Having a social media presence has become a necessity of both private and professional life in the 21st century, and managing it effectively is more important than ever. A social-media presence can manifest itself in a variety of ways – from commenting fora on websites and live chat systems to more formalized social media platforms such as Twitter, LinkedIn, Facebook and beyond – but in all instances, it projects the company's brand to untold numbers of people.1 Many of the most popular social-media outlets – such as Facebook, which surpassed one billion users in 2012 – are blurring the lines between professional and personal social media.2 As a result, use of social media by companies has exploded, quickly overtaking previous methods of corporate outreach. For example, in 2012 73% of Fortune 500 companies reported using a corporate Twitter account (an 11% increase over the previous year), and 66% had a Facebook page.3 By comparison, only 28% of these companies had a corporate blog (still, a significant increase over previous years).
As discussed in further detail below, these activities create compliance obligations for regulated entities – such as financial institutions and financial advisors – that are in the process of being addressed and clarified by regulators. But even for non-regulated entities, social media activities can be the focus of potential litigation and discovery obligations. Therefore, in addition to addressing best-practices of social media management (using recent regulator guidance as a reference), this article will briefly discuss a party's obligations once in litigation.
The Importance, and Best Practices, of Social Media Management
As the use of social-media by companies has become nearly ubiquitous companies have begun to grapple with the implications of social media use by both the company and its employees. As summarized below, certain regulated industries are at various stages of implementation of social media policies based on guidance issued by government and industry regulators. Likewise, many professional organizations, such as the American Medical Association, and various legal associations and bar organizations, have issued social-media guidance to their members.4 However, even for companies in unregulated industries it is important to have a well thought out, and implemented, social-media policy. Certain lessons can be drawn from the guidance issued by the Federal Financial Institutions Examination Council ("FFIEC"), the Securities and Exchange Commission ("SEC"), and the Financial Industry Regulatory Authority ("FINRA") regarding the core principles of such a social-media policy. This advisory will examine the regulatory guidance issued or proposed for financial institutions with an eye to articulating those lessons for companies in other, unregulated industries.
Social Media Obligations of Regulated Financial Institutions
Recently, the FFIEC – a body that is empowered to "prescribe uniform principles, standards, and report forms for the federal examination of financial institutions" and to "make recommendations to promote uniformity in the supervision" of those financial institutions – promulgated a proposed "Social Media: Consumer Compliance Risk Management Guidance" (the "FFEIC Guidance") to its members.5 Although the proposed guidance is still in the 60-day comment period as of this writing, it is designed to address "the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media" by financial institutions.6
These institutions would be expected to "use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media." The FFIEC recognizes that this form of customer interaction "tends to be informal and occurs in a less secure environment" and therefore presents "unique challenges" to these institutions. According to the FFIEC, one of the principal ways risk can increase is from "poor due diligence, oversight, or control" of the social media activities by the financial institution.7 Therefore, the guidance is designed to "ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program." Specifically, the guidance provides that:
- A financial institution should have "a risk management program that allows it to identify, measure, monitor, and control the risks related to social media", and the "size and complexity" of the program should be "commensurate with the breadth" of its social media activities.
- The risk management program should be "designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing." As part of that process, it should have an "[a]udit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance."
- This program should include a "governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution" and "establishes controls and ongoing assessment of risks in social media activities." This would include parameters "for providing appropriate reporting to the financial institution's board of directors or senior management."
- The institution should have policies and procedures "regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance." These policies and procedures "should incorporate methodologies to address risks from online postings, edits, replies, and retention."
- The institution should have "[a]n employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities."
- The institutions should have a "due diligence process for selecting and managing third-party service provider relationships in connection with social media" and an "oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party."
The Proposed Guidance further provides that even if a financial institution "has chosen not to use social media" it should "still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media" that is not run or managed by the company.8 Substantively, the Proposed Guidance identifies several laws that apply to various financial institutions. Although the laws addressed are beyond the scope of this article,9 generally they deal with the financial institutions' disclosure obligations, and the FFIEC explicitly warns that the "laws discussed in this guidance do not contain exceptions regarding the use of social media."10 In other word, although the communications are "less formal," laws that can expose "an institution to enforcement actions and/or civil lawsuits" must be observed even in that context.11
Social Media Obligations of Individuals and Entities Regulated by the SEC and FINRA
Other professionals in regulated industries also face compliance requirements with regard to their use of social media. For instance, a little over a year ago, the SEC Office of Compliance Inspections and Examinations, in consultation the staff of FINRA, issued a "National Examination Risk Alert" titled "Investment Adviser Use of Social Media" (the "Alert").12 Broadly, the Alert is aimed at helping registered investment advisers ("RIA's") in "designing reasonable procedures designed to prevent violations of the Advisers Act and other federal securities laws," (such as the antifraud, compliance and recordkeeping provisions of the Exchange Act) by, inter alia: issuing usage guidelines and content standards, providing sufficient monitoring, approving content, and providing training.13 The Alert contains recommendations from the staff about areas to consider with regard to these issues.
The Alert further stresses that special obligations arise with respect to third-party content and recordkeeping responsibilities. For instance, RIA's must consider whether statements made by third-parties on a social-media websites constitute "testimonials," the publication of which would constitute a "fraudulent, deceptive, or manipulative act" of the RIA prohibited by the Advisors Act.14 The SEC Staff has determined that "depending on the facts or circumstances" the use of "social plug-ins," such as the "like" button on Facebook, could be a testimonial under the Advisers Act. An example of prohibited conduct could include an invitation to the public to "like" an investment advisory representative's biography posted on a social-media site, since that election could be viewed as a type of testimonial prohibited by rule 206(4)-1(a)(1) of the Advisers Act. With respect to recordkeeping obligations under rule 204-2,15 the SEC Staff warns that the recordkeeping obligations do not "differentiate between various media" be they paper or electronic communications (including social-media posts) that relate to the advisers' recommendations or advice. Because these are third-party sites, firms are encouraged to "determine that [they] can retain all required records related to social media communications and make them available for inspection." 16
Similarly, FINRA issued at least two Regulatory Notices ("RN") that relate to the use of social media by its members (RN 10-06, issued January 2010, and 11-39, issued August 2011). These RN's are covered in greater detail in a previous article by Ethan L. Silver and Faith Colish, titled "FINRA Guidance on Social Media Used for Business Purposes."17 RN 10-06 made clear that firms had an obligation to have written policies and procedures to supervise employees' participation in social media, and one best practice alternative would be to "consider prohibiting all interactive electronic communications that recommend a specific investment product and any link to such a recommendation unless a registered principal has previously approved the content."18 In a precursor to the SEC's "testimonial" admonition, RN 10-06 warned that a FINRA member could become responsible for a third-party's post on a social network if "the firm or its personnel explicitly or implicitly" endorse or approve the post.19 RN 11-39 went into greater detail with respect to a FINRA member's record-keeping obligations under the Securities Exchange Act of 1934 and the NASD Rules.20 RN 11-39 also elaborated on interaction with third-persons (and an associated person's obligations in interacting with these actors), and again stressed that firms must (i) adopt appropriate training and education concerning its social media policies and (ii) and keep a close eye on compliance with those policies.21
Lessons For Companies and Professionals in Unregulated Industries
Even companies and professionals in unregulated industries are wise to develop a social-media policy to avoid reputational risk, and with an eye to potential litigation down the road. The FFEIC guidance with respect to reputational risk is particularly instructive in thinking about these dangers. As outlined in the guidance, activities "that result in dissatisfied customers and/or negative publicity could harm the reputation and standing" of the company even if it has violated no law.22 The reputational risks include: fraud and brand identity (which includes "spoofs" of institution communication and fraudsters masquerading as the institution), the activities of third parties contracted to manage the online identity of the company, privacy concerns arising from users posting sensitive information on the company's page, and consumer complaints made directly on the social-media website and how the company responds to such complaints.23 As mentioned above, a common thread emerges in the guidance issued by the FFIEC, the SEC and the FINRA regarding effective management. Although not nearly as detailed as the FFIEC proposals, both the FINRA and the SEC issued guidance tracks the core principles of an effective management of social-media policy: (1) well thought out, and detailed, written policies regarding use of social media by employees, (2) training of personnel regarding applicable laws and rules, and (3) effective supervision by management. These policies need to be developed, and implemented, in consultation with knowledgeable professionals familiar with your business and industry.
At the outset, the breadth and scope of the social-media policy needs to be carefully thought out. For instance, even companies in unregulated industries may be parties to collective bargaining agreements, and as a result must consider how to tailor their policies narrowly enough so as not to infringe on the protected rights of employees. In a paper published by the U.S. Chamber of Commerce in August of 2011, titled "A Survey of Social Media Issues Before the NLRB" the chamber observed that of the over 100 charges related to social-media activities before the NLRB between 2009 and May of 2011, the "vast majority" fell "into two general categories: employer policies restricting employee use of social media that are alleged to be overbroad and employer discharge or discipline based on an employee's comments posted through social media channels."24 Therefore, a careful balance must be struck between the employee's freedom of expression and expectations of privacy and the company's reputational risk.25
Needless to say, a policy is only as effective as its implementation and supervision. As the FFEIC guidance states, and the FINRA and SEC rules relating to supervision reinforce, ultimate responsibility for this implementation and supervision rests with the company's upper management. In many ways, the social-media presence is becoming the new "face" of the company, in the same way that more traditional public relations releases used to be. Therefore, the company as a whole can be harmed by the employees' actions, and it is important for higher management to be involved in the formulation and delegation of supervisory authority for the social-media training programs.
A Company's Obligations Regarding Social Media Once Litigation is Threatened or Commenced
As outlined above, regulated industries have numerous laws and rules governing the preservation of information, which can serve as an independent basis for liability should the company be the subject of a lawsuit or enforcement action. But even companies not subject to heightened retention policies should critically examine their policies regarding social-media information in anticipation of litigation.
Generally, once litigation has commenced, the scope of what information an opposing party may seek is very broad. For instance, the New York Civil Practice Law and Rules ("CPLR") provide that "[t]here shall be full disclosure of all matter material and necessary in the prosecution or defense of an action ... by [a] party ..."26 This discovery is not limited to "evidence" that could be used at trial, but to any information "reasonably calculated to lead to the discovery of information bearing on the claims." Crazytown Furniture v Brooklyn Union Gas Co., 150 AD2d 420, 421 (1989).27 Thus, once in litigation, an adversary may request and access any information that is "relevant" or "likely to lead to the discovery of relevant" evidence, and New York courts will routinely grapple with the balance between an adversary's legitimate requests for "relevant" information and "fishing expeditions" (designed in some cases to harass or embarrass an opponent and to make litigation more burdensome). These are the same considerations that underpin the federal rules.28
Company Facebook pages, as well as other forms of social-media interaction, are inherently "public" and therefore the company would be hard pressed to argue that it has any expectation of privacy, or any other basis, for withholding social-media information.29 Once the minimal burden of relevancy is established, postings are "not shielded from discovery merely because plaintiff used the service's privacy settings to restrict access just as relevant matter from a personal diary is discoverable." Patterson v Turner Const. Co., 88 AD3d at 618 (internal citations omitted). Such postings may even go as far as destroying the attorney-client privilege should litigation be commenced. See Lenz v. Universal Music Corp., No. 5:07-cv-03783, 2010 WL 4789099, at *1 (N.D. Cal., Nov. 17, 2010) (client waived privilege by discussing attorney's motivation to represent her pro-bono, her decision to abandon certain claims, and factual allegations of the case on social media).
Finally, it is crucial to note that an attorney cannot advise a client (and a party should not on its own undertake) to clean up or remove damaging postings from social media pages in connection with an ongoing litigation. An attorney in Virginia, and his client, were sanctioned $542,000 and $180,000, respectively, for engaging in such a Facebook "cleanup." See Lester v. Allied Concrete Co., No. 08-150, slip op. at 31 (Va. Cir. Ct., Sept. 1, 2011).
In conclusion, companies must develop, implement, and monitor, an effective social media strategy from the very top. As social-media presence become more and more ubiquitous, this task becomes more and more critical.
1 A comprehensive definition of "social-media" is nearly impossible, but the Federal Financial Institutions Examination Council's working definition is helpful. It defines social-media activities broadly, including "micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review web sites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille)." The central criterion being that the "communication tends to be more interactive."
2 Examples of this blurring include Facebook's move into the job search sector and the company's new "Facebook Graph Search," and its "Pages," which are a company's web-site on the Facebook platform that allows constant, two-way, interaction with other Facebook users. Likewise, LinkedIn has introduced company pages (which allow varied degrees of interaction with users). Other examples include Twitter, which allows organizations to have official, or "verified," handles and Google which is attempting to make web searching "social" by allowing individual users to endorse, or "+1", search results.
3 See Barnes, Lescault & Andonian, "Social Media Surge by the 2012 Fortune 500: Increase Use of Blogs, Facebook, Twitter and More," Charlton College of Business and Marketing Research, University of Massachusetts Dartmouth. Available at http://www.umassd.edu/cmr/socialmedia/2012fortune500/(lastaccessed January 24, 2013).
4 See "New AMA Policy Helps Guide Physicians' Use of Social Media" (Nov. 8, 2010) available at http://www.ama-assn.org/ama/pub/news/news/social-media-policy.page ; American Bar Association Division for Bar Services, "Social Media Resources for Bar Associations" available at http://www.americanbar.org/groups/bar_services/resources/socialmedia.html; National Center for State Courts, "Social Media and the Courts Resource Guide" available at http://www.ncsc.org/Topics/Media/Social-Media-and-the-Courts/Resource-Guide.aspx; Meritas(R) "Social Media Guide for Lawyers v. 2.0" available at http://docs.meritas.org/Resources/SMGuide.pdf .
5 See FFIEC Docket No, FFIEC-2013-001 "Social Media: Consumer Compliance Risk Management Guidance" (January 17, 2013). The FFIEC Council is composed of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau, as well as the State Liaison Committee ("SLC") which includes representatives from the Conference of State Bank Supervisors, the American Council of State Savings Supervisors, and the National Association of State Credit Union Supervisors. See http://www.ffiec.gov/. The request for comments is available at:http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf(lastaccessed January 24, 2013).
6 They include banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau, and those entities that are supervised by the SLC members.
7 FFIEC Guidance at pp. 4-6.
8 See FFIEC Guidance at pp. 9-11.
9 For instance, according to the proposed guidance, social media communications can trigger, among other things, obligations under (i) the Truth in Savings Act, (ii) the Equal Credit Opportunity Act, (iii) the Fair Housing Act, (iv) the Truth in Lending Act, (v) the Real Estate Settlement Procedures Act, (vi) the Fair Debt Collection Practices Act, (vii) unfair and deceptive practices under the Federal Trade Commission Act and Dodd-Frank, as well as various other Regulations. See, generally, FFIEC Guidance § IV ("Risk Areas").
10 See FFIEC Guidance at p. 12.
11 For instance, the FFIEC guidance suggests that depository institutions subject to the Community Reinvestment Act should "ensure their policies and procedures" addressing public comments maintained in their public file also "include appropriate monitoring of social media sites run by or on behalf of the institution."
12 See National Examination Risk Alert, Vol. 2, Issue 1 (January 4, 2012). Available at http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf
13 See Alert at p. 1.
14 See Alert at 6, n. 15; 17 C.F.R. 275.206(4)-1(a)(1).
15 17 C.F.R. 275.204-2
16 See Alert at 6.
17 Available at http://www.clm.com/publication.cfm?ID=345&Att=119 (September 22, 2011).
RN 10-06 (Guidance on Blogs and Social Networking Web Sites) is available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf ;
RN 11-39 (Guidance on Social Networking Websites and Business Communications) is available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p124186.pdf
Last June FINRA also issues RN 12-29, which advises members of the SEC's approval of FINRA's proposed rule change to adopt NASD Rules 2210 and 2211, together with NASD Interpretive materials, as FINRA Rules 2201, and 2212-2216 (collectively the Communication Rules). These Communication Rules become effective February 4, 2013, and in relevant part address the requirement, and exceptions to the requirement, of principal pre-approval of "Retail Communications" (defined to include "any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period.") Although FINRA regulated entities should become familiar with these Communication Rules, they are beyond the scope of this article. See RN 12-29 (SEC Approves New Rules Governing Communications With the Public) available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p127014.pdf
18 See RN 10-6, Q&A No. 3. Among other things, RN 10-06 made clear that (1) communications with customers through social-media were subject to the retention requirements of the Exchange Act and the NASD Rules, (2) investment recommendations made through such social-media could triggered the suitability requirements under NASD Rule 2310, and (3) participation in Blogs, Facebook, Twitter and LikedIn (as well as other social media) had to be supervised, and could constitute advertisement under NASD Rule 2210 if the communications were "static." See RN 10-6 Q&A Nos. 1-5.
19 See RN 10-6 Q&A No. 8.
20 See RN 11-39 Background § 1, Q&A No. 1.
21 See RN 11-39 Background § 1, Q&A Nos. 10-12. RN 11-39 also introduced a "knowledge" requirement to links to third-party websites, whereby a statement may be deemed "adopted" by virtue of knowledge of its falsity (even if the firm has not otherwise "adopted" or become "entangled" with the content of the website). See Q&A No. 11.
22 See FFIEC Guidance at pp. 26-27.
23 See FFIEC Guidance at pp. 26-30.
24 See http://www.uschamber.com/sites/default/files/reports/NLRB%20Social%20Media%20Survey.pdf("Survey") at p. 4. The survey was based on a FOIA request response by the NLRB, which included 117 charges, 7 complaints, and 5 settlement agreements, relating to social-media activities, between 2009 and May of 2011. Id. at p. 2. In addition to the general categories outline above, additional issues concerned "whether the employer bargained with a union over a social media policy and union communications during an organizing campaign." Id. at p. 4. The survey included "Examples of Issues Raised in Charges," at Section VI, and "Examples of Employer Policies Alleged to be Overbroad," at Section VII.
25 As the FFIEC Guidance stresses, employee activities, even through their personal social media accounts, "may be viewed by the public as reflecting the financial institution's official policies" or otherwise reflect poorly on the institution. Id. at p. 29.
26 See CPLR 3101(a)(1). Similarly, the Federal Rules of Civil Procedure ("FRCP") provide that "Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense ... [and] [f]or good cause, the court may order discovery of any matter relevant to the subject matter involved in the action." See FRCP 26(b)(1).
27 The FRCP make this explicit by stating that the information sought "need not be admissible" if the discovery "appears reasonably calculated to lead to the discovery of admissible evidence." See FRCP 26(b)(1).
28 See Collens v City of New York, 222 FRD 249, 253 (S.D.N.Y. 2004) ("While Rule 26(b)(1) still provides for broad discovery, courts should not grant discovery requests based on pure speculation that amount to nothing more than a "fishing expedition" into actions or past wrongdoing not related to the alleged claims or defenses.")
29 See, e.g., United States v Meregildo, 11 CR. 576 WHP, 2012 WL 3264501 (S.D.N.Y. Aug. 10, 2012) (finding that "[w]hether the Fourth Amendment precludes the Government from viewing a Facebook user's profile absent a showing of probable cause depends, inter alia, on the user's privacy settings."); Romano v. Steelcase, Inc., 907 N.Y.S. 2d 650 (Sup. Ct., Suffolk Ct'y, 2010) ("as neither Facebook nor MySpace guarantees complete privacy, Plaintiff has no legitimate reasonable expectation of privacy ... Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist. Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.") Id at 656.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.