Protecting social media contacts as trade secrets

Social media contact lists have become an increasingly important part of a business's customer lists. This trend has only accelerated during the COVID-19 pandemic as tens of millions of employees have intensely, if not exclusively, focused their networking efforts through social media. While courts are still grappling with who legally "owns" the contact lists that an employee developed on the employer's dime -- such as LinkedIn customer connections or access to a list of Twitter-feed recipients -- there are many steps an employer can take to strengthen its claim of ownership over employee-generated social media contacts developed during work.

The versions of the Uniform Trade Secrets Act adopted by every state but New York and the federal Defend Trade Secrets Act define a "trade secret" as information that derives its economic value from not being generally known to the public and is the subject of reasonable efforts to maintain its secrets. Customer lists and contact lists may also be deemed trade secrets if they meet these criteria, but social media contact lists raise unique concerns that employers should consider specifically addressing in their policies and practices.

For example, in Eagle v. Morgan, 2013 WL 943350 (E.D. Pa. Mar. 12, 2013), the court held that all of the connections of a former employee's LinkedIn account belonged to the employee because the company had no official social media policy on ownership of the information. Conversely, in Cellular Accessories for Less, Inc. v. Trinitas LLC, 2014 WL 4627090 (N.D. Cal. Sept. 16, 2014), the court held that where a former employee signed an employment agreement that specifically stated customer lists were the property of the employer, customer contacts in the employee's personal LinkedIn account could qualify as trade secrets because the employee had the ability to limit others' ability to view his contacts. On the other hand, in BH Media Group Inc. v. Bitter, 2018 WL 3768425 (W.D. Va. Sept. 27, 2018), the court found that a newspaper employer failed to establish that it owned the Twitter account of its former writer (and access to its 27,000 followers), despite the former employee's signing an employee handbook with an intellectual property assignment provision that applied to social media accounts

Therefore, employers who value their social media contact lists as trade secrets may want to consider using employee policies that designate these lists as the employer's property and that require the employees to protect the confidentiality of their social media content on behalf of the employer.

Here are some potential steps for employers to consider (reasonable steps do not necessarily require those suggested here):

Implement a Comprehensive Social Media Policy

Employers should consider implementing a comprehensive social media policy that:

1. requires employees to maintain appropriate privacy settings for all social media accounts used for business (so the account's contacts are not accessible by others who know duty of confidentiality);

2. instructs employees not to discuss customers and customer preferences (or other potentially confidential information) in social media posts that are accessible by others who owe no duty of confidentiality;

3. specifies, without limitation, what social media accounts and related data the company owns, and advises that social media technology, accounts and data are fluid; and

4. defines the steps the employee must take upon separation/termination to (i) transfer to and ensue access to all social media lists and related data belonging to the employer; (ii) eliminating the employee's access to same; and (iii) purging from the employee's possession customer contact information and data.

Require Employees to Sign Stand-Alone Agreements

Likewise, employers should consider requiring employees to sign stand-alone confidentiality and nondisclosure agreements whereby the employee acknowledges:

1. the employer's ownership of social media accounts relating even in part to the employer's customers (or other aspects of its business except provided by applicable law) and related data;

2. the employee's duty to protect on behalf of the employer the confidentiality of customer information wherever the information may be maintained; and

3. the employee's obligations upon separation/termination (e.g., give the employer access to the information and then follow the employer's instructions about its deletion from the employee's media, and refrain from using or disclosing it further without the employer's written consent).

Restrict Unauthorized Use of Employee Data on Social Media

Employers should also consider prohibiting employees from injecting employer customer data into a personal social media account absent advanced written permission. In situations involving severe potential risk, consider requiring employees to acknowledge that, in the event of violation of this policy, the employer must be given prompt access to the account and the employee must comply with all directives needed to recover the data and rectify the misuse, including, if necessary, the transfer of the underlying account to the employer.

Control Access to Business Social Media Accounts

Employers should also consider setting up their own social media accounts for business use where possible and making those accounts inaccessible to the employee upon separation/termination. As a practical matter, a designated email account for registering and operating social media accounts, e.g., social.media.admin@business.com, could help establish the account as the employer's property and also facilitate password recovery and communication with the platform's administrators to undo any changes by a departing employee. Where applicable, employers may also want to state in the company's social media policy and agreements above the procedure for employees to transfer access to an account back to the company.

Provide Periodic Trainings and Reminders

The use of periodic trainings and reminders can increase compliance and reduce the need for future litigation to address misappropriation incidents.

Treat Social Media Contacts Akin to Traditional Customer Lists

More generally, employers should consider training employees to view social media contact lists in the same protected light as the employers' internal customer lists. Maintaining these contact lists in the same secure manner, restricting access on a need-to-know basis, and tracking the company's investment in building those contact lists may further bolster their protection.

Document the Investment

The more clearly an employer can show that a social media contact list was the product of the employer's resources, as opposed to the employee's, the stronger its ownership claim will be. CDM Media USA, Inc. v. Simms, No. 14 CV 9111, 2015 WL 1399050 (N.D. Ill. Mar. 25, 2015) illustrates this principle. There, an employer launched a LinkedIn group, titled the "Speaker Bureau," to provide a "private online community of chief information officers and senior IT executives interested in participating in or speaking at [the employer's] events." The employer designated its employee, Simms, as the point person for the group, who maintained and controlled access to the group, which grew over time to more than 600 members. The employee resigned, and refused to transfer access and control of the LinkedIn group to the employer, claiming it belonged to him. The court denied the former employee's motion to dismiss, holding that "the Speaker Bureau's membership list" could qualify as a trade secret, given that it was developed over four years by CDM through great expenditures of time, cost and effort."

In sum, the more an employer can show that it considered social media contacts to be valuable, invested resources in developing them, and took steps to notify employees to preserve the security and secrecy of those contacts, the stronger its position will be when it demands sole access to those contacts upon an employee's departure.

The list above is far from exhaustive, and employers should consult with qualified counsel before implementing and finalizing agreements, policies and procedures to protect its social media contact lists. 