By its own recent estimates, Facebook currently boasts around 1.06 billion active monthly users. While many of these users grapple with questions about their privacy settings or news feed notifications, a growing trend indicates that they might have a new issue to contend with: the possibility that they could be served with legal process via their Facebook account.

Service by Facebook was addressed in a recent decision from the U.S. District Court for the Southern District of New York, wherein the Court authorized the Federal Trade Commission to serve multiple defendants using email and private Facebook messages. In Fed. Trade Commission v. PCCARE247 Inc., 2013 U.S. Dist. LEXIS 31969 (S.D.N.Y. March 7, 2013), Judge Paul Engelmayer detailed his reasoning for granting the FTC’s request to be permitted to serve multiple foreign defendants with case filings (other than the Summons and Complaint) by email and by Facebook. Judge Engelmayer outlined the multiple attempts that the FTC had made to effect process on five Indian defendants the FTC had accused of engaging in a scheme to induce consumers to pay for unnecessary computer repairs, noting that conventional service required by the Hague Convention had not been completed by the Indian Central Authority more than five months after it had been sent by the FTC. The defendants had actual knowledge of the lawsuit (and had in fact at one time appeared by counsel therein), and the FTC introduced facts establishing a high likelihood that service by email and Facebook would provide the defendants with actual notice of the filings. The Court found it significant that the documents the FTC sought to serve were not case-initiating documents and was convinced that where conventional service methods involved a multiple-month delay, service by Facebook and email comported with Due Process requirements. The Court also observed that the defendants’ own “zealous embrace” of email and Facebook communications (for example, the defendants had used the email addresses at issue to blind copy the Court on emails they sent to counsel for the FTC) further supported this method of service.

A new piece of proposed legislation in Texas would carry Judge Engelmayer’s holding even further. Texas State Rep. Jeff Leach (R-Plano) recently introduced House Bill Number 1989, which proposes that a Texas court may authorize substituted service on a defendant using a social media website “if the court finds that: (1) the defendant maintains a social media page on that website; (2) the profile on the social media page is the profile of the defendant; (3) the defendant regularly accesses the social media page account; and (4) the defendant could reasonably be expected to receive actual notice if the electronic communication were sent to the defendant’s account.” The bill is currently in committee, and while some Texas lawyers have expressed concern about whether the bill would adequately ensure that the recipient of service actually receives it, others acknowledge that service using non-conventional methods such as email or social media is becoming increasingly important as the way that businesses and people interact and exchange information continues to evolve.

Neither the New York federal court decision nor the proposed Texas legislation endorse using email or social media as the preferred method of service on a party, and both require the serving party to make a significant showing that the recipient is likely to actually receive the service by social media. However, the growing trend of utilizing these types of accounts to effect service indicate efforts by the legal profession to adapt to new technological trends. In an age where seemingly everyone has a social media account, it just may be the case that Facebook service notifications will be coming to your news feed someday soon.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

In a precedent-setting decision that was published in September, the National Labor Relations Board (NLRB) issued its first formal position regarding employee handbook policies restricting use of social media, and the extent to which such policies may violate the National Labor Relations Act (NLRA).

In the September 7, 2012 Order, the NLRB weighed in on a variety of policies contained in Costco’s employee handbook that were the genesis of a complaint filed with the NLRB by the United Food and Commercial Workers’ union in 2010. There were seven provisions of the handbook in dispute. Although the NLRB ultimately concluded that two of the challenged policies (one requiring employees to use “appropriate business decorum” in communicating with others and the other prohibiting employees from leaving company premises during a work shift without management permission) did not violate the NLRA, the Board concluded that five others did violate the Act and ordered Costco to cease and desist from maintaining the five provisions in its employee handbook. The provisions that were found to violate the Act prohibited employees from: (1) unauthorized posting of material on company property; (2) discussing “private matters of members and other employees”; (3) failing to keep sensitive information (including payroll information) confidential; (4) sharing other employees’ names, addresses, and other contact information, and, most notably; (5) from electronically posting statements that tended to “damage the [c]ompany…or damage any person’s reputation.”

Although the fifth policy may appear innocuous or even reasonable on first glance, the NLRB concluded that it was the wholesale prohibition of ambiguously-defined “damaging” communications or postings that was objectionable. Specifically, the NLRB explained that the fifth policy could be reasonably construed as a prohibition of communications that protest Costco’s treatment of its employees, in violation of Section 7 of the NLRA.

Notably, the decision – and Costco’s policy – made no explicit reference to social media, Facebook, Twitter, or any other specific social networking site. However, as this decision represents the first formal statement by the NLRB weighing in on employer policies that could have an impact on employees’ use of social media, it has been considered especially noteworthy.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

In a recent filing with the SEC, Facebook estimated that about 8.7 percent of user accounts—more than 83 million profiles—are actually fake. This figure represents a substantial increase from the social media giant’s estimate in its initial SEC filings in March, when it stated that between 5 and 6 percent of accounts (in other words, 42 to 50 million profiles) were phony. Facebook has broken down its false profiles into three categories: nearly 5 percent of the fake accounts are “duplicate accounts,” referring to users who have multiple personal accounts. Another 2.4 percent are “misclassified”: these may consist of anything from a person who sets up a Facebook account for the pet to businesses mistakenly using a personal profile instead of the designated “Facebook Page” for businesses format. Finally, 1.5 percent of the accounts are “undesirable,” consisting of pages designed to spread spam or malware.

The connection between the fake profiles and Facebook’s business and profitability may seem remote at first glance. But as Facebook’s stock values continue to drop since debuting at $38 per share at the time of its IPO, fake user profiles present a legitimate obstacle for the company. Such profiles diminish Facebook’s ability to sell its services to advertisers, who obviously have a vested interest in ensuring that the advertisements they purchase are reaching real people.

Facebook and its advertisers are not the only groups that should be concerned about made-up profiles. As social media profiles increasingly serve as a way for colleagues, clients and others to judge a person’s character, false accounts threaten both employers who mistakenly rely on inaccurate social media information as well as the victims of the mistakes. Worse yet, sometimes false profiles are the result of intentional efforts to ruin a person’s reputation. A recent article notes multiple instances in which false social media profiles were created as a means of exacting revenge—most notable, perhaps, was the case of a female doctor who was described as a prostitute in a false profile created on a dating website. In response to this improper use of social media as a weapon, the Texas state legislature recently enacted a law imposing stiff criminal penalties on any person who impersonates another online in order to “harm, defraud, intimidate or threaten” another. The penalties are serious, indeed: if convicted, violators could face up to ten years in prison and a fine of $10,000. Concerns regarding Facebook’s advertising and share prices must have seemed small by comparison to a pair of Texas middle school girls who were recently charged with third degree felonies under the statute after creating a fake Facebook page in the name of a classmate.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

German data protection officials have re-opened an investigation into Facebook’s “photo tag suggest” feature and privacy policy. According to a December 2010 Facebook blog post, the feature uses face-recognition technology, suggesting names of friends to be tagged in an uploaded photo. Users can opt-out of photo tag suggest, but the default privacy setting allows the technology to match an uploaded photo to any given user.

According to a New York Times report, German data protection commissioner Johannes Caspar claims that Facebook’s policy violates European privacy law, which requires explicit consent rather than an opt-out. The original investigation was suspended in June while Facebook worked with the Office of the Data Protection Commissioner in Ireland, where its European headquarters are located. However, Caspar told the New York Times that, since then, his office has “met repeatedly with Facebook but have not been able to get their cooperation on this issue which has grave implications for personal data.”

A Facebook spokesperson told Mashable that the company believes its photo tag feature is fully compliant with EU data protection laws: “During our continuous dialogue with our supervisory authority in Europe, the Office of the Irish Data Protection Commissioner, we agreed to develop a best practice solution to notify people on Facebook about photo tag suggest.” Additionally, Facebook agreed to suspend the practice with regard to new European while it continues working with authorities.

According to Caspar, who also led Germany’s investigation into Google’s street view project, this is not enough. Instead, he believes Facebook must destroy its photographic database of faces and revise its privacy policy to require explicit consent before making a digital file of a user’s biometric facial data. He is quoted by the BBC: “It is to be welcomed that Facebook clearly recognises that the process of collecting biometric data is at least not in accordance with data protection law in Europe. But Facebook can’t just stay halfway there.”

Facebook has come under almost constant fire regarding its privacy policies over the last several years. In November 2011, Facebook agreed to a settlement with the Federal Trade Commission regarding charges that it deceived customers regarding the privacy of their information.

For more information on complying with privacy regulations and protecting your privacy online, contact info@theiceloop.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

In 2009, six employees working for Sheriff B.J. Roberts in Hampton, Va. were fired for “Like”-ing the Facebook page of the Sheriff’s competition during a reelection. Shortly thereafter, the employees filed a complaint alleging that a “Like” should be considered protected speech under the First Amendment.

Public sector employees are generally afforded protection in an employment situation when speaking on matters of public concern, provided that the speech is not disruptive or subversive to the employer’s interest in maintaining an efficient workplace. Nevertheless, the employees’ complaint was dismissed by U.S. District Judge Raymond Jackson who stated the following:

“Simply liking a Facebook page … is not the kind of substantive statement that has previously warranted constitution protection. . . . It is the Court’s conclusion that merely ‘liking’ a Facebook page is insufficient speech to merit constitutional protection. In cases where courts have found that constitutional speech protections extended to Facebook posts, actual statements existed within the record.”

The issue has since been appealed and the ACLU and Facebook both have filed amicus briefs which relate a Facebook “Like” to pure speech at best and protected symbolic expression, similar to burning a draft card, at worst. In one example, Facebook likens the activity to placing a sign showing support of a political candidate on your front lawn. Their argument is that by “Like”-ing someone, you are showing your support through an express activity, and this activity should be afforded the same protections.

It is unclear as to how the issue will be decided on appeal. However, in the age of ever-expanding social media platforms and the ability to “Like”, Follow, Check in, Pin, +1, and Connect, the ramifications of the pending appeal cannot be understated and may far surpass issues related to public employment.

If you would like more information on the pending appeal or to learn more about how activities in social media may impact your business, contact info@theiceloop.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

In an effort to address a hot button employment law issue, Illinois Governor Pat Quinn recently signed into law a measure prohibiting employers from asking job applicants to provide their passwords to social media accounts as part of the application process. The law, which takes effect on Jan. 1, 2013, does not permit any exceptions—even for those jobs where background checks are ordinarily required—and also applies to existing employees in addition to new applicants.

Earlier this year, Maryland became the first state to pass legislation of this type. Like the Illinois law, the Maryland statute bans employers from requiring that current or prospective employees provide access to their social media sites. The Maryland law will go into effect on Oct. 1, 2012. The legislation was the result of a dispute that arose between a corrections officer and the state department of corrections that employed him after the department asked the officer to provide his Facebook login information in order to screen for any potential gang affiliations. The officer and the ACLU, however, filed a complaint asserting that the request violated the officer’s privacy. The department revised the practice to allow employees to participate in such screens voluntarily after the complaint was filed, but also noted that the background check of social media websites had resulted in denial of employment to seven potential correctional facility employees who had posted images of themselves displaying “verified gang signs.” Ultimately, however, the Maryland legislature determined that even the demonstrated benefits of gaining access to an applicant or employee’s private social media site were outweighed by the individual’s interest in privacy.

In Illinois, in addition to significant privacy concerns, legislators also noted that allowing an employer unfettered access to a potential employee’s personal social media site could provide information that cannot be considered in the application process, including religious affiliation, political leanings, or sexual orientation. Notably, though, the Illinois law does not prohibit employers from reviewing information on an applicant’s social media page that the site user makes visible to the public. Additionally, employers will still be permitted to monitor and enforce any company policies governing employees’ internet use when social media sites are accessed during working hours with company property.

Illinois and Maryland are not outliers in the movement to legislate social media privacy in the workplace. Other states, including California, Michigan, Minnesota, New Jersey, Washington and Delaware, have considered similar types of laws to those that have already been passed in Illinois and Maryland. On the federal level, Senators Chuck Schumer (D-N.Y.) and Richard Blumenthal (D-Conn.) have asked the Department of Justice and the EEOC to investigate the legality of employers requesting behind-the-scenes access to employees’ or applicants’ social media pages. Even absent a statutory prohibition on requesting current or potential employees’ social media passwords, employers should be aware that such practices may still expose them to civil lawsuits claiming discrimination or invasion of privacy.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

Twitter’s decision to suspend the account of NBC’s No. 1 Tweeting Critic raises issues of free speech, censorship of the press and corporate control of social media. Guy Adams, a Los Angeles-based reporter for The Independent, has been sharply critical of NBC’s coverage of the Olympics. Adams’ caustic Tweets prominently feature the #nbcfail hashtag and include:

• “America’s left coast forced to watch Olympic ceremony on SIX HOUR time delay.  Disgusting money-grabbing by @NBColympics.”

• “I have 1000 channels on my TV.  Not one will be showing the Olympics opening ceremony live.  Because NBC are utter, utter bastards.”

The Tweet that apparently crossed the line provided the email address of NBC executive Gary Zenkel and told followers to “tell him what u think.” NBC filed a complaint after Twitter alerted the network to the disclosure. Soon after, Adams was suspended.

Critics call attention to the partnership between NBC and Twitter to promote the games and suggest that the suspension of Adams’ account may have been an act of reprisal. Twitter claims that Adams was suspended because he posted a private email address in violation of its terms of service. This raises two questions. First, was the email address, in fact, private? And second, did Adams’ Tweet actually violate Twitter’s terms of service?

The issue of whether Zenkel’s email address is public or private has no easy answer. Adams argues that it is a corporate email and formatted in such a way as to be fairly easy to figure out – FirstName.LastName@nbcuni.com. Furthermore, the email address was posted as a direct result of and in the context of his work. On the other hand, many people’s home addresses are available on the Internet in some form, but tweeting them would be considered a violation of Twitter’s terms of service.

The issue of whether Adams’ Tweet violated Twitters terms of service seems more straightforward. Regarding the posting of private information, Twitter states:

Posting another person’s private and confidential information is a violation of the Twitter Rules.

Some examples of private and confidential information are: credit card information, social security or other national identity numbers, addresses or locations that are considered and treated as private, non-public, personal phone numbers, non-public, personal email addresses.

Keep in mind that although you may consider certain information to be private, not all postings of such information may be a violation of this policy. If information was previously posted or displayed elsewhere on the Internet prior to being put on Twitter, it is not a violation of this policy.

(Emphasis added)

Adams argues that the email address is listed elsewhere on the internet. Indeed, Chris Taylor, journalist for Mashable, searched for the address and, while he admitted that the search was not as easy as he anticipated, he discovered the email address in a blog post from 2011.

Adams’ account was reinstated after NBC retracted its complaint, but Twitter’s PR nightmare is likely to linger long past the 48 hours that Adams was out of circulation. Twitter’s General Counsel, Alexander Macgillivray, apologized to Adams, while maintaining that Twitter “should not and cannot be in the business of proactively monitoring and flagging content, no matter who the user is – whether a business partner, celebrity or friend.”

However, as stated above, there are no easy answers. Critics of Twitter’s actions argue that it should not be allowed to hide behind a policy because it is individuals who make the decisions and they are capable of understanding the nuances involved. Alexis Madrigal, journalist for the Atlantic, points out that these individuals “knew the email address was publicly available and a business address. They knew they were banning a journalist. And they did it anyway.”

Adams had about 4,500 followers before Twitter suspended his account. Now that Twitter has reinstated his account, he has more than 16,300.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

YouTube has released a new privacy tool, which allows users to obscure faces in videos uploaded to the site.  In a July 18, 2012 blog post by policy associate Amanda Conway, YouTube wrote “[w]hether you want to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world, our face blurring technology is a first step towards providing visual anonymity for video on YouTube.”

To enable the feature, a user chooses a video to edit within the “video enhancement” tool, selects “additional features” and then chooses to apply the “blur all faces” feature.  Before the video is published, the user can view the edited, and can delete the original, un-blurred video from the site.  Other online and social media sites, most notably Google’s Street View, have been testing and implementing similar features over the last several years. 

Protecting the identify of political activists in online video has become a major focus of human rights groups, particularly in light of recent events in places like Syria, Eqypt and Iran.  International human rights group WITNESS recently published its “Cameras Everywhere” report detailing the challenges faced at the intersection of video technology and human rights:

Video has emerged as a key means though which human rights abuses can be exposed, while also contributing more broadly to ensuring that transparency, accountability and good governance are upheld.  But while video and other communications technologies present new opportunities for freedom of expression and information, they also present challenges and expose vulnerabilities. […] It is alarming how little discussion there is about visual privacy and anonymity.  Everyone is discussing and designing for privacy of personal data, but almost no-one is covering the right to control one’s personal image or the right to be anonymous in a video-mediated world.  The human rights community’s understanding of the importance of anonymity as an enabler of free expression must now develop a new dimension – the right to visual anonymity.    

YouTube cited the Camera’s Everywhere report as an influential factor in its decision to release the new feature, writing “[a]s citizens continue to play a critical role in supplying news and human rights footage from around the world, YouTube is committed to creating even better tools to help them.”

The feature is still in its early stages, and will likely improve over time.  Conway writes, “[t]his is emerging technology, which means it sometimes has difficulty detecting faces depending on the angle, lighting, obstructions and video quality.”  Additionally, as this CNET article points out, “you might want to hide the faces of activists, but reveal the faces of say, brutal policemen.  That doesn’t seem yet possible.”  Despite its apparent shortcomings, YouTube’s new feature has received praise from human rights groups.  On the day of its release, WITNESS wrote on its website: “WITNESS has advocated for YouTube and other platforms to take this step for a number of years […] and applauds YouTube for leading the way in including this functionality.”

For more information on preparing an online privacy policy or protecting your privacy online, contact info@theiceloop.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

In early June 2012, LinkedIn suffered a security breach resulting in the disclosure of 6.4 million hashed passwords and corresponding account names to the service. LinkedIn confirmed the breach and implemented measures to limit the exposure of its users by disabling impacted accounts and salting its password databases. Further, LinkedIn disclosed details about the breach and LinkedIn’s efforts to protect its members.

The breached disclosed a subset of LinkedIn’s password database which included passwords that have been passed through SHA-1, a one-way, cryptographic hash function. Specifically, the SHA-1 algorithm takes any plaintext input and produces a 160-bit output that contains no reference or ability to reproduce the plaintext input. Upon a user inputting a password onto a website, the password may be passed through the SHA-1 algorithm and then compared to the stored hash in the password database, thereby authenticating the user.

A list of hashed passwords provides a layer of security by allowing a business to not store a plaintext password for a user. Nevertheless, in the event that an attacker obtains a list of hashed passwords, the attacker may sequentially provide plaintext inputs to the SHA-1 algorithm until matches are found within the list of hashed passwords, thereby obtaining a correct plaintext value for a corresponding hashed password.

This disclosure may present a unique privacy problem for LinkedIn under various state breach notification laws. Most states have enacted state breach notification laws that require a company that maintains personal information of its customers to notify impacted customers in the event that information has been disclosed to an unauthorized third party. The National Conference of State Legislatures maintains a list of various state breach notification laws here. As an example of a company attempting to abide by these state statutes, most consumers may remember the Sony Playstation Network data breach that resulted in an immense disclosure on April 28, 2011.

Although each state breach notification law is different, a few common elements are prevalent that are on point to LinkedIn’s breach. First, most state breach notification laws only require notification in the event that personal information has been disclosed or may have been disclosed to an unauthorized third party. See, for example, Indiana Code 24-4.9-3-1. LinkedIn could take the position that the disclosure did not include personal information because all that was disclosed was potentially the opportunity for an attacker to obtain personal information through misuse of a LinkedIn account, not personal information itself.

Further, LinkedIn in its analysis may need to take the extra step of determining whether information potentially able to be obtained by an attacker would even constitute personal information. Each state defines personal information differently. In Indiana, personal information may include a first name and last name in combination with financial information. In North Carolina, personal information may include a person’s first name and last name in combination with an email address. 

Second, most state breach notification laws do not require disclosure in the event that the personal information disclosed is encrypted. Indiana, for example, defines encrypted data to include data that ” (1) [has] been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or (2) are secured by another method that renders the data unreadable or unusable.” Indiana Code 24-4.9-2-5.

As discussed above, the disclosure includes a list of hashed passwords. LinkedIn could argue that, even if account names and hashed password constitute personal information, hashed passwords fall under the definition of encrypted data and, therefore, disclosure is not required. Specifically, hashed passwords are secured in a one-way hash that renders the data unusable.

A counter-argument would be that attackers are crowd sourcing computing power to try to obtain plaintext passwords from the disclosed list. Moreover, LinkedIn did not use additional security measures to protect the password database even in the event that disclosure occurred, such as, for example, salting the passwords in addition to hashing.

As shown above, most state breach notification laws present a gray area to this fairly routine security breach from LinkedIn. Although LinkedIn saw a lot of press on this issue, many businesses go through a security breach requiring a similar analysis without such press. Businesses may want to consider evaluating their strategies regarding security breaches to determine the appropriate response in this type of situation.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

When an employee starts a new job, she might expect to receive information about salary, benefits, or the employee handbook. But for those entering the medical profession, it has become increasingly common to also receive advice regarding the appropriate use of social media when beginning a job in their chosen field. A recent article, for instance, detailed a letter a soon-to-be medical school graduate received from the hospital where he will be beginning work soon. The letter requested that he refrain from making or accepting Facebook “Friend requests” with patients, and even suggested that he should edit his Facebook account privacy settings to ensure that any material that would not be helpful to establishing a professional reputation would not be visible to others. While this may appear to be a surprising level of oversight of an employee’s use of social media, there is an ever-growing list of reasons why healthcare providers need to be concerned about the way that doctors and patients interact online.

Perhaps the primary concern relating to a medical professional’s use of social media is the potential for a violation of the Health Insurance Portability and Accountability Act (or, as it is more commonly known, HIPAA). Although it is clear that a patient’s HIPAA identifiers (name, date of birth, social security number, full-face photos, etc.) should not be posted in any public forum, even a seemingly anonymous description of a patient can still be problematic if a patient or others are able to identify the patient in question from the description. In addition to general HIPAA compliance concerns, a recent study indicated that more than 90 percent of state medical boards in the United States have received at least one report of a professional violation relating to a healthcare provider’s online activities. These problems included inappropriate patient contact online, inappropriate prescribing, and misrepresentation of a doctor’s credentials. Anecdotal evidence abounds as well, with stories such as a patient becoming uncomfortable when her therapist “friended” her on Facebook providing further support for an argument that medical professionals should have a set of standardized guidelines outlining the appropriate use of social media in their practice.

To that end, in April 2012, the Federation of State Medical Boards issued Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice. The Guidelines outline many of the ways that social media use can go wrong for a medical professional: a disrespectful Tweet directed at a colleague going viral, a patient learning that her doctor referred to her as “lazy” and “ignorant” on a doctor’s blog that contained enough detail for the patient to realize the story was about her, a patient becoming concerned about seeing photos of a doctor frequently intoxicated on the doctor’s Facebook page, or even a doctor using an online dating website to ask a patient on a date, making the patient uncomfortable.

To address these potentially uncomfortable at best—and ethically questionable at worst—scenarios, the Guidelines suggest that physicians refrain from interacting with current or past patients on personal social networking sites, that any use of online resources relating to the practice of medicine be secure and password-protected, and that physicians should always be aware that they are representing themselves, their employer, and the medical profession in general when deciding what content to post online. The Guidelines specifically note that state medical boards have the authority to sanction physicians for professionally inappropriate behavior relating to physicians’ use of social media.

Of course, social media or other online sites can be a valuable tool in facilitating a professional doctor-patient relationship. In fact, some healthcare providers are even arranging online portals to allow patients to interact with their treating physician and ask questions relating to their treatment. However, medical professionals must take care to not let the Internet blur the distinction between their professional obligations and their private lives.  

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.