FCPA Compliance and Ethics Blog

March 16, 2012

Navigating Social Media And Legal Ethics[1]

Ed. Note-today we have a post from our colleague, Michelle Sherman, a frequent commentator on social media issues.

If you cannot do it offline, you probably cannot do it online.  This is a good way to think about social media and legal ethics. We know that attorneys are not allowed to communicate with a represented party on the other side of a legal action, so it should not be surprising that trying to “friend” a party on Facebook in order to see all of their Facebook activity is not allowed by the ABA or the assorted state bar rules of professional responsibility. Cal. Rules of Professional Conduct, Rule 2-100. It is also unethical to direct someone to “friend” the other party. Some state bars have also extended this rule to unrepresented parties and witnesses. Namely, it is fine to look at their public social media presence, but attorneys cannot “friend” them or arrange for it to be done on their behalf.

A. Maintain The Confidentiality Of Your Client Communications.

Another bright line is that attorneys cannot disclose confidential information about their clients on social media. Cal. Rules of Professional Conduct, Rule 3-100. In fact, many companies prefer for their outside counsel not to publicize their courtroom wins for their clients out of concern that it will invite similar actions to be filed against the company. Companies have media relations departments to tell their story for them so attorneys should coordinate any press releases of their own with their clients. This is something to keep in mind when an attorney writes her LinkedIn profile, or posts about her work day on Facebook or Twitter.

Preserving the confidentiality of attorney-client communications, and not waiving the attorney work product protection means attorneys need to think carefully about how they post status updates on LinkedIn, and the “conversations” they are having on LinkedIn discussion groups, or on listservs. Even if a listserv is treated as a private forum for qualifying members to confer about legal issues, it does not mean that a court will treat those discussions as privileged or confidential. A plaintiff’s attorney in an employment discrimination case learned this the hard way when he was trying to quash a document subpoena seeking his writings on a listserv. In Muniz v. United Parcel Service, Inc., CV 09-1987 (N.D. Cal.), the plaintiff’s attorney allegedly made posts on the listserv in which he accused the judge of being “defense-biased”, and described the defense counsel as aggressively defending the case to the point of absurdity. Professor Georgene M. Vairo, a professor at Loyola Law School, was reported in a January 18, 2011 Los Angeles Daily Journal article, as saying that the fact that the attorney’s writings appeared on a confidential listserv does not mean work product privilege applies to them. “Given the way social media is, even when you try to keep things private, can you really have an expectation of privacy?” Vairo said.

B. Make Social Media Part Of Your Litigation Strategy.

Yet, attorneys may fall short of their duty to zealously represent their clients if they ignore social media entirely. It is a rich resource for discovery about the other side, witnesses and even prospective jurors. In Johnson v. McCullough, the Missouri Supreme Court discussed how trial attorneys should take advantage of technological advances and research prospective jurors. Thereby, hopefully avoiding the need for a motion for new trial because it is discovered much later that a juror was deliberately concealing his bias on voir dire in order to remain on the jury.

However, this research and monitoring of jurors during the case comes with some bright line rules as well.

1. Do Not Have “Contact” With Jurors Through Social Media.

Again, offline rules provide a bright line for social media contact with jurors. A study done by Reuters Legal using data from Westlaw online found that tweets from people describing themselves as prospective or sitting jurors appeared at the rate of one nearly every three minutes. Increasingly, parties are filing motions for new trials or to overturn a verdict based on juror misconduct on the Internet. In a criminal case in Camarillo, California, a juror posted a cell phone picture of the murder weapon on the Internet, and invited people on his blog to ask him questions about the case.

Thus, attorneys and courts have good reason to be concerned about what jurors are saying on social media. Courts are tackling the problem by instructing the jury not to discuss the case anywhere including on social media. However, just as jurors still talk about pending trials with their friends and family despite the court’s admonitions, jurors are sometimes ignoring (or forgetting) the court’s admonitions and posting on social media. Consequently, attorneys should have someone monitoring the jury during voir dire, trial and deliberations.

This monitoring needs to be done so it does not result in “contact” with the jurors. Cal. Rules of Professional Conduct, Rule 5-320. Friending jurors, or following them on Twitter, is taking it too far. On the other hand, attorneys can monitor the public posts of jurors on Facebook and Twitter without jurors realizing it.

2. Bring Jury Misconduct To The Court’s Attention.

Now assume the plaintiff’s attorney learns from social media that a juror intentionally failed to disclose she was prejudiced against the defendant manufacturer in the case, because the juror had been a victim of a similar industrial accident. The juror is someone that the attorney thought was sympathetic to his client’s case and the last thing he wants to do is lose the juror. This is the ethical question that is likely to come up for attorneys, and the answer is the same as other offline misconduct of jurors. As an officer of the court, the attorney is required to bring it to the attention of the court.

C. Avoid The Unintentional Creation Of An Attorney-Client Relationship.

Attorneys are using blogs and social media to try and develop business. A February 2012 survey by ALM Legal Intelligence, “Social Media ROI for Law Firms” found that of the law firms that are using social media and blogs – 85 percent and 70 percent respectively of the responding law firms – almost 50 percent of those firms are receiving leads from their efforts. In doing so, law firms are understandably concerned about not creating an inadvertent attorney-client relationship when someone comments on a blog or tries to engage one of their attorneys about the specifics of their particular legal issue.

These are legitimate legal concerns. In addressing an analogous situation, the State Bar of California issued a formal opinion for attorneys who have call in radio shows on legal issues. The State Bar recommended that the attorney radio host: (1) remind callers that they are speaking on a public forum so nothing they are saying is confidential; and (2) encourage callers to seek advice from an attorney about their specific problem. Formal Opinion No. 2003-164. It is also recommended that the law firm pre-screen comments before they are posted on the blog site to edit posts that may potentially create a problem. Also, do not answer fact specific questions – rephrase the question to a broader legal issue that may be of interest to the broader audience to whom you are writing or speaking. And, finally, keep your responses in the public forum so there is no expectation of a confidential attorney-client relationship.

[1] 4851-4734-3630, v.  1

Michelle Sherman practices at Slater Hersey & Lieberman LLP. She can be reached at Msherman@slaterhersey.com. Follow Michelle on Twitter: @MShermanEsq


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

December 28, 2011

Facebook’s Settlement With The FTC Is A Wake Up Call For Businesses To Review And Update Their Website Privacy Policy And Agreements

Ed. Note-there are many forms of compliance convergence. Today we have a guest post from Michelle Sherman, a frequent contributor on compliance and  social media issues. 

The Federal Trade Commission (“FTC”) is working hard to make sure consumers are not being misled about how websites and social networking sites are using their personal information.  Companies that do not follow their own privacy policies are finding themselves the subject of FTC complaints.  It is therefore even more important for businesses to review and update their “privacy policy,” “terms of use,” and other legal agreements on their websites.  This review should also include any company apps.

1.         When Businesses Do Not Comply With The Terms Of Their Website Privacy Policy, Then They May Be In Violation Of Section 5(a) Of The FTC Act

The recent consent decrees that the FTC entered into with Facebook, Google and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies.  Businesses are well advised to take the following actions:

(1) Ensure that the published policies on their websites for terms of use and privacy reflect what information the businesses are collecting from consumers, and that the disclosures are clearly stated without unnecessary and lengthy legalese;

(2) Examine how the businesses are using personal information or anticipate using it, and that these uses are being fully disclosed to consumers; and

(3) Take reasonable measures to safeguard consumer information.  Because of the risks of cyberhacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded, and what information is being stored and for how long a period.  The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users’ accounts against hackers.

In all of these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act.  The FTC Act prohibits unfair or deceptive acts or practices.  15 U.S.C. § 45(a).

The consent decrees entered into by Facebook, Google and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business.  As is sometimes the case with the FTC, the FTC conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required under current law.

2.         Lessons To Be Learned From The FTC Settlements With Facebook And Others

It is instructive to know how these businesses allegedly violated the terms of their privacy policies with users because the same may be true for many companies.

(a)  Facebook Complaint

In its complaint against Facebook, the FTC alleged:

(1) Facebook told its users that third-party apps that users installed – such as Farmville by Zynga– would have access only to user information that they needed to operate.  In fact, the apps could access nearly all of the users’ personal data.

(2) Facebook told users that they could restrict sharing of data to limited audiences – for example, with “Friends Only.”  In fact, selecting “Friends Only” did not prevent their information from being shared with the third-party applications their friends used.

(3) Facebook promised users it would not share their personal information with advertisers.  Facebook did according to the FTC.

(4) Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content according to the FTC.

(5) Facebook also claimed that it complied with the U.S. – EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.

(b)        Google Complaint

Google is also faulted for making use of its users’ data in ways that was contrary to what Google was telling users about the launching of Google’s Buzz social network through its Gmail web-based email product.  The FTC alleged that “Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective.”  Google was apparently trying to immediately ramp up its social network in order to compete with Facebook.  The Buzz launch ended up being a public relations nightmare for Google with thousands of consumers reportedly complaining that they were concerned about public disclosures of their email contacts from which Google tried to create immediate Buzz connections for users.  In some cases, use of the emails disclosed ex-spouses, therapists, employers or competitors.

According to the FTC, Google breached its privacy policy when it launched Buzz, its social networking site, because Google’s policy told Gmail users that “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information.  If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”  According to the FTC, Google used Gmail users’ information for a different purpose without telling them by starting a social networking site with the information.

            (c)  Online Advertiser ScanScout Complaint

The FTC is not just pursuing these actions against social media behemoths such as Facebook and Google.  In November 2011, the FTC reached a settlement with an online advertiser ScanScout.  ScanScout is an advertising network that places video ads on websites for advertisers.  ScanScout collects information about consumers’ online activities (aka behavioral advertising) in order to post video ads targeted to the people visiting the website.  In ScanScout, the FTC alleged that there was a discrepancy between the online service and their website privacy policy:

“[F]rom at least April 2007 to September 2009, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior.  The privacy policy stated, ‘You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.’  However, changing browser settings did not remove or block the Flash cookies used by ScanScout….  The claims by ScanScout were deceptive and violated Section 5(a) of the FTC Act.”

In the ScanScout action, the company Tremor Video, Inc. is also subject to the settlement order because ScanScout merged with Tremor Video.  This settlement also highlights the importance of doing an audit of a target company’s social media activity before acquiring or merging with it so your company will have more information concerning the legal risks of the deal.

3.         Business Costs Of Not Updating Your Privacy Policy And Following It

In each of these cases, the FTC is making the settling party do some things that are more than they would have been required to do in the normal course of business, thereby, making it more challenging and expensive for them to do business.

These consent decrees require the settling party to do the following:

(1) Tell users what information is being collected and for what purpose, with the right to “opt out” of the targeted advertising (ScanScout);

(2) Obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences (Facebook; Google);

(3) Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and service, and protect the privacy and confidentiality of consumers’ information (Facebook; Google); and

(4) Every two years, for the next 20 years, obtain independent, third party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook; Google).

4.         Conclusion

Considering that the vast majority of consumers simply click through the legal agreements to get to the applications on a website, there is no real downside to companies spending a little time and money to ensure that their privacy policy, terms of use and other legal agreements reflect their current practices.  Similarly, updating these agreements should be a routine part of changing how the company is collecting and using information from its users.  It should be coordinated between marketing, IT and legal with each checking off on the updates being accurate.  And, finally, the website should clearly indicate that the privacy policy and/or agreements have been updated so users have the option to review any changes.  If experience is any indicator, virtually all users will continue to visit the website notwithstanding the updated policy or agreements.

 Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.

November 17, 2011


Ed. Note-we are pleased to host a posting today from Michelle Sherman.

Agatha Christie had a novel take on invention being the mother of necessity.  She disagreed and said, “[I]nvention, in my opinion, arises directly from idleness, possibly also from laziness.  To save oneself trouble.”  She may have been onto something when you think about businesses that are turning to outside vendors to research employees and job candidates for them.  Whether or not these outside vendors are the best solution, however, remains to be seen.

1.  Companies Should Have An Internal Procedure For Researching Job Candidates And Employees On The Internet

We recommended in a January 2011 blog post, that businesses establish an internal procedure for making employment decisions based on Internet research, so they would not run afoul of state and federal laws that prohibit job discrimination based on protected factors.  See http://www.socialmedialawupdate.com, Social Media Research + Employment Decisions: May Be A Recipe For Litigation.  The protected factors include, for example:  (1) Race, color, national origin, religion and gender under Title VII of the Civil Rights Act of 1964; and (2) Sexual orientation, marital status, pregnancy, cancer, political affiliation, genetic characteristics, and gender identity under California law.  Most states have their own list of protected factors, which should be considered depending on where your company has employees.

Not surprisingly, the legal risks of making employment decisions using the Internet have become a real concern for businesses, especially when you consider that 54% of employers surveyed in 2011 acknowledged using the Internet to research job candidates.  The actual number of employers using the Internet is probably higher, and sometimes companies may not even be aware that their employees are researching job candidates and factoring that information into their evaluations.  This is yet another reason to establish an internal procedure for researching job candidates, and communicating your procedure to employees who are participating in the employment process.

There is nothing wrong with researching people on the Internet so long as it is done properly.  The Internet has a wealth of useful information, some of it intentionally posted by job applicants for employers to consider such as LinkedIn profiles.

With this “necessity” to do Internet searches properly, some businesses have turned to outside vendors to do the research for them, and, thereby, try to reduce their legal exposure and the administrative inconvenience of doing it themselves.  At least one of these vendors has received letters concerning its business practices from the Federal Trade Commission (“FTC”) and, more recently, two U.S. Senators.

2.  The Business Practices Of Outside Vendors That Provide Social Media Background Checks Are Being Examined For Compliance With Privacy And Intellectual Property Laws

On May 9, 2011, the staff of the FTC’s Division of Privacy and Identity Protection sent a “no action” letter to Social Intelligence Corporation (“Social Intelligence”), “an Internet and social media background screening service used by employers in pre-employment background screening.”  The FTC treated Social Intelligence as a consumer reporting agency “because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.”  The FTC stated that the same rules that apply to consumer reporting agencies (such as the Fair Credit Reporting Act (“FCRA”)) apply equally in the social networking context.  These rules include the obligation to provide employees or applicants with notice of any adverse action taken on the basis of these reports.  Businesses should also be mindful of similar state consumer protection laws that may be applicable and may afford additional rights to employees and applicants (e.g. California Investigative Consumer Reporting Agencies Act).

The FTC concluded by stating that information provided by Social Intelligence about its policies and procedures for compliance with the FCRA appears not to warrant further action, but that its action “is not to be construed as a determination that a violation may not have occurred,” and that the FTC “reserves the right to take further action as the public interest may require.”  This FTC “no action” letter was reported fairly widely, and probably increased the comfort level of businesses that wanted to use an outside service for Internet background checks.

On September 19, 2011, Senators Richard Blumenthal (D-Conn) and Al Franken (D-Minn) sent a letter to Social Intelligence with 13 questions regarding whether the company is taking steps to ensure that the information it is gathering from social networks is accurate, whether the company is respecting the guidelines for how the websites and their users want the content used, and whether the company is protecting consumers’ right to online privacy.  The letter raises some legitimate concerns, and requests a prompt response from Social Intelligence to the questions presented.

3.  Legal Assurances That Your Company May Want To Seek If Using An Outside Vendor

Some of the questions also warrant due consideration on the part of businesses receiving reports from outside vendors about how much weight they want to give the information provided.  Further, what the business may want in the form of legal assurances from the outside vendor that no laws (e.g. FCRA, privacy, copyright, or other intellectual property laws) have been violated in gathering the information or providing screenshot copies of pages from social networking sites.

Some of the questions from the Senators which raise these concerns include, for example:

1.  “How does your company determine the accuracy of the information it provides to employers?”  [Social Intelligence is reportedly collecting social networking activity dating back 7 years, and, therefore, may capture something that was later removed, or was a “tag” post through a picture that the job candidate was not responsible for making public, and may have removed once it came to his attention.]

2.  “Is your company able to differentiate among applicants with common names?  How?”  [e.g. Have they researched the correct “Jane Smith” of the hundreds on Facebook since social security numbers or other specific identifying information is not useful on social networking sites as it is with the standard background check.]

3.  “Is the information that your company collects from social media websites like Facebook limited to information that can be seen by everyone, or does your company endeavor to access restricted information.”

4.  “The reports that your company prepares for employers contain screenshots of the sources of the information your company compiles…These websites are typically governed by terms of service agreements that prohibit the collection, dissemination, or sale of users’ content without the consent of the user and/or the website….. Your company’s business model seems to necessitate violating these agreements.  does your company operate in compliance with the agreements found on sites whose content your company compiles and sells?”

5.  There appears “to be significant violations of user’s intellectual property rights to control the use of the content that your company collects and sells.  …. These pictures [of the users], taken from sites like Flickr and Picasa, are often licensed by the owner for a narrow set of uses, such as noncommercial use only or a prohibition on derivative works.  Does your company obtain permission from the owners of these pictures to use, sell, or modify them?”

4.  Conclusion

Establishing an internal procedure for using the Internet to make employment decisions is one more piece of a sound ethics and compliance program that addresses how your company is using social media.  If using an outside vendor to perform social media background checks is part of that policy, you should assure yourself that the company is acting in compliance with the relevant laws.  Further, if your company does decide to use an outside vendor, the company should not assume that employees will forego their own Internet searches of job candidates unless they are specifically instructed to follow the company’s procedure.

Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.

Blog at WordPress.com.