SOCIAL MEDIA SECURITY RISKS WITH BYOD
By Michael Beygelman, CEO, Joberate
The increasing popularity of BYOD (“bring your own device”) programs in the workplace have improved employee morale and lowered operating costs for many organizations that have embraced this new approach. At the same time, there is a darker side – unlikely or sometimes unanticipated security risks emerge as a result of employees using Social Media on their own devices. After all, it is the employees’ personal device, so why should an organization have the right to police it?
Most organizations will encounter some difficulties policing Social Media activities, especially on BYOD devices, because today’s society views their ability to use Social Media almost like a constitutional right, while there are also possible issues stemming from recent National Labor Relations Board (“NLRB”) rulings that must be taken into consideration.
One approach might be to consider inserting appropriate language in organizational Social Media and BYOD usage policies and insure that employees sign acknowledgement of compliance with such policies, and to develop employee-training programs around BYOD and Social Media. However, caution must be applied so that company policies aren’t prohibitively restrictive to the extent that they’re unenforceable or non-defensible against employee complaints, or act as a deterrent to employee retention and recruitment.
In the fall of 2012, the NLRB began to issue decisions on cases the Board reviewed, some of which involved disciplining employees for their social media postings. The decisions made by the NLRB will likely prove to be significant for years to come because they served to establish precedent, which might be used in future cases.
In one decision, the NLRB found that “the firing of a BMW salesman for photos and comments posted to his Facebook page did not violate federal labor law, because the activity was neither concerted nor protected. The question came down to whether the salesman was fired exclusively for posting photos of an embarrassing and potentially dangerous accident at an adjacent Land Rover dealership, or for posting mocking comments and photos with co-workers about serving hot dogs at a luxury BMW car event. Both sets of photos were posted to Facebook on the same day; a week later, the salesman was fired from Knauz BMW in Lake Bluff, IL.”
The NLRB had sided with Judge Biblowitz’s finding that the salesman was fired solely for the photos he posted of the Land Rover accident – both dealerships are owned by the same employer – and not because of the hot dog incident photos, so the employer prevailed. However, in another decision issued later that year, the NLRB found that “it was unlawful for a non-profit organization to fire five employees who participated in Facebook postings about a co-worker who intended to complain to management about their work performance.” In it’s decision, the NLRB applied already-settled law to Social Media and found that “the Facebook conversation was concerted activity and was protected by the National Labor Relations Act,” so in this case the terminated employees prevailed.
One area that organizations will have to examine closely is their confidentiality policies about the kind of information an employee is allowed to share externally on Social Media sites like Glassdoor, or similar sites using their BYOD device. Confidentiality policies that are overly broad are often unenforceable, so even though a company thinks they’re protected they might not be. The NLRB recently struck down a confidentiality policy stating that “dissemination of confidential information within [the company], such as personal or financial information, etc., will subject the responsible employee to disciplinary action or possible termination.” MCPc, Inc., 360 N.L.R.B. 39 (2014). The panel concluded that MCPc, Inc.’s confidentiality policy was unlawful because employees could reasonably construe it as prohibiting discussion of wages or other conditions of employment with their co-workers, so once again the employees prevailed. Although the NLRB’s decision regarding confidentiality and Social Media could be revisited by the United States Supreme Court in NLRB v. Noel Canning, 573 U.S. (2014), based on a technicality that the 2012 NLRB appointments were invalid, the MCPc, Inc. NLRB decision is still in force and should be treated as such by all employers.
Clearly it shouldn’t be a surprise to organizations that the debate is heating up, and the number of class actions is on the rise. The pace of BYOD and Social Media adoption globally will only accelerate in the coming decade so organizations need to look at the confluence of these two trends holistically rather than independently.