Dallas cybersecurity and data privacy attorney Shawn Tuma delivered this presentation on social media law to Social Media Breakfast on February 22, 2018.
"What Could Go Wrong?" - We're Glad You Asked!
1. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
Scheef & Stone, LLP
Shawn.Tuma@solidcounsel.com
(214) 472-2135
@shawnetuma
What Could Go Wrong?
Avoiding the Legal Pitfalls of
Social Media Marketing
2. A smart man learns from his mistakes.
A wise man learns from the mistakes of others.
A fool never learns.
6. @shawnetuma
PhoneDog v. Kravitz
• PhoneDog (employer) / Kravitz (employee /
blogger)
• @PhoneDog_Noah had 17,000 followers
• Kravitz resigned, refused to turn over his
Twitter account, changed handle to
@noahkravitz and grew to 24,000 followers
• PhoneDog sued (7/15/11), heavy litigation,
settled (12/12) = 1.5 yrs of fees & Kravitz still
has @noahkravitz
THE TAKEAWAY
Every company needs a contractual agreement that
clearly states who owns social media accounts used on
behalf of the company.
Ownership &
Control Over
Accounts
7. @shawnetuma
• Unauthorized Access = hacking!!!
• Sale / M&A / Bankruptcy = company asset
• Personal – who updates when you pass?
• Blogs / Subscriber Sites with consumer
information?
• → Privacy Policy?
Sales & Transfers
of Accounts
9. @shawnetuma
Intellectual Property
i.e., copyrights, trademarks, trade secrets,
confidential and proprietary information
• Protect your content and brand
• Copyright & trademarks
• Example: client brand w/o trademark, then
negotiating to obtain
• Tip: use unique phrases + Google Alerts!
• Do you want to tell your competitors?
• Customer / vendor lists
• Who are you talking to or following?
• Departing employee’s LinkedIn?
• Secret business alliances, strategies, plans
• Business situational awareness
Your Intellectual
Property
10. @shawnetuma
• Infringement of trademark
• Right to publicity
• name, voice, signature, photo, likeness
(statutory after death)
• commercial v. educational or newsworthy
• audience picture v. company promo video
• Infringement of copyright
• attribution isn’t enough (this isn’t plagiarism)
• DMCA Takedown Request
• Google penalizes for too many
• Must have a license or use creative
commons … but …
Other’s
Intellectual
Property
14. @shawnetuma
Reputation management
• Be nice – if legit, address the problem
• i.e., “who” are you and what is your “brand”?
• Compare: church with TM vs. Bullyville
• Healthcare / PHI???
• Outing the anonymous defamer
• Beaconing / email ping-back
• DMCA takedown request if IP (must respond)
• Pay a good PR firm instead of paying
lawyers (best advice!)
• Litigation – but …
Dealing with
Smack Talk!
15. Someone talking bad
about your business
online?
• Defamation rules apply online
but …
• The “Streisand Effect”
• Anti-SLAPP (Strategic Lawsuits
Against Public Participation)
• ≠ assign copyright of reviews
• ≠ charge $500 per bad review
19. Tort Claims
What your company’s employees say or do can hurt you!
• communications
• tortious interference
• defamation (libel, slander, bus. disparagement)
• false advertising & false warranties
• privacy / data breaches
• online impersonation
• harassment and cyber-bullying
• “puffery” of facts
20. Regulatory Liability
Federal Agencies are Watching
• FTC – Investigated Hyundai for not disclosing incentives given to bloggers for
endorsements
• Big deal – FTC very active in this area
• Celebrity endorsements of ICOs = FTC, SEC & CFTC oversight!
• HHS & OCR – could have investigated hospital worker who posted patient
“PHI” on Facebook → “Funny, but this patient came in to cure her VD and get
birth control.”
• SEC – false statements in raising funds (SEC v. Imperia Invest. IBC) or insider
information → “Board meeting. Good numbers = Happy Board.” before official
release
22. Terms of Service / Use – Potential Trouble Spots
• Giveaways and contests can be trouble for many reasons – do not do
them on social media without careful consideration and vetting
• Service’s Terms of Service
• Jurisdiction gambling and contest rules
• Example: Facebook’s Terms of Service for Pages are very specific
about requirements for Promotions
• A complete release of Facebook by each entrant or participant
• Acknowledgement that Facebook is not sponsoring or affiliated
https://www.facebook.com/page_guidelines.php
23. Twitter Bots – Oh No, The Russians Did It!!!
#TwitterLockOut
Twitter’s Rules & Policies governing “Automated Activity”
26. New York Department of Financial Services Cybersecurity (NYDFS)
Requirements for Financial Services Companies + [fill in]
• All NY “financial institutions” + third party service providers.
• Third party service providers – examine, obligate, audit.
• Establish Cybersecurity Program (w/ specifics):
• Logging, Data Classification, IDS, IPS;
• Pen Testing, Vulnerability Assessments, Risk Assessment; and
• Encryption, Access Controls.
• Adopt Cybersecurity Policies.
• Designate qualified CISO to be responsible.
• Adequate cybersecurity personnel and intelligence.
• Personnel Policies & Procedures, Training, Written IRP.
• Chairman or Senior Officer Certify Compliance.
27. EU – General Data Protection Regulation (GDPR)
• Goal: Protect all EU citizens from privacy and data breaches.
• When: May 25, 2018.
• Reach: Applies to all companies (controllers and processors):
• Processing data of EU residents (regardless of where processing),
• In the EU (regardless of where processing), or
• Offering goods or services to EU citizens or monitoring behavior in EU.
• Penalties: up to 4% global turnover or €20 Million (whichever is greater).
• Remedies: data subjects have judicial remedies, right to damages.
• Data subject rights:
• Breach notification – 72 hrs to DPA; “without undue delay” to data subjects.
• Right to access – provide confirmation of processing and electronic copy (free).
• Data erasure – right to be forgotten, erase, cease dissemination or processing.
• Data portability – receive previously provided data in common elect. format.
• Privacy by design – include data protection from the onset of designing systems.
29. “The law has a right to every man’s evidence”
• Courts look to social media for public posts, private messages, “Likes”, etc.
• Club’s SM before Cowboys’ Josh Brent wreck killing Jerry Brown: “I have 12
#Cowboys in theeee building!!!!!!!!!! #Privae” … “These fools buying Ace on top of
Ace!!!!!!!”
• Danielle Saxton’s Facebook “selfie” wearing stolen merchandise – easy evidence!
• Daughter’s $80,000 Facebook “brag”: "Mama and Papa Snay won the case against
Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK
IT."
• Document Retention Policy
• No reasonable expectation of privacy (even private messages), usually
• If litigation is anticipated
• Cannot permanently delete account or posts; may be able to “take down”
• Cannot selectively delete posts
31. General Strategy for Policies
• Recognize and appreciate potential issues
• Decide how to handle those issues
• Educate your team on those issues
• Collaborate and train on how to comply with and resolve issues
• Create and outline procedures for using social media
• Monitor (to some degree) to ensure compliance
• Know your industry requirements (i.e., healthcare)
• If a “form” is given by your regulator, use it!!!
32. Social media policies are a “MUST HAVE”
• Ounce of prevention: less than 1 day of litigation
• If have, must enforce
• Trying to predict issues – but evolving – can’t get all
• Contractually resolve issues such as ownership and authority
• Great opportunity to set rules and document expectations
• Training - greater opportunity to explain and ensure understanding of
expectations
• Put on notice of monitoring – and actually monitor!
• Should address employment issues
33. But, will the National Labor Relations Board allow it?
• NLRB jurisdiction = impacts interstate commerce
• National Labor Relations Act (NLRA) sec. 7 gives employees right to
engage in “concerted activities for the purpose of … mutual aid and
protection”
• NLRB finds illegal any policy provision that (a) restricts or (b) an
employee would reasonably construe to chill concerted activities
• NLRB General Counsel has issued multiple Reports on Social Media
Policies – extraordinary activity
34. Can you guess who the NLRB is pulling for?
• Making it very difficult for businesses to protect themselves
• Social media policies must now be carefully tailored to
• Address unique business and legal needs of your business
• Be enforceable and lawful in a court of law
• Be legal in the eyes of the NLRB
• Examples of provisions found illegal by NLRB
35. Can you guess who the NLRB is pulling for?
“Bob is such a NASTY MOTHER F***** don’t know how to talk to
people!!!!!! F*** his mother and his entire f****** family!!!! What a
LOSER!!!! Vote YES for the UNION!!!!!!!”
39. @shawnetuma
Richmond Dist. Neighborhood Center v. Callaghan
“The question is whether
the conduct is so egregious
as to take it outside the
protection of the Act, or of
such character as to render
the employee unfit for
further service.”
40. Can you guess who the NLRB is pulling for?
56 Pier Sixty, LLC (NLRB March 31, 2015)
• Employee on Facebook: called his manager a “NASTY MOTHER
F****R” and a “LOSER,” said “f**k his mother and his entire f***ing
family,” and ended the post by saying “Vote Yes for the Union!”
• Company fired him.
• NLRB: Firing improper. Feeling of mistreatment motivated statements
and employees were simultaneously seeking redress through
upcoming union election which made statements protected,
concerted activity.
• Comments not egregious enough.
41. What is the NLRB really looking for?
• Clarity and precision
• Examples of do’s and don’ts that give context and real-life meaning to
the rules
• Implementation + training =
43. Cyber Liability Insurance
• If you are doing anything in cyber/digital, you need it. Period.
• Most traditional insurance does not cover cyber-events, even if you
think it does (really!)
• Cyber Insurance is relatively inexpensive
• Some policies include a cyber risk audit before being underwritten
• Policies can cover social media risk, computer fraud risk, data breach
/ hacking risk, and even social engineering
• But, they are tricky – you have to really know what you’re looking for
vis-à-vis your company’s risks
44. • Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Cybersecurity Task Force, Intelligent Transportation Society of America
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-17
• Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology
Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com