Learn how to navigate the potential risks and protect your brand in the world of social media. Topics discussed include user-generated content, employee engagement, privacy laws, and more.
Social Media 2016: Addressing Corporate Risks CCWC Social Media Panel September 21, 2016 Aria Hotel, Las Vegas, Nevada
Panel Introductions • Dionne Blake, Senior Director, Assistant General Counsel, Target • Kimberly Cole, Claims Counsel, United Educators • Nubiaa Shabaka, Executive Director, Technology, Data Protection and Sourcing Legal, Morgan Stanley • Sheryl Ann Yamuder, Senior Managing Counsel, Privacy and Data Protection/Law and Franchise Integrity, Mastercard
Overview • Social Media Branding • User Generated Content • Employees and Social Media • Impact of State Privacy Laws • The Intersection of Social Media, Privacy and Cybersecurity
Social Media: Cyber “Real Estate”
Facebook is the world’s most popular social network with over 1.28 billion users.
Personal Branding Marketing Tool • Define who you are & what you have to offer (i.e., education, employment, experience) • Identify areas of expertise (differentiate) • Self-Promote (i.e., awards, publications) • Control your message
Leverage • Search: Content, Jobs, People • Connect: Industry, Areas of expertise, Subject matters of interest • Publish: Articles, Blogs, Presentations
Potential Risks to Employer BEWARE: • Use of brand and other proprietary material • Identification of projects or targets • Conflicting messaging
Some General Principles of Privacy Protection Key Principles: Fair Information Practices • Notice / Transparency • Provide a Privacy Notice that gives consumers notice about: • The Personal Data that is being collected. • The purpose for collection. • How the Personal Data will be used and shared. • Consent/Choice • Consumers must have the ability to decide if and when information will be collected and how it will be used and shared. • Consumers can exercise their choice through both: • Opt-in mechanisms (e.g., unchecked boxes) AND • Opt-out (i.e., mechanisms to withdraw consent at any time). • Data Minimization • The collection and use of the data should be limited to what is needed for the intended use. • Use of data must be limited to the scope of the consent.
User Generated Content (“UGC”) • What Is It? • UGC is any form of content that is created by an individual consumer. • Includes personal images, video, audio, and text (e.g., tweets, posts, status updates, written contest entries). • May be posted to social media or elsewhere on the Internet, or submitted directly to the Brand. • Most elements of UGC are considered Personal Data. • Consent/Choice • Obtain Affirmative Opt-In consent to an applicable Privacy Notice before collecting or using UGC from an individual outside of the Social Media environment where it was posted. • Users must be able to opt-out/withdraw consent to future use of UGC, even if consent was previously provided.
Obtaining Consent to Use Social Media Posts Facebook • It may not be possible to obtain Affirmative Opt-In Consent through social media channels. • A Brand cannot re-use an individual’s post to the wall of a Facebook Page in another medium because the individual has not provided Consent. • The Brand cannot modify its page on Facebook to obtain Affirmative Opt-In Consent to its Privacy Notice.
Obtaining Consent to Use Social Media Posts Twitter • Similarly, Twitter users can use the #Brand hashtag (or any other hashtag of interest to the Brand). • The Brand may wish to re-use these posts, but cannot do so in the absence of Consent.
A Customized Approach to Consent • A customized approach may be needed in order to obtain Affirmative Opt-In Consent via social media. • For example: • In the Facebook and Twitter examples above, where obtaining prior Consent is not possible, the Brand must subsequently obtain Consent in order to make any use of the post. • This will require contacting the poster to request consent. • If a Brand does not wish to make any additional use of content that has been posted on its social media page or otherwise associated with its brand, no additional action is necessary.
Obtaining a Poster’s Consent via Thismoment Tool • The Brand (or its agency) is able to search for Twitter posts by keyword, hashtag, etc. • When the Brand identifies a post it wishes to use, the Brand will “Send Rights Request.”
Obtaining a Poster’s Consent via Thismoment Tool • The Brand sends a customized message directing the poster to a URL where consent will be obtained.
Obtaining a Poster’s Consent via Thismoment Tool • The link directs a user to a landing page explaining that the Brand would like to use the post. • The user must be logged into the Twitter account originating the post and authorize the app. This ensures that the person making the post is the one providing consent.
Obtaining a Poster’s Consent via Thismoment Tool • The user must affirmatively choose the content and accept the Terms & Conditions and the Privacy Policy. • Only after checking the boxes is it possible to click “I approve.”
Obtaining a Poster’s Consent via Thismoment Tool • After the poster consents, the post is available for use by the Brand.
Rugby World Cup UGC Fan Wall Overview: This page will promote social content, getting people excited and engaged in the tournament and the campaign. The hub will pull user-generated content from a Thismoment feed; ICUC will curate and moderate content. What is being collected? UGC with Consumer Consent.
Man of the Match - Player Voting Process Casting a vote Overview: Fans can cast a vote for the nominated player of their choice on Twitter by tweeting a specific hashtag that has been assigned to a player or retweeting a post that has the hashtag. What Data is being collected? A feed will be built by Digital Agency 1 to pull in all posts with the assigned hashtags. This will only be to calculate the votes cast for the players. We are not collecting personal information from the Fan. Who is collecting the data? Digital Agency 1. What will be done with this data? Digital Agency 1 will build a feed to pull in and calculate the votes.
Man of the Match Player Voting Process Priceless Surprises (on Twitter) Overview: Fans who cast a vote on Twitter may select to receive a Priceless Surprise. A Vendor will perform social listening during the voting timeframes and randomly select people who cast a vote for the Man of the Match. The Vendor will first reach out to the potential winner by publicly posting a request for them to follow MasterCard. Once the potential winner follows MasterCard, the Vendor can then privately message them about their surprise and then collect their information so that the surprise can be sent to them. • What is being collected? • Fan’s contact information so that Digital Agency 2 can send the Fan the Surprise they have been awarded. • Who is collecting the data? • Social Media Vendor. • What will be done with this data? • Social Media Vendor will pass the Priceless Surprise recipient's contact information on to Digital Agency 2 for fulfillment of the Surprise.
Social Media Financial Industry Regulatory Framework
Regulation Timeline (1998–2015; legend: SEC/FINRA, Other regulatory bodies) • April 2013 SEC Report on Regulation Fair Disclosure • April 2014 SEC Compliance and Disclosure Interpretations on Hyperlinks in Proxy Contests and Securities Offerings • Dec 2015 FINRA Broker Check Rule Regulatory Notice 15-50 • Jan 2012 SEC Compliance Risk Alert • Mar 2013 SEC Investment Management Guidance • Jan 2011 Regulatory Notice 11-02 • Jan 2010 Regulatory Notice 10-06 • May 2015 FINRA Proposed Amendments to Communications Rule, Regulatory Notice 15-16 • April 2001 NASD Notice to members 01-23 (Online Suitability) • FINRA Broker Check Revised Proposal • Feb 2013 FINRA Communication Rules 2210-2216 • Mar 2014 Regulatory Notice 14-10 • June 2013 FINRA Targeted Examination Letter • Dec 2014 FINRA Review of Communications Rules Regulatory Notice 14-14 • May 2009 Regulatory Notice 09-25 • Aug 2011 Regulatory Notice 11-39 • Jan 2013 FINRA Broker Check Proposal • SEC Guidance on Testimonial Rule and Social Media • SEC Proposed Amendments to Form ADV • May 2012 NLRB OM 12-59 • Aug 2011 NLRB OM 11-74 • Mar 2014 FTC Letter to Cole Haan • May 2015 FTC Update to Endorsement Guides • Oct 1998 Children’s Online Protection Privacy Act • Dec 2007 Regulatory Notice 07-59 • Mar 2013 FTC Guidance • Sep 2014 NLRB Advice Memorandum • Dec 2013 FFIEC Guidance • Dec 2009 NFA Guidance • Jan 2012 NLRB OM 12-31 • July 2013 NLRB Advice Memorandum • Dec 2015 FTC Guidance on Native Advertising and Enforcement Policy • Jan 2013 NLRB OM 12-31 • July 2014 IOSCO Survey Report • July 2013 IOSCO Release
State Social Media Legislation * applies only to academic institutions ** applies only to prospective employees Last updated February 18, 2016
State Social Media Legislation Common themes: • The state statutes generally prohibit employers from requiring an employee to disclose user names or passwords to an employee’s personal social media account, or otherwise request access to his or her personal social media account. • The statutes also contain broad anti-retaliatory provisions. • Some states have broader language while others employ a more narrow approach in determining when an employer can require access to an employee’s personal social media account. The broader approach: • Some state statutes, for example, contain an exemption from the general prohibition on requesting access to an employee’s personal social media account to allow an employer to gain access in order to comply with state and federal laws, rules, and regulations, case law, and the rules of self-regulatory organizations. The more narrow approach: • Other state statutes, for example, either limit an employer’s access to an employee’s professional social media account (e.g., those accounts provided in whole or part by the employer) or permit access to an employee’s personal social media accounts in cases where there is a reasonable belief that the account is relevant to an investigation involving allegations of employee misconduct or violation of applicable laws and regulations.
Examples of State Laws and Securities Exemptions Rhode Island • In June 2014, the Rhode Island legislature passed a law that prohibits employers from requiring, coercing, or requesting that an employee disclose the passwords to a personal social media account, or to access the account in the presence of a representative. • Notably, the law does not prohibit an employer from complying with a duty to monitor or retain employee communications that is established by a self-regulatory organization or under state or federal law or regulation to the extent necessary to supervise communications of insurance or securities licensees for insurance or securities related business purposes. Wisconsin • In April 2014, the Governor of Wisconsin signed into law a bill that prohibits employers from requesting access to or observation of an individual’s personal internet account. • The law does not apply to a personal account or an electronic communications device of an employee engaged in providing financial services who uses the account or device to conduct the business of an employer that is subject to the content, supervision, and retention requirements imposed by federal securities laws and regulations or by a self-regulatory organization.
The Intersection of Social Media, Privacy and Cybersecurity: Where Are We Heading in the Market and in Regulation?
Privacy & Cybersecurity Overview 3 Basic Components of US Privacy Law • Notice: Operators of websites/mobile applications that collect personal information must post a compliant privacy notice, which includes information concerning collection, use and disclosure of such information and allows for choice (opt-in and opt-out). • Safeguards: Rule that requires companies to address “administrative, technical and physical safeguards” for protection of customer nonpublic personal information. • Safeguards are critical in light of the ever-evolving cybersecurity threat landscape. The primary threat actors are: • Hacktivists: politically motivated cyber attackers who hack in order to demonstrate their dissatisfaction with individuals, organizations and governments • Cyber criminals: motivated to steal valuables; often financed & headed by traditional criminal organizations • Nation states (or state-sponsored attackers): government funded and guided attackers often ordered to launch intellectual property theft or general disruption of critical infrastructure • Nation state-less attackers: not particular to a specific nation or state, predominantly focused on promoting their cause through attacks aimed at disrupting financial markets • Insiders: current or former employee, contractor or partner who intentionally misuses authorized access in a manner that negatively affects the confidentiality, integrity or availability of information or systems • Breach Notification: Response program to address incidents of unauthorized access/acquisition to certain personal information.
Intersection of Social Media, Privacy & Cybersecurity A Few Examples • Bad actor sets up a fake social media page impersonating a Financial Advisor (FA) • FA social media account hacked and bad actor spams contact list • Unwitting employee posts on social media site their detailed resume, work email address, detailed information about sensitive position or security clearance • Confusing social media privacy settings; be cognizant of amount of personal information disclosed A Few Takeaways – Your company needs: • policies & procedures (reviewed, tested & updated) • employee and third party privacy notices/consents • training • monitoring • cyber response plan (communications, take-down process, table-top exercises, etc.) • regular review of social media terms and conditions (e.g. restrictions concerning # of accounts) Future • Market: continued growth in mobile, cloud, big data and the Internet of things • Regulation: continued passage of regulation and guidance by federal and state regulators and quasi-regulators concerning social media, privacy and cybersecurity. * Information sharing increasing via legislation (e.g. CISA) as well as industry practice (e.g. FS-ISAC).
Employment Law based claims • Discrimination/Harassment claims • Title VII • ADA (Americans with Disabilities Act) • FMLA (Family and Medical Leave Act) • GINA (Genetic Information Nondiscrimination Act) • Wage and Hour claims • FLSA (Fair Labor Standards Act)– off the clock work • Expense Reimbursements • Protected Conduct or Speech • Constitutional • NLRA (National Labor Relations Act) • Privacy violations • “Monitoring” • Password use
Commercial/Corporate based claims • Brand/Reputational impact • Misuse of corporate logo • Unauthorized photos/video of employees • Unauthorized photos/video of clients, business partners, vendors • Photos/video of employee engaging in illegal conduct • Ineffective/discourteous interactions with customers/clients • Violation of client “privacy” • Controversial opinions • Unfavorable acts/conduct • Unfair Deceptive Trade Practices • Endorsements • Testimonials • Recruiting (Non Solicitation)
Pitfalls – What should you consider? • Notice • If and when, does proliferation on social media put an entity on notice of: • Product defects • Employee misconduct • Misuse of products • Potential liability • Unauthorized Disclosures • Proprietary • Confidential • Trade Secret • Malicious
Considerations for Use of Social Media • On or off the clock? • 31 states have laws prohibiting discipline for various forms of lawful off-duty conduct • Political activity • Tobacco use and use of other lawful products • Almost any lawful conduct (CA, CO, ND, NY) • Reproductive choices • “Expressive activity” (UT) • Does it affect, impact or pertain to their role/employment? • Use of time • Family and Medical Leave Act • Americans with Disabilities Act • Sick time provisions • Employer policies • Speaking on behalf of the Employer?
Potential Issues • Topic controversial – • Public v. Private Employers • Public employers – Constitutional Protections • Private employers • Safety • Terms and conditions of employment • Reputational or Brand Impact? • Conduct legal, but public perception/feedback is consequential • Endorsements or Testimonials?
These are presentation slides only. The information within these slides does not constitute definitive advice and should not be used as the basis for giving definitive advice without checking the primary sources. Thank you.