FCPA Compliance and Ethics Blog

August 8, 2011

10 SOCIAL MEDIA MUST HAVES FOR YOUR CORPORATE COMPLIANCE AND ETHICS PROGRAM

Filed under: compliance programs — tfoxlaw @ 10:02 pm

Ed. Note: Today we have a guest post from Michelle Sherman.

Companies would be legally remiss not to add a social media component to their corporate compliance and ethics program.  As we have seen and reported on, agencies such as FINRA, the FTC, and the NLRB are bringing complaints against companies arising from their social media activity or employee-related activity, thus highlighting the need for companies to demonstrate that they are exercising due diligence to promote ethical conduct and prevent criminal conduct in the context of social media activity [e.g. Federal Sentencing Guidelines, § 8B2.1].

The following list is a good starting point; however, there may be additional items that a social media attorney will recommend you include in your policy depending on the nature of your business.  A companion article to this one, for example, includes additional items that government contractors should have in their social media policies.

1.  Adopt a social media policy.  Include the basic list of “Dos” and “Don’ts” in your policy.  Don’t try to prohibit lawful protected activity such as complaining about work conditions or compensation/benefits, or whistle blowing.  However, employees should be advised of the importance of communicating possible wrongdoing at the company through established internal channels so an appropriate investigation can be conducted.

2.  Implement an effective training program on how your employees should use social media, with emphasis on areas of particular concern for your company which may include, for example, protecting the privacy interests of your company clients, complying with FINRA/SEC social media guidelines, antitrust compliance, not disclosing confidential, proprietary information, and brand protection.

3.  Update your e-discovery approach and make sure that you include social media activity and cloud computing because it is discoverable.

4.  Update your document retention policy to make sure you are capturing and storing the social media activities of your company, and don’t forget employees conducting business from their smart phones and tablets.

5.  Update your Sarbanes-Oxley Act compliance program to ensure that financial information posted on your Facebook fan page, Twitter, website, etc., is updated to reflect material changes in financial condition and operations.  Do not release financial information on social networking sites that you have not also published in a press release.

6.  Audit the social media activity of potential targets for mergers and acquisitions to identify any legal risks and liabilities, including, without limitation, the target failing to comply with the Sarbanes-Oxley Act.

7.  Train your HR department, managers and anyone making employment decisions so they do not use information from social networking sites to discriminate against anyone based on protected factors under federal or state law.   Set up protocols so protected factors are not considered.

8.  Take reasonable measures to protect your trade secrets.  Update your confidentiality agreements and computer use policies with employees.  Clearly communicate what the company’s trade secrets are and the ways in which use of them is restricted.  One of the essential elements for a misappropriation of trade secrets case is that the company has taken reasonable measures to protect its trade secrets, which would include, in the social media era, a social media policy with training for employees so they are not inadvertently disclosing the company’s trade secrets.

9.  Incorporate privacy protections into your business practices such as data security, the collection of a reasonable amount of information and not more, sound retention practices (not an unduly long period of time), and data accuracy (so misinformation is not reported on consumers).

10.  Review the FTC guidelines for online endorsements with employees, including the prohibition on employees giving reviews for the company’s products (or the products of its competitors) without disclosing their biased relationship with their employer company.

 Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.

United Breaks Guitars: Lesson Learned for Companies and Whistleblowers

Filed under: compliance programs,FCPA,Hotline — tfoxlaw @ 1:46 am

One of the ongoing debates in the compliance world has been over the Whistleblower Provision of Dodd-Frank and whether this provision will aid or diminish a company’s overall compliance program. One of the points in this debate is whether or not a whistleblower should be required to go through an internal hotline, or other reporting mechanism, before going to the Securities and Exchange Commission (SEC) and reporting alleged violations of the Foreign Corrupt Practices Act (FCPA) or other US Securities laws which may apply to the company in question.

Many compliance professionals argue that the entire purpose of an internal reporting structure will be destroyed if a whistleblower can report to the SEC, receive anti-discriminatory employment protections and a potential monetary bonus for any fines and penalties collected by the SEC. Whistleblower proponents point to examples of employees who reported violations or made complaints and were terminated or in other ways discriminated against in their continued employment with the company.

Even without the above debate, one of the ongoing discussions in any compliance department is how much of any compliance investigation to share within the company and the attendant question of whom to share the results of any investigation with inside the company. I can attest to this debate from personal experience. In my last corporate position, I was sent to investigate an alleged compliance violation in a South American country. After completing the investigation, the Compliance Department determined that the remedy was that the employee be reprimanded, receive additional training, and have a Letter of Reprimand placed in their file. However, there was no indication to the business unit where the hotline complaint was initiated that any action had been taken, and the person who made the complaint was never told of the resolution. Needless to say, this led to some very hard feelings by the employees who had jointly reported the compliance allegation and loss of credibility for the Compliance Department.

All of the above came to mind when I was reading an article entitled “When Unhappy Customers Strike Back on the Internet” in the MIT Sloan Management Review, Spring 2011 Issue. In the article, authors Thomas Tripp and Yany Grégoire explored the topic of “How should companies respond to, or prevent, irate customers’ online public complaints?” The authors began their article with the very omnipresent example of musician Dave Carroll and his experiences with United Airlines. After traveling on a United flight, Carroll found that his $3,500 guitar had been damaged during baggage handling. He initially attempted to resolve the issue with United personnel at the arrival airport who could not or would not provide any assistance to Carroll. He then spent “nine months of running the company’s customer service gauntlet” to eventually be told “that he was ineligible for compensation.”

Perhaps treating a professional musician in such a manner in the YouTube age is not the best PR move, as Carroll wrote a song and created a music video, entitled “United Breaks Guitars”, about his experiences; as of the writing of the article the video has had over 9 million viewings. Eventually United conceded that perhaps compensation was appropriate by “offering to compensate Carroll for the damage” and promised to re-evaluate its policies.

Tripp and Grégoire provide suggestions for the understanding and managing of online public complaints. However, their points have application for the compliance practitioner in the context of the Dodd-Frank Whistleblower issues identified above. So the question becomes, what can a company do to manage its internal whistleblower process so that an employee does not become so dissatisfied that he or she subsequently runs to the SEC?

The authors break their analysis down into two components, which I believe relate to the compliance context. The first is to understand what would drive an employee to go outside the internal reporting process. It is usually due to what the employee feels is a sense of betrayal. That is, the employee has made a complaint in good faith but either nothing happens or nothing seems to happen. After the internal complaint has been initiated, it must be triaged based on its severity. Just as in battlefield or hospital triage, the more serious a complaint, the quicker it should be investigated and resolved.

In my experience, the initial complaint was made in October and I was not sent to investigate until early in the following year. So just as customer complaints should be dealt with expeditiously and efficiently, internal employee hotline complaints must also be dealt with in such a manner and the issue should not be allowed to fester.

The second component is that the employee must understand the internal reporting system and expectations should be set. This can begin through overall compliance training but it must also be specifically tailored to the report. At a recent conference I attended, a member of the audience asked a Department of Justice (DOJ) representative why, 6 years after making a complaint regarding an export control violation at his company, there was no DOJ resolution. The audience member asking the question had recognized the DOJ representative as the person who had initially interviewed him after he made his complaint. The DOJ representative replied that the investigation was ongoing so he could not make any formal comments, but he then proceeded to explain the time and difficulty it took to develop evidence across many different US and foreign jurisdictions and coordinate an investigation with several US agencies. Perhaps if all of that had been explained at the beginning, or at some point throughout the process, it would have set a more realistic expectation for the whistleblower. The key is that the company must strive for fairness in the entire process.

The authors end their article with what I believe to be the key component to resolve the issue and that is “that process matters more than outcomes.” They point to the “fair process effect” from the labor-management context in which employees are willing to tolerate disappointing outcomes as long as they believe the “decision making processes surrounding the outcomes to be fair.” This drives home the point that a best practices compliance program is about process; having the right process in place is an important starting point for any compliance program; moreover, the process should be communicated throughout the company and administered in a fair and equitable manner.

While I do not believe that most Compliance Departments will face the PR disaster that United has had to endure over “United Breaks Guitars”, the failure to have a fair and equitable process for managing employee compliance complaints, which are reported internally, can lead to very serious financial consequences. One need only look at the recent example of GlaxoSmithKline, which agreed to pay a $750 million fine to the US Food and Drug Administration based on a whistleblowing employee who had tried to internally alert the company to the issues which led to the fine. Now whistleblowing employees can go directly to the SEC and if there is a monetary fine, they get a piece of the action.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011
