In mid-April, US Airways found itself in a precarious situation. In response to a complaint a customer posted to the airline’s Twitter account, US Airways inadvertently attached a pornographic image, tweeting it to hundreds of thousands of followers. The airline immediately recognized its error, removed the tweet, and posted an apology. Fortunately for US Airways, as offensive as the pornographic image was, a couple days’ worth of embarrassing press coverage was about the only consequence the airline faced.
But the fact that it happened at all should raise an alert for any company concerned about the role social media plays in sharing information—particularly because it can happen so easily and quickly. Had that lewd photo been a piece of highly confidential information, US Airways could have been in much hotter water.
Social media poses a serious threat to companies’ ongoing attempts to protect their confidential information. Public companies can violate Securities and Exchange Commission regulations if non-public information is published on Facebook, Twitter or the social media site du jour. And both public and private companies alike face consequences — ranging from the loss of attorney-client privilege to delivering trade secrets to their competitors — if their confidential communications or information are disclosed.
For employers, ensuring that confidential information stays private can be tricky, as a 2010 case, Sasqua Group v. Courtney, demonstrates. In that suit, Sasqua sued one of its former employees for stealing confidential customer lists after she left Sasqua and started her own consulting business. The employee, Lori Courtney, argued that the lists weren’t confidential because the information Sasqua accused her of stealing was readily available online. She proved in court that Sasqua was connected to all the customers in question through its LinkedIn account. The court ruled in Courtney’s favor, essentially deciding that if a company links to a customer on LinkedIn (or other social media sites) that customer information can’t be considered a trade secret.
We’ve seen it before: The law is slow to catch up with technology, and in the context of social media, the Sasqua ruling is just one example. Meanwhile, companies and legal departments can take steps to stave off the very real threat that important corporate secrets will be breached via social media. Effective policies and employee training are at the top of the list.
While companies must be careful about how they define “confidential information” so they don’t run afoul of the National Labor Relations Act, it is critical for them to create clear guidance in their social media policies and other agreements on how to treat confidential information. In response to Sasqua, for example, some companies have replaced traditional “no solicitation” agreements with “no acceptance of business” clauses; the blanket prohibition on accepting business from certain of the company’s customers for a set period of time removes the question of who solicited who or who used what information. Other companies have begun requiring employees on the way out to “unlink” or “unfriend” customers before they make their departure announcements. The enforceability of such requirements isn’t entirely clear, but they may be a step in the right direction in jurisdictions in which they are allowed.
But even more importantly, companies must make sure that their social media policies track their other policies and agreements and that employees understand their confidentiality obligations. Confidentiality agreements and policies should have sections discussing social media. Non-solicits and other employment agreements should also deal with how confidential information — including customer contact information — is to be protected in our social media world.
Of course, it’s not enough for policies to provide for protection — companies also need to make sure their employees understand what business information is confidential, why it is so important that they respect its confidentiality and the ways in which disclosure can harm the company. While some employees may disclose confidential information in an attempt to harm their employer, most such sharing is inadvertent or the result of an employee not understanding what he or she is doing.
Say, for example, an employee who has included his employer in his profile posts on Facebook on Dec. 23, “Ding dong the deal is dead! Turns out I won’t have to work all week…. Christmas is saved!” The employee probably meant no harm in his post, but if his employer hadn’t yet disclosed that the deal was off, the employee has not only shared information before the company was ready to share it but has also opened his employer to liability under non-disclosure agreements, potentially caused issues with financing, and, if his employer is a public company, exposed it to liability under SEC regulations.
Similarly, an employee who has recently told his followers about a new job may Tweet “First sale is in the books! Thanks XYZ company!” The employee may think she’s just sharing with her friends that she’s succeeding in a new job, but she’s disclosed that her employer and XYZ company are doing business together — something that her employer likely would have preferred to keep confidential or at least disclose in a manner it chose. It may seem like common sense to in-house attorneys, but often employees don’t recognize the crossover between their professional and personal worlds and the ways that seemingly personal updates can reveal business information. Providing ample training and education on what and why certain pieces of information are confidential thus is critical to protecting the business.
For legal departments, it’s time to start paying attention. For years, many companies have been ignoring the risk social media poses to their confidential information. It is critical to communicate to all employees the most effective ways to avoid negative results from “oversharing” on social media: updating restrictive covenant agreements, updating social media policies, and above all else, creating robust training programs.