Monitoring by Human Resources

IT should be able to provide the right tools for monitoring employee activity and monitoring public information regarding your company. We discussed a number of tools in Part III that you can use. The company’s reputation is directly tied to employees’ activities. The line is undefined when it comes to what employees do during off hours. The challenge is when an employee types a message on the job and then posts the message on her Facebook page when she gets home. In August 2008, a Burger King employee uploaded a video to YouTube and MySpace that showed him taking a bath in the restaurant sink.² The health department and Burger King’s management got involved and the employee was fired. However, Burger King also had to respond to the public to protect its brand. Burger King’s initial response was “We have sanitized the sink and have disposed of all other kitchen tools and utensils that were used during the incident. We have also taken appropriate corrective action on the employees that were involved in this video. Additionally, the remaining staff at this restaurant is being retrained in health and sanitation procedures.” The comments about the story on different news websites show a negative response to Burger King initial response.

²“Burger King Worker Fired for Bathing in Sink,” MSNBC/Associated Press (August 12, 2008), http://www.msnbc.msn.com/id/26167371/ns/us_news-life/.

If an employee’s personal posting about a company could be considered defamatory or is targeted at a customer or competitor, HR has to know what actions to take. Laws already cover the social media posts of employees when it comes to things like defamation, confidentiality, and intellectual property theft. Some level of monitoring of employee posts when they are not at work should be in place to track what is really being said. This can be accomplished by general tracking of online mentions of the company name and key words related to the company. In Chapter 14, we go into detail about the monitoring capabilities of specific tools. If employees have company laptops, you can track laptop usage and all data sent from that laptop, as it is corporate property. You may cross the privacy line, however, if you target specific employees by monitoring their specific social media accounts. The courts have not yet determined what is legally crossing the line in social media monitoring.

An example of a company definitely crossing the line is when Hewlett Packard hired subcontractors to conduct private investigations of employees in 2006.³ The investigators used pretexting, a controversial method of obtaining phone records and personal information under false pretenses to gain phone information. AT&T informed Thomas Perkins, an HP director, that someone had gotten an AT&T customer-service representative to send Perkin’s phone records to an e-mail account at Yahoo!. This type of information tracking and gathering goes far beyond monitoring public social media postings. It could have potentially violated the Telephone Records and Privacy Protection Act of 2006, which makes pretexting—the obtaining of phone records under false pretenses—a federal crime. Several employees either resigned or were terminated over using poor judgment in handling employee monitoring. If the company had placed the correct monitoring tools in place beforehand, it may not have had to go down this very questionable path.

³Patrick Hosking, “Snooping on HP Board a Pretext for Disaster,” The Times (September 9, 2006), http://business.timesonline.co.uk/tol/business/article633447.ece.

Employees must be made aware of any monitoring activities. Through training and distributed written policies, they should know that the company will be monitoring staff for confidential and proprietary information disclosure and activities such as defamation. As we discussed in Chapter 7, employees have to be made aware of the policies regarding the corporate brand image, intellectual property, who they befriend, who they endorse, customer information, and other confidential information.

Compliance

Human Resources also has a responsibility to monitor employee activity if the company is under any type of regulatory requirements (such as HIPAA privacy rules). For example, if an employee in a healthcare company posts any information about patients, then that employee is breaking HIPAA rules and the company can be fined. In June 2010, Tri-City Medical Center in Oceanside, California, had to fire five nurses for discussing patients on their Facebook accounts.⁴ This goes against HIPAA regulations and the hospital had to report the incident to the California Department of Public Health, which then conducted an investigation. HIPAA violations are more prevalent as the law actually can be applied very quickly to initiate firing.

⁴“Oceanside Nurses Fired for Facebook Postings,” San Diego 6 News (June 10, 2010), http://www.sandiego6.com/mostpopular/story/Oceanside-Nurses-Fired-for-Facebook-Postings/2grZXIQTR0my9tYMH73ZqQ.cspx.

In the financial world, banks and other financial institutions must comply with regulations on advertising. These regulations can be violated by those in the financial industry advertising deliberately or inadvertently over social media. Regulation Z (Truth-in-Lending) and Regulation DD (Truth-in-Savings and Overdraft Protection) advertising rules apply to advertising in any form, including social media. Other restrictions that can impact the use of social media include:

Traditional advertising compliance rules Financial firms are very restricted in terms of advertising.

Unfair and Deceptive Acts or Practices Act (FTC Act) If a company changes its privacy policies without warning or makes changes retroactive, the company could be in violation of this act. Social networks that collect and sell without informing users could also be in violation of this act.

Telephone Consumer Protection Act Part of this act restricts SMS text messages received by cell phones, and with social networks integrating texting into their platforms, this could cause problems for companies.

E-SIGN Act This act regulates the validity of electronically signed contracts.

State laws Many states have their own variation of the FTC Act plus additional laws that can impact how social media is used in business.

An example of how new forms of communications outside traditional monitored channels can lead to these laws being broken is the case of vFinance Investments, Inc. A chief compliance officer violated Section 17(a) of the Securities Exchange Act of 1934 and Exchange Act Rules 17a-4(b)(4) and 17a-4(j) by failing to preserve and promptly produce electronic communications.⁵ The compliance officer used instant messages and nonapproved e-mail accounts to communicate financial information, which violated the law. Social networks all have communications capabilities that can be used to circumvent monitored channels such as corporate e-mail systems.

⁵Bill Singer, “Significant New SEC Ruling: Compliance Officer Slammed Over Emails and Instant Messages,” BrokeandBroker.com (July 19, 2010), http://www.brokeandbroker.com/index.php?a=blog&id=488.

With the Truth-in-Lending and Truth-in-Savings acts, posts that are intended to promote a bank or its products and services are advertisements that are subject to compliance disclosure rules. If you have to disclose the official advertising statement about FDIC membership, tweeting all that in 140 characters is kind of hard. Certain regulatory agencies, including the FDA among others, have yet to determine a set of policies for corporate use of social media, despite strong demand by interested parties. As a result, some companies are exploring social media very conservatively and avoiding all possible risk by severely limiting their communication and promotional activity over these channels.

HIPAA Security rules are focused on privacy restrictions but the rules are actually vague on how to implement controls to control private data. Companies turn to external third parties for help in implementing security controls and many look to the American Medical Association for help. But guidance from the American Medical Association is just as weak in providing details on how to actually implement security controls over social media postings. Their new “AMA Policy Helps Guide Physicians’ Use of Social Media” is pretty generic. The new policy only “encourages” physicians to conduct processes but without offering specific implementation capabilities:

Use privacy settings to safeguard personal information and content to the fullest extent possible on social networking sites.

Routinely monitor their own [physicians’] Internet presence to ensure that the personal and professional information on their own sites and content posted about them by others is accurate and appropriate.

Maintain appropriate boundaries of the patient-physician relationship when interacting with patients online and ensure patient privacy and confidentiality are maintained.

Consider separating personal and professional content online.

Recognize that actions online and content posted can negatively affect their [physicians’] reputations among patients and colleagues and may even have consequences for their medical careers.

Focus of Monitoring

External monitoring by HR should focus on what employees are saying to customers and each other and posting in general public forums. Marketing should take the lead in focusing on customers’ positive and negative mentions. Marketing has to manage interactions that relate to language and social media etiquette used with the public, including any potential personal attacks on customers, content of messages, and methods of contact and follow-up with customers and potential customers. On the other hand, Human Resource monitoring, using tools provided by the IT department, should focus on:

Defamation Employees saying anything that could be considered defamatory about customers or competitors

Misinformation Employees posting misleading information about the company or competitors

Attacks Negative statements posted by employees that might reflect poorly on the company

Accuracy Employees being honest and accurate with the public about the information they share about the company

Confidentiality Employees breaking any confidentially restrictions on company information

Disclosure Employees providing the correct disclosures about how they represent the company on posted messages

Can HR Ban Activity?

There are many pros and cons to banning social media activity. A 2009 Robert Half Technology survey found that approximately 54 percent of companies ban social media activities at work. Another survey by an IT service firm, Telindus, found that 39 percent of 18- to 24-year-olds would consider leaving a company if they were not allowed to access applications like Facebook and YouTube. Whether this is a good or bad policy is yet to be determined. If you ban activity, you have different reporting challenges when using data loss prevention technologies. You will focus more on monitoring employees’ public profiles to see if they are talking about the company or your customers when they get home. The only way to really monitor home activity is if they use a company-issued computer on which you’ve installed monitoring software or by performing public searches for the company name and key words regarding the company and perhaps key employee names. Employees are pretty tech savvy, however, and they may find other ways around the bans; one obvious way is by accessing social sites and applications on their personal and corporate mobile devices. If you are not monitoring activity, you lose an opportunity to correct behavior that you have no idea is going on.

If you allow social media usage in the workplace, your monitoring and reporting rules are different. You can monitor activity and then train employees on appropriate use of social media at work. Hopefully, your employees will take those practices home with them. Engaging employees in how to interact properly with customers and the public, as we discussed in the policy section in Chapter 6, rather than the outright banning of social media is deemed to be the more positive, “employee friendly,” and realistic approach.