A WHITE PAPER

DISCLOSURE OF CORPORATE INFORMATION THROUGH THE USE OF SOCIAL MEDIA


Identifying Risks and Adopting Best Practices by Paul Rubell, Esq.

190 Willis Avenue * Mineola, NY 11501 * (516) 747-0300 * www.meltzerlippe.com

MELTZER, LIPPE, GOLDSTEIN & BREITSTONE LLP

Social networks can provide an easy conduit for the leakage of mission-critical corporate trade secrets and confidential information. This white paper identifies some of the ways that information may be compromised, and recommends best practices that may be employed to protect the information and mitigate the risk of loss.

Generally, information may lose its protection as a trade secret after it has been disclosed. For this reason, businesses need to take affirmative steps to ensure that protectable information remains secret. Meaningful measures have pragmatics as their basis, but they also enable a corporation to demonstrate in court that the disclosed information is indeed a trade secret, thereby entitled to judicial protection. Specifically, information that is disclosed through the use of social media needs first to be identified as a potential trade secret, and then measures need to be designed and put into effect that protect the information.

One of the reasons why social media can result in the unintentional release of confidential information is the illusion of intimacy and privacy that is created online. People lose the heightened sense of awareness that they usually maintain with respect to company information while they are posting on social media. Twitter and Facebook use can prompt people to share information that they would not otherwise make publicly available. The use of social media can almost be likened to an addiction. Once hooked on the practice of posting, people tend to post more and more information, sometimes in a mindless way.

C-level corporate executives are no more immune to the lure of social media than rank-and-file employees. Indeed it is their unique access to non-public information that may pose the greatest risk to the disclosure of corporate trade secrets and confidential information.
The chief executive of Netflix, Reed Hastings, once posted, in his personal Facebook feed, words of congratulations that also amounted to the disclosure of proprietary company information:

"Congrats to Ted Sarandos, and his amazing content licensing team. Netflix monthly viewing exceeded 1 billion hours for the first time ever in June. When House of Cards and Arrested Development debut, we'll blow these records away. Keep going, Ted, we need even more!"[1]

To illustrate the way that this kind of web posting can be broadly disseminated: 293 Facebook users liked this posting, and their names are publicly available on the Facebook page; 2 users commented on Hastings' posting; and most dangerously 45 people shared his post.

George Morphis, the former CFO of Francesca's Holdings, was fired after he posted non-public information about the company:

"Earnings released. How do you like me [k]now, Mr. Shorty?"[2]

After Sir John Sawers was selected to become the chief of the British secret service MI6, his wife, in her excitement about her husband's new position, revealed details on her Facebook page about their home address, the names of their friends, and she even posted a photo of the couple at a party (which unfortunately was hosted by a Holocaust denier).[3]

Rep. Peter Hoekstra, a congressman who was at the time also a member of House Intelligence Committee, exposed his secret trip to Iraq when he tweeted his arrival in Baghdad using his Blackberry, and continued to post his whereabouts and itinerary every few hours:

"Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11th trip here."[4]

Mission-critical information was also the subject of inadvertent disclosure when a soldier in the Israeli military posted the location and the time of an upcoming raid on his Facebook page:

"On Wednesday we clean up Qatanah, and on Thursday, God willing, we come home."

As a direct result, the military operation had to be canceled.[5]

The persistent and pervasive pressure of today's online world has even impelled the United States Marine Corps to eliminate its prior ban on the use of social media.[6]

There are many ways that company information can be misappropriated, including the scraping and crawling of social media sites by competitors, marketers, and disgruntled employees. Hidden as well as visible online data can be procured in these and other ways.

In order to develop and enhance corporate best practices to limit the disclosure of important data, it is important to understand what is, and what is not, a company trade secret. One of the broadest definitions of a trade secret is found in the Economic Espionage Act of 1996[7]:

The term "trade secret" means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if

(A) the owner thereof has taken reasonable measures to keep such information secret; and

(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.

Prudent counsel may consider using this statutory definition as the basis of confidentiality and other agreements and policies.

The intentional disclosure of trade secrets is barred by federal and state statutes (such as the Computer Fraud and Abuse Act[8] and the Stored Communications Act[9]) and the common law.

The Computer Fraud and Abuse Act governs data in transit. This statute prohibits improper access to electronic information in two ways: either by (1) an outsider who accesses a computer or (2) a person (such as an employee or contractor) who, although authorized to use a computer, goes beyond the scope of his or her authorization. With respect to outsiders, sophisticated network security should be put into place to prevent invasive attacks on a corporation's computer system. With regard to corporate personnel, legal and technological limits on their levels of authorization should be employed.

The Stored Communications Act applies to data at rest. This law requires electronic communications storage providers to safeguard emails and other electronic information that they are storing. Notably, the statute's reach is not limited to ISPs and telecommunications providers. Any corporation, school or library that offers its employees, students or members the means to access the Internet or otherwise communicate via an electronic network may be covered by this law.[10] For reasons of statutory compliance as well as sound business, practices need to be deployed to protect confidential information.

The extent of the information that is covered by the act extends beyond visible information; metadata and geolocation data are also vulnerable to intruder attack as well as statutory protection. Location data is the very sort of information that the New York District Attorney sought to obtain from Twitter with respect to a participant in the Occupy Wall Street movement. The tweet itself was publicly available; a subpoena was not necessary to simply read the tweet. The District Attorney sought to identify other participants who read the tweet while marching on the Brooklyn Bridge. The reasoning was that if someone read the tweet at the time it was posted, and if she were located on the bridge at the same time, then one could conclude that she was participating in the unpermitted march.

Courts have considered, and in some cases approved, the expansion into the digital age of the common law tort of trespass to chattels. This ancient tort is defined as intentionally dispossessing another of the chattel, or using or intermeddling with a chattel in the possession of another.[11]

Corporate data collection practices through the use of social media are regulated by law, and they are also subject to public and media scrutiny. In particular, today there is increased sensitivity as well as regulation related to financial data, personal health information, and data collected from children. Not only is the data itself confidential; the ways that a company seeks to collect, sell, and protect information may also be considered proprietary.

Inadvertent social media usage can cause a company to stumble and violate the way it approaches the storage of its own information and customer information. This, despite having adopted both internal corporate policies as well as procedures made accessible to the public that are set forth on a company's website.

Corporate best practices may include, among others, the following sensible steps:

• The secrecy of confidential corporate information should be spelled out in employee offer letters and employment agreements.

• Employees' login and password information should be maintained with respect to their company-related social media accounts. Best practices include changing the passwords frequently, and promptly terminating access when employees leave. Ironically, companies that routinely terminate and/or redirect email accounts of former employees forget to take the same preventive steps with their social media accounts.

• Responsible company personnel should be identified, and tasked with the duty to monitor employees' online activities, and to report to management about improper usage.

• All companies ought to establish a written social media policy, and require employees to sign an acknowledgement of its receipt. The policy should, among other things, define and address both the acceptable as well as prohibited uses of social media. The corporate policy needs to confirm that all work-related social media is company property. Lip service should not be given to this policy. Once put into place, it needs to be implemented and applied on a transparent and non-discriminatory basis. As with all company protocols, a "one size fits all" policy makes no sense; and the degree of protectibility that such a policy provides is suspect at best.

• If disclosure is inadvertently made, the information needs to be taken down as rapidly as possible.

Customer lists are historically one of the crown jewels of a company's trade secrets. Through social media (especially LinkedIn), employees can gain access to the names and contact information of a company's customers and business partners. The ownership of the employee's social media site, and control over access, password protection, and network security, is paramount to retaining the status of a customer list as a trade secret.

The mere act of posting an employee's status online throughout the day, from numerous computing platforms (including work and home computers and portable devices) can also pose a risk to company data. This seemingly innocuous information can be used by a competitor or cybercriminal to deduce mission-critical information about a corporation. Competitors and attackers alike are able to make deductions from non-private information and aggregate them to become useful and valuable.

Third-party applications also present a real risk in the social media arena. Despite the internal controls that are maintained by well-established social media sites such as Facebook and Twitter, there is an utter lack of control over the use and misuse of information that is garnered by the developers of third-party applications that are used in tandem with the site. Although Facebook and Twitter have established policies and contracts to bind the developers of third-party apps, they have only a limited ability to control and monitor what is really done with information, once an app has been launched and incorporated into a user's social media presence.

For instance, through the use of third-party software, spyware can be introduced into corporate computer networks; intellectual property can be obtained and monitored; and computing platforms can be compromised. In light of the integration of voice and data on phone and mobile devices, once a platform has been compromised, not only is written and digital data susceptible of abuse; even voice communications and phone calls may be tracked and intercepted. Frequently the content of the information is not as important as its very existence, or the metadata and location data contained in the communication.

Another avenue by which corporate information can be misappropriated is through friend and follow requests to a corporate or work-related employee social media site. Requesting as well as accepting friend requests on Facebook and Foursquare, and following and follower status on Twitter, are among the easy ways that nefarious individuals and organizations can garner access to a person's and thereby a company's most highly prized information. Once added to a social media presence, a friend can result in contact with people who are actually enemies.

Photo and video sharing social media sites also pose a risk of data compromise. Companies that upload images for business use throughout the organization are at the same time enabling the downloading of these very same images, including by unauthorized personnel. Corporate training videos can allow leaks about new product launches. This information can be used to a competitor's private gain, or it can be made public via YouTube. For a public company, Regulation FD may require broad disclosure of non-public information that has been leaked on a social media site.

Phishing presents yet another risk to proprietary information. Emails that appear to be legitimate may trick an unsuspecting employee into divulging sensitive information. Social media simplifies this process by providing ready avenues for attackers to install and transport spyware, viruses, and other malicious codes to users' computing platforms by merely clicking on links and attachments sent by their seemingly legitimate friends or using applications on these sites. When the malware is installed, it allows the attackers to gain access to, and control of, a corporation's network by using valid employee credentials that let them go undetected. Even a seemingly innocent tweet can lead an unsuspecting user to access a landing page that contains compromising malware.

Conclusion

In today's world, a corporation's most pragmatic goal may be to mitigate, rather than to eliminate, the leakage of information via social media. In order to protect the corporation and its most important secrets, legal protocols and best business practices should be designed and put into place.

About the Author

Paul Rubell is an equity partner in the New York law firm Meltzer, Lippe, Goldstein & Breitstone, LLP. He leads the firm's privacy law, social media, and technology practices. A 1983 graduate of Georgetown University Law Center, Paul is a founding member of Stony Brook University's Center for Wireless and Internet Technologies; he is counsel to the Social Media Association; and he is a founding member of the advisory board of the Institute for Business, Law, and Technology at Touro College Law School. He is also a Special Professor of Law at Hofstra University Law School. Paul can be reached at prubell@mlg.com and by phone at (212) 201-1720.

About the Firm

Meltzer Lippe is a cutting edge law firm combining the best features of small firms with top level talent from major metropolitan law firms and functions in a full range of business areas: tax, corporate, real estate, wealth planning for high net worth individuals, trusts and estates, labor and employment and commercial litigation. Since its formation in 1970, Meltzer Lippe has attracted clients who are private business owners, corporate executives working at both public and private companies, real estate developers, venture capitalists and individuals. For more information visit: www.MeltzerLippe.com.

[1] https://www.facebook.com/reed1960/posts/10150955446914584
[2] http://www.forbes.com/sites/abrambrown/2012/05/14/francescas-stock-jumps-5-after-it-fires-executive-for-social-media-use/
[3] http://www.dailymail.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html
[4] https://twitter.com/petehoekstra/statuses/1182334669
[5] http://news.bbc.co.uk/2/hi/middle_east/8549099.stm
[6] http://www.marines.mil/Portals/59/Docs/Marines-Social-Media-Handbook%5B1%5D.pdf
[7] 18 USC 1839.
[8] 18 U.S.C. 1030 et seq.
[9] 18 U.S.C. 2701 et seq.
[10] United States v. Mullins, 992 F.2d 1472 (9th Cir. 1993) (airline that provides travel agents with computerized travel reservation system accessed through separate computer terminals can be covered entities).
[11] Restatement 2d on Torts, Section 1217, found at http://law.lclark.edu/live/files/12795-restatementpdf
