Our series over the next 10 days will highlight the top issues, as we see them, in privacy and security for 2013. Yesterday, we looked at the increase in cybcersecurity disclosure by public companies, triggered by the Securities and Exchange Commission’s Cybersecurity Guidance.

As more and more employees take to social media to conduct business, questions remain about how, if at all, employers may legally regulate and monitor employees’ conduct on social media. For example, employees use LinkedIn, not just for networking, but to conduct business – whether mining potential sales contacts and growing pipelines.  But who owns the contacts and what can employers tell employees about how to conduct themselves while mining them?  And what happens when an employee leaves?  Can the employee take “their” contacts on LinkedIn or does the employer “own” those contacts? Is ownership truly in question if an employee uses LinkedIn to obtain the contacts at the employer’s behest, utilizing the employer’s resources and while on the employer’s payroll?  These are questions some courts are beginning to address.

Related to this issue is the National Labor Relations Board’s growing interest in defining what employers with unionized and non-unionized workforces can and cannot do with respect to limiting communications in the workplace. The NLRB says that employees may air grievances about wages and working conditions without employer restriction – note the now infamous “Facebook” firings and related cases.  The NLRB has also invalidated employer social media policies for failing to comply with the National Labor Relations Act.  Twitter seems to be the next natural stop for the NLRB’s growing influence.  Many people “tweet” at their employer’s behest and with their employer’s blessings. What happens when the employee strays from the script? And who has the time and energy to undertake the “community curation” required to keep the employer’s finger on the pulse of these communications in a consistent and non-discriminatory manner?

Then, of course, there is the issue of an employer’s right to monitor an employee’s use of social media in the first instance.  In order to protect the corporate reputation, prohibit unlawful competitive activity, including the theft of trade secrets, or to affirmatively comply with certain government regulations, some employers now require employees (and prospective employees) to provide their social media passwords or other account information.  Fourteen state legislatures (like California) have recently enacted laws prohibiting this practice, and other states are likely to follow suit.  Social media privacy bills are under consideration in Missouri, Texas, and other jurisdictions. Whether a particular state prohibits this practice or not, employers must give serious thought before implementing (or continuing to implement) this practice.  Specifically, they must be mindful of the “Big Brother” perception and the potential exposure to claims under the anti-discrimination laws, labor laws, and state privacy laws.

In 2013, employers, employees, lawmakers, regulatory authorities and courts will continue to struggle to strike the right balance between privacy, corporate culture, ownership of business information, free expression, and creativity. Recommendation for action in 2013:  If your business has a social media policy, review it in light of emerging state laws and the NLRB cases.   If your business does not have a social media policy, 2013 is the time to take another look.

See part one of this Series:  Privacy and Security Issues for 2013 (First of a series): The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches