Companies would be legally remiss not to add a social media component to their corporate compliance and ethics program. As we have seen and reported on, agencies such as FINRA, the FTC, and the NLRB are bringing complaints against companies arising from their social media activity or employee related activity, thus, highlighting the need for companies to demonstrate that they are exercising due diligence to promote ethical conduct and prevent criminal conduct in the context of social media activity [e.g. Federal Sentencing Guidelines, § 8B2.1].
The following list is a good starting point, however, there may be additional items that a social media attorney will recommend you include in your policy depending on the nature of your business. A companion article to this one, for example, includes additional items that government contractors should have in their social media policies.
- Adopt a social media policy. Include the basic list of “Dos” and “Don’ts” in your policy. Don’t try to prohibit lawful protected activity such as complaining about work conditions or compensation/benefits, or whistle blowing. However, employees should be advised of the importance of communicating possible wrongdoing at the company through established internal channels so an appropriate investigation can be conducted.
- Implement an effective training program on how your employees should use social media, with emphasis on areas of particular concern for your company which may include, for example, protecting the privacy interests of your company clients, complying with FINRA/SEC social media guidelines, antitrust compliance, not disclosing confidential, proprietary information, and brand protection.
- Update your e-discovery approach and make sure that you include social media activity and cloud computing because it is discoverable.
- Update your document retention policy to make sure you are capturing and storing the social media activities of your company, and don’t forget employees conducting business from their smart phones and tablets.
- Update your Sarbanes-Oxley Act compliance program to ensure that financial information posted on your Facebook fan page, Twitter, website, etc., is updated to reflect material changes in financial condition and operations. Do not release financial information on social networking sites that you have not also published in a press release.
- Audit the social media activity of potential targets for mergers and acquisitions to identify any legal risks and liabilities, including, without limitation, the target failing to comply with the Sarbanes-Oxley Act.
- Train your HR department, managers and anyone making employment decisions so they do not use information from social networking sites to discriminate against anyone based on protected factors under federal or state law. Set up protocols so protected factors are not considered.
- Take reasonable measures to protect your trade secrets. Update your confidentiality agreements and computer use policies with employees. Clearly communicate what are the company’s trade secrets and the ways in which use of them is restricted. One of the essential elements for a misappropriation of trade secrets case is that the company has taken reasonable measures to protect its trade secrets, which would include, in the social media era, a social media policy with training for employees so they are not inadvertently disclosing the company's trade secrets.
- Incorporate privacy protections into your business practices such as data security, the collection of a reasonable amount of information and not more, sound retention practices (not an unduly long period of time), and data accuracy (so misinformation is not reported on consumers).
- Review the FTC guidelines for online endorsements with employees, including the prohibition on employees giving reviews for the company’s products (or the products of it’s competitors) without disclosing their biased relationship with their employer company.