Facebook currently boasts 700 million users, Twitter 200 million, and LinkedIn 100 million. Chances are your employees frequent at least one of these social media sites from time to time. And chances are compliance departments aren't quite clear on what their oversight role can be when employees post something that mentions their employer.

Fear that employees will say things that could come back to haunt their employers certainly isn't new, says Jack Greiner, a partner at law firm Graydon Head & Ritchey in Cincinnati; social media's blistering speed and global scope simply have made employers' concerns much more urgent. “The ability to control it has lessened a bit,” Greiner says.

So far the regulatory leadership on social media has emerged (as it often does) from the financial sector. The Financial Industry Regulatory Authority closely regulates how its member firms communicate to customers, and social media is no exception. FINRA Notice 10-06, “Guidance on Blogs and Social Networking Sites,” identifies two types of content on social media sites: static and interactive content.

Static content is relatively straightforward: An employee posts it somewhere online, and it remains there unchanged and available for all visitors to a Website to see. “As with other Web-based communications such as banner advertisements, a registered principal of the firm must approve all static content on a page of a social networking site established by the firm or a registered representative before it is posted,” the FINRA guidance says.

Interactive content, such as posts on LinkedIn or Twitter, doesn't require prior approval—but FINRA does still require firms to supervise these communications, “in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communication rules.” FINRA offers several examples of what it considers appropriate supervision, such as reviewing a sample of employees' posts, either before or after they appear online.

Those rules give financial firms several challenges. One is simply ensuring that they have a system in place to comply with FINRA's monitoring requirements efficiently; in a world of smart phones and other mobile devices, manual review of employees' online activity is nearly impossible.

Enter the software vendors, such as the Belmont, Calif.-based Actiance Inc. Its new product Socialite allows firms to monitor content posted by employees and to establish an approval process for potential changes to static content, says Sarah Carter, director of marketing. The reviewer can approve, reject, or suggest changes to the information that's about to be posted, she says. Actiance also can archive the content. Socialite was designed to meet the guidelines of FINRA, as well as those issued by its northern counterpart, the Investment Industry Regulatory Organization of Canada, Carter adds.

The software works with more than 1,000 social media platforms and includes features specific to each. For example, when a FINRA-registered representative hits the “like” button in response to a Facebook post, regulators might view that as providing an endorsement, Carter says. Socialite can be configured to restrict employees' ability to use that function.

Actiance has a partnership with LinkedIn that gives Actiance access to LinkedIn's programming interface—the technical bridge that allows Socialite to monitor employees' LinkedIn activity, including any updates employees make via devices not issued by the company, such as their personal mobile phones or laptops, Carter says.

The Legal Issues

A nifty idea for compliance departments, to be sure. But that monitoring ability still presents employers—particularly in regulated industries—with several potentially conflicting expectations about employees' use of social media.

On one hand, “I own what I do as a private citizen,” says Eric Goldman, a law professor at Santa Clara University who studies technology issues. On the other hand, employees can use the sites to conduct communications that are regulated by FINRA and other authorities.

Several lawsuits have determined that employees are free to state their thoughts, and even to criticize their bosses or workplaces, using social and other media. “Employees can talk to each other about their work conditions, and if employers try to stop them, it can be a problem,” Greiner says.

A 2009 lawsuit in New Jersey involved two employees who were fired by the restaurant chain Houston's after a manager was provided with the password to a private MySpace group employees had established to vent about their work conditions. The employees didn't access the group at work. The jury found that the company had violated the Stored Communications Act and the New Jersey Wire Tapping and Electronic Surveillance Act, although they rejected the plaintiffs' claim for invasion of privacy, according to the summary by the Citizen Media Law Project.  

More recently, the National Labor Relations Board has begun investigating employees' claims of termination over comments posted on social media sites, says Susan Freiwald, professor of law at the University of San Francisco.

SUPERVISION OF SOCIAL MEDIA SITES

The following excerpt from FINRA guidance answers the question: How must firms supervise interactive electronic communications by the firm or its registered representatives using blogs or social networking sites?

The content provisions of FINRA's communications rules apply to interactive electronic communications that the firm or its personnel send through a social media site. While prior principal approval is not required under Rule 2210 for interactive electronic forums, firms must supervise these interactive electronic communications under NASD Rule 3010 in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules.

Firms may adopt supervisory procedures similar to those outlined for electronic correspondence in Regulatory Notice 07-59 (FINRA Guidance Regarding Review and Supervision of Electronic Communications). As set forth in that Notice, firms may employ risk-based principles to determine the extent to which the review of incoming, outgoing and internal electronic communications is necessary for the proper supervision of their business.

For example, firms may adopt procedures that require principal review of some or all interactive electronic communications prior to use or may adopt various methods of post-use review, including sampling and lexicon-based search methodologies as discussed in Regulatory Notice 07-59. We are aware that technology providers are developing or may have developed systems that are intended to address both the books and records rules and supervisory procedures for social media sites that are similar or equivalent to those currently in use for emails and other electronic communications. FINRA does not endorse any particular technology. Whatever procedures firms adopt, however, must be reasonably designed to ensure that interactive electronic communications do not violate FINRA or SEC rules.

Firms are also reminded that they must have policies and procedures, as described in Regulatory Notice 07-59, for the review by a supervisor of employees' incoming, outgoing and internal electronic communications that are of a specific subject matter that require review under FINRA rules and federal securities laws, including:

NASD Rule 2711(b)(3)(A) and NYSE Rule 472(b)(3), which require that a firm's legal and compliance department be copied on communications between non-research and research departments concerning the content of a research report;

NASD Rule 3070(c) and NYSE Rule 351(d), which require the identification and reporting of customer complaints; NYSE Rule 401A requires that the receipt of each complaint be acknowledged by the firm to the customer within 15 business days; and

NASD Rule 3110(j) and NYSE Rule 410, which require the identification and prior written approval of every order error and other account designation change.

Source: FINRA Guidance on Social Networking Sites.

At the same time, individuals working in regulated industries have been penalized for comments on social media sites that were deemed inappropriate. One case involved Jenny Quyen Ta, who was fined $10,000 and suspended from association with any FINRA member for one year. Among other things, “FINRA determined that Ta's tweets were unbalanced, overwhelmingly positive, and frequently predicted an imminent price rise, and Ta did not disclose that she and her family members held a substantial position in the stock,” according to a FINRA statement. 

Communications on employee-owned systems can be held to a higher standard of monitoring. According to the Electronic Communications Privacy Act, where a company owns a communication system such as a corporate network, it can monitor whatever flows through that network, Greiner says. What's more, while experts generally recommend that companies let employees know that their communications are being monitored, they aren't required to do so.

Laws are also changing to consider the blurring of lines between work and non-work activities. While it used to be that an employee's location—whether at work or at home—at the time he or she sent a message was important in determining what regulations might apply to the communication, that's no longer automatically the case, Greiner says. “When someone sends an e-mail, where they are when they send it isn't all that relevant.”

What is relevant is the content of the message. For instance, the Securities and Exchange Commission prohibits employees from selectively disclosing material information about a company before announcing it publicly. If an employee violates that rule (Regulation Fair Disclosure) via social media, his employer probably has some liability, Greiner adds. In addition, “the FINRA regulations would limit the employee's reasonable expectation of privacy,” Greiner says.

The most effective way to balance the various responsibilities is to ask for employees' consent to be monitored, Greiner says. In addition, once a company establishes a monitoring policy, it must consistently follow through. If companies use monitoring only sporadically, or only to discipline certain groups of employees, that can create problems. 

Making matters worse for compliance officers, there are still plenty of unsettled legal issues surrounding employee use of social media. The current regulations leave “a lot of gray areas,” Goldman says. Many electronic publication sites allow individuals to discuss their work and private lives simultaneously, without a good way to separate the two. “The whole regulatory structure needs to be re-thought,” he adds.

Until then, employers need to be sensitive not only to the laws, but expectations, Freiwald says. “There's the law and then there are norms. Companies run the risk of being seen as insensitive to employees' privacy” if their monitoring is seen as overly aggressive. Given the speed with which news can travel—often via social networks—that's a real risk.