Do’s & Don’ts – Social Media Policy

Michael J. Sciotti, Esq.

msciotti@barclaydamon.com

Barclay Damon LLP

Barclay Damon Tower

125 East Jefferson Street

Syracuse, New York 13202

(315) 425-2774 (Direct)

(315) 256-2314 (Cell)

www.barclaydamon.com

Melissa Zambri, Esq.

MZambri@barclaydamon.com

Barclay Damon LLP

80 State Street

Albany, NY 12207

(518) 429-4229(Direct)

www.barclaydamon.com

Disclaimer

This PowerPoint and the presentation of Barclay

Damon LLP are for informational and educational

use only. Neither the PowerPoint nor Barclay

Damon’s presentation should be considered legal

advice. Legal advice is based on the specific facts

of a client’s situation and must be obtained by

individual consultation with a lawyer. Please

consult a labor and employment lawyer before

attempting to address any legal situation raised in

this seminar.

Agenda

• General Information & Background

• Best Practices

• New York State Labor Law (“NYSLL”)

Issues

• National Labor Relations Board (“NLRB”)

Issues

• HIPAA and Privacy Issues

General Information & Background

Statistics

• 90% - 95% of businesses now use social media for business purposes.

• 80% of businesses reported taking disciplinary action against employees for misuse.

• 80% of businesses now have social media policies in place.

• 40% of employers actively block access to social media sites.

• 45% of businesses permit employees to access social media sites.

Big Deal?

• From novelty to normalcy in short time.

• Mainstream use = greater risks.

• As numbers demonstrate, employers have

increased policies, but landscape

regarding treatment of such policies is

changing at light speed.

Big Deal?

• NLRB’s General Counsel under the

Obama Administration aggressively

expanded authority of that office.

• NLRB regional offices were required to

submit all social media cases to the

Division of Advice.

Big Deal?

This is not really a change in

the law, but where it is

applied is new.

Monitoring Rights

Are employers permitted to monitor social

media use by employees at work?

Answer: Yes, but with constraints.

Need to consider data protection laws,

privacy laws, and consent, among other

things.

Monitoring Rights

National Labor Relations Act (“NLRA”),

and NYSLL play pivotal parts in an

analysis of whether or not an employee’s

violation of a Company’s Social Media

Policy should result in disciplinary Action.

General Questions

What limits and considerations apply to

employers monitoring of social media use

by employees at work?

Answer: Legitimate business interest vs.

privacy and Section 7 rights.

Apply best practice approach.

Best Practices

Best Practices

• Implement clear, well-defined policies (no

overreaching);

• Obtain acknowledgment or consent;

• Only go so far as to protect business

interests;

• Monitoring and decision-making by

designated employees, who have been

trained;

Best Practices

• Personal data obtained should be stored

safely and not disseminated;

• Apply training to employees regarding

appropriate use of IT;

• Document, document, document; and

• Do not overreact (i.e. make sure you know

what you are looking at), but do not

underreact.

Google: Michael Sciotti Mugshot

Google: Michael Sciotti Mugshot

• Michael Sciotti was booked in Volusia

County, FL on 08/06/2006.

• Thank you Mugshots.com

Employee on Beach

Employee Drinking

Twins

Employee Posts

• I hate my job.

• I hate my supervisor.

• My supervisor is a miserable SOB

because he refuses to pay me minimum

wage.

• I quit.

• I am going to quit.

• My salary is $52,000.00 – what is yours?

Sexual Harassment

Employees Who Hate

• KKK

• Confederate Flag

• Nazi Flag

Religion Issues

• Church of the Flying Spaghetti

Monster a/k/a Pastafarianism

• Church of Satan

• Vampirism

• Voodoo

• International Church of Cannabis

Religion Issues

• In 2013, Jediism was actually the seventh

largest religion in the United Kingdom with

an incredible 175,000 followers.

Confront the Employee

• Save the material and ask about it:

• (1) Did you post it?

• (2) Why did you post?

• (3) Impact of statement.

Employees & Facebook

Ignore

•Don’t be afraid to

ignore!!!

NYSLL §201-d

Recreational Activities Law

Political Activities

• Political Activities - shall mean:

• (1) Running for public office;

• (2) Campaigning for a candidate for public

office; or

• (3) Participating in fund-raising activities

for the benefit of a candidate, political

party or political advocacy group.

Employee Loves President Trump

Employee Hates President Trump

Recreational Activity

• Recreational Activities - shall mean any

lawful, leisure-time activity, for which the

employee receives no compensation and

which is generally engaged in for

recreational purposes, including but not

limited to sports, games, hobbies,

exercise, reading and the viewing of

television, movies and similar material.

Drug User

Good Reason To Fire?

What is “Work Hours”?

• Work Hours - Shall mean…all time, including paid and unpaid breaks and meal periods, that the employee is suffered, permitted or expected to be engaged in work, and all time the employee is actually engaged in work.

– This definition shall not be referred to in determining hours worked for which an employee is entitled to compensation under any other law.

Prohibitions

• Unless otherwise provided by law, it shall

be unlawful for any employer or

employment agency to refuse to hire,

employ or license, or to discharge from

employment or otherwise discriminate

against an individual in compensation,

promotion or terms, conditions or

privileges of employment because of:

Prohibitions

• (1) An individual's political activities

outside of working hours, off of the

employer's premises and without use of

the employer's equipment or other

property, if such activities are legal…

Prohibitions

• (2) An individual's legal use of consumable

products prior to the beginning or after the

conclusion of the employee's work hours,

and off of the employer's premises and

without use of the employer's equipment

or other property;

Prohibitions

• (3) An individual's legal recreational

activities outside work hours, off of the

employer's premises and without use of

the employer's equipment or other

property; or

Prohibitions

• (4) An individual's membership in a union

or any exercise of rights granted under the

NLRA or New York State Civil Service

Law.

No Protections

• The provisions of the Recreational

Activities Law shall not be deemed to

protect activity which:

• Creates a material conflict of interest

related to the employer's trade secrets,

proprietary information or other proprietary

or business interest…

No Protections

• An employer shall not be in violation of the

Recreational Activities Law where the

employer takes action based on the belief

either that:

• (1) The employer's actions were required

by statute, regulation, ordinance or other

governmental mandate;

No Protections

• (2) The employer's actions were

permissible pursuant to an established

substance abuse or alcohol program or

workplace policy, professional contract or

collective bargaining agreement; or

No Protections

• (3) The individual's actions were deemed

by an employer or previous employer to be

illegal or to constitute habitually poor

performance, incompetency or

misconduct.

NLRA & Section 7 Rights

Covered Employee?

• Most employees in the private sector are covered by the NLRA.

• However, the Act specifically excludes individuals who are:

• 1. Employed by Federal, state, or local government;

• 2. Employed as agricultural laborers;

• 3. Employed in the domestic service of any person or family in a home;

• 4. Employed by a parent or spouse;

Covered Employee?

• 5. Employed as an independent contractor;

• 6. Employed as a supervisor (supervisors who have been discriminated against for refusing to violate the NLRA may be covered);

• 7. Employed by an employer subject to the Railway Labor Act, such as railroads and airlines; and

• 8. Employed by any other person who is not an employer as defined in the NLRA.

NLRA – Section 7 Rights

• Employees shall have the right to self-

organization, to form, join, or assist labor

organizations, to bargain collectively

through representatives of their own

choosing, and to engage in other

concerted activities for the purpose of

collective bargaining or other mutual aid or

protection, and shall also have

NLRA – Section 7 Rights

• the right to refrain from any or all of such

activities except to the extent that such

right may be affected by an agreement

requiring membership in a labor

organization as a condition of employment

as authorized in NLRA § 8(a)(3).

NLRA – Section 7 Rights

• Employees who are not represented by a

union also have rights under the NLRA.

• Specifically, the NLRB protects the rights

of employees to engage in “concerted

activity”, which is when two or more

employees take action for their mutual aid

or protection regarding terms and

conditions of employment.

NLRA – Section 7 Rights

• A single employee may also engage in

protected concerted activity if he or she is

acting on the authority of other employees,

bringing group complaints to the

employer’s attention, trying to induce

group action, or seeking to prepare for

group action.

Examples

• A few examples of protected concerted

activities are:

• Two or more employees addressing their

employer about improving their pay.

• Two or more employees discussing work-

related issues beyond pay, such as safety

concerns, with each other.

Examples

• An employee speaking to an employer on

behalf of one or more co-workers about

improving workplace conditions.

Attacks on Employee Handbooks

Evaluation Standard –

Employee Handbook

• A handbook provision is illegal

if it restricts a right under

NLRA § 7 on its face.

Evaluation Standard –

Employee Handbook

• If the handbook provision does not restrict

a right under NLRA § 7 on its face, it still

may violate the NLRA if:

– Employees would reasonably construe the

language to prohibit a § 7 activity;

– The rule was put in place in response to

union activity; or

– The rule as applied restricts a § 7 right.

Provisions Under Attack by NLRB

• E-Mail Policies

• Disclosure of Confidential Information

• Confidentiality of Internal Investigations

• Media Contact Rule

• Contact with Governmental Agencies Rule

Provisions Under Attack by NLRB

• Internal Complaint Procedure

• Code of Conduct

• At-Will Disclaimers

Provisions Under Attack by NLRB

• Logos, Trademarks, and Graphics

• No Photography Rule

• Defamation of Company Products and

Services

Notable NLRB Decisions Design Technology Group

Employee Facebook posts criticizing

employer for refusing to close store early

when employees had to walk through

dangerous neighborhood in evenings was

protected. Design Technology Group

(2013)

Notable NLRB Decisions University of Pittsburgh Medical Center

ALJ found that medical center’s social

media policy which prohibited employees

from describing any affiliation with the

medical center violated the NLRA because

it severely inhibited the discussion of union

activity and the terms/conditions of

employment. UPMC (2013).

Notable NLRB Decisions Pier Sixty, LLC

Catering company violated an employee’s

Section 7 rights when it fired him for what

the Board considered protected, concerted

comments that were posted on his

personal social media account. The

employee, who worked as a server for the

catering company, was unhappy with what

he believed was disrespectful treatment by

an assistant manager.

Notable NLRB Decisions Pier Sixty, LLC

While on a work break, the employee his personal phone to post a message on FB, which stated that the manager was a “NASTY MOTHER F****R” and a “LOSER.” The post went on to state “f**k his mother and his entire f***ing family,” and ended the post by saying “Vote Yes for the Union!” Two days later, the bargaining unit voted in favor of being represented by the union.

Notable NLRB Decisions Pier Sixty, LLC

The Board found that the statements were

protected concerted activity regarding the

employee’s working conditions and

vulgarities in the workplace. Pier Sixty,

LLC, Case Nos. 02-CA-068612 and 2-CA-

070797.

Unbelievable!!

Disclosure of Confidential

Information

American Red Cross Blood Services,

Western Lake Region

• Employer Rule Defined Confidential

Information

– Personnel Information

– Other information relating to employees

• General Counsel – the rule encompassed

benefits, wage and working conditions

Disclosure of Confidential

Information

American Red Cross Blood Services,

Western Lake Region

• ALJ agreed

• Saving Clause: “This Agreement does not

deny any rights provided under the

National Labor Relations Act to engage in

concerted activity, including but not limited

to collective bargaining.”

Disclosure of Confidential

Information

Design Technology Group, LLC d/b/a

Bettie Page Clothing

• “Compensation programs are confidential

between the employee and employer.

Disclosure of wages or compensation to

any third party or other employee is

prohibited.”

Disclosure of Confidential

Information

DirectTV U.S. DirectTV Holdings, LLC

• “Never discuss details about your job,

company business or work projects with

anyone outside the company…[and] never

give out information about customers or

DirectTV employees.”

Confidentiality of Internal

Investigations

Banner Health Systems

• Do not speak with other employees about

investigation

• NLRA v. Title VII

• Must have legitimate business justification

– Witness Protection

– Evidence Destruction/Fabrication

– Prevent Cover up

Contact With Media Rule

DirectTV U.S. DirectTV Holdings, LLC

• “Do not contact the media, and direct all

media inquiries to the Home Services

Communications Department.”

• “Employees should not contact or

comment to any media about the company

unless pre authorized by Public Relations.”

Communication With Government

Entities

DirectTV U.S. DirectTV Holdings, LLC

• No talking to government.

• No talking to government without

preapproval.

Internal Complaint Procedures

• Follow chain of command or face

discipline rules

• Preference v. Mandatory

No Complaining to Clients

• Rule in essence says you cannot discuss

with a client or customer any complaints

about the employer or working conditions.

Code of Conduct

• “No one should be disrespectful or use

profanity or any other language which

injuries the image or reputation of the

employer”

• Do not engage in “harmful gossip”

• Do not exhibit a “negative attitude toward

or lose interest in your work assignment”

At-Will Statements

• One ALJ so found, but generally the NLRB

is not there yet.

Other Rules

• Logo, trademarks and graphics

• Photographs

• Speak Up Rule

• Defamation of Products/Services

HIPAA & Privacy Issues

Social Media:

It is everywhere

HIPAA Privacy Concerns

• HIPAA privacy regulations apply to protected health information

(“PHI”), which generally includes any oral, written or electronic

information that is:

– Created or received by a health care provider, health plan,

employer, or health care clearinghouse;

– Relates to past, present or future physical or mental health or

condition of an individual, the provision of care to an individual,

or the past, present or future payment for the provision of health

care to an individual; and

– Identifies the individual (or could reasonably be expected to be

used to identify the individual).

Social Media: Privacy &

Confidentiality

• Areas of Concern

• Violations of HIPAA and other laws

protecting privacy and confidentiality of

protected health information

• Consequences can include criminal and

civil monetary penalties and licensure

actions

Privacy Concerns

• Disclosing/Using Information

– HIPAA

– NYS Mental Hygiene Law

– NYS Public Health Law

– Licensure Issues

• Office of Professional Discipline

• Office of Professional Medical Conduct

HIPAA Privacy Concerns

• Social Media & Electronic

Communications have opened the door to

a new range of potential HIPAA privacy

violations:

– Unauthorized and impermissible uses of PHI.

– Unauthorized and impermissible disclosures

of PHI.

Social Media HIPAA Violations

• Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed.

• Sharing of photographs, or any form of PHI without written consent from a patient.

• A mistaken belief that posts are private or have been deleted when they are still visible to the public.

• Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.

HIPAA Security Rule

Security Rule: secure electronic protected health information (“e-PHI”).

• Email NOT expressly prohibited for sending e-PHI.

• Must implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access of e-PHI sent and received.

• Encryption is addressable but hard to argue it is not best practice.

• The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.

HIPAA Reforms

• Changes to the HIPAA regulations

dramatically enhance risks relating to

privacy and security violations:

– Increased penalties,

– New enforcement mechanisms,

– Audits, and

– Breach notification.

HIPAA and Email

• Precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.

• Patient initiated email: the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.

• Early intervention example.

HIPAA and Email

• Teach Staff:

– Double check email addresses

– Be careful of autofilled addresses

– Minimum necessary

• Other patients included

– Be careful of reply to all

– Be careful of cc’s

– No PHI to personal email

– Use of personal phones

– Danger of pictures

– Encryption only as good as use.

HIPAA and Email:

Summary

• Email communications are permitted, but you must take

precautions;

• It is a good idea to warn patients about the risks of using

email that includes patient health information (PHI);

• Providers should be prepared to use email for certain

communications, if requested by the patient, but must

ensure they are not exposing information the patient

does not want shared; and

• Providers must take steps to protect the integrity of

information and protect information shared over open

networks.

ENCRYPTION IS ALWAYS PREFERABLE.

Email & Privacy: OMIG Breach

Employees sending PHI to personal email accounts:

• OMIG Security Breach Example:

– On October 12, 2012, an OMIG employee sent 17,743 records of Medicaid recipients to their own personal email account.

– The private information which may have been exposed included: first and last names, dates of birth, Medicaid client information numbers, and Social Security numbers.

Archived Emails

Why should covered entities archive emails?

• Compliance: Do you need it for audits or investigations? False Claims Act statute of limitations – 10 years.

• Litigation Support: Defense in litigation.

• Disgruntled Employees: Archived emails protect against actions of sabotage or erasing evidence of wrongdoing.

• Proof of Email Delivery: Provides proof of email delivery to restore missing emails.

Email Tips

• Must you reply all?

• Beware of groups

• Before forwarding or adding a person to a

chain, what is at the bottom of the chain?

• Write for publication.

• Should that be in writing?

• Don’t forward privileged communication

too far (watch your Board).

Cyber Liability and Insurance

Related to Breach of PHI

• Created to protect against losses from

hacking PHI or other breaches.

• These policies also include protection from

defense costs.

• Privacy lawsuits not under HIPAA – under

a negligence theory – breach, duty,

causation, damages.

HIPAA Hot Topics

• Failure to perform privacy/security risk analysis

• Records on the road

• Laptops, thumb drives and encryption

• Knowing you have an issue and not fixing it

• Failure to report breaches timely

• Malware and ransomware

• Shared log ins

• Disposal of information

• Hybrid entities

Best Practice Policies

What do your employees agree to?

Does it extend beyond their employment?

Social Media? Device policy?

Bringing PHI out of office?

Using home computer?

Staff understand what they can and cannot

discuss with ex-employees?

Best Practice Policies

Policies and procedures stale?

Minimum Necessary – Significant

violators? Auditing? Training?

Is your training stale?

Board informed? Trained?

Photos? Development Office

Trained?

Policies for HIV? Required to be

updated annually in New York.

I Feel Like I Must Share This

Please be aware of:

http://cheaper-than-tuition.com/

Questions

Thank you for having us.