An Innocent Tweet or a Data Leak: Guidance for Drafting Social Media Policies to Protect Confidential Information
By Michael A. Shadiack, Esq. & Caitlin Petry Cascino, Esq.
Posted: 17th June 2015 08:58
The concurrent expansion of social media platforms and proliferation of related regulatory/agency guidance, case law, and legislation is giving rise to a new set of challenges for employers. As the use of social media increases and new guidance is issued almost daily, employers may find it difficult to remain in compliance while protecting their business interests. To meet these challenges, employers are well-advised to carefully draft and maintain a comprehensive social media policy to avoid liability as a result of their employees’ social media activity and to properly protect their confidential business information.
The National Labor Relations Board’s (“NLRB”) general counsel recently issued guidance to both unionised and non-unionised employers as to permissible proscriptions on employees’ use of social media both within and outside of the workplace. The focus of the NLRB’s guidance is on outlining the types of employer-issued rules that have a chilling effect on employees’ rights under the National Labor Relations Act (“NLRA”). Most employees, whether unionised or not, have certain rights under Section 7 of the NLRA. Specifically, employees have the right to take action of a concerted nature intended to address issues related to the employees’ terms and conditions of employment. The NLRB has broadly interpreted the scope of Section 7 rights. Non-unionised employers are sometimes surprised to learn that the NLRB has the authority to review and monitor their workplace rules and employment practices and just how far an employee’s Section 7 rights can reach.
Employers must take caution when drafting social media and other policies because the NLRB consistently finds that many policies that appear neutral and appropriate on their face violate the NLRA and interfere with employees’ Section 7 rights. Many non-unionised employers have been found by the NLRB to have violated their employees’ Section 7 rights by too broadly proscribing social media usage or by maintaining social media polices that are deemed too vague and, thus, do not specifically inform employees of the nature of social media activity that is prohibited as well as the rationale for the prohibition. In such instances, among other remedies, the NLRB has the authority to invalidate those purportedly overbroad or vague policies, require the employer to re-write the policies in accordance with the NLRB’s standards, and order the employer to post a notice to employees informing them of the policy changes.
Due to the significant risks that are at stake, employers must be cautious about their proscription of employees’ use of social media, especially in the area of confidential business information. The NLRB’s recent guidance focused heavily on this topic and provided certain examples of lawful and unlawful confidentiality rules. The inclusion of just one or two words could convert an otherwise-legal policy into an illegal one, in the eyes of the NLRB.
Employees have a Section 7 right to discuss wages, hours, and other terms and conditions of employment with their co-workers and/or union representatives, if they have any. Thus, if a social media policy prohibits employees from posting about their terms and conditions of employment – such as wages, hours, or workplace complaints – or if employees would reasonably understand the policy to prohibit social media discussions about such topics, that policy would violate the NLRA. For example, the NLRB has found the following policy language, among others, to be overbroad:
- “Do not discuss customer or employee information outside of work, including phone numbers [and] addresses”
- “You must not disclose proprietary or confidential information about [the Employer, or] other associates (if the proprietary or confidential information relating to [the Employer’s] associates was obtained in violation of law or lawful Company policy).”
- “[I]f something is not public information, you must not share it.”
On the other hand, the NLRB has identified certain confidentiality provisions within social media and other policies that are permissible. These policies all have common features: (i) they do not reference information regarding employees or employee terms and conditions of employment; (ii) although they use the general term “confidential,” they do not define it in an overbroad manner; and (iii) they do not otherwise contain language that would reasonably be construed to prohibit Section 7 communications between employees. The following policies were found to be facially lawful by the NLRB:
- “No unauthorised disclosure of business ‘secrets’ or other confidential information.”
- “Misuse or unauthorised disclosure of confidential information not otherwise available to persons or firms outside [Employer] is cause for disciplinary action, including termination.”
- “Do not disclose confidential financial data, or other non-public proprietary company information. Do not share confidential information regarding business partners, vendors, or customers.”
Employers also understandably have a significant interest in protecting their intellectual property. When drafting policies with that interest in mind, though, employers must be sure not to prohibit employees from their fair use of the employer’s intellectual property in the course of protected concerted activity. For example, a company’s name and logo will usually be protected by intellectual property laws, but employees have a right to use the name and logo on protest materials. The NLRB has found the following workplace rules within a social media policy to be unlawful:
- “Do not use any Company logos, trademarks, graphics, or advertising materials in social media”
- “Do not use other people’s property, such as trademarks, without permission in social media.”
- “Use of [the Employer’s] name, address, or other information in your personal profile [is banned.] In addition, it is prohibited to use [the Employer’s] logos, trademarks, or any other copyrighted material.”
Alternatively, the NLRB declared that social media policies that simply require employees to respect trademark and copyright laws and that simultaneously permit fair use of such material are permissible. Thus, the NLRB has concluded that employers may be able to protect their confidential material by including the following language in their social media policies:
- “Respect all copyright and other intellectual property laws. For [the Employer’s] protection as well as your own, it is critical that you show proper respect for the laws governing copyright, fair use of copyrighted material owned by others, trademarks and other intellectual property, including [the Employer’s] own copyrights, trademarks, and brands.”
- “Do respect the laws regarding copyrights, trademarks, rights of publicity, and other third-party rights. To minimise the risk of a copyright violation, you should provide references to the source(s) of information you use and accurately cite copyrighted works you identify in your online communications. Do not infringe on [Employer] logos, brand names, taglines, slogans, or other trademarks.”
Because social media is an emerging area, the full gamut of legal implications for both employers and employees is not fully developed in the United States. Nevertheless, it is readily apparent that employers must carefully craft social media policies in accordance with the NLRB’s developing guidance in this area as well as any state-specific laws in the state(s) in which they maintain operations. Employers are encouraged to consult with employment counsel to keep abreast of the legal developments regarding social media in the workplace and to draft/update their social media policy in keeping with those developments.