The Digital Minefield

Liabilities and Due Diligence in Managing Data, Email, Websites and Social Media
May 1, 2017

Email, websites, social media and other digital communication tools have given corporate event planners new ways to promote conferences and other gatherings. But they’ve also unleashed a flood of ways companies can run into legal troubles.

Planners and their bosses have a lot to think about in the digital age. How do we protect attendees’ privacy? How do we keep employees from landing the company in hot water with irate Facebook posts or inappropriate Instagram photos? What are the emerging risks and how can we avoid them?

Two attorneys who specialize in the event industry provide some guidance to help corporations navigate the tricky waters surrounding digital communications. While this should not be interpreted as legal advice, it will provide a framework for evaluating the legal issues companies should consider before upcoming events.

Protecting Attendee Privacy

There are two important elements to protecting the privacy of people who attend your events. The first is being clear about when and what information you’re collecting. The second is actually keeping that information private.

“You need to advise people that you’re collecting their information,” says John S. Foster, Esq., CHME, founding partner with Foster, Jensen & Gulley, an Atlanta-based firm that specializes in the legal aspects of meetings, conventions, trade shows and association management. “You also need to tell them what information you’re collecting, and you need to give them the opportunity to change that information and opt out if they don’t want to give you the information.”

Beacons provide a good example of the former. Jonathan Howe is the Chicago-based founding partner and president of Howe & Hutton Ltd., a firm that serves the association and meeting industries. He suggests having a written statement about what information you’re collecting, how that data will be used and who it will be shared with. “Make sure you have affirmative permission from the person to collect their information,” he says.

Foster uses Amazon.com as an example of the latter. Their website makes it very clear where users can go to change their personal information or disallow the site from collecting their details in the future.

Companies that gather personal data must make every effort to ensure consumers’ information remains private. “The key element is making sure you’ve exercised due diligence when collecting data,” Howe says. Among other best practices, due diligence includes having good firewalls in place so networks are as safe as possible; not using unsecured and non-password-protected wireless connections; and making sure vendors are working just as hard to protect attendees’ privacy. Keep in mind that cellphones and tablets can be hacked, not just computers.

The guidelines credit card companies ask businesses to meet before they set up merchant accounts can be a good source of best practices for guarding customer data. One of the most important of these, Howe says, is having a written policy detailing how consumers will be notified if the company’s network is hacked and people’s information is compromised. Following these guidelines to the letter if any information is stolen is crucial.

Don’t fall into the trap of thinking an event is too small for anyone to pay attention, or so big that vendors will automatically put protections in place. “The most hacked institution in the world is the U.S. government,” Howe says. “Everybody is vulnerable. What we do is just try to protect data to the extent we can.”

If your firm is unusually vulnerable to cyber break-ins, or plans to collect or disseminate highly sensitive information, it’s possible to purchase cybersecurity insurance. Premiums vary depending on the size of the company, as well as what vertical they’re in. “If you’re in health care, they’re going to be substantial,” Howe notes.

Technology, Vendors and Contracts

Remember that apps can cause the same privacy headaches as online software programs. “Make sure you do due diligence on who’s going to be your supplier, and that they have the appropriate firewalls and other protections in place,” Howe says.

“You also need to make sure your vendor contracts provide a very clear understanding of what they can do with the information they gather on your behalf,” he adds. Can the company utilize the data they collect for their own purposes? Some companies will insert permission for this into their contracts; look for it and ask them to remove it. It’s a good idea to make sure the vendor is required to delete attendees’ information off the app after an appropriate period of time. That ensures the data isn’t vulnerable to hackers or accidentally mixed in with other data the company plans to keep.

Make sure there’s a clause that defines who is liable if information on the app is compromised. The vendor, not your company, should bear the burden for dealing with hacks and other privacy breaches.

Howe says hotels are another vendor attempting to insert language giving them permission to collect and share attendee data. A nuance is that the hotel is placing the burden of gathering attendee consent for this on the event host.

“That’s a contract clause you want to strike immediately,” he says.

Another consideration when negotiating with hotels is how they make attendees aware of their privacy policy. Foster recommends that contracts contain wording requiring the hotel to make their policies regarding the collection of personally identifiable information available to guests at the time the reservation is made. Each individual should be able to determine what information he or she will disclose to the hotel.

Write It Down

One of the most important things any company can do to protect itself in the digital age is have written guidelines for how people use communications tools, Foster says. The business should have policies for how employees use email, as well as instructions for how they interact with the company’s website and social media platforms.

This is particularly important for employees who manage the company’s digital sites, but all employees need some guidance about how to use online resources. For example, everyone should be instructed not to state that they represent the company when they post online, even if they’re sharing information on their personal social media accounts (unless the company has expressly granted them permission, of course).

It’s easy to require employees to review company policies and agree to them during a new employee orientation or department meeting. It’s harder to get outside users to agree to company policies, but it’s still possible. Businesses can require that members of the public log in to their site and click on a user policy before they post comments, for example. Whenever possible, “make people click on a statement saying use of your website means they agree to your rules and guidelines before they get into the site,” Foster says. For social media, businesses should have a policy in a public place (like a website) that they can point to if people are using the sites inappropriately.

There’s one key component of protecting your company that doesn’t involve writing it down. “I always tell people that with email, if you never want to see it again, don’t put your fingers on the keyboard,” Howe says. “Nobody is hack-proof.”

Emphasize to employees that there’s no guarantee any written communication will stay private. Besides the growing risk of hacking, emails can be subpoenaed if the company gets involved in a lawsuit. In addition, the company may choose to monitor email and other electronic communications as a way to decrease the company’s liability.

Because of that, Foster says, remind employees that email is not a good way to communicate sensitive or confidential information, including proprietary details about the company or its events. It should never be used to make derogatory statements about others.

It’s also a good idea to continually remind employees that they’re the first line of defense against viruses and malware that can compromise a company’s systems. They should never open attachments or click on links unless they’re absolutely certain they’re safe.

One of the more frightening malware programs is one that allows criminals to enter your system and lock it down until you pay them. The most common way this so-called “ransomware” enters a company’s network is through email. Often messages are designed to look like an e-card from a friend. But when the recipient opens the attachment or clicks the link, the malware quickly spreads through the system.

Remind employees: “When in doubt, don’t open it,” Howe says. “Send it to the IT people and let them see if it’s legit or not.” Also, make sure the IT department has the resources it needs to keep firewalls and other protections up to date.

Digital Communications and the CAN-SPAM Act

In 2003, Congress passed the CAN-SPAM Act. It created several rules that companies must follow when using emails for commercial purposes.

Foster explains that email messages cannot have misleading information in any part of the header, including the To, From and Reply To fields. The Subject line must accurately reflect the content of the message and not be written to mislead the recipient. The email message must somehow disclose that the email contains an advertisement; the Federal Trade Commission (FTC), which enforces the act, gives guidelines for how to do this. Each message also must identify where the business is located by providing a mailing address.

The law requires that message recipients have a way to opt out of future solicitations from the company. When a person asks to be removed from the mailing list, you must do so promptly. Most email marketing services will automatically do both of these things for you, but the law makes it clear that the burden is on you to ensure these services are carried out.

FTC Endorsement and Advertising Guidelines

The FTC also sets rules for advertising, and there are a few things corporations should know on this subject as well. Many companies allow vendors or sponsors to run advertising on their event websites. You have a duty to ensure that advertising is not fraudulent or misleading. Once you receive the ad, it’s a good idea to visit the company’s website and make sure their ad seems consistent with what they’re sharing there. If it doesn’t pass the “smell test,” ask them about it.

In addition, “Have a contract with them that says they will hold you harmless, indemnify and defend you if their advertising is misleading or violates any government guidelines,” Foster says. “That transfers the risk back to the company that is doing the advertising.”

The FTC has promulgated rules regarding endorsements and testimonials in advertisements — an important thing to pay attention to in this age of influencer marketing. The goal of these rules is to ensure the public isn’t misled about the voluntary nature of the third-party endorser.

If a business or individual receives a material benefit in exchange for endorsing or advertising an event, they must disclose that they’re receiving compensation. That’s easy to remember when a company hires a celebrity or spokesperson to promote an event.

But Foster reminds firms to look for less obvious examples. If a business gives a customer a discount or free ticket to an event in exchange for promoting it on their Facebook or Instagram account, that counts as a material benefit and must be disclosed.

Intellectual Property and Copyright

The World Intellectual Property Organization defines intellectual property as creations of the mind, including inventions, literary and artistic works, and logos and names used in commerce. Chances are most of your speakers will be speaking about or sharing something (such as a handout, video or PowerPoint presentation) that’s considered intellectual property. Depending on the type of meeting, people also may be discussing items that are patented or topics that include trade secrets, which also fall under intellectual property.

Speakers also may be presenting information with another legal protection: a copyright. Copyrights can be registered with the U.S. Copyright Office, and they give an individual or company the exclusive right to disseminate that item or piece of information. But even if an individual never registers a copyright, copyright law says their work is still protected as soon as it is “fixed in a tangible form that it is perceptible either directly or with the aid of a machine or device.” (The main advantage to registering a copyright is that it gives the copyright holder the right to bring a lawsuit and collect damages if their copyright is violated.)

Since many companies choose to post copies of speaker handouts or presentations on their website following a meeting, they can run into issues around violating intellectual property or copyright laws. There are two important things firms can do to avoid problems. “Make sure you have the speaker’s written permission to post their materials on your website so there’s no copyright issue,” Foster says. If the work was done by an employee, and the employment agreement states that the employer has the right to use that work, the company is also protected.

“If you have a speaker, have them warrant to you that the information they’re presenting is their own, or, if it’s not their own, that they have permission to use it,” Howe says. Get this information in writing in case an issue arises later on.

Defamation and Social Media

Defamation is defined as any statement that’s false and injures the reputation of a person or business. Libel is written defamation, while slander is spoken defamation. It’s important to note that if someone shares a negative opinion, that doesn’t count as defamation. It’s only when that information is presented as a fact that a person or company can be held liable for their comments.

Defamatory statements posted to a company’s online platform can get them in trouble in some circumstances, but not all. If a company owns and is considered the publisher of a platform — that is, they are solely responsible for what goes on the site — the company can be held accountable. This is typically true with websites. But if the company is considered a distributor — which is the case for the comments section of a website, since virtually anyone can post information — the company is not liable.

“Social websites don’t have any protection,” Foster says. “You’re responsible for anything that’s posted on a social website.” Make sure employees who will be posting and sharing content on sites such as Facebook and Twitter are educated about defamation, and are trustworthy enough not to write a negative statement in the heat of the moment.

Businesses also should note that if intellectual property or copyrighted material is posted to social media sites without the owner’s permission, the company is open to liability. According to Foster, the Digital Millennium Copyright Act exempts online service providers from liability if they post and follow procedures for removing copyrighted material if they receive notice from the copyright owner.

If you’re not already doing it, it’s wise to continually monitor social media sites before, during and after an event to see what’s being said. Remove information that’s inappropriate or defamatory per the company’s publicly posted social media policy.

“Real time now is becoming more and more of a factor,” Howe says. “Corporations today monitor everything that might be said about them. That way if something bad is happening, they can step in early and say ‘We’re on top of it’ and put a stop to things.”