Social networking is a truly remarkable vehicle for advancing communications. Whether participating in LinkedIn, Facebook, MySpace, Twitter, or another of the latest networking tools, participants can quickly reach out to a host of individuals and effectively initiate mass communications within their social networks. Intentionally, social networks are designed to grow exponentially to an unlimited number of users in a short amount of time.

Information that is posted, perhaps innocently, within a social network can be spread quickly to others connected to the network – much like a virus. In turn, the recipients of such information can further transmit communications to others outside the networks. Similarly, information that is posted on blogs, microblogs, and elsewhere on the Internet is susceptible to being retransmitted in ways unimaginable by prior generations in the workforce.

Today's communication vehicles, including social networking and blogging, raise a number of risks for companies. This article identifies and discusses several of the more important legal issues presented by employee activities through these vehicles.

What is posted in cyberspace may be used against you (and your employer)

Perhaps the most pervasive issue presented by social networking and similar online communications are that such activities create evidence that is often recoverable and can be admissible in court. For example, the Federal Rules of Civil Procedure have been amended to require litigants to preserve and produce evidence, including electronically stored information (ESI). Information posted on social networks can be ESI that is discoverable in litigation and may be used as evidence in court.

Online activities by company employees are increasingly becoming a source of evidence, particularly when the activities are undertaken using company-supplied equipment and/or systems, and are probative of employee, management or company behavior that is relevant to allegations such as breach of confidentiality or non-disclosure agreements, employment discrimination, theft of trade secrets, or infringement. For this reason, employees should be advised by employers to conduct themselves at all times, including online, within a particular code of conduct required by the employer.

An interesting example of online misconduct is that of Michael "Woody" Hanscom who chose imprudently to post in cyberspace without authorization information gained from his workplace. On his way to work at Microsoft one day, Mr. Hanscom saw a number of Apple G5 computers being delivered on Microsoft's loading dock, some of which had fallen off a pallet. Thinking his friends might find the event amusing, Mr. Hanscom took a picture of the Apple computers and later posted the photo on his blog. Mr. Hanscom titled the photo "Even Microsoft wants G5's," and mentioned "the print shop I work in is in the same building as MS's shipping and receiving."

While his posts may have garnered a few laughs, they also led to the termination of his employment – ultimately due to breaching Microsoft's security guidelines. Of particular interest, however, is the fact that Mr. Hanscom did not work for Microsoft. He had gained access to Microsoft's campus through his employment with a temporary staffing firm, Today's Staffing, on a contract job with Xerox, which handled Microsoft's copy service. As a temporary worker, Mr. Hanscom claimed he was not told of Microsoft's security guidelines, but had followed Xerox regulations and did not know photography on Microsoft's campus was a violation of any confidentiality agreement. Also, since the loading dock was visible from a public road along with much of Microsoft's campus, there was some question as to whether the photo captured information that was truly confidential. Nevertheless, Mr. Hanscom's employment on Microsoft's campus was terminated.

This example highlights a number of issues presented by online posting, whether in a blog or a social network, including:

Trail of Evidence – Using social networks and blogs creates a trail of evidence that is likely discoverable in litigation. All sorts of ESI relevant to a matter in court may be recoverable for proving or disproving facts at issue. Consider, for example, if there had been litigation surrounding Mr. Hanscom's taking of the photo(s) in question and subsequently posting it online, what devices might have stored information relating to these events: security card systems enabling his access onto the Microsoft campus and certainly within his building; PDAs, cell phones or cameras used to take the photo(s), store them, and post them online; laptops, desktops, copiers, etc. or other devices used to upload the photo(s); and ESI relating to the Web site and server where the blog was posted ultimately. Virtually anywhere electronic information may be stored can be a source of discoverable information. To the extent employer-supplied devices and systems are used to store such information, the employer possesses ESI concerning such activities and might be compelled to produce such ESI. In addition, it should be appreciated that online activities by employees, business partners and others on social networks and blogs are available for investigation, which can make for better-informed hiring and partnering decisions.

Content Rights – Once posted on a social network or blog, there is a considerable risk that ownership and control of the content posted belongs to the entity operating the social network or blog. The terms of use for the social network or blog commonly require users that post content to grant very broad rights to use and reproduce – and sometimes commercialize – the content posted. In our example, Mr. Hanscom posted the photos and other information on his own blog, and therefore did not jeopardize his content rights. However, when posting on others' social networks or blogs, the terms of use should be reviewed carefully to understand what rights are being granted to the owner of the site upon the posting of any information.

Copyright Considerations – Use of social networks and blogs may infringe someone else's copyright. Copyright protection is directed to the form in which a work of art is expressed, not the content or subject matter. Using third party content – e.g., photos, graphics, songs, etc. developed by others – without permission, certainly increases the risk of infringement and can result in both civil and criminal liability under the Copyright Act, 17 U.S.C. §101 et seq. Such liability can result in treble damages and attorneys fees being awarded. Publishing rights are often owned by the author, licensed from the author, or publicly available. Before publishing content authored or owned by a third party, it is advisable to determine whether permission to publish is needed from the third party and if so, to obtain such permission. For Mr. Hanscom, the fact that the subject matter photographed was viewable from a public road may have provided a basis for him to claim that permission was not needed to publish the photographed matter since it was accessible to the public (and also that the subject matter was not confidential), and was not owned or controlled by Microsoft. In other words, even if Microsoft owned the Apple computers and other subject matter shown in the picture, by displaying the subject matter publicly rather than protecting the subject matter under lock and key from disclosure, Microsoft effectively consented to the subject matter being published.

Defamation, Disparagement, Breach of Contract, and Other Actions – Defamation and disparagement claims involve publishing a false statement of fact to another that is understood to be referring to a person or product/service and tends to harm the person or product/service's reputation. Perhaps, the best way to minimize the risks of potential defamation or disparagement with online publications is to assure that the information posted is in fact true and not false. For sales personnel, particularly those who may be aggressive in their efforts at times, it may be advisable to emphasize the company's policies, if any, concerning false advertising or improper product/service comparisons that are not sanctioned by the company.

In addition, if a blog or social networking post interferes with some existing, or in some cases prospective, contractual relations, such interference can subject the posting party to liability and damages proven to result from the interference. For example, if a post on a social network or blog concerning an existing or potential employee intentionally causes an employer to change the contractual relation (e.g., not hire or fire the employee), the posting party could be found liable to the employee and/or employer for damages resulting from the interference.

Similarly, nondisclosure agreements are common among parties seeking to keep non-public, sensitive information confidential. Because of the potential for mass communications through social networks and blogs, and the transfer of ownership and control over content upon posting, care should be taken to assure that confidential information subject to non-disclosure agreements is not published on social networks or blogs. For example, in Mr. Hanscom's situation, the photo(s) of the Apple computer if considered alone, may not have been confidential. However, in combination with the other information Mr. Hanscom posted, including the title he posted concerning an alleged desire by Microsoft for the G5's and the comments he made concerning where specifically he worked and what he had seen, Mr. Hanscom's posts, particularly when viewed together, posed a threat to Microsoft's security by making otherwise non-public information public.

Employer Policies – Mr. Hanscom's situation highlights not only the ease with which confidential information may be leaked publicly by employees, but also the need for employers to have policies in place that limit the risks employers face for employee activities online. An employee may gain access – even temporarily like Mr. Hanscom – to a company's sensitive information by agreeing to perform certain work for the company. Once inside the company's walls and systems, an employee's contemporaneous access to company information and to social networks, blogs and other online venues increases the risk that company information may be transmitted to unintended recipients. Accordingly, companies should seek to minimize exposure to this risk by implementing and/or tightening policies and procedures designed to:

a.    Limit access to sensitive information (i.e. trade secrets, proprietary information, specifications, source code, customer lists, and the like) to employees on a need-to-know basis only;
b.    Educate employees concerning ESI and its potential use in court;
c.    Adopt a code of conduct that educates employees as to the type of conduct expected wherever the employees are, including online;
d.    Implement non-disclosure agreements and no camera policies where appropriate, even for temporary staffing situations;
e.    Incorporate an electronic media and social networking policy as part of the company's employee handbook, or its employment or independent contractor agreements, including identifying the types of information the company considers confidential and setting forth the procedures and disciplinary actions the company will take if the employee violates the policy;
f.    Clearly distinguish supervisors' public recommendations and positive referrals from formal employee evaluations utilized for promotional, disciplinary, and compensation purposes; and
g.    Clarify that harassing, demeaning or unprofessional conduct directed at coworkers on social networks will be investigated and treated in the same manner as harassing letters, phone calls, and related behavior occurring outside of the workplace.

Conclusion

Like the opening of Pandora's box, the consequences to a business whose employees use social networking and/or blogs can be unpredictable and the effects quite damaging. Companies with a need to protect sensitive, confidential information from public dissemination should be particularly concerned about the threats social networking and blogging pose. Company policies and employee guidelines concerning social networking are available for implementation and are recommended to reduce the risks to businesses caused by online activities.

Michael J. Powell and David Gevertz are shareholders in the Atlanta office of Baker, Donelson, Bearman, Caldwell & Berkowitz, PC. Mr. Powell, who focuses his practice representing companies in intellectual property matters, can be reached at (678) 406-8707 or mpowell@bakerdonelson.com. Mr. Gevertz, vice chair of the firm’s Labor and Employment Department, can be reached at (404) 221-6512 or dgevertz@bakerdonelson.com.