The use of online social networking by lawyers traverses many different areas of the law and regulation. Some are more obvious, and frankly, more likely to be relevant than others. As a lawyer, there is clearly some (if not, a lot of) merit in using online social networking in the practice of law. But this article does not seek to enter that debate. Instead, this article will look at the potential issues and risks from a legal and professional stand point for law firms, their partners and other staff (which we will refer to as ‘employees’) with using online social networking. In addressing these issues and risks, most require perhaps no more than the exercise of common sense (and a pause for consideration before you ‘post’ your next comment) with a few requiring a little more consideration.

What we mean by online social networking?

Online social networking includes: web logs abbreviated to ‘blogs’ that the author owns or writes and those to which the author posts comments, such as media sites provided by television networks, newspapers and magazines which allow readers to post comments; social networks (eg Facebook); professional networks (eg LinkedIn and Legal OnRamp); live-blogging tools (eg Twitter); photo or videosharing services (eg YouTube and Flickr); social bookmarking services (ie those used to consolidate internet links to websites identified with the user’s web browser as ‘favourites’ or ‘bookmarks’ such as Digg and Delicious); and participation on listservs, or mailing lists, or similar services.

In short, online social networking is communication which happens online. Such communications are not easily removable and can reach a very broad audience very quickly.

Where are the pitfalls?

There are obvious risks that a firm and its employees will need to recognise and manage associated with the use of online social networking. Some of these overlap and some are more real in terms of being more likely to occur than others.

Disclosure of confidential information
One of the key professional obligations of a lawyer is to keep client confidential information confidential. Therefore, preventing the disclosure of confidential information through online social networking is a risk that cannot be ignored. Social media sites provide an open forum for individuals to post and exchange information. Due to the nature of social media sites, there is risk that an employee may post confidential information about the firm, other employees and/ or clients of the firm (whether inadvertently or deliberately). This could obviously result in significant damage to the firm’s business and reputation, as well as disciplinary proceedings against the lawyers involved. A recent practice note from the Law Society of England and Wales on social media suggests that simply being ‘contacts’ with a client on LinkedIn, and thereby acknowledging that you have a link with that client may, in fact, breach the rule on confidentiality. Similarly, comments on Twitter that you are in a certain location at a certain time which could ‘inadvertently disclose that you are working for a client’ could also breach the rule on confidentiality.

Damage to reputation
Aside from breaches of confidentiality which could damage the reputation of a firm as discussed above, other comments posted on social media sites could affect the reputation of a firm or third party and, in some circumstances, constitute defamation. While an employee can say things to try to hurt the reputation of a firm or a third party outside the context of online social networking, the situation is more acute if done online given the reach, and the ease with which it can be done and the permanent nature of the internet. The firm may be vicariously liable for the defamatory conduct of an employee. The fact that the firm may have a claim against the employee concerned will be of little comfort compared to the damage to the reputation of the firm.

Unlawful harassment
Comments posted on a social media site could relate to a protected attribute, such as disability, race or sex. If an employee were to make such comments in the course of their employment, and a reasonable person would be offended, humiliated and intimidated by such comments, there is a danger that such comments could constitute unlawful harassment under the relevant anti-discrimination legislation. In such circumstances, the firm could be vicariously liable for the actions of that employee. A firm will not be held vicariously liable for any claim of unlawful discrimination or harassment if it can demonstrate that it has taken all reasonably practicable steps to prevent the employee from committing the relevant act in question. If a firm permits access to social media sites using work equipment and systems during work hours, and the conduct took place in the workplace to create a hostile or intimidating work environment, this could also amount to unlawful harassment.

Inappropriate behaviour affecting employment
For an employee, what he/she does online (eg criticizing the employer, bullying, misconduct) can be grounds for disciplinary action and/or termination of employment. An employee could post negative comments about a fellow employee, the firm or a client on a social media site, or could disclose confidential information. In addition to express duties under the contract of employment, an employee will also owe implied duties of good faith and fidelity to his or her firm. These duties can be breached, even if the relevant posting of negative statements online took place outside of work hours.

Monitoring
Some firms may want to monitor their employees’ use of online social networking. The collection, use and handling of personal data of an individual is governed by the Personal Data (Privacy) Ordinance (Cap 486) (PDPO) including the six data protection principles (DPPs). The Commissioner for Personal Data Privacy has issued guidelines for monitoring at work entitled ‘Privacy Guidelines: Monitoring and Personal Data Privacy at Work’ (the ‘Guidelines’). The Guidelines are not definitive statements of law (so not following them will not of itself create liability separate to the PDPO), but they are illustrative of best practices or guidance to employers on the application of the PDPO in the context of employee monitoring. Following the Guidelines will generally result in compliance with the PDPO and may provide a defence, if (somehow) an employer faces any challenge by an employee in respect of violation of the PDPO in respect of workplace monitoring. In essence, the Guidelines focus on the concept of ‘fair’ collection of personal data from monitoring (see DPP1). The Guidelines recommend a framework involving:

• assessment of the appropriateness of employee monitoring, ie looking at the purpose of monitoring, the risks that the monitoring is seeking to manage, the adverse impact on employees the monitoring may have and the benefits derived from the monitoring. Mere perception of risk unconnected with the nature of the business would be insufficient to justify employee monitoring;
• alternatives to employee monitoring; and
• accountability of the employer by having appropriate policies and practices in relation to collection and handling of personal data arising from the monitoring.

Use in recruitment: discrimination and data privacy
A firm could also risk facing unlawful discrimination claims if it uses information obtained from social media sites about potential employees relating to a protected attribute as the basis for treating them in a detrimental way. Information on social media sites will often contain personal details of the job applicant, which may include the protected attributes under the four anti-discriminationordinances: the Sex Discrimination Ordinance (Cap 480); the Disability Discrimination Ordinance (Cap 487); the Family StatusDiscrimination Ordinance (Cap 527); and the Race Discrimination Ordinance (Cap 602). These protected attributes are sex, marital status, pregnancy, disability, family status and race, which include the colour, descent or national or ethnic origin of an individual. A firm who treats a job candidate less favourably on the grounds of any of these protected attributes (eg decides not to hire the candidate), absent any relevant applicable exemption, will be engaging in unlawful discrimination.

Information about a job applicant on a social media site will most likely contain personal data of the job applicant. As such, where a firm collects information or personal data of a job applicant from a social media site for the purpose of vetting that job applicant, such collection and subsequent handling of the personal data will be subject to the PDPO.

Under DPP1, an employer must have a lawful purpose for the collection of personal data, the data collected must be necessary for, or directly related to, that purpose, and the amount of data collected should be adequate, but not excessive, in relation to that purpose. In addition, where the person from whom the data are to be collected is the data subject (ie job applicant), the employer is required to take all reasonably practicable steps to ensure that the job applicant is informed, at the time of or before the collection of personal data, of the purpose for which the data are to be used, and the classes of persons to whom the data may be transferred.

Under DPP2, an employer must ensure that any personal data collected from a social media site are accurate. Therefore an employer must be careful not to collect and rely on personal data that are inaccurate or out of date.

If a job applicant considers that the employer has breached the DPPs, the job applicant may make a complaint to the Privacy Commissioner for Personal Data. The Privacy Commissioner may investigate the matter and issue an enforcement notice requiring remedy of the breach. Failure to comply with the enforcement notice issued by the Privacy Commissioner is an offence, and the employer may be subject to a fine and imprisonment.

Inadvertent lawyer-client relationship
It is not inconceivable that an inadvertent lawyer-client relationship can arise through the use of online social networking, especially through the use of a professional network site such as LinkedIn that allows users to pose and answer questions. The more specific the legal question and detailed response, the greater the risk. If the advice is incorrect or misleading the lawyer may have opened himself or herself, or the firm, to negligence claims. Certainly, any lawyer should not accept that any legal advice obtained from others through online social networking would be a good substitute for conducting his/her own research. Even if a lawyer-client relationship is not established, there may be conflict of interest issues to consider, particularly if confidential information or details about a particular matter are obtained (even if unsolicited).

Unauthorised practice of law
This may seem strange, but online posts will be seen by everyone whom you permit to see (and some whom you do not permit to see), whether or not they are in Hong Kong. You may only have a practising certificate to practise Hong Kong law. Unless it is clear from the post which jurisdiction’s laws are being commented upon, a lawyer may fall foul of other countries’ regulations regarding the practise of law.

Advertisement and solicitation
While online social networking can be a powerful and effective form of promoting the firm’s or its lawyers’ practice, lawyers should be cognisant of the Solicitor’s Practice Promotion Code (Chap 25 of the Hong Kong Solicitors’ Guide to Professional Conduct). The Code requires practice promotion to be, inter alia, ‘decent, legal, honest and truthful’ and embodies a number of ethical obligations such as protecting clients’ confidentiality. There are provisions relating to practice promotion outside of Hong Kong that also ought to be borne in mind when engaging in online social networking.

Loss of clients
Networking sites such as LinkedIn allows an individual to connect online with others whom they may encounter during employment (eg client contacts and suppliers) and provide the individual with a ready ‘contact list’ or ‘client list’ which may be accessed after cessation of employment. A recent high profile case in the United States has highlighted the issue of ownership in relation to online social networking. In the first case of its kind, a small company in the US known as ‘Phone Dog’ is suing a former employee who blogged under the name ‘@PhoneDog_Noah’ for taking 17,000 Twitter followers with him when he left the company. After his departure, he continued tweeting under the same account (instead of setting up a new one) but under his own name ‘@Noah Kravitz’. The company contends that the follower list is equivalent to that of a customer list and is intellectual property owned by the company. While banning the use of such networking sites might be impractical or undesirable, a firm can consider whether its legitimate interests can be protected through the use of appropriately worded contracts and post-termination restrictive covenants.

In discussing the above, we have left aside issues where an individual may use social media fraudulently. The setting up of fake friends or passing-off of a person, or even pretending to be a friend to obtain more information about a particular matter, is perhaps the more extreme and unlikely situation that can occur from the abuse of online social networking.

What can firms do to manage their risks?

A firm can take the following steps:

1. Impose an outright ban on access to social media sites at work. This approach could prove to be unpopular among employees and have an adverse impact on the morale within a workforce. A complete ban would not address the potential problems that could arise from postings by employees outside of working hours.
2. Manage and set expectations. Firms can put in place a social media policy which deals with the use of online social media sites during and outside of work hours. Policies will vary according to business needs but broadly such a policy should have provisions dealing with online social media activity by its employees and, in particular should:

• set out the parameters governing the use of the firm’s IT systems;
• contain guidelines as to what can be discussed, commented on or promoted through social media sites;
• prohibit discrimination, harassment or bullying of other employees, which could include negative comments about employees posted on social media sites;
• prohibit negative comments about the firm, its employees or third parties; and
• prohibit the disclosure of any confidential information that relates to the firm, its business, its clients and/or its employees.

The policy should set out the consequences of breaching the policy, which could include disciplinary action and dismissal. To be effective, the policy should be communicated and enforced and not just given ‘lip service’. This means providing training and taking disciplinary action in the event of breach.

3. Provide awareness training to employees on the risks that online social networking present. In order to guard against incidents involving harassment and discrimination, to the extent that one does not already exist, put in place and implement a written antidiscrimination and anti-harassment policy and conduct training for the employees on conduct that could constitute harassment or discrimination. An employer would have a defence to any claim for unlawful discrimination or harassment if it can show that it took all reasonably practicable steps to prevent the employee from committing the discriminatory act in question.
4. Monitoring the use of online social media sites at work could help to determine any breaches of the policy and whether there is a loss of productivity as a result of employees accessing such sites.
However, it is important to bear in mind that such monitoring will be subject to the PDPO. Early detection of issues and remedial action could prevent small issues becoming bigger, more difficult ones.
5. Incorporate within employment contracts an appropriate confidentiality clause, which could afford protection to the firm in the event that an employee posts confidential information on a social media site.
6. Consider the use of post-termination restrictive covenants where an employee could build a ‘client list’ of contacts acquired during employment through a networking site (like LinkedIn) which the employee can subsequently use after cessation of employment.

As for using social media sites to vet job applicants there are a number of steps a firm can take to minimize the legal risks. Applicants should be told at the start of the recruitment process that the firm may conduct a vetting exercise using information available on social media sites. They should be provided with a personal data collection statement which sets out the arrangement on the collection, use and handling of personal data. The firm should of course comply with the provisions in the statement. The firm should provide appropriate guidelines and training to employees responsible for vetting the application using information available on social media sites to ensure that only relevant and necessary information for the recruitment process will be retrieved. Those scanning social media sites as part of the recruitment process should be instructed to extract only legitimate, relevant and accurate information for the job application process. Ideally, the person scanning the social media sites should not be the same as the person who makes the hiring decision. This way, the irrelevant material (which might contain details of protected attributes) will not make its way through to the decision maker.

What can employees do?

When engaging in online social networking, employees should be aware of their ethical obligations and their obligations to the firm. Even when using social media sites for personal use, they should consider the implications of doing so as they may be accessible to a much wider audience and used in ways that were not anticipated (for example, in recruitment). The Law Society of England and Wales’ practice note on social media reminds lawyers that personal integrity is central to their role as a practitioner and must characterize all of their professional dealings (similar to Rule 2 of the Solicitors’ Practice Rules). It cautions lawyers to think about their or their practice’s image which may be affected by any comments they make and the potential impact it may have on their professional standing, as well as the profession generally. Employees should consider privacy settings on the social media sites they are using, exercise common sense, pause and reflect on the content before posting and if in doubt, do not post.

Conclusion

While the use of online social networking can present real opportunities for firms and lawyers to promote their practices, there are clearly pitfalls associated with it. What has been covered in this article are but some of the risks. There are, no doubt, many others. The law in many instances has yet to catch up with technological advances of the Internet Age and this can obviously present further challenges. However, with the implementation of appropriate policies and the application of some common sense, the risks can be navigated more safely.

Hong Tran
Partner
Mayer Brown JSM

Noeleen Farrell
Partner
Regional General Counsel
Mayer Brown JSM