Post on 11-Jun-2020
Do’s & Don’ts – Social Media Policy
Michael J. Sciotti, Esq.
msciotti@barclaydamon.com
Barclay Damon LLP
Barclay Damon Tower
125 East Jefferson Street
Syracuse, New York 13202
(315) 425-2774 (Direct)
(315) 256-2314 (Cell)
www.barclaydamon.com
Melissa Zambri, Esq.
MZambri@barclaydamon.com
Barclay Damon LLP
80 State Street
Albany, NY 12207
(518) 429-4229(Direct)
www.barclaydamon.com
Disclaimer
This PowerPoint and the presentation of Barclay
Damon LLP are for informational and educational
use only. Neither the PowerPoint nor Barclay
Damon’s presentation should be considered legal
advice. Legal advice is based on the specific facts
of a client’s situation and must be obtained by
individual consultation with a lawyer. Please
consult a labor and employment lawyer before
attempting to address any legal situation raised in
this seminar.
Agenda
• General Information & Background
• Best Practices
• New York State Labor Law (“NYSLL”)
Issues
• National Labor Relations Board (“NLRB”)
Issues
• HIPAA and Privacy Issues
General Information & Background
Statistics
• 90% - 95% of businesses now use social media for business purposes.
• 80% of businesses reported taking disciplinary action against employees for misuse.
• 80% of businesses now have social media policies in place.
• 40% of employers actively block access to social media sites.
• 45% of businesses permit employees to access social media sites.
Big Deal?
• From novelty to normalcy in short time.
• Mainstream use = greater risks.
• As numbers demonstrate, employers have
increased policies, but landscape
regarding treatment of such policies is
changing at light speed.
Big Deal?
• NLRB’s General Counsel under the
Obama Administration aggressively
expanded authority of that office.
• NLRB regional offices were required to
submit all social media cases to the
Division of Advice.
Big Deal?
This is not really a change in
the law, but where it is
applied is new.
Monitoring Rights
Are employers permitted to monitor social
media use by employees at work?
Answer: Yes, but with constraints.
Need to consider data protection laws,
privacy laws, and consent, among other
things.
Monitoring Rights
National Labor Relations Act (“NLRA”),
and NYSLL play pivotal parts in an
analysis of whether or not an employee’s
violation of a Company’s Social Media
Policy should result in disciplinary Action.
General Questions
What limits and considerations apply to
employers monitoring of social media use
by employees at work?
Answer: Legitimate business interest vs.
privacy and Section 7 rights.
Apply best practice approach.
Best Practices
Best Practices
• Implement clear, well-defined policies (no
overreaching);
• Obtain acknowledgment or consent;
• Only go so far as to protect business
interests;
• Monitoring and decision-making by
designated employees, who have been
trained;
Best Practices
• Personal data obtained should be stored
safely and not disseminated;
• Apply training to employees regarding
appropriate use of IT;
• Document, document, document; and
• Do not overreact (i.e. make sure you know
what you are looking at), but do not
underreact.
Google: Michael Sciotti Mugshot
Google: Michael Sciotti Mugshot
• Michael Sciotti was booked in Volusia
County, FL on 08/06/2006.
• Thank you Mugshots.com
Employee on Beach
Employee Drinking
Twins
Employee Posts
• I hate my job.
• I hate my supervisor.
• My supervisor is a miserable SOB
because he refuses to pay me minimum
wage.
• I quit.
• I am going to quit.
• My salary is $52,000.00 – what is yours?
Sexual Harassment
Employees Who Hate
• KKK
• Confederate Flag
• Nazi Flag
Religion Issues
• Church of the Flying Spaghetti
Monster a/k/a Pastafarianism
• Church of Satan
• Vampirism
• Voodoo
• International Church of Cannabis
Religion Issues
• In 2013, Jediism was actually the seventh
largest religion in the United Kingdom with
an incredible 175,000 followers.
Confront the Employee
• Save the material and ask about it:
• (1) Did you post it?
• (2) Why did you post?
• (3) Impact of statement.
Employees & Facebook
Ignore
•Don’t be afraid to
ignore!!!
NYSLL §201-d
Recreational Activities Law
Political Activities
• Political Activities - shall mean:
• (1) Running for public office;
• (2) Campaigning for a candidate for public
office; or
• (3) Participating in fund-raising activities
for the benefit of a candidate, political
party or political advocacy group.
Employee Loves President Trump
Employee Hates President Trump
Recreational Activity
• Recreational Activities - shall mean any
lawful, leisure-time activity, for which the
employee receives no compensation and
which is generally engaged in for
recreational purposes, including but not
limited to sports, games, hobbies,
exercise, reading and the viewing of
television, movies and similar material.
Drug User
Good Reason To Fire?
What is “Work Hours”?
• Work Hours - Shall mean…all time, including paid and unpaid breaks and meal periods, that the employee is suffered, permitted or expected to be engaged in work, and all time the employee is actually engaged in work.
– This definition shall not be referred to in determining hours worked for which an employee is entitled to compensation under any other law.
Prohibitions
• Unless otherwise provided by law, it shall
be unlawful for any employer or
employment agency to refuse to hire,
employ or license, or to discharge from
employment or otherwise discriminate
against an individual in compensation,
promotion or terms, conditions or
privileges of employment because of:
Prohibitions
• (1) An individual's political activities
outside of working hours, off of the
employer's premises and without use of
the employer's equipment or other
property, if such activities are legal…
Prohibitions
• (2) An individual's legal use of consumable
products prior to the beginning or after the
conclusion of the employee's work hours,
and off of the employer's premises and
without use of the employer's equipment
or other property;
Prohibitions
• (3) An individual's legal recreational
activities outside work hours, off of the
employer's premises and without use of
the employer's equipment or other
property; or
Prohibitions
• (4) An individual's membership in a union
or any exercise of rights granted under the
NLRA or New York State Civil Service
Law.
No Protections
• The provisions of the Recreational
Activities Law shall not be deemed to
protect activity which:
• Creates a material conflict of interest
related to the employer's trade secrets,
proprietary information or other proprietary
or business interest…
No Protections
• An employer shall not be in violation of the
Recreational Activities Law where the
employer takes action based on the belief
either that:
• (1) The employer's actions were required
by statute, regulation, ordinance or other
governmental mandate;
No Protections
• (2) The employer's actions were
permissible pursuant to an established
substance abuse or alcohol program or
workplace policy, professional contract or
collective bargaining agreement; or
No Protections
• (3) The individual's actions were deemed
by an employer or previous employer to be
illegal or to constitute habitually poor
performance, incompetency or
misconduct.
NLRA & Section 7 Rights
Covered Employee?
• Most employees in the private sector are covered by the NLRA.
• However, the Act specifically excludes individuals who are:
• 1. Employed by Federal, state, or local government;
• 2. Employed as agricultural laborers;
• 3. Employed in the domestic service of any person or family in a home;
• 4. Employed by a parent or spouse;
Covered Employee?
• 5. Employed as an independent contractor;
• 6. Employed as a supervisor (supervisors who have been discriminated against for refusing to violate the NLRA may be covered);
• 7. Employed by an employer subject to the Railway Labor Act, such as railroads and airlines; and
• 8. Employed by any other person who is not an employer as defined in the NLRA.
NLRA – Section 7 Rights
• Employees shall have the right to self-
organization, to form, join, or assist labor
organizations, to bargain collectively
through representatives of their own
choosing, and to engage in other
concerted activities for the purpose of
collective bargaining or other mutual aid or
protection, and shall also have
NLRA – Section 7 Rights
• the right to refrain from any or all of such
activities except to the extent that such
right may be affected by an agreement
requiring membership in a labor
organization as a condition of employment
as authorized in NLRA § 8(a)(3).
NLRA – Section 7 Rights
• Employees who are not represented by a
union also have rights under the NLRA.
• Specifically, the NLRB protects the rights
of employees to engage in “concerted
activity”, which is when two or more
employees take action for their mutual aid
or protection regarding terms and
conditions of employment.
NLRA – Section 7 Rights
• A single employee may also engage in
protected concerted activity if he or she is
acting on the authority of other employees,
bringing group complaints to the
employer’s attention, trying to induce
group action, or seeking to prepare for
group action.
Examples
• A few examples of protected concerted
activities are:
• Two or more employees addressing their
employer about improving their pay.
• Two or more employees discussing work-
related issues beyond pay, such as safety
concerns, with each other.
Examples
• An employee speaking to an employer on
behalf of one or more co-workers about
improving workplace conditions.
Attacks on Employee Handbooks
Evaluation Standard –
Employee Handbook
• A handbook provision is illegal
if it restricts a right under
NLRA § 7 on its face.
Evaluation Standard –
Employee Handbook
• If the handbook provision does not restrict
a right under NLRA § 7 on its face, it still
may violate the NLRA if:
– Employees would reasonably construe the
language to prohibit a § 7 activity;
– The rule was put in place in response to
union activity; or
– The rule as applied restricts a § 7 right.
Provisions Under Attack by NLRB
• E-Mail Policies
• Disclosure of Confidential Information
• Confidentiality of Internal Investigations
• Media Contact Rule
• Contact with Governmental Agencies Rule
Provisions Under Attack by NLRB
• Internal Complaint Procedure
• Code of Conduct
• At-Will Disclaimers
Provisions Under Attack by NLRB
• Logos, Trademarks, and Graphics
• No Photography Rule
• Defamation of Company Products and
Services
Notable NLRB Decisions Design Technology Group
Employee Facebook posts criticizing
employer for refusing to close store early
when employees had to walk through
dangerous neighborhood in evenings was
protected. Design Technology Group
(2013)
Notable NLRB Decisions University of Pittsburgh Medical Center
ALJ found that medical center’s social
media policy which prohibited employees
from describing any affiliation with the
medical center violated the NLRA because
it severely inhibited the discussion of union
activity and the terms/conditions of
employment. UPMC (2013).
Notable NLRB Decisions Pier Sixty, LLC
Catering company violated an employee’s
Section 7 rights when it fired him for what
the Board considered protected, concerted
comments that were posted on his
personal social media account. The
employee, who worked as a server for the
catering company, was unhappy with what
he believed was disrespectful treatment by
an assistant manager.
Notable NLRB Decisions Pier Sixty, LLC
While on a work break, the employee his personal phone to post a message on FB, which stated that the manager was a “NASTY MOTHER F****R” and a “LOSER.” The post went on to state “f**k his mother and his entire f***ing family,” and ended the post by saying “Vote Yes for the Union!” Two days later, the bargaining unit voted in favor of being represented by the union.
Notable NLRB Decisions Pier Sixty, LLC
The Board found that the statements were
protected concerted activity regarding the
employee’s working conditions and
vulgarities in the workplace. Pier Sixty,
LLC, Case Nos. 02-CA-068612 and 2-CA-
070797.
Unbelievable!!
Disclosure of Confidential
Information
American Red Cross Blood Services,
Western Lake Region
• Employer Rule Defined Confidential
Information
– Personnel Information
– Other information relating to employees
• General Counsel – the rule encompassed
benefits, wage and working conditions
Disclosure of Confidential
Information
American Red Cross Blood Services,
Western Lake Region
• ALJ agreed
• Saving Clause: “This Agreement does not
deny any rights provided under the
National Labor Relations Act to engage in
concerted activity, including but not limited
to collective bargaining.”
Disclosure of Confidential
Information
Design Technology Group, LLC d/b/a
Bettie Page Clothing
• “Compensation programs are confidential
between the employee and employer.
Disclosure of wages or compensation to
any third party or other employee is
prohibited.”
Disclosure of Confidential
Information
DirectTV U.S. DirectTV Holdings, LLC
• “Never discuss details about your job,
company business or work projects with
anyone outside the company…[and] never
give out information about customers or
DirectTV employees.”
Confidentiality of Internal
Investigations
Banner Health Systems
• Do not speak with other employees about
investigation
• NLRA v. Title VII
• Must have legitimate business justification
– Witness Protection
– Evidence Destruction/Fabrication
– Prevent Cover up
Contact With Media Rule
DirectTV U.S. DirectTV Holdings, LLC
• “Do not contact the media, and direct all
media inquiries to the Home Services
Communications Department.”
• “Employees should not contact or
comment to any media about the company
unless pre authorized by Public Relations.”
Communication With Government
Entities
DirectTV U.S. DirectTV Holdings, LLC
• No talking to government.
• No talking to government without
preapproval.
Internal Complaint Procedures
• Follow chain of command or face
discipline rules
• Preference v. Mandatory
No Complaining to Clients
• Rule in essence says you cannot discuss
with a client or customer any complaints
about the employer or working conditions.
Code of Conduct
• “No one should be disrespectful or use
profanity or any other language which
injuries the image or reputation of the
employer”
• Do not engage in “harmful gossip”
• Do not exhibit a “negative attitude toward
or lose interest in your work assignment”
At-Will Statements
• One ALJ so found, but generally the NLRB
is not there yet.
Other Rules
• Logo, trademarks and graphics
• Photographs
• Speak Up Rule
• Defamation of Products/Services
HIPAA & Privacy Issues
Social Media:
It is everywhere
HIPAA Privacy Concerns
• HIPAA privacy regulations apply to protected health information
(“PHI”), which generally includes any oral, written or electronic
information that is:
– Created or received by a health care provider, health plan,
employer, or health care clearinghouse;
– Relates to past, present or future physical or mental health or
condition of an individual, the provision of care to an individual,
or the past, present or future payment for the provision of health
care to an individual; and
– Identifies the individual (or could reasonably be expected to be
used to identify the individual).
Social Media: Privacy &
Confidentiality
• Areas of Concern
• Violations of HIPAA and other laws
protecting privacy and confidentiality of
protected health information
• Consequences can include criminal and
civil monetary penalties and licensure
actions
Privacy Concerns
• Disclosing/Using Information
– HIPAA
– NYS Mental Hygiene Law
– NYS Public Health Law
– Licensure Issues
• Office of Professional Discipline
• Office of Professional Medical Conduct
HIPAA Privacy Concerns
• Social Media & Electronic
Communications have opened the door to
a new range of potential HIPAA privacy
violations:
– Unauthorized and impermissible uses of PHI.
– Unauthorized and impermissible disclosures
of PHI.
Social Media HIPAA Violations
• Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed.
• Sharing of photographs, or any form of PHI without written consent from a patient.
• A mistaken belief that posts are private or have been deleted when they are still visible to the public.
• Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.
HIPAA Security Rule
Security Rule: secure electronic protected health information (“e-PHI”).
• Email NOT expressly prohibited for sending e-PHI.
• Must implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access of e-PHI sent and received.
• Encryption is addressable but hard to argue it is not best practice.
• The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.
HIPAA Reforms
• Changes to the HIPAA regulations
dramatically enhance risks relating to
privacy and security violations:
– Increased penalties,
– New enforcement mechanisms,
– Audits, and
– Breach notification.
HIPAA and Email
• Precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.
• Patient initiated email: the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.
• Early intervention example.
HIPAA and Email
• Teach Staff:
– Double check email addresses
– Be careful of autofilled addresses
– Minimum necessary
• Other patients included
– Be careful of reply to all
– Be careful of cc’s
– No PHI to personal email
– Use of personal phones
– Danger of pictures
– Encryption only as good as use.
HIPAA and Email:
Summary
• Email communications are permitted, but you must take
precautions;
• It is a good idea to warn patients about the risks of using
email that includes patient health information (PHI);
• Providers should be prepared to use email for certain
communications, if requested by the patient, but must
ensure they are not exposing information the patient
does not want shared; and
• Providers must take steps to protect the integrity of
information and protect information shared over open
networks.
ENCRYPTION IS ALWAYS PREFERABLE.
Email & Privacy: OMIG Breach
Employees sending PHI to personal email accounts:
• OMIG Security Breach Example:
– On October 12, 2012, an OMIG employee sent 17,743 records of Medicaid recipients to their own personal email account.
– The private information which may have been exposed included: first and last names, dates of birth, Medicaid client information numbers, and Social Security numbers.
Archived Emails
Why should covered entities archive emails?
• Compliance: Do you need it for audits or investigations? False Claims Act statute of limitations – 10 years.
• Litigation Support: Defense in litigation.
• Disgruntled Employees: Archived emails protect against actions of sabotage or erasing evidence of wrongdoing.
• Proof of Email Delivery: Provides proof of email delivery to restore missing emails.
Email Tips
• Must you reply all?
• Beware of groups
• Before forwarding or adding a person to a
chain, what is at the bottom of the chain?
• Write for publication.
• Should that be in writing?
• Don’t forward privileged communication
too far (watch your Board).
Cyber Liability and Insurance
Related to Breach of PHI
• Created to protect against losses from
hacking PHI or other breaches.
• These policies also include protection from
defense costs.
• Privacy lawsuits not under HIPAA – under
a negligence theory – breach, duty,
causation, damages.
HIPAA Hot Topics
• Failure to perform privacy/security risk analysis
• Records on the road
• Laptops, thumb drives and encryption
• Knowing you have an issue and not fixing it
• Failure to report breaches timely
• Malware and ransomware
• Shared log ins
• Disposal of information
• Hybrid entities
Best Practice Policies
What do your employees agree to?
Does it extend beyond their employment?
Social Media? Device policy?
Bringing PHI out of office?
Using home computer?
Staff understand what they can and cannot
discuss with ex-employees?
Best Practice Policies
Policies and procedures stale?
Minimum Necessary – Significant
violators? Auditing? Training?
Is your training stale?
Board informed? Trained?
Photos? Development Office
Trained?
Policies for HIV? Required to be
updated annually in New York.
I Feel Like I Must Share This
Please be aware of:
http://cheaper-than-tuition.com/
Questions
Thank you for having us.