers continue to be cautioned that if they conduct business in a jurisdiction where these laws are not present, it is not a carte blanche to gather employees’ and applicants’ Facebook credentials, since the existing discrimination laws still apply.[9]

Labor Law: Section 7 of the NLRA states that employees have a “right to … engage in … concerted activities for the purpose of collective bargaining or other mutual aid or protection.”[10] An exhaustive list of current NLRB decisions related to social media is outside the scope of this article, but it suffices to say that employers must treat an employee’s social media posts with care if that employee is being critical of the company.

Furthermore, employee policies and handbooks that seek to limit by policy how employees are permitted to discuss employment conditions and activities (which is easily translated into a social media setting) are likely to be found running afoul of the NLRA. These NLRB social media decisions are not being directed only at the largest employers in the U.S. We are seeing all sizes of companies running into trouble, which highlights the need for addressing these risks in an appropriate fashion.[11]

Endorsement Guides: The FTC Endorsement Guides[12] pose another risk to organizations, making them liable for statements made on social media by employees or others who have a material connection to the company. The guidelines require any individual who endorses an organization or its products and is an employee of the organization or has a material connection to the organization to disclose his or her relationship to the company.

The disclosure must reflect the honest opinions, findings, beliefs, or experience of the endorser. Additionally, it must meet specific requirements with respect to the font size (or clarity of verbal communication in the case of video), proximity of the disclosure to the endorsement statement, and sufficiency of disclosure—even when practical considerations make doing so nearly impossible, such as in the case of mobile-device interfaces. It is irrelevant if the organization played no role in the endorsement; you are responsible for what others do on your behalf. Furthermore, the organization is potentially liable for the FTC Section 5 violations of its endorsers, should an endorsement convey any express or implied representation that would be deceptive if made directly by the organization.

All of this means organizations need to train their employees, have a solid social media policy that addresses not acting as a spokesperson for the company and disclosing the employee’s relationship to the organization when promoting the company, keeping a tight rein on publicizing customer feedback, and establishing training and governance when engaging bloggers or other customer spokespeople.

The FTC recommends several practices to help mitigate your risk: (1) given your responsibility for substantiating objective product claims, explain to your potential endorsers what they can (and cannot) say about you or your products; (2) instruct potential endorsers on the need for disclosure of their connection to you; (3) regularly conduct searches to see what is being said about you, specifically if your endorsers are disclosing their material connection to you, if any, and confirm that the claims they are making can be substantiated; and finally (4) follow up on any questionable practices you may uncover.

The FTC does not expect an organization to be aware of every single statement made about it, but it does expect reasonable efforts. As a reminder, “reasonable” is tied to the level of risk faced by an organization, as well as creating and adhering to documented policies and procedures.

FCRA: An organization that uses its own employees to search and scour social media sites for publicly available information concerning current or prospective employees is free to use the information it finds without restriction. However, the moment you obtain such information from a third party, the requirements of the Fair Credit Reporting Act (“FCRA”) are triggered. The FCRA applies to users of consumer reports prepared by a consumer reporting agency. A consumer report is any information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or lifestyle and is used as a factor in establishing the consumer’s eligibility for, among other things, credit, insurance, or employment.

For example, if your organization obtained the Facebook profile, photos and posts of its employees from a third party and used that information to guide demotion and firing decisions, it would first have to provide notice and receive employees’ consent, then fulfill the Act’s adverse action notice and correction requirements. Failure to do so could result in significant liability for your organization.

Defamation Laws: Since social media platforms are another method of public communication, the potential to defame a third party is high. There are not many cases in this area testing how courts will interpret a disparaging remark made on a social media platform, but it suffices to say we will see more of these claims, and it is real. Conversely, your organization should note that if you are a victim of libel via Twitter (“Twibel”), you should seek advice from counsel regarding addressing it from all aspects, including your state’s defamation laws.[13]

Marketing Laws: Not to be overlooked are laws associated with marketing to customers via social media, including websites and mobile devices. Organizations have long had to contend with the CAN-SPAM Act[14] and TCPA[15] when developing marketing and telemarketing programs for e-mail, telephone calls, and text messaging. While a discussion of these laws is outside the scope of this article, organizations need to exercise caution when offering an online or mobile application providing functionality to users to contact or message third parties (e.g., Facebook friends, phone contacts, Gmail contacts, etc.).

Broadly speaking, this functionality does not normally rise to the level of a CAN-SPAM Act issue, because the “sender” under that particular law is ostensibly the customer/user. However, TCPA is less generous, and as such, if the application sends a text message to the users’ “friends,” liability could result for the organization under the TCPA, which includes a potential for class action.[16] The key takeaway here is to carefully examine how the social functions of an organization’s online or mobile application will be construed under marketing laws.

After assessing the landscape of social media-related threats and vulnerabilities and determining organizational risk, organizations may accept, transfer, ignore or mitigate each risk. Organizations that choose to mitigate the risk will find the governance checklist located on page 19 helpful.

Realizing the Benefits of Social Media

Powerful

We’ve discussed several challenges to social media, but there are many potential opportunities, such as the way social media can be used to reduce risks facing an organization. For example, many retail organizations use social media to assess threats of violence. Facebook posts of “I’m going to blow that place up” or other similar threats are not uncommon. Organizations can appropriately respond to such threats by monitoring social media and having governance in place to assess the credibility of threats and escalate to an organizational threat assessment team and even law enforcement when needed.

Another benefit to organizations having a social media presence on sites such as Facebook or Twitter is that customers can quickly communicate to the organization, and the organization can quickly respond. For example, if there is a scam in place where criminals are masquerading as the organization and obtaining financial or other valuable information from customers, customers may alert the organization through its social media channels. Receiving that alert and quickly communicating to customers and potential customers that there is a scam afoot can potentially mitigate harm done to customers and the organization.

Natural disasters offer another example of how social media can benefit organizations. Through their vast reach and real-time communication speed, social media platforms are an excellent way for organizations to stay connected to their employees and customers during times of crises. Both customers and employees can be made aware of aid available by the organization, such as water, shelter and meeting points, and learn of the status of other individuals who are connected to them.

Perpetual Quarry of Data

Powering the engine of social media is a vast treasure trove of personal information regarding its users. Social media is frequently offered without charge to end users, but there is a reason Facebook was the largest IPO of any technology company to date. On the surface, social media is an easy way to track social chatter—organizations can easily harness this to look for the right time to introduce a new product or service and keep tabs on the pulse of threatened labor strikes that may affect city transportation or supply chains. Organizations can watch social media to learn of a potential demonstration or flash mob and translate such information into risk awareness and management for potentially impacted employees.

Logic tells you those reasons are not why Facebook remains profitable, yet free to users. Social media applications collect every byte of information from each user, store it all, and monetize it in ways that go beyond simply serving up appropriate advertisements to their users. We remind the reader this article is not about privacy law, but glibly point out that, at least under U.S. law, social media is not about privacy—social media users freely give up that right.

Conclusion

At the end of the day, aside from its viral and real-time nature, social media is not that different from any other communication tool; and, like any communication tool, it presents organizations with great opportunities for risk realization as well as risk management. The risks that organizations can realize through social media are typically the same risks that exist offline; however, due to the nature of social media, the impact of those risks can be drastically accelerated and amplified. At the same time, by giving organizations visibility into offline risks, and bringing people together in times of disaster, for example, social media is a tool that all organizations should consider embracing. It is critical for organizations to conduct a threat/vulnerability analysis or take some other customized approach tailored to their business.


Governance checklistOne of the best tools for managing social media risk is documented, implemented governance. Below is a checklist for organizations.

1. Written Governance Policies and Guidelines that address:a. Established governance structure with clear roles and responsibilities.b. Federal Financial Institutions Examination Council (FFIEC) guidance which recommends having the Board of Directors or senior management involved:17

i. To direct organization’s strategic goals (e.g., brand awareness or product advertising).

ii. To establish controls and ongoing assessment of risk in social media activities.

2. Written Policies and Procedures that address: a. Employees:

i. Compliance with all applicable consumer protection laws, regulations and applicable industry guidance.

ii. Acceptable and unacceptable uses of social media (taking into account other relevant corporate policies such as eth-ics, discrimination and harassment, information security, workplace behavior, trade secrets and related business asset protection.

b. Administration and Management:

i. Methodologies to address risks of using social media—posts, edits, replies and records retention.

ii. Tools associated with specific technology assets internal to the organization (e.g., Sharepoint, intranet, etc.).

iii. Oversight tools for internal and external social media.

iv. Moderation procedures/playbook for social media.

v. Escalation procedures for the above.

3. Training for all stakeholders:

a. Add appropriate social media training to existing training:

i. Discrimination and harassment training includes social media.

ii. Information security training includes discussion of spear phishing, etc.

b. Document training.

4. Incident Response Guidelines and Requirements for existing teams to address negative social media situations:

a. Compliance

b. Technology

c. Information Security and Physical Security (asset protection; emergency response)

d. Human Resources

e. Legal

f. Marketing

g. Corporate Communications

5. Vendor Diligence for selecting and managing third-party service providers who are handling social media functions (e.g., analytics, post filters, fraud management services/brand abuse monitoring and takedowns).

6. Audit and Compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations and guidance.

7. Feedback/Reporting: Parameters and methodology for providing appropriate reporting to the governance structure (FFIEC recommends BOD or senior management) to enable periodic evaluation of the social media program’s effectiveness and whether it is achieving its objectives.


Endnotes

1 http://www.internetlivestats.com

2 Webber et al., Altimeter Group, Guarding the Social Gates: The Imperative for Social Media Risk Management (August 9, 2012), p. 9.

3 For more information about risk management scaling, the authors recommend reading Benjamin Tomhave’s article “Scaling Risk Management” available at http://www.secureconsulting.net/2011/09/scaling-risk-management.html.

4 This graphic is from CGMA and can be located at http://www.cgma.org/Resources/Tools/essential-tools/Pages/risk-heat-maps.aspx?TestCookiesEnabled=redirect.

5 Verizon 2012 Data Breach Investigation Report, p. 3.

6 Verizon 2015 Data Breach Investigation Report, p. 41.

7 State Laws About Social Media Privacy, NAT’L CONF. ST. LEGISLATURES (January 29, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-prohibiting-access-tosocialmediausernames-and-passwords.aspx (listing states that impose limitations on employers: Arkansas, California, Colorado, Connecticut, Delaware, Illinois, Louisiana, Maine, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Vermont, Washington and Wisconsin).

8 Nebraska L.B. 58 (2013).

9 Contrast, for example, H.R. 2029 (114th Congress 2015-2016) that creates an enhanced personal security program and requires federal agencies, under the direction of the Director of National Intelligence, to develop a plan for investigating multiple sources of information, now expressly including social media, as a component of the security clearance program.

10 29 U.S. Code § 157.

11 Note, for example, Three D, LLC, 361 N.L.R.B. No. 31 (2014) (sports bar found to have violated Section 8(a)(1) by discharging two employees for their participation in a Facebook discussion involving claims employees unexpectedly owed additional state income taxes because of the sports bar’s owner withholding mistakes) and Pier Sixty, LLC, 362 NLRB 59 (2015) (catering company violated sections 8(a)(1) and (3) of the NLRA by terminating an employee for insulting a supervisor in a Facebook post two days before a union certification election, even though the insult was offensive and laced with profanity).

12 https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking.

13 A full analysis of recent defamation laws in the social media space is outside the scope of this article. For an excellent, recent primer on this subject, see “Characters of Defamation: The Developing Law of Social Media Libel,” Matthew E. Kelley & Steven D. Zansberg, Journal of Internet Law 18 J. Internet L. 1, July, 2014.

14 CAN-SPAM Act of 2003, Pub. L. No. 108-187, 117 Stat. 2699.

15 Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227.

16 A highly watched case in this space is Wright v. Lyft, No. 2:14-cv-00421-MJP, 2014 WL 1379073 (W.D. Wash. Mar. 24, 2014) (class action against ride-sharing service, Lyft, regarding its “Invite Friends” feature).

17 Social Media: Consumer Compliance Risk Management Guidance, 7, FFIEC, FIL-56-2013 (December 2013) (available at https://www.fdic.gov/news/news/financial/2013/fil13056.html).