social media

Digital Spring Cleaning

Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

Illinois amends its password protection law to exclude financial services firms

In August 2013, Illinois passed an amendment to its existing password protection law that lifts restrictions for financial services firms, enabling them to monitor their employees’ business-related social media communications. Effective January 1, 2014, the law will no longer apply when an employer requests access to a “professional account” to “monitor or retain employee communications as required under the state’s insurance or federal law or by a self-regulatory organization.” The amendment also permits Illinois employers to seek access to a professional account when the employer has “a duty to screen applicants or employees prior to hiring.”

New Jersey enacts law for social media password protection

Continuing a nationwide momentum of restricting employers’ access to personal social media content of applicants and employees, in August 2013, New Jersey passed Act 2878 joining eleven other states (Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado, Washington, Oregon, and Nevada) with similar laws. Dozens more states and the U.S. Congress are considering comparable legislation. New Jersey’s new law, which becomes effective December 1, 2013, prohibits employers from asking or requiring that applicants or employees “provide or disclose any user name or password, or in any way provide the employer access to a personal account through an electronic communications device.”

FINRA is spot-checking social media communications

In posting a Targeted Examination Letter (often referred to as a sweep letter) on its website earlier this month, FINRA invoked Rule 2210(c)(6), which states that each FINRA firm’s written (including electronic) communications are subject to a periodic spot-check procedure.

FINRA’s sweep letter seeks, among other things, an explanation of how the firm is using social media at the corporate level in conducting its business; the identity of all individuals who post and/or update content; how the firm’s registered representatives and associated persons generally use social media to conduct the firm’s business; written supervisory procedures concerning the production, approval and distribution of social media communications; the measures to monitor compliance with the firm’s social media policies; and a tabular list of the firm’s top 20 producing registered representatives (based on commissioned sales) who used social media for business purposes to interact with retail investors.

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349, which establishes similar requirements for postsecondary education institutions in regard to their students, also goes into effect on January 1, 2013.

Social media evolving as new platform for investment scams

The Securities and Exchange Commission (SEC) today charged an Illinois-based investment adviser with offering to sell fictitious securities through social media sites. According to the SEC’s Division of Enforcement, Anthony Fields of Lyons, IL, offered more than $500 billion in fictitious securities, and in some instances, used LinkedIn discussions to promote fraudulent “bank guarantees” and “medium-term notes.”

The SEC’s order instituting administrative proceedings against Fields charges that he made multiple fraudulent offers through his two sole proprietorships – Anthony Fields & Associates (AFA) and Platinum Securities Brokers. Fields allegedly provided false and misleading information concerning AFA’s assets under management, clients, and operational history to the public through its website and in SEC filings. Fields also failed to maintain required books and records, did not implement adequate compliance policies and procedures, and promoted himself as a broker-dealer while he was not registered with the SEC.

Also today, in recognition that fraudsters are now turning to new and evolving platforms to peddle their scams, the SEC issued two alerts to highlight the risks investors and advisory firms face when using social media.

One of these alerts, a National Examination Risk Alert titled “Investment Adviser Use of Social Media,” provides staff observations based on reviews of investment advisers of varying sizes and strategies that use social media. The bulletin addresses issues that may arise from social media usage by firms and their associated persons, and offers suggestions for managing the antifraud, compliance, and recordkeeping provisions of the federal securities laws. The alert notes that firms need to consider how to implement new compliance programs or revisit their existing ones to align with the rapidly changing technology.

In the SEC’s second bulletin, an Investor Alert titled “Social Media and Investing: Avoiding Fraud” prepared by the Office of Investor Education and Advocacy, the aim is to help investors be aware of fraudulent investment schemes that use social media, and provide tips for checking the backgrounds of advisers and brokers.

Controversy abounds in employment decisions based on social media searches

In May 2011, the Federal Trade Commission (FTC) ruled that companies providing social media information to employers – and employers who use the reports – must follow the same Fair Credit Reporting Act (FCRA) regulations that apply to more traditional sources. The FTC also stated that postings on any social media site can be saved by on-line background screening companies for up to seven years.

According to the FTC’s letter dated May 9, 2011 to a company that sells information from social networking sites for employment purposes, such a company is considered a Consumer Reporting Agency (CRA) and thus must take reasonable steps to ensure the accuracy of the information obtained from online social networks (as well as other sources) and positively identify it with the subject. It also must comply with other FCRA provisions, such as providing a copy of the report to the subject and maintaining an established protocol if the subject disputes the reported information. As with “traditional” background investigations, employers who use a report prepared by a CRA must certify to the CRA that the report will not be used in violation of federal or state equal employment opportunity laws or regulations. Additionally, both the CRA and the employer have a legal obligation to keep and dispose of the reports securely and properly. (For more information, see the FTC blog, “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.”)

Social media legal experts and various literature point to a multitude of issues and risks faced by both the CRA and the employer who uses social media checks, which include, but are not limited to:

  • Problems under FCRA section 607(b) in exercising “reasonable procedures to assure maximum possible accuracy” of the information.
    Since the information on social media sites is self-reported and can be changed at any time, it is often difficult if not impossible to ascertain that the information is accurate, authentic and belongs to the subject. Online identity theft is not uncommon, nor are postings under another person’s name for the purpose of “cyber-slamming” (which refers to online defamation, slander, bullying, harassment, etc.).
  • Information may be discriminatory to job candidates or employees, or in violation of anti-retaliation laws.
    Social sites and postings may reveal protected concerted activity under the National Labor Relations Act (NLRA), and protected class information under Title VII of the Civil Rights Act and other federal laws, such as race, age, creed, nationality, ancestry, medical condition, disability, marital status, gender, sexual preference, labor union affiliations, certain social interests, or political associations. And while the information may have no impact on the employment decision, the fact that the information was accessed may support claims for discrimination, retaliation or harassment.
  • Accessing the information may be in violation of the federal Stored Communications Act (SCA).
    To the extent that an employer requests or requires an employee’s login or password information, searches of social networking sites may implicate the SCA (18 U.S.C. § 2701) and comparable state laws which prohibit access to stored electronic communications without valid authorization. A California court recently ruled that the SCA also may protect an employee’s private information on social networking sites from discovery in civil litigation.
  • Assessing the information may violate terms of use agreements and privacy rights.
    While certain social media sites have stricter privacy controls than others, most if not all limit the use of their content. The terms of use agreements typically state that the information is for “personal use only” and not for “commercial” purposes. Although the definition of “commercial” in connection with employment purposes is interpretive, most legal experts indicate that employment screening fits that scope.
  • Information may be subjective and irrelevant to the employment decision.
    Blogs, photos and similar postings often do not provide an objective depiction of the subject or predict job performance. The California Labor Code, for example, specifically provides that an employer is prevented from making employment-related decisions based on an employee’s legal off-duty conduct. Employers may use such information only if the off-duty conduct is illegal, if it presents a conflict of interest to the business or if it adversely affects the employee’s ability to do his/her job. And the evidence of such activities must be clear.

The popularity of employment-related background checks that include social media searches is growing rapidly. But the unreliable and unverifiable information from these sources is a potential landmine of legal liabilities.

More on legal troubles from employer misuse of social media information

Legal experts say that litigation resulting from employer misuse of social media information is likely to rise, at least until more case law is established. And even if the company prevails in such lawsuits, there may be reputational risks as the cases grab national spotlight.

Media sources reported that next week, for example, a National Labor Relations Board judge will rule on whether American Medical Response of Connecticut illegally fired a worker after she criticized her boss on Facebook. In what labor officials and lawyers view as a ground-breaking case involving employees and social media, the NLRB stepped in to argue that workers’ criticisms of their supervisors or companies on social networking sites are generally a protected activity and that employers are violating the law by punishing workers for such statements. According to media reports, American Medical denied the board’s allegations, stating they are without merit, and that “the employee was discharged based on multiple, serious complaints about her behavior.” The company added that “the employee was also held accountable for negative personal attacks against a coworker posted publicly on Facebook…”

Media sources reported on another pending case, filed in Georgia against a school district, in which a former high school teacher is claiming that she was essentially forced to resign over Facebook photos that showed her drinking alcohol during a European vacation.

And in a case settled in 2009, two workers in New Jersey sued their employer, Hillstone Restaurant Group, after they were fired for violating the company’s core values. According to court documents, their supervisors gained access to postings on a password-protected Myspace page meant for employees but not managers. The jury found that the employer violated the federal Stored Communications Act and the equivalent New Jersey law, and awarded the employees $3,403 in back pay and $13,600 in punitive damages. Hillstone appealed before the parties reached an undisclosed settlement.

Labor relations pros caution that before taking any adverse action based on social media postings, the employer should consider whether the information could be construed as a complaint or report of inappropriate or unlawful behavior. This includes, but is not limited to, discrimination, harassment, unpaid overtime and other wage violations, or any activities that may trigger an employee’s whistleblower protection.

Lawsuit shows legal risks in using information from social media

Media sources reported that a settlement was reached January 18, 2011 in the civil rights case C. Martin Gaskell v. University of Kentucky, whereby the University agreed to pay Gaskell and his attorneys $125,000. Gaskell was a leading candidate in 2007 to be the director of a new observatory at the University of Kentucky; however, he was denied employment allegedly in part because of his apparent views on evolution. Media reports and court documents stated that during the candidate selection process, committee members conducted searches on Gaskell on the Internet, and discovered his personal website, which contained an article entitled “Modern Astronomy, the Bible, and Creation” among other notes. The sources also reported that “Gaskell had given lectures to campus religious groups around the country in which he said that while he has no problem reconciling the Bible with the theory of evolution, he believes the theory has major flaws. He recommended students read … critics [of evolution] in the intelligent-design movement.”

According to the Courier-Journal, the University “acknowledged that concern over Gaskell’s views on evolution played a role in the decision to choose another candidate.” But it argued that this was a valid scientific concern, particularly with regard to the prospect that “Gaskell’s views on evolution would interfere with his ability to serve effectively as director of the observatory. And there were other factors, including a poor review from a previous supervisor and UK faculty views that he was a poor listener.”
