The Federal Trade Commission is deeply involved in the intersection of emerging technology and the employer-employee relationship. Two such areas merit a closer look: social media endorsements and cybersecurity. (I have previously written about the FTC on the subjects of big data and IoT in the workplace.)
Endorsements and Social Media
It is well-settled that if there’s a connection between an endorser and the marketer that consumers would not expect and it would affect how consumers evaluate the endorsement, that connection must be disclosed. Social media makes it easier for employees to endorse employer products without a disclosure. The FTC recently took enforcement action against Sony and its advertiser on these very grounds:
According to the FTC’s press release regarding the allegations against Deutsch LA and Sony, Deutsch LA used the term “#gamechanger” in its ads to direct consumers to online conversations about Sony’s PS Vita console on Twitter. About a month before the gaming console was launched, one of Deutsch LA’s assistant account executives sent a company-wide email to staff asking them to help with the ad campaign by posting comments about the PS Vita on Twitter and using the same “#gamechanger” hashtag, according to the complaint.
The FTC alleged that, in response to the company-wide email, various Deutsch LA employees posted positive tweets about the PS Vita to their personal Twitter accounts, without disclosing their connection to Deutsch LA or Sony. The FTC charged that the tweets were misleading, as they did not reflect the views of actual consumers who had used the PS Vita, and because they did not disclose that they were written by employees of Deutsch LA.
The FTC recommends that employers:
- ensure that their social media policies are up-to-date to require disclosure of the employee’s affiliation with the employer;
- ensure that employees are adequately trained on endorsement guidelines; and
- “To ensure compliance, employee posts/social media activity should be reviewed.”
The last recommendation has huge implications for the employer-employee relationship – routinely reviewing social media activity of employees is both intrusive and expensive (although, of course, it is done).
Worse, this last recommendation may run afoul of the NLRB, which concludes that employer surveillance or creation of an impression of surveillance constitutes unlawful interference with Section 7 rights because employees should feel free to participate in protected activity without the fear of being monitored. See NLRB Advice Memorandum dated July 28, 2011 regarding Buel, Inc., Case 11-CA-22936 (here).
The FTC also routinely holds employers accountable for failing to properly train employees on cybersecurity when a cybersecurity failure is deemed an unfair trade practice, that is, promising a secure product and not delivering on that promise.
Such training must ensure that employees understand the enterprise’s security and privacy rules and know their role in implementing them – and therefore do not play a role in a data breach (a.k.a. an unfair trade practice).
These training and procedural requirements are very specific and require our careful attention. Consider this 2014 brief on behalf of the FTC, which shows the depth of the FTC’s concern:
LabMD did not adequately train its employees to safeguard Personal Information or provide appropriate opportunities for its IT employees to receive security-related training about evolving threats. Proper training is integral to a defense in depth strategy. A company should provide its employees with training regarding security mechanisms, acceptable use of computer equipment, current threats, and best practices. A company should also provide its IT employees with periodic training on protecting against evolving threats.
LabMD did not provide its non-IT employees with any training regarding security mechanisms or the consequences of reconfiguring security settings in applications. Many LabMD employees could change security settings on their computers because they were given administrative rights over their workstations. Likewise, LabMD did not provide its IT employees with formal security-related training regarding evolving threats. LabMD’s security practices were, as a result, reactive, incomplete, ad hoc, and ineffective. Among other consequences of LabMD’s inadequate training…:
- Penetration testing was never done before May 2010;
- Software with known flaws was not updated on servers that contained Personal Information;
- Firewalls were disabled on servers that contained Personal Information;
- Servers executed software that was no longer supported by vendors, including operating system and antivirus software;
- There was no uniform policy requiring strong passwords or expiration of passwords;
- Personal Information was transmitted and stored in an unencrypted format;
- At least some employees were given administrative access accounts and were able to download and install software without restriction.
More on both of these items in the coming weeks.