California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now
There is no denying that social media continues to transform the way companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.
Seyfarth Shaw is pleased to provide you with the 2017–2018 edition of our easy-to-use guide to social media privacy legislation and what employers need to know. The Social Media Privacy Legislation Desktop Reference:
- Describes the content and purpose of the various states’ new social media privacy laws.
- Delivers a detailed state-by-state description of each law, listing a general overview, what is prohibited, what is allowed, the remedies for violations, and special notes for each statute.
- Provides an easy-to-use chart listing on one axis the states that have enacted social media privacy legislation, and on the other, whether each state’s law contains one or more key features.
- Offers our thoughts on the implications of this legislation in other areas, including trade secret misappropriation, bring your own device issues and concerns, social media discovery and evidence considerations, and use of social media in internal investigations.
- Concludes with some best practices to assist companies in navigating this challenging area.
How To Get Your Desktop Reference
To request the 2017–2018 Edition of the Social Media Privacy Legislation Desktop Reference as a pdf or hard copy, please click the button below:
In Seyfarth’s final webinar in its series of 2017 Trade Secrets Webinars, Seyfarth attorneys Justin Beyer, Dawn Mertineit, and Ryan Behndleman presented Protecting Trade Secrets in the Social Media Age. The panel focused on how to define and protect trade secrets on social media.
As a conclusion to this well-received webinar, we compiled a summary of takeaways: Continue Reading Webinar Recap! Protecting Trade Secrets in the Social Media Age
On Tuesday, September 22 at 12:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher and John Tomaszewski will present “Information Security Policies and Data Breach Response Plans.” With the recent uptick of high-profile data breaches and lawsuits being filed as a result by both employees and consumers as a result, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.
Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.
In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.
Against this backdrop, the presenters will provide a high-level discussion on how your business can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They will discuss, from a legal perspective:
- Essential components of a comprehensive information security policy;
- Key elements of a data breach response plan including strategies for state law compliance; and
- Best practices for dealing with third party vendors that store personally identifiable information for your company.
Registration: There is no cost to attend this program, however, registration is required.
If you have any questions, please contact firstname.lastname@example.org.
*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.
This week, the Connecticut Supreme Court issued an opinion which upheld a state common law negligence action against a healthcare provider for violation of privacy and confidentiality laws and regulations using as evidence of the standard of care the Health Information Portability and Accountability Act (HIPAA) and its accompanying regulations. The court denied defense arguments that HIPAA, which expressly does not provide a private right of action, preempts such state law negligence claims.
While acknowledging that it was “well settled” law that HIPAA creates no private right of action, the Connecticut Supreme Court reversed the trial court’s decision, noting that the plaintiff was not asserting a statutory right or a private right of action under HIPAA, but rather was making a common-law negligence claim with HIPAA informing the standard of care. The court, in reviewing HIPAA’s preemption provisions, which apply to “contrary” provisions of state law and exempt “more stringent” state laws, concluded that HIPAA did not preempt a state common law theory of negligence. the court found that HIPAA was appropriately used to inform the standard of care applicable to such a negligence theory on the basis that HIPAA now sets standards for health information privacy and confidentiality among health care providers,. The court was able to identify multiple decisions in both federal and state courts throughout the country which came to similar conclusions regarding HIPAA’s failure to preempt common law claims of negligence.
This is an important decision that reflects how HIPAA non-compliance or breach can be used to establish claims of negligence based on breach of applicable standards of care extending to not only “covered entities” such as health care providers, insurers or clearinghouses, but also those organizations that do business with Covered Entities as Business Associates. Based on the Connecticut decision and other similar cases throughout the country, there is a likelihood we will see an increased number of claims using state common law negligence actions based on unauthorized release or disclosure of the plaintiff’s protected health information, or even an inadvertent breach, if appropriate physical and technological safeguards were not in place as required by federal and state privacy laws.
The case is Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (SC 18904).
The commercial and personal use of drones are becoming increasingly more prevalent. Indeed, there were allegations during the ongoing World Cup that a drone was purportedly used to spy on a team’s practices by an opponent who was looking to gain a competitive advantage. Josh Salinas weighs in on the potential threat drones may pose to the protection of trade secrets.
Cross Posted from Global Privacy Watch
The White House released a set of reports this month on Big Data and the privacy implications of Big Data. While a number of folks have been discussing the President’s Council of Advisors on Science & Technology (“PCAST”) report, I would offer that the Office of Science and Technology Policy (“OSTP”) report needs to be read in conjunction with the PCAST report. They do two different things. One is a report on the technical state of affairs, and the other is more of a policy direction piece, which is driven by the technologically-oriented findings. Various points-of-view have been put forth as to the relative merits of each report, but there seems to be an important element missing from both reports. Both reports discuss the need for policy decisions to be based on context and on desired outcomes. Unfortunately, neither report really gives a good taxonomy around the informatics ecosystem to allow for a clear path forward on “context” and “desired outcomes”. What I mean by this is best summed up in the comment in the PCAST report which states: “In this report, PCAST usually does not distinguish between “data” and “information”.”. “Data” and “Information” are very different things, and one really can’t have a coherent policy discussion unless the distinction between the two is recognized and managed. Continue Reading Talking About Big Data: A Framework
On Thursday, March 6, 2014 at 12:00 p.m. Central, Michael Wexler, Jim McNairy and Josh Salinas will present Seyfarth’s first installment of its 2014 Trade Secrets Webinar series. They will review noteworthy cases and other legal developments from across the nation this past year in the areas of trade secret and data theft, non-compete enforceability, computer fraud, and the interplay between restrictive covenant agreements and social media activity, as well as provide their predictions for what to watch for in 2014.
The panel will specifically address the following topics:
- Significant federal and state court non-compete, computer fraud, and trade secret decisions, including recent developments concerning how information may lose its protected status as “secret,” damages under the Computer Fraud and Abuse Act, procedural requirements when presenting employees with restrictive covenant agreements, and attorneys’ fees and sanctions for trade secret misappropriation claims brought in bad faith;
- Important legislative efforts, including efforts to strengthen federal criminal trade secret laws, recent states’ legislative proposals concerning non-compete enforceability, and enhanced social media privacy protection laws;
- Noteworthy jury trial verdicts, criminal prosecutions, and criminal sentences for trade secret misappropriation, data theft, and computer fraud;
- Trade secret preemption and courts’ difficulties in grappling with whether the theft of non-trade secret information is actionable in tort;
- Prominent social media cases discussing when social media activity may violate non-solicitation agreements.
There is no cost to access this program, however, registration is required.
If you have any questions, please contact email@example.com.
*CLE credit is available. Seyfarth has applied for CLE credit in IL, NY, and CA. If you would like us to pursue CLE credit in any additional states, please contact firstname.lastname@example.org. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.
Social media clearly has numerous uses and benefits, as hundreds of millions of users worldwide can attest. From connecting with a long lost friend, to marketing a new product or service, to organizing a high school reunion or even an uprising in the Middle East, social media has become a ubiquitous part of our lives. But its rapid proliferation comes with risks.
In addition to the hazards to individuals on which the media regularly reports — invasion of privacy, harassment, bullying and the like — the increased risks to employers are just as compelling, albeit perhaps not as sensational. Most employers today have implemented social media policies that govern such things as if and when employees may access social media during the workday and appropriate uses thereof, but many companies fall short in protecting their trade secrets and customer relationships or goodwill.
Employees, especially younger ones, may unwittingly put their employers at risk simply by connecting with customers and/or vendors on LinkedIn, or by boasting about their latest achievements on Facebook or Twitter. Or they may be using social media intentionally to solicit customers or employees after termination.
As the line between business and personal information becomes increasingly blurred, employers must be cognizant of the risks inherent with the increased use of social media and take affirmative steps to protect their trade secrets and customer relationships before it is too late. Once a trade secret has been disclosed, its protections cannot be recovered; and once a customer leaves, he or she may never return.
The most basic step that any employer should take to protect itself is to set expectations for its employees. In addition to creating the kind of culture where employees want to be protective of their employer, this can be accomplished by implementing policies that limit what employees are permitted to post on social media, and the security or privacy measures that must be put in place if they do so.
For instance, subject to the strictures of the National Labor Relations Act, employees should not be permitted to comment publicly on confidential projects or issues, even if they believe it is only to their “small” group of friends. While this is universally true, any policy should explicitly reference social media. Moreover, if employees are permitted to connect with customers and vendors on LinkedIn, their list of contacts should be set to private so that other LinkedIn users cannot view them. This type of policy is the building block for all others, and it isn’t enough simply to have such a policy in place; it must clearly and repeatedly be explained to employees, and perhaps even be the subject of an annual training.
While most employers have confidentiality and nondisclosure policies and agreements in place, they oftentimes do not specify that customer contact information, preferences, and the like that are maintained on LinkedIn and other social media sites fall within the strictures thereof. These policies and agreements should require that such information be deleted immediately from the employees’ accounts if they leave the company for any reason (just as hard copy customer lists must be returned or destroyed).
Although potentially difficult to enforce on their own, absent evidence of misappropriation or improper solicitation, policies such as this can influence a court’s opinion of a noncompliant former employee and add support to a request for injunctive relief should litigation be initiated. Of course, one purpose of these policies is to set clear expectations so as to avoid the need for litigation in the first place.
Who “Owns” Social Media?
Once employee expectations are established, the next thing an employer should do is assert an ownership interest over social media accounts and content, even if that content is already identified as confidential and must be deleted when the employment relationship ends. Few courts have addressed the issue of who “owns” social media. It is a difficult issue because accounts are often free and employees have already joined at the time of hire. Employers should, at the very least, have policies in place that inform employees that the company owns any content that was developed on the job or using the employer’s resources or confidential information.
For instance, the policy should be clear that customer information and goodwill are the company’s property even if posted on an employee’s LinkedIn account. (This policy must go hand in hand with the confidentiality policies discussed above or it will be ineffective.) There will always be disputes over whose goodwill it actually is, and social media ownership policies will certainly not be enforced by every court under every set of circumstances, but it is better to implement such a policy than face the risks of not doing so.
Last year, in Eagle v. Morgan, a federal court in Pennsylvania ruled that a company could not assume its former CEO’s LinkedIn account after she was terminated because although the company had expressed “an intense interest in the issue involving ownership of LinkedIn accounts,” it was clear that on the date the CEO was terminated “no policy had been adopted to inform the employees that their LinkedIn accounts were the property of the employer.” Had the company implemented such a policy, the outcome may have been different.
On the flip side, in Ardis Health LLC v. Nankivell, a federal court in New York ruled that a former employee must turn over the login, password and other access information to several websites, blogs, and social media pages that she had created and maintained for her former employer, because the employee had signed an agreement at the outset of her employment that all work created or developed by her “shall be the sole and exclusive property of [the employer], in whatever stage of development or completion,” and that she must return all confidential information upon request. The existence of such an agreement in this instance protected the company.
Where there is no policy or agreement, a court may leave the question of ownership to a jury, which is not a good result for employers, as jurors will not want to believe that their employers can appropriate or monitor their social media accounts. In PhoneDog v. Kravitz, a federal court in California denied a former employee’s motion to dismiss claims by his employer, alleging that the former employee unlawfully continued using the company’s Twitter account after he quit. There was no policy or agreement in place in this case, and the ultimate outcome will necessarily turn on who actually owns the Twitter account.
Similarly, in Christou v. Beatport LLC, the plaintiff claimed that a former employee misappropriated its trade secrets, including login information for profiles on MySpace and lists of MySpace “friends.” The defendants argued that a list of MySpace friends “is broadcast to the public via the Internet and thus cannot be considered a trade secret.” A federal court in Colorado denied the defendant’s motion to dismiss, holding that whether the information was a trade secret is a factual issue, but opined that:
Social networking sites enable companies … to acquire hundreds and even thousands of “friends.” These “friends” are more than simple lists of names of potential customers. “Friending” a business or individual grants that business or individual access to some of one’s personal information, information about his or her interests and preferences, and perhaps most importantly for a business, contact information and a built-in means of contact. Even assuming that employees generally knew the names of all of the “friends” on [the former employer’s] MySpace pages, it is highly unlikely, if not impossible, that employees knew the contact information and preferences of all those on the “friends” list from general experience.
This is an evolving area of law, and information that was protectable 10 years ago may not necessarily be protectable today.
In Sasqua Group Inc. v. Courtney, a federal court in New York ruled that LinkedIn connections and Facebook relationships with clients cultivated by a former employee were not trade secrets belonging to the firm because although that information “may well have been a protectable trade secret in the early years of [the company’s] existence when greater time, energy and resources may have been necessary to acquire the level of detailed information to build and retain the business relationships at issue … for good or bad, the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information [now] is a very different story.”
While this case is a classic example of bad facts making bad law, having policies in place at the very least sets expectations for employees, and at best it could carry the day in court.
Beware of Overreach
When implementing policies and agreements related to social media, employers must beware not to infringe upon employees’ rights under state or federal law, including the National Labor Relations Act, which safeguards employees’ right to engage in “protected concerted activities,” Additionally, many states have now enacted or proposed some form of social media privacy laws, some of which prohibit employers from requiring employees or applicants to disclose login information to social media accounts and retaliating against those who refuse to do so.
Employers must also ensure that their own conduct does not run afoul of any laws, including the federal Stored Communications Act, which prohibits the unauthorized access of electronic communications and has been applied to social media. Earlier this year, in Ehling v. Monmouth-Ocean Hospital Service Corp., a federal court in New Jersey held that an employee’s Facebook posts were protected by the Act because she had configured her privacy settings to restrict posts to her “friends” (but found that the employer had not violated the act by viewing the employee’s wall, because a co-worker, who was one of her Facebook friends, showed the post to their employer).
Similarly, in Maremont v. Susan Fredman Design Group Ltd., a federal court in Illinois refused to grant summary judgment to an employer on claims brought by an employee alleging that it had illegally accessed her Twitter and Facebook accounts while she was on medical leave, finding that there were factual disputes as to whether the employer exceeded its authority in accessing those accounts.
Legal issues aside, most employers do not want to create a culture where their employees are constantly in fear of being monitored, which will harm morale and decrease loyalty. This can have the exact opposite effect of what the policies are intended to promote, as disgruntled or disloyal employees are the most likely to take actions harmful to the company.
What Constitutes Solicitation on Social Media?
Regardless of what policies and agreements are implemented, employers must typically still establish that a former employee misappropriated trade secrets and/or improperly solicited customers or employees to obtain relief. The lines are not as clear as they were in the past, however. Does “friending” a customer on Facebook constitute solicitation? Updating one’s LinkedIn account to identify a new employer? Tweeting how great a new employer’s product or service is? These questions largely remain open and have not been addressed in most jurisdictions.
In fact, recent research has uncovered no published decisions in the employment context regarding what constitutes improper solicitation using LinkedIn, the most prolific business-centric social media site that has more than 225 million users worldwide.
However just last month, a Massachusetts court issued an unreported decision in KNF&T Staffing Inc. v. Muller, holding that updating a LinkedIn account to identify one’s new employer and to list generic skills does not constitute solicitation. In this rather narrow decision, the court did not address whether a LinkedIn post could ever violate a restrictive covenant, and several other cases involving this issue settled before it could be resolved.
Outside of the employment context, the Court of Appeals of Indiana, in Enhanced Network Solutions Group Inc. v. Hypersonic Technologies Corp., held that a nonsolicitation agreement between a company and its vendor was not violated when the vendor posted a job publicly on LinkedIn and an employee of the company applied and was hired for the position, because all major steps that led to the employment were initiated by the employee.
In the context of Facebook, a Massachusetts court ruled in Invidia LLC v. DiFonzo that a hairstylist did not violate her nonsolicitation provision by “friending” her former employer’s customers on Facebook because “one can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair.”
Likewise, in Pre-Paid Legal Services Inc. v. Cahill, a former employee posted information about his new employer on his Facebook page “touting both the benefits of [its] products and his professional satisfaction with [it]” and sent general requests to his former co-employees to join Twitter. A federal court in Oklahoma denied his former employer’s request for a preliminary injunction, holding that communications were neither solicitations nor impermissible conduct under the terms of his restrictive covenants.
In sum, common sense continues to reign supreme in determining what constitutes solicitation in the age of social media, and if it looks, tastes and smells like solicitation, it probably is. Nevertheless, it is imperative that employers protect their trade secrets and goodwill by setting clear expectations and implementing policies and agreements that clearly express those expectations and provide a means by which to enforce them if necessary.
As social media becomes more engrained in our lives, we hear more and more about its use among students. Although some of these uses are perfectly legitimate, others, such as the use of social media for bullying or defamatory purposes, are not. In a recent case in Oregon, Matot v. CH et al, the court addressed the question of whether the “subject of a fake social media account” could successfully claim a violation of the Computer Fraud and Abuse Act (“CFAA”) against the creators of the fake profile. The court answered the question with a resounding “No.”
Recently, students at a Oregon high school allegedly created a fake social media account for the school’s principal and allegedly began posting obscene materials on this page. Mr. Matot filed suit against both the students and their parents, alleging defamation and negligent supervision, as well as a violation of the CFAA. According to the principal, in allegedly creating these postings, the defendant students had allegedly used school computers in a manner which “exceeded authorized access” under the CFAA.
The federal district judge in Oregon, however, found otherwise, and held that there was no violation of the CFAA. In determining this, the court first addressed LVRC Holdings L.L.C. v. Brekka,, a Ninth Circuit case, where the court found that an employee’s misuse or misappropriation of an employer’s confidential or proprietary information is not “without authorization” as long as the employer has given permission to the employee to access this information. Here, unlike in Brekka, the defendants were not employees of the social media sites, and instead, their relationship with the website was entirely based on an alleged forgery. The court next addressed the United States v. Nosal case, where the Ninth Circuit previously held that lying on social media websites was common, and declined to recognize this as a CFAA violation.
Ultimately, the court in Matot concluded that the term authorization has been narrowly interpreted under Ninth Circuit law, and any ambiguity concerning criminal statutes should “be resolved in favor of lenity.” Here, if the court were to consider lying on social media websites a violation of the CFAA, millions of people could be charged with violations of this statute, including law enforcement officials. As such, the court found dismissal of this claim was proper. Furthermore, the court denied leave to add a RICO claim, finding, “Congress did not intend to target the misguided attempts at retribution by juvenile middle school students against an assistant principal in enacting RICO.”
Interestingly, as Venkat Balasubramani points out on the Technology and Marketing blog, the court failed to address the question of whether the principal actually had standing to pursue the claim. According to Balasubramani, civil claims under the CFAA can only be pursued where a computer is accessed without authorization and the principal failed to show the students lacked such authorization. Additionally, he points out that the court did not address the impact of the students’ First Amendment Rights, if any, or whether their parents could actually be held liable.
Based on this case and some other rulings in the Ninth Circuit, creating a fake social media profile, on its own, cannot be the basis for a CFAA claim, at least for now apparently.