How to Manage Social Media Liability in the Workplace: RIMS
“I remember when the worst thing you had to worry about at work was a misdirected reply-to-all on an email.”
Joann Lytle, a partner with the law firm McCarter & English in Philadelphia, knows things have changed and there are many ways for employees and businesses to get caught up in legal trouble these days using electronic communications and social media from Facebook to Twitter to YouTube to LinkedIn and more.
Jennifer Reno, risk manager at the shopping network QVC, notes that businesses use social media to market, provide customer service, conduct research and even hire employees. It is popular because it can be low cost compared to other forms of marketing.
But both experts warn that if it’s not properly managed or insured, low-cost social media can lead to unexpected high costs. The potential for abuse by employees, as well as employers, is considerable.
Reno and Lytle discussed some of the risks, management strategies and insurance issues during the 2021 RIMS virtual annual conference in a session entitled, “Social Media in the Workplace: Litigation Risks and Insurance Coverage.”
“Basically, the speed and ease of communication is going to lead people to make impulsive ill-considered comments. There’s a lack of privacy, lack of filter. This is a permanent record and obviously regulations and case law are still at the formative stage and are evolving every day,” she said.
Employees can be especially prone to misuse social media. “They can engage in discrimination, harassment, talking about their employer, disclosing proprietary information, security breaches, union organizing,” Reno added, noting that “youthful indiscretions” can follow people.
Privacy rights violations are among the most common risks.
A Minnesota woman sued a health clinic after a clinic employee posted a photo of her and the fact she had tested positive for a sexually transmitted disease. The employer was off the hook because the webpage where the photo and comment were posted was a personal page of the employee, and not the employer’s.
“You can imagine there would be a different result if the employee had done it on company property from her own mobile device,” Lytle commented. She said employers who allow employees to use their own devices at work without any restrictions might want to think about the risks of such situations.
Reno cited a case where a hospital employee was fired for posting her boyfriend’s ex-girlfriend’s medical history on Twitter. Another involved a nurse posting on a Facebook anti-vaccine group about a child who was admitted to the hospital with measles. The nurse’s name and place of employment were on her Facebook profile. Parents whose child was a patient of the hospital shared the post to the hospital’s Facebook page and the nurse was fired for violating health privacy law.
An employer may violate privacy rights by viewing an employee’s restricted site and providing information from that site to others. Reno said that 26 states have enacted laws to prevent employers from requesting or requiring passwords to any employees’ personal internet accounts.
Employees using their personal email or other accounts for business purposes with their employer’s permission raises issues. Lytle referred to a 2019 case in which an employer authorized an employee’s use of a private Dropbox account for work-related matters. That password-protected Dropbox account contained both work-related and personal folders. Some of the personal photos were of parties and the employee’s boyfriend that “one might consider to be borderline explicit,” Lytle said. The employer’s IT administrator accessed the username and password of the Dropbox account, found the photographs, and forwarded them to executives in the company. The employee was forced to resign and later sued. While the employer argued that the Dropbox folder with the personal photos was a work account, the court said the employer’s actions clearly intruded on the employee’s private affairs.
“The result might have been different if there were any claims that the employee had stored the photographs or even viewed the photographs from Dropbox on a work computer, which could change the expectation of privacy. So these are ways an employer can really get into trouble depending on what their employees are doing and what conduct the employer takes in response,” Lytle said.
Lytle offered one other case from California where a school principal came across derogatory comments about the school posted on MySpace by a former student and shared them with the local newspaper. The former student and her family were forced to move after they received death threats. They sued the newspaper, the principal and school district. But the court dismissed the suit saying that, “No reasonable person would have any expectation of privacy after posting something like that on MySpace.”
Managing the Risk
Reno stressed the importance of employers establishing a framework to manage social media risk, even before worrying about insurance. She advises employers to draft a social media use policy and distribute it to employees.
“You really do need to know what your company, your employees, your management, are they doing on social media,” she said. “Also, what is the purpose of your social media marketing platform?”
She suggests at least an annual training program on the authorized use of social media, posting, disclosure and other issues.
It’s also important to have a monitoring program. “You want to trust everybody, but you can’t trust every single person. You also want to know how your employees are using [social media] and how they’re putting forth your brands into social media,” she explained.
The framework should also include a complaint resolution process.
“We monitor our social media on a minute-by-minute basis and we use it to make sure that if customers do actually complain even in the smallest bit about the format of a broadcast, something that someone is wearing, or about a reporter, that information is actually transmitted to a myriad of departments,” she explained. If it is something that needs to be addressed, they’ll respond to the poster and then make sure that the poster receives some type of resolution.
In managing situations where a company’s reputation might be damaged by derogatory comments, Reno suggests it is best to act as quickly as possible. “The most important thing is to take full responsibility. Make no excuses, have an immediate response. There should not be a day’s delay; it should really be within hours, minutes if possible.”
Beware Exclusions
Lytle stressed the necessity of reading the entire policy such as a standard ISO commercial general liability policy, with coverage for personal and advertising injury liability, in order to understand how any exclusions might apply. One exclusion is for injury caused by or at the direction of the insured, with knowledge that the act would violate the rights of another and would inflict personal and advertising injury. The CGL policy also has an exclusion for injury arising out of electronic chatrooms or bulletin boards over which the insured has control.
It’s also important to check whether the organization or the individual is actually an insured under the policy, Lytle added.
Faced with CGL exclusions, insureds may turn to other coverages such as employment practices liability insurance.
This might come into play where an employer fires an employee after checking out his or her pages, or decides between two applicants after scanning their social media and learning one is pregnant, or an employee alleging a hostile work environment after some employees engaged in text harassment or cyber bullying.
“Each of these examples could lead to a lawsuit for wrongful termination, discrimination or creating a hostile work environment,” Reno said.