Identification and Management of Emerging Legal Risks in Social Media
These materials have been prepared by Poyner Spruill LLP for informational purposes only
and are not legal advice. This information is not intended to create, and receipt of it does not
constitute, a lawyer-client relationship. © 2012 Poyner Spruill LLP. All rights reserved.
Elizabeth Johnson
Partner
Poyner Spruill LLP
(919) 783-2971
@PoynerPrivacy
The Obvious Risks
• Privacy
– Negligent Disclosures
– Inadvertent and Incidental Disclosures
• Security
– Malware
– Social Engineering
– Phishing/Spoofing/Spam/Scams
Negligent Disclosures
• Mercy Walworth Medical Center in Lake Geneva, WI – Nurses fired for
patient photos (case referred to FBI)
– Allegedly photographed patients and posted to Facebook
• Oakwood Hospital in Detroit, MI – Employee fired for Facebook post
regarding “cop killer”
– Local police officer murdered, killer treated at same hospital
– Employee posted disparaging remarks about alleged killer/patient
• Lifequest Nursing Center in Pennsylvania – Registered nurse fired for
Facebook posts regarding co-worker
– Post timestamps occurred while nurse was actively engaged in
dispensing patient medication
“Schedule regular medical exams like everyone else instead of
paying UMC employees overtime to do it when clinics are
usually closed.”
– Employee of Mississippi’s University Medical Clinic
“Glad the Legislature recognizes our dire fiscal situation. Look
forward to hearing their ideas on how to trim expenses.”
– Mississippi Governor Haley Barbour
Inadvertent, Incidental Disclosures
• Dr. Alexandra Thran – disciplined by RI’s licensing board
for Facebook post
– Westerly Hospital reported to board that it “terminated
[Thran’s] clinical privileges at the hospital because she had
used her Facebook account inappropriately to communicate
a few of her clinical experiences in the hospital’s Emergency
Department.”
– Doc did not identify patient names in her posting, board
concluded that “the nature of one person’s injury was such
that the patient was identified by unauthorized third parties.”
It’s An Epidemic…
“Special” Problem for Health Care Profession
Expensive professional and reputational disaster
+ High stakes penalties = Broad definition of PHI
So how much is too much?
– “Coffee Shop Rule”
– But…
– Almost any information about a patient is too much
information
– Violating patient confidentiality = revocation of license,
lawsuits, violation of law (fines – $1.5M maximum
HIPAA penalty)
Magnitude of Disclosure
• Permanency of Disclosure
– “Coffee Shop” Rule: Verbal, so fairly transient
– “Cover of The New York Times” Rule: Print copy, but unlikely to be retained permanently (longer for website…)
– Social Media Reality: Internet, potentially permanent retention
• Searchable?
– “Coffee Shop” Rule: No
– “Cover of The New York Times” Rule: Limited (microfiche?)
– Social Media Reality: Word searchable and semi available via search engines
• Maximum Initial Distribution
– “Coffee Shop” Rule: Starbucks avg. daily customers = 500
– “Cover of The New York Times” Rule: Daily circulation = 1M
– Social Media Reality: Facebook = 750M users, Twitter = 200M users (est. 50% log in daily)
• Potential for Redistribution
– “Coffee Shop” Rule: Limited (gossip)
– “Cover of The New York Times” Rule: Limited (some readers selectively pass article along)
– Social Media Reality: Indiscriminate posting (Facebook/Twitter users avg. ~130 friends/followers)
Security Risks
• Types of Attacks (general v. targeted)
– Malware
• 18% of social network users report malware, up from 13% in 2010 and
8% in 2009 (Webroot annual survey)
• Malware distributed via social network 10x as effective as malware
spread via email (Kaspersky Global Research)
– Social Engineering
– Phishing/spam/spoofing/scams
• Example = “Friend in Distress” scam – 14% of users report receipt in
2011, compared to 2% in 2009 (Webroot annual survey)
– Overall, number of firms reporting an attack via social networking
rose 70% from 2008-2009 (Sophos 2010 Security Threat Report)
– 93% increase in web-based attacks in 2010; 65% of malicious
URLs were shortened URLs (Symantec 2010 Internet Security
Threat Report)
The Obscure Risks
User-Generated Content = Risk
• Besides legal liability for disclosures…
• Publication of private facts / invasion of privacy
• Infliction of emotional distress
• Defamation / libel
• “Cyberbullying”
• Negligence
Job Applicants and Employees
• Hostile workplace
• Discrimination
– “Classic” discrimination (race, age, gender, disability, sexual
preferences, etc.) – EEOC has confirmed position
– Genetic Information Nondiscrimination Act
• Wage and Hour
• National Labor Relations Act
• Stored Communications Act
• Fair Credit Reporting Act
• Impersonation / Misappropriation / Conversion / Trade
Secrets
• Employer’s company Facebook page
• Photo of company event posted
• Someone (allegedly an employee) posted discriminatory comments about coworker
• Hostile workplace charge
National Labor Relations Board
• About a dozen cases involving social media
• Recent guidance issued summarized four cases that
ended badly for employers:
– Employee asked coworkers on her Facebook page for their
reaction to another employee’s complaints about work quality and
staffing levels
– Employee complained on her Facebook page about supervisor’s
refusal to permit union rep to assist her in developing a response
to a customer complaint filed against her
– Employees’ Facebook posts reveal employer’s failure to withhold
state income taxes; state tax authorities issued payment demand
– Social media policies prohibiting “solicitation,” “disparaging” the
employer, “offensive,” “defamatory” or “unprofessional” content
National Labor Relations Board
• More likely to be protected activity
• Subject matter related to terms and conditions of employment,
exercise of union rights, or other matters traditionally considered
“protected activity”
• Other employees were participating in the conversation
(“concerted activity”)
• Content that is part of a continuing dispute with employer or
ongoing conversation with other employees
• Less likely to be protected activity if negative impact on
productivity, complaints amounted to “name calling,” or
content was inappropriate
• Guidance also discusses over-broad social media policies
Stored Communications Act
• Applies to stored wire or electronic communications held by ISPs
• Prohibits intentional access to such communications without authorization
“…this information should not be used for
employment, tenant screening, or any FCRA
related purposes…”
Impersonation / Publicity
• The Lanham Act (false association/false endorsement)
• Right to publicity (state statute)
• Right to privacy (state common law), dismissed
Conversion/Misappropriation of Trade Secrets
• Employee leaves with Twitter account
• Employer sues claiming damages of $2.50/mo per follower ($340K)
• Claims followers and password = trade secret
• Case survives motion to dismiss
Other Problems – Self-Promotion
• FTC’s Guide Concerning the Use of Endorsements and
Testimonials in Advertising
Unfair and Deceptive Trade Practice
Other Problems – Federal Securities Law
• SEC Guidance on the Use of Company Web Sites
– Covers websites, blogs, shareholder forums and other social media
– “Since all communications made by, or on behalf of, a company are
subject to the antifraud provisions of the federal securities laws,
companies should consider taking steps to put into place controls
and procedures to monitor statements made by or on behalf of the
company on these types of electronic forums.”
• Fact-specific inquiry required:
– When is information “public” for purposes of Reg FD compliance?
E.g., Can company Facebook posts constitute public disclosures?
– When are posts or tweets considered “republished” for purposes of
the antifraud provisions of the federal securities laws?
– How do the antifraud provisions apply to posts made by
employees? Officers? Third party commentators?
Now What?
Social Media – To Ban or Embrace?
• Biggest mistake = ignoring it
• Two choices remain:
1. Ban it (with appropriate limits)
2. Embrace it (with appropriate limits)
• Is it feasible to ban effectively?
– Tidal wave of adoption typically drowns out efforts to ban entirely
• Exacerbated by rapid adoption of mobile devices
– First Amendment / NLRB
– Customer / patient expectations
– Powerful marketing and communication tool
Identify Your Business Need
• Not popular for communicating with doctors
– Capstrat Survey, February 2011
– 84% would not use social media to communicate with doctors
– Among adults ages 18 – 29 (target audience for social media), only
21% would use it to communicate with doctors
• Some potential for other use
– Capstrat respondents more favorable toward email and online
channels for appointment setting, medical record access, and
nurse consultation
– Intuit Health 2011 survey showed 73% would use an online
solution to get lab results, request appointments, pay medical bills,
and communicate with doctor’s office
You won’t talk to your doctor, but…
• National Research Corp
Survey of 22,000:
• 16% use social media as
source of health care info
• 82.3% trust health info
obtained from social media
at a score of 3 or higher
(on scale of 1 – 5)
• 78.8% gave score of 3 or
higher to likelihood of
social media influencing
their health care decisions
Pew Research Center, September 2010
• 80% of internet users get health info online (59% of all adults)
• 34% of internet users (25% of all adults) have read someone else’s
commentary or experience about health issues on a website, blog, etc.
• 24% of internet users (18% of all adults) have consulted online reviews
of particular drugs or medical treatments
• 18% of internet users (13% of adults) have gone online to find others
who might have health concerns similar to theirs
• 16% of internet users (12% of adults) have consulted online rankings or
reviews of doctors or other providers
• 15% of internet users (11% of adults) have consulted online
rankings or reviews of hospitals or other medical facilities
• 62% of internet users also use social media, and 23% of those (11% of
all adults) followed friends’ personal health experiences on the site
• 15% of social media users (7% of all adults) have gotten health info
Identify Your Business Need
• Potential for recruiting clinical trial participants?
– White Paper, June 2011, Blue Chip Patient Recruitment
– 19% were comfortable receiving info through Facebook and 14%
receiving info from Twitter
– 81% of “e-patients” (actively engaged in health-related social
media) were interested in participating in clinical trials, but only
16% had done so
Identify Your Business Need
• On substance, stick to information not communication
• Communication for administrative matters (appointments,
billing, etc.)
• One-size-does-not-fit-all
– Risk for physicians and practitioners may outweigh benefits, but
may not hold true for researchers, support staff, etc.
• Recognize marketing potential and demographics
• Self-selected audiences
• If no business need, may indicate that you should limit
(ban) rather than promote (embrace) social media
Next Steps
• Develop a detailed policy (preferably more than one)
– “Approved Population,” HR, everyone else
– Be comprehensive (see foregoing slides)
– Do not be overly restrictive
– Require/discuss compliance with third party sites’ terms
• Train
• Audit compliance
• Post disclaimers, terms of use and/or privacy notices
• Monitor for reputational impacts (even if not posting
yourself)
– Policy and training for that monitoring also is beneficial
Other governance?
• Formal launch and implementation plan
• Social media agreement for employees
• Committee oversight
• Senior management approval of plan/oversight
• Annual program refresh
Questions?
Elizabeth Johnson
Partner
Poyner Spruill LLP
(919) 783-2971
@PoynerPrivacy