Social Media Checklist

Top Five Things You Can Do to Legally Protect Your Company

By Jennifer A. Mansfield

Social media has had a vast and positive effect on business marketing. A quick tweet or Facebook posting can reach billions of consumers at almost no cost to the company.

Below is a list of the top five things your company can do to protect itself legally in this new communications world. This list is by no means comprehensive. But it can provide a useful jumping off point for getting your legal social media house in order–and potentially saving your company millions in liability.

1. Have a Security Plan–and Follow It.

New media present new means for a company’s employees, through wrongdoing or inadvertence, to release confidential or sensitive information. Hackers are also a constant threat. The improper release of confidential information can lead to unwanted publicity and legal exposure. Make sure your computer data is protected.

The FTC has taken the position that if a company is not taking reasonable steps to protect personally identifiable information (PII) in its possession, it is participating in a deceptive act under federal law. Are your company’s data–including laptops–encrypted? If the PII of your customers is too easy to access, you may be facing the FTC in the future.

Thus, due diligence in selecting and monitoring your IT security vendors is essential. Establish policies on how PII is handled and be sure the policies are followed. Technology continues to evolve at a rapid pace. Consequently, your company should review its IT systems and vendors on a regular basis.

2. Have an Emergency Breach Plan.

Notwithstanding all the efforts your company may make, hackers will always exist and people will make mistakes. Since a good defense is often a good offense, the company should plan for the worse case scenario–a breach. The plan should include a checklist of who should be contacted internally at the company, and who legally needs to be contacted outside the company. Create an emergency response team, including key personnel from IT, risk management, legal, and PR. Have key contractors in place BEFORE you need them, and a list of critical steps that must be taken to both mitigate the breach and complete the required legal notifications.

Having a plan developed before a breach could save both time and money later in the event a breach occurs.

3. Have Terms of Use and Privacy Policies for Your Websites.

Government regulations concerning advertising or communicating to others via social media can impose restrictions and regulation, as well as safe harbors from liability. Terms of Use and Privacy Practices govern not only how your company interacts with its website users, but are also tools to ensure that your company is complying with applicable regulations.

When drafting Terms of Use or Privacy Policies, keep in mind that according to the FTC, your Terms of Use and Privacy Policies are contracts between you and your website users. So, be honest and realistic. It might sound like great advertising to boast that you have the most up-to-date data security programs and procedures to protect your clients’ data, but is that a promise you can keep? How often would you be required to buy more software or hardware to keep that promise? If you have a breach, would an investigator conclude that your system was the “most up-to-date” available at the time of the breach? Terms of Use and Privacy Policies are not marketing tools; they are contracts. Careful thought must be taken when deciding what a company can promise to its social media users.

4. Have Employment Policies That Address Social Media

Employers are increasingly using social media to support their recruitment efforts and to research job candidates. But sometimes employers will receive information via social media that they cannot lawfully consider when hiring, such as race or religion. If the employer receives that information anyway, it must take steps to ensure that it does not base hiring decisions on the protected status. Company policies should be implemented setting out what information can be considered when hiring, and whether or when an Internet search will be conducted on candidates.

Social media posts on company sites also provide fertile fodder for disparate treatment claims. A mid-level manager’s discriminatory animus or statements could support a discrimination claim against the company. While employers should not be held liable for comments made on non-work related social media sites they don’t know about, they are potentially liable when they learn about harassing posts, but do nothing to stop the conduct.

Workplace use of social media can also bring federal labor law claims. Even in right-to-work states like Florida, the law protects employees’ discussions of the “terms and conditions of employment.” For this reason, the National Labor Relations Board has ruled in a number of cases that employers have violated the National Labor Relations Act by firing employees for their social media posts reacting to the terms and conditions of their employment. Likewise, the NLRB has found employee policies that violate the act when they can be interpreted to prevent or punish employees for speaking about the terms or conditions of employment with their coworkers. Therefore, even non-unionized companies should consult an attorney before firing someone over a social media post or implementing social media policies.

Companies should implement clear policies that address which employees can use social media in the workplace, what types of materials they may post, and that the company expects all employees to safeguard proprietary and private information at all times.

Employee policies should also include the proper use of intellectual property. Many people have the mistaken impression that if they find a photograph or video on the Internet, it’s okay to reuse it. But the copyright to any creative work on the Internet presumptively remains the property of the creator or the creator’s assignee. Companies, therefore, need to be careful before lifting material off the Internet and using it for themselves.

5. Train Your Employees Regularly

The above steps will be meaningless without training your employees. Company managers should be trained in employee privacy rights, laws against discriminatory communications in the workplace, federal labor relations laws, and other legal issues protecting employee communications. Appropriate Internet use on company time should become a regular part of new-employee training, and should be reinforced through company in-services and written internal communications.

With proper training and risk management, social media can provide a low-cost and reasonably safe environment for companies to expand their businesses and engage their consumers.


By Jennifer A. Mansfield

She is with the Data Security and Privacy Team and National Media Practice Team of Holland & Knight LLP and is resident in the firm’s Jacksonville, FL office.

Leave a Reply