Escolar Documentos
Profissional Documentos
Cultura Documentos
George T. Tziahanas, Global Head, Legal and Compliance Solutions, Autonomy Inc. Eric T. Crespolini,Vice President, eDiscovery Technologies, Autonomy Inc.
Index
Introduction Background
A Trend Toward Interactive Content Memorializing Interactions
1 1
1 2
2
3
5
5 5 6
6
6 7 7 8 9
Conclusion Authors
9 9
Introduction
Within just a few short years, social media has gone from an emerging experiment in new ways to interact and connect to a legitimate channel in which businesses of all types engage. Certainly early engagement by businesses had largely been tied to consumer-focused companies, but this is changing as social media has become more accepted and widely used. Social media itself has evolved into a general term, which encompasses a variety of channels where an individual has the ability to interact with others, usually in a more one to many model than something like a phone call or even an email. Whether this is through common sites like Facebook, Twitter, and LinkedIn, or more generally through blogs and interactive posts on internal or external websites, in essence people are now communicating through many different avenues in unprecedented volumes and speed. For many regulated entities, the implications of social media are obvious: these innovative communication channels introduce new legal and compliance challenges. To the extent employees are engaging over social media channels to conduct business, obligations regarding those interactions may flow directly from existing regulatory requirements.1, 2 In some instances, regulatory authorities are issuing more specific guidance on social media, such as FINRAs Notice on social media.3 More generally, organizations are trying to understand the preservation and production responsibilities in the context of litigation. To address existing, new, and emerging requirements, it will be important to understand the nature of obligations, how business and employees engage in social media, and the solutions necessary to stay compliant. Social media models, along with associated legal and regulatory framework, will continue to evolve rapidly. As such, organizations should look to develop policies and deploy solutions that are flexible
Background
A Trend Toward Interactive Content
Even before social media became mainstream, there was a clear trend by regulators to incorporate interactive content into their requirements, even if they did not intend the effect. When email first became more prevalent, there were often discussions as to whether it merely represented a transient form of communication, or was actually subject to retention requirements. The SEC helped settle this argument when it codified that email must be preserved as a book and record for its regulated entities. The FSA took a similar (though later) stance when it required firms to record audio interactions between parties to a covered transaction.4 The regulators realized that account statements, trade blotters, or other transactional content did not provide a full context toward conduct of regulated parties. Interactive content helped fill that void. Perhaps more interesting than the regulations themselves was associated commentary by the regulators. In an interpretive release, the SEC noted its requirements (including email) were necessarybecause the preserved records are the primary means of monitoring compliance with applicable securities laws, including antifraud provisions.5 The FSA in its commentary to COBS 11.8 noted the requirement was not just about establishing greater transparency or some general compliance objective, but more specifically to increase the probability of successful enforcement.6 In both cases, the regulators are laying the case for use of interactive content for more effective enforcement activity.
1 2
See e.g. SEC 17a3-a4 or FSA COBS 11.8 See also, warning sent to Novartis regarding advertising links posted on corporate Facebook site. http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/EnforcementActivitiesbyFDA/ WarningLettersandNoticeofViolationLetterstoPharmaceuticalCompanies/UCM221325.pdf FINRA Regulatory Notice 10-6. Social Media Websites. Guidance on Blogs and Social Networking Sites. http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf Ibid at Note 1. SEC Interpretation. Electronic Storage of Broker-Dealer Records. 17 CFR Part 241 [Release No. 34-47806], May 2003. http://www.sec.gov/rules/interp/34-47806.htm FSA Policy Statement 08/1: Telephone Recording: recording of voice conversations and electronic communications, at 2.1
4 5
Memorializing Interactions
Not long ago, most business was conducted through channels and media that were limited, and not easily memorialized or disseminated. Phone conversations occurred across a copper wire, fixed-physical documents were delivered or copied by hand, and the number of people engaged in any information exchange was usually small. The reality of business today is quite different for most organizations than traditional operating environments. Since 2004, the world economy has produced more transistors (the building blocks of microprocessors) at a lower cost than grains of rice.7 This has created unprecedented capabilities to create, store, and disseminate all types of increasingly rich content. The result is business conducted across many different electronic channels, where content and interactions are easily captured and recorded. One recent case exemplifies the new dynamic of highly interactive content that is easily memorialized, and of interest and use to regulators: the Galleon insider trading case. In 2007, while reviewing a set of materials from a fairly routine inquiry, an SEC attorney came across an instant message interaction that included a simple statement by one of the conspirators. It read dont buy [Polycom] till I get guidance, want to make sure guidance OK.8 And so began one of the most comprehensive insider trading investigations in history. The Galleon investigation did not just implicate a few isolated individuals in the hedge fund or investment banking community. Rather, it reached senior executives at such storied institutions as McKinsey, IBM, Intel, AMD, and others. Lower level consultants and networks of experts across diverse industries were also involved. And in nearly every instance, interactions including phone calls, emails, text messages, and other forms were central to building a case against the relevant parties.9 It demonstrated that even diverse channels of interactions were easily memorialized and available for use by investigators. This dynamic extends beyond broad-reaching criminal and civil investigations by regulatory authorities. Increasingly, potentially relevant information in traditional private party litigation is found in new interactive channels. Two examples include a traditional intellectual property infringement and contract claim10 where parties to the suit sought relevant information from MySpace, Facebook, and Media Temple, and an administrative claim brought by the National Labor Relations Board11 regarding company policies that violate individual workers rights as well as freedom of expression protections.
7 8 9
Semiconductor Industry Association, Annual Report 2005. http://www.sia-online.org/downloads/SIA_AR_2005.pdf Fund Chief Snared by Taps, Turncoats. The Wall Street Journal, December 30, 2009. Insider Inquiry Steps Up Its Focus on Hedge Funds. The New York Times-Deal Book, February 8, 2001. http://dealbook.nytimes.com/2011/02/08/3-hedge-fund-managers-face-insider-trading-charges/?partner=rss&emc=rss Crispin v. Audigier (C.D. Cal.) (May 26, 2010) NLRB v. American Medical Response (February 7, 2011). http://www.natlawreview.com/article/federal-scrutiny-social-media-policies-facebook-posting-subject-nlrb-settlement-employer
10 11
The assumption here is that the regulator would bring civil enforcement action, where the FRCPs would apply, and is a far more likely event for organizations than criminal cases. Any criminal cases brought by law enforcement agencies would fall under the Federal Rules of Criminal Procedure, which are generally more restrictive than Civil Procedures.
13 14
Rule 26 (a)(1)(A)(ii) See e.g. EEOC v. Simply Storage Mgmt., LLC, No. 1:09-cv-1223-WTL-DML (S.D. Ind. May 11, 2010), where the court applied general discovery requirements to social media sites. See also Romano v. Steelcase Inc., 2010 WL 3703242 (N.Y. Sup. Ct. Sept. 21, 2010). For example, a corporate Facebook page, or organization maintained Twitter account. An exception, discussed further below, would be where an organization was capturing social media interactions across its network, or through some other means, and storing a copy within its control. Facebook GC Tells Lawyers Hes Looking for a Fight. Law.com, February 2, 2010. See http://www.law.com/jsp/article.jsp?id=1202441887703&slreturn=1&hbxlogin=1 Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Circ. 2008)(citing Orin S. Kerr, A users Guide to the Stored Communications Act, and a Legislators Guide to Amending it, 72 GEO. WASH. L. REV. 1208, 1209-13 (2004))
15 16
17
18
at an extraordinary rate during this time. As such, Courts are left to interpret evolving social media issues in the context of inexact statutory language19. Regardless, to the extent social media issues are subject to review under Federal Law, the SCA is a critical statute that governs rights and restrictions of potential parties involved in litigation, or more generally in regulatory compliance. The most important aspect of the SCA is that it extends rights beyond fourth amendment protections. The statute itself is complex, and a precise definition of the services a provider renders alters the mechanisms and prohibitions for disclosure.20 In general, it prohibits covered providers from voluntarily disclosing information held by a service provider without court order or subpoena issued by a court or grand jury of competent jurisdiction. Increasingly, Courts are holding that this also includes third-party subpoenas. The Ninth and Sixth Circuits have held that text messaging service providers and online providers of email services represent Electronic Communications Service (ECS) providers under the SCA21. In essence, they are forms of electronic communication, communicated and stored (as backup) by the provider, for its benefit or the benefit of the user. Extending this rationale, social media seems to fall into this framework. The District Court in Crispin v. Audigier, relying on precedent in the Ninth Circuit, held that strictly private messages on social media sites were not subject to discovery per a third-party subpoena, since they are materially the same as text messages or emails.22 The Court in Crispin also held that to the extent Facebook wall postings or similar were displayed only to a specific list of approved friends, such interactions were also protected under the SCA, drawing an analogy to electronic bulletin boards.23 This is important, since trying to determine when something became public, if less than generally available, would create significant uncertainty. The court noted this also protects both individuals and potentially organizations with hundreds or thousands of employees. Only if these posts were available to the general public would these interactions fall under an exception to the protections afforded by the SCA. There is no question that additional cases will be tested under the SCA, potentially with conflicting results. However, two Federal Circuits appear to have solid precedent that the SCA is relevant to many forms of electronic communication, and access to content cannot be assured in discovery or a regulatory compliance setting. At the very least, organizations will need to develop policies and solutions that allow them to fulfill potential discovery and regulatory compliance obligations, with the potential restrictions of the SCA.
The SCA itself does not address private party rights in litigation to electronic information. Rather, it was focused on the duties of covered providers, and the rights and mechanisms for access by governmental authorities. However, it is generally agreed that private parties can not be assumed to have greater rights to access information than was afforded to the government under the SCA. The SCA distinguishes between a Remote Computer Service (RCS) and an Electronic Communications Services (ECS). For an analysis and application of the distinction, See Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010) See Quon at note 18. See also Theofel v. Farey-Jones, 359 F.3d 1066, 1070 (9th Cir. 2004.), and Warshak v. United States, 532 F.3d 521, 523 (6th Cir. 2008) Ibid at note 20. Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)
20
21
22 23
It has been well established that the Fourth Amendment to the United States Constitution provides for individuals to have their privacy protected from unwarranted government intrusion. Going back to Katz v. United States, 389 U. S. 347 (1967), Fourth Amendment analysis has been the question whether a person has a constitutionally protected reasonable expectation of privacy.24 The Amendment does not protect all subjective expectations of privacy, but only those expectation[s] that society is prepared to recognize as reasonable.25 The issue with attempting to frame private employers intrusions into the privacy of their employees in the context of the reasonable expectation of privacy test, is that Fourth Amendment protections are limits on how the government may act and do not apply to private employers. More generally, in the context of electronic information, greater protections are often afforded under the SCA, as noted previously, in addition to state constitutions and statutes, and under common law remedies for invasion of privacy.
Ibid at 360. Ibid at 361. This includes the states of Alaska, California, Florida, Hawaii, Illinois, Louisiana, Montana, New York, South Carolina, and Washington. CA Labor Code 96(k); N.Y. Labor Code 201-d (2004); N.D. Cent. Code 14-02/4-03 (2003); Colo. Rev. Stat. 24-34-402.5 (2004) 29 U.S.C. 151169
27
28
employer discovered that the employee had criticized her supervisor on Facebook. In the NLRBs unfair employment practice claim, they contended that such a posting on Face bookas well as follow on comments from coworkersconstituted concerted action under the NLRA. The NLRA specifically prohibits an employer from interfering in an employees right to discuss the terms and conditions of their employment, which include their wages, hours, and working conditions with their coworkers. This case ultimately settled in February 2011, with the employer agreeing to revise their policies and discontinue disciplining employees for what is protected action. While ultimately this case didnt result in a court decision, it does illustrate that the NLRB considers concerted action that occurs on Facebook to be no different from what occurs in a more private setting and they intend to aggressively go after employers who attempt to punish their employees for such actions.
29 30 31
Ibid at note 21. 18 USC 2511(1)(a). Interception and disclosure of wire, oral, or electronic communications prohibited. At this point there is limited guidance on whether third parties must assent to monitoring or capture of social media, either the site owner itself or third parties posting to that site. This will be an area of law that will likely remain unsettled.
It may create an affirmative obligation to secure private information, and become responsible if protected information is otherwise disclosed or lost (e.g. health related information). Risk that individuals within the firm may make inappropriate comments regarding an individuals political or religious views, or their sexual orientation or conduct. Make hiring, firing, or promotion decisions based on unrelated private conduct, which is protected in at least some states. Increases the noise and irrelevant information that has to be captured, stored, and analyzed, increasing costs and complexity. In general, when viewed in the context of what organizations are compelled to govern in social media, most firms will find that a business identity that is separate from purely personal interactions is best for its employees and the firm itself. Some will argue that employees can subvert organizational policies by using non-authorized accounts for business interactions; that is true. However, it is no different than it is today with personal email accounts over which organizations rarely have controls, and if employees are intent on undermining governance mechanisms they will be creating unregistered identities regardless.
Second, firms should consider using solutions that can monitor aggregated feeds of publically available information, such as Twitter feeds, public LinkedIn and Facebook sites, blogs, forums, third-party websites, and news sites. This allows firms to see if individuals are discussing their firm, their people, or their products. This can provide another layer of surveillance and monitoring to see what other types of interactions or conversations may be occurring outside of authorized channels.
Conclusion
Social media presents unique opportunities for even the most tightly regulated or highly litigated organizations. As social media evolves, it will only become more pervasive and create changing methods for interacting with employees, clients, counter-parties, and the public at large. At the same time social media interactions present unique risk to organizations. As organizations develop their social media governance models, they should be mindful of the legal and regulatory environment that creates certain obligations, but also prohibit or limit some types of conduct. More importantly, they should look beyond merely the ability to capture social media interactions, and instead focus on what it all means.
Authors
George Tziahanas is Autonomys Global Head for Legal and Compliance Solutions. Responsibilities include solution design and oversight for Autonomys Regulatory Archiving, Supervision and Surveillance, Investigation, eDiscovery, and Information Governance solutions. His duties also include leading Marketing for the Protect business at Autonomy. On an individual basis, Mr. Tziahanas works closely with regulated entities on their compliance obligations, in particular financial services organizations. He also writes and speaks broadly on the implications of emerging technologies on corporate information environments. Prior to joining Autonomy, Mr. Tziahanas held leadership positions with Orchestria, Iron Mountain, and Intel Corporation. Mr. Tziahanas holds an MS in Molecular Systematics and Biological Sciences, and a JD from DePaul University. He is admitted to The Bar in the State of Illinois and the Federal District for the Northern District of Illinois. Eric T. Crespolini is Vice President of eDiscovery Technologies and part of the Protect subject matter expert team for Autonomy. Mr. Crespolini brings over a decade of experience building and overseeing teams in delivering eDiscovery expertise to leading enterprises, information technology management and consulting, implementing enterprisewide financial and project control systems, data warehousing, electronic collection, disaster planning, and operational process development. Prior to joining Autonomy, Mr. Crespolini held senior management positions at Clearwell Systems, Xerox, and Innovative System Design. Mr. Crespolini earned his JD from Rutgers University, a BS in Actuarial Science from St. Johns University, and holds an MBA in Corporate Finance.
The information contained in this document represents the current opinion as of the date of publication of Autonomy Systems Ltd. regarding the issues discussed. Autonomy's opinion is based upon our review of competitor product information publicly available as of the date of this document. Because Autonomy must respond to changing market conditions, it should not be interpreted to be commitment on the part of Autonomy, and Autonomy cannot attest to the accuracy of any information presented after the date of publication. This document is for informational purposes only. Autonomy is not making warranties, express or implied, in this document.
Autonomy Inc. and Autonomy Systems Limited are both subsidiaries of Autonomy Corporation plc.
20110802_RL_WP_Social_Media_Compliance