Shawn E. Tuma

Cybersecurity & Data Privacy Attorney

Scheef & Stone, LLP

Shawn.Tuma@solidcounsel.com

(214) 472-2135

@shawnetuma

What Could Go Wrong?Avoiding the Legal Pitfalls of

Social Media Marketing

A smart man learns from his mistakes.

A wise man learns from the mistakes of others.

A fool never learns.

3@shawnetuma

“An ounce of prevention is cheaper thanthe first day of litigation” – Shawn Tuma

@shawnetuma

OWNERSHIP / CONTROL / TRANSFER

@shawnetuma

PhoneDog v. Kravitz

• PhoneDog (employer) / Kravitz (employee /blogger)

• @PhoneDog_Noah had 17,000 followers

• Kravitz resigned, refused to turn over hisTwitter account, changed handle to@noahkravitz and grew to 24,000 followers

• PhoneDog sued (7/15/11), heavy litigation,settled (12/12) = 1.5 yrs of fees & Kravitz stillhas @noahkravitz

THE TAKEAWAY

Every company needs a contractual agreement thatclearly states who owns social media accounts used onbehalf of the company.

Ownership &Control Over

Accounts

@shawnetuma

• Unauthorized Access = hacking!!!

• Sale / M&A / Bankruptcy = company asset

• Personal – who updates when you pass?

• Blogs / Subscriber Sites with consumerinformation?

• → Privacy Policy?

Sales & Transfersof Accounts

@shawnetuma

INTELLECTUAL PROPERTY

@shawnetuma

Intellectual Property

i.e., copyrights, trademarks, trade secrets,confidential and proprietary information

• Protect your content and brand

• Copyright & trademarks

• Example: client brand w/o trademark, thennegotiating to obtain

• Tip: use unique phrases + Google Alerts!

• Do you want to tell your competitors?

• Customer / vendor lists• Who are you talking to or following?

• Departing employee’s LinkedIn?

• Secret business alliances, strategies, plans

• Business situational awareness

Your IntellectualProperty

@shawnetuma

• Infringement of trademark

• Right to publicity

• name, voice, signature, photo, likeness(statutory after death)

• commercial v. educational or newsworthy

• audience picture v. company promo video

• Infringement of copyright

• attribution isn’t enough (this isn’t plagerism)

• DMCA Takedown Request

• Google penalizes for too many

• Must have a license or use creativecommons … but …

Other’sIntellectual

Property

@shawnetuma

Copyright Example

Attribution: prthugp @http://www.officialpsds.com/prthugp-Profile9747.html

License: Creative Commons Attribution 3.0

@shawnetuma

@shawnetuma

ONLINE SMACK TALKING

@shawnetuma

Reputation management

• Be nice – if legit, address the problem

• i.e., “who” are you and what is your “brand”?

• Compare: church with TM vs. Bullyville

• Healthcare / PHI???

• Outing the anonymous defamer

• Beaconing / email ping-back

• DMCA takedown request if IP (must respond)

• Pay a good PR firm instead of payinglawyers (best advice!)

• Litigation – but …

Dealing withSmack Talk!

Someone talking badabout your businessonline?

• Defamation rules apply online

but …

• The “Streisand Effect”

• Anti-SLAPP (Strategic LawsuitsAgainst Public Participation

• ≠ assign copyright of reviews

• ≠ charge $500 per bad review

@shawnetuma

AGENCY ISSUES

@shawnetuma

@shawnetuma

TORTS & REGULATORY LIABILITY

Tort Claims

What your company’s employees say or do can hurt you!

• communications

• tortious interference

• defamation (libel, slander, bus. disparagement)

• false advertising & false warranties

• privacy / data breaches

• online impersonation

• harassment and cyber-bullying

• “puffery” of facts

Regulatory Liability

Federal Agencies are Watching

• FTC – Investigated Hyundai for not disclosing incentives given to bloggers forendorsements

• Big deal – FTC very active in this area

• Celebrity endorsements of ICOs = FTC, SEC & CFTC oversight!

• HHS & OCR – could have investigated hospital worker who posted patient“PHI” on Facebook → “Funny, but this patient came in to cure her VD and getbirth control.”

• SEC – false statements in raising funds (SEC v. Imperia Invest. IBC) or insiderinforma� on → “Board meeting. Good numbers = Happy Board.” before officialrelease

@shawnetuma

CONTRACT LIABILITY

Terms of Service / Use – Potential Trouble Spots

• Giveaways and contests can be trouble for many reasons – do not dothem on social media without careful consideration and vetting

• Service’s Terms of Service

• Jurisdiction gambling and contest rules

• Example: Facebook’s Terms of Service for Pages are very specificabout requirements for Promotions

• A complete release of Facebook by each entrant or participant

• Acknowledgement that Facebook is not sponsoring or affiliated

https://www.facebook.com/page_guidelines.php

Twitter Bots – On No, The Russians Did It!!!

#TwitterLockOut

Twitter’s Rules & Policies governing “Automated Activity”

@shawnetuma

Privacy & Data Security

@shawnetuma

Come on, people???

New York Department of Financial Services Cybersecurity (NYDFS)Requirements for Financial Services Companies + [fill in]• All NY “financial institutions” + third party service providers.

• Third party service providers – examine, obligate, audit.

• Establish Cybersecurity Program (w/ specifics):• Logging, Data Classification, IDS, IPS;• Pen Testing, Vulnerability Assessments, Risk Assessment; and

• Encryption, Access Controls.

• Adopt Cybersecurity Policies.

• Designate qualified CISO to be responsible.

• Adequate cybersecurity personnel and intelligence.

• Personnel Policies & Procedures, Training, Written IRP.

• Chairman or Senior Officer Certify Compliance.

EU – General Data Protection Regulation (GDPR)• Goal: Protect all EU citizens from privacy and data breaches.

• When: May 25, 2018.

• Reach: Applies to all companies (controllers and processors):• Processing data of EU residents (regardless of where processing),• In the EU (regardless of where processing), or• Offering goods or services to EU citizens or monitoring behavior in EU.

• Penalties: up to 4% global turnover or €20 Million (whichever is greater).

• Remedies: data subjects have judicial remedies, right to damages.

• Data subject rights:• Breach notification – 72 hrs to DPA; “without undue delay” to data subjects.• Right to access – provide confirmation of processing and electronic copy (free).• Data erasure – right to be forgotten, erase, cease dissemination or processing.• Data portability – receive previously provided data in common elect. format.• Privacy by design – include data protection from the onset of designing systems.

@shawnetuma

EVIDENCE

“The law has a right to every man’s evidence”

• Courts look to social media for public posts, private messages, “Likes”, etc.• Club’s SM before Cowboys’ Josh Brent wreck killing Jerry Brown: “I have 12

#Cowboys in theeee building!!!!!!!!!! #Privae” … “These fools buying Ace on top ofAce!!!!!!!”

• Danielle Saxton’s Facebook “selfie” wearing stolen merchandise – easy evidence!• Daughter’s $80,000 Facebook “brag”: "Mama and Papa Snay won the case against

Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCKIT."

• Document Retention Policy

• No reasonable expectation of privacy (even private messages), usually

• If litigation is anticipated• Cannot permanently delete account or posts; may be able to “take down”• Cannot selectively delete posts

@shawnetuma

SOCIAL MEDIA POLICIES

General Strategy for Policies

• Recognize and appreciate potential issues

• Decide how to handle those issues

• Educate your team on those issues

• Collaborate and train on how to comply with and resolve issues

• Create and outline procedures for using social media

• Monitor (to some degree) to ensure compliance

• Know your industry requirements (i.e., healthcare)

• If a “form” is given by your regulator, use it!!!

Social media policies are a “MUST HAVE”

• Ounce of prevention: less than 1 day of litigation

• If have, must enforce

• Trying to predict issues – but evolving – can’t get all

• Contractually resolve issues such as ownership and authority

• Great opportunity to set rules and document expectations

• Training - greater opportunity to explain and ensure understanding ofexpectations

• Put on notice of monitoring – and actually monitor!

• Should address employment issues

But, will the National Labor Relations Board allow it?

• NLRB jurisdiction = impacts interstate commerce

• National Labor Relations Act (NLRA) sec. 7 gives employees right toengage in “concerted activities for the purpose of … mutual aid andprotection”

• NLRB finds illegal any policy provision that (a) restricts or (b) anemployee would reasonably construe to chill concerted activities

• NLRB General Counsel has issued multiple Reports on Social MediaPolicies – extraordinary activity

Can you guess who the NLRB is pulling for?

• Making it very difficult for businesses to protect themselves

• Social media policies must now be carefully tailored to• Address unique business and legal needs of your business

• Be enforceable and lawful in a court of law

• Be legal in the eyes of the NLRB

• Examples of provisions found illegal by NLRB

Can you guess who the NLRB is pulling for?

“Bob is such a NASTY MOTHER F***** don’t know how to talk topeople!!!!!! F*** his mother and his entire f****** family!!!! What aLOSER!!!! Vote YES for the UNION!!!!!!!”

@shawnetuma

@shawnetuma

@shawnetuma

@shawnetuma

Richmond Dist. Neighborhood Center v. Callaghan

“The question is whetherthe conduct is so egregiousas to take it outside theprotection of the Act, or ofsuch character as to renderthe employee unfit forfurther service.”

“The question is whetherthe conduct is so egregiousas to take it outside theprotection of the Act, or ofsuch character as to renderthe employee unfit forfurther service.”

Can you guess who the NLRB is pulling for?

56 Pier Sixty, LLC (NLRB March 31, 2015)

• Employee on Facebook: called his manager a “NASTY MOTHERF****R” and a “LOSER,” said “f**k his mother and his entire f***ingfamily,” and ended the post by saying “Vote Yes for the Union!”

• Company fired him.

• NLRB: Firing improper. Feeling of mistreatment motivated statementsand employees were simultaneously seeking redress throughupcoming union election which made statements protected,concerted activity.

• Comments not egregious enough.

What is the NLRB really looking for?

• Clarity and precision

• Examples of do’s and don’ts that give context and real-life meaning tothe rules

• Implementation + training =

@shawnetuma

CYBER / MEDIA INSURANCE

Cyber Liability Insurance

• If you are doing anything in cyber/digital, you need it. Period.

• Most traditional insurance does not cover cyber-events, even if youthink it does (really!)

• Cyber Insurance is relatively inexpensive

• Some policies include a cyber risk audit before being underwritten

• Policies can cover social media risk, computer fraud risk, data breach/ hacking risk, and even social engineering

• But, they are tricky – you have to really know what you’re looking forvis-à-vis your company’s risks

• Board of Directors & General Counsel, Cyber Future Foundation• Board of Advisors, North Texas Cyber Forensics Lab• Policy Council, National Technology Security Coalition• Cybersecurity Task Force, Intelligent Transportation Society of America• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)• SuperLawyers Top 100 Lawyers in Dallas (2016)• SuperLawyers 2015-17• Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law)• Council, Computer & Technology Section, State Bar of Texas• Privacy and Data Security Committee of the State Bar of Texas• College of the State Bar of Texas• Board of Directors, Collin County Bench Bar Conference• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association• Information Security Committee of the Section on Science & Technology

Committee of the American Bar Association• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)• International Association of Privacy Professionals (IAPP)

Shawn TumaCybersecurity PartnerScheef & Stone, L.L.P.214.472.2135shawn.tuma@solidcounsel.com@shawnetumablog: www.shawnetuma.comweb: www.solidcounsel.com