Identification And Management Of Emerging Legal Risks In Social Media

Identification and Management ofEmerging Legal Risks in Social MediaElizabeth JohnsonPartnerPoyner Spruill LLP(919) 783-2971ejohnson@poyners.com@PoynerPrivacyThese materials have been prepared by Poyner Spruill LLP for informational purposes onlyand are not legal advice. This information is not intended to create, and receipt of it does notconstitute, a lawyer-client relationship. 2012 Poyner Spruill LLP. All rights reserved.

The Obvious Risks

The Obvious Risks Privacy– Negligent Disclosures– Inadvertent and Incidental Disclosures Security– Malware– Social Engineering– Phishing/Spoofing/Spam/Scams

Negligent Disclosures Mercy Walworth Medical Center in Lake Geneva, WI – Nurses fired forpatient photos (case referred to FBI)– Allegedly photographed patients and posted to Facebook Oakwood Hospital in Detroit, MI – Employee fired for Facebook postregarding “cop killer”– Local police officer murdered, killer treated at same hospital– Employee posted disparaging remarks about alleged killer/patient Lifequest Nursing Center in Pennsylvania – Registered nurse fired forFacebook posts regarding co-worker– Post timestamps occurred while nurse was actively engaged indispensing patient medication

“Glad the Legislature recognizes our dire fiscal situation. Lookforward to hearing their ideas on how to trim expenses.”– Mississippi Governor Haley Barbour“Schedule regular medical exams like everyone else instead ofpaying UMC employees overtime to do it when clinics areusually closed.”– Employee of Mississippi’s University Medical Clinic

Inadvertent, Incidental Disclosures Dr. Alexandra Thran – disciplined by RI’s licensing boardfor Facebook post– Westerly Hospital reported to board that it “terminated[Thran’s] clinical privileges at the hospital because she hadused her Facebook account inappropriately to communicatea few of her clinical experiences in the hospital’s EmergencyDepartment.”– Doc did not identify patient names in her posting, boardconcluded that “the nature of one person’s injury was suchthat the patient was identified by unauthorized third parties.”

It’s An Epidemic

“Special” Problem for Health Care ProfessionBroad definition of PHI High stakes penalties Expensive professional and reputational disaster– Almost any information about a patient is too muchinformation– Violating patient confidentiality revocation of license,lawsuits, violation of law (fines – 1.5M maximumHIPAA penalty)So how much is too much?– “Coffee Shop Rule”– But

Magnitude of Disclosure“Coffee Shop”Rule“Cover of The NewYork Times” RulePermanencyof DisclosureVerbal, so fairlytransientPrint copy, butunlikely to beretained permanently(longer for website )Internet, potentiallypermanent retentionSearchable?NoLimited (microfiche?)Word searchable and semiavailable via search enginesMaximumInitialDistributionStarbucks avg.daily customers 500Daily circulation 1MFacebook 750M users,Twitter 200M users (est.50% log in daily)Limited (somereaders selectivelypass article along)Indiscriminate posting(Facebook/Twitter users avg. 130 friends/followers)Potential forLimited (gossip)RedistributionSocial Media Reality

Security Risks Types of Attacks (general v. targeted)– Malware 18% of social network users report malware, up from 13% in 2010 and8% in 2009 (Webroot annual survey) Malware distributed via social network 10x as effective as malwarespread via email (Kaspersky Global Research)– Social Engineering– Phishing/spam/spoofing/scams Example “Friend in Distress” scam – 14% of users report receipt in2011, compared to 2% in 2009 (Webroot annual survey)– Overall, number of firms reporting an attack via social networkingrose 70% from 2008-2009 (Sophos 2010 Security Threat Report)– 93% increase in web-based attacks in 2010; 65% of maliciousURLs were shortened URLs (Symantec 2010 Internet SecurityThreat Report)

The Obscure Risks

User-Generated Content Risk Besides legal liability for disclosures Publication of private facts / invasion of privacyInfliction of emotional distressDefamation / libel“Cyberbullying”Negligence

Job Applicants and Employees Hostile workplace Discrimination– “Classic” discrimination (race, age, gender, disability, sexualpreferences, etc.) – EEOC has confirmed position– Genetic Information Nondiscrimination Act 14Wage and HourNational Labor Relations ActStored Communications ActFair Credit Reporting ActImpersonation / Misappropriation / Conversion / TradeSecrets

Employer’s companyFacebook page Photo of companyevent posted Someone (allegedly anemployee) posteddiscriminatorycomments aboutcoworker Hostile workplacecharge

National Labor Relations Board

National Labor Relations Board About a dozen cases involving social media Recent guidance issued summarized four cases thatended badly for employers:– Employee asked coworkers on her Facebook page for theirreaction to another employee’s complaints about work quality andstaffing levels– Employee complained on her Facebook page about supervisor’srefusal to permit union rep to assist her in developing a responseto a customer complaint filed against her– Employees’ Facebook posts reveal employer’s failure to withholdstate income taxes; state tax authorities issued payment demand– Social media policies prohibiting “solicitation,” “disparaging” theemployer,” “offensive” “defamatory” or “unprofessional” content

National Labor Relations Board More likely to be protected activity Subject matter related to terms and conditions of employment,exercise of union rights, or other matters traditionally considered“protected activity” Other employees were participating in the conversation(“concerted activity”) Content that is part of a continuing dispute with employer orongoing conversation with other employees Less likely to be protected activity if negative impact onproductivity, complaints amounted to “name calling,” orcontent was inappropriate Guidance also discusses over-broad social media policies

Stored Communications Act Applies to storedwire or electroniccommunicationsheld by ISPs Prohibitsintentional accessto suchcommunicationswithoutauthorization

“ this information should not be used foremployment, tenant screening, or any FCRArelated purposes ”

Impersonation / Publicity The Lanham Act (falseassociation/falseendorsement ) Right to publicity (statestatute) Right to privacy (statecommon law),dismissed

Conversion/Misappropriation of Trade Secrets Employee leaves with Twitter account Employer suesclaiming damagesof 2.50/mo perfollower ( 340K) Claims followersand password trade secret Case survivesmotion to dismiss

Other Problems – Self-Promotion FTC’s Guide Concerning the Use of Endorsements andTestimonials in AdvertisingUnfair and Deceptive Trade Practice

Other Problems – Federal Securities Law SEC Guidance on the Use of Company Web Sites– Covers websites, blogs, shareholder forums and other social media– “Since all communications made by, or on behalf of, a company aresubject to the antifraud provisions of the federal securities laws,companies should consider taking steps to put into place controlsand procedures to monitor statements made by or on behalf of thecompany on these types of electronic forums.” Fact-specific inquiry required:– When is information “public” for purposes of Reg FD compliance?E.g., Can company Facebook posts constitute public disclosures?– When are posts or tweets considered “republished” for purposes ofthe antifraud provisions of the federal securities laws?– How do the antifraud provisions apply to posts made byemployees? Officers? Third party commentators?

Now What?

Social Media – To Ban or Embrace? Biggest mistake ignoring it Two choices remain:1. Ban it (with appropriate limits)2. Embrace it (with appropriate limits) Is it feasible to ban effectively?– Tidal wave of adoption typically drowns out efforts to ban entirely Exacerbated by rapid adoption of mobile devices– First Amendment / NLRB– Customer / patient expectations– Powerful marketing and communication tool

Identify Your Business Need Not popular for communicating with doctors– Capstrat Survey, February 2011– 84% would not use social media to communicate with doctors– Among adults ages 18 – 29 (target audience for social media), only21% would use it to communicate with doctors Some potential for other use– Capstrat respondents more favorable toward email and onlinechannels for appointment setting, medical record access, andnurse consultation– Intuit Health 2011 survey showed 73% would use an onlinesolution to get lab results, request appointments, pay medical bills,and communicate with doctor’s office

You won’t talk to your doctor, but National Research CorpSurvey of 22,000: 16% use social media assource of health care info 82.3% trust health infoobtained from social mediaat a score of 3 or higher(on scale of 1 – 5) 78.8% gave score of 3 orhigher to likelihood ofsocial media influencingtheir health care decisions

Pew Research Center, September 2010 80% of internet users get health info online (59% of all adults) 34% of internet users (25% of all adults) have read someone else’scommentary or experience about a health issues on website, blog, etc. 24% of internet users (18% of all adults) have consulted online reviewsof particular drugs or medical treatments 18% of internet users (13% of adults) have gone online to find otherswho might have health concerns similar to theirs 16% of internet users (12% of adults) have consulted online rankings orreviews of doctors or other providers 15% of internet users, or (11% of adults) have consulted onlinerankings or reviews of hospitals or other medical facilities 62% of internet users also use social media, and 23% of those (11% ofall adults) followed friends’ personal health experiences on the site 15% of social media users (7% of all adults) have gotten health info

Identify Your Business Need Potential for recruiting clinical trial participants?– White Paper, June 2011, Blue Chip Patient Recruitment– 19% were comfortable receiving info through Facebook and 14%receiving info from Twitter– 81% of “e-patients” (actively engaged in health-related socialmedia) were interested in participating in clinical trials, but only16% had done so

Identify Your Business Need On substance, stick to information not communication Communication for administrative matters (appointments,billing, etc.) One-size-does-not-fit-all– Risk for physicians and practitioners may outweigh benefits, butmay not hold true for researchers, support staff, etc. Recognize marketing potential and demographics Self-selected audiences If no business need, may indicate that you should limit(ban) rather than promote (embrace) social media

Next Steps Develop a detailed policy (preferably more than one)–––– “Approved Population,” HR, everyone elseBe comprehensive (see foregoing slides)Do not be overly restrictiveRequire/discuss compliance with third party sites’ termsTrainAudit compliancePost disclaimers, terms of use and/or privacy noticesMonitor for reputational impacts (even if not postingyourself)– Policy and training for that monitoring also is beneficial

Other governance? Formal launch and implementation planSocial media agreement for employeesCommittee oversightSenior management approval of plan/oversightAnnual program refresh

Elizabeth JohnsonPartnerPoyner Spruill LLP(919) 783-2971ejohnson@poyners.com@PoynerPrivacyThese materials have been prepared by Poyner Spruill LLPfor informational purposes only and are not legal advice.This information is not intended to create, and receipt of itdoes not constitute, a lawyer-client relationship. 2012Poyner Spruill LLP. All rights reserved.Questions?

patient photos (case referred to FBI) - Allegedly photographed patients and posted to Facebook Oakwood Hospital in Detroit, MI - Employee fired for Facebook post regarding "cop killer" - Local police officer murdered, killer treated at same hospital - Employee posted disparaging remarks about alleged killer/patient