Social Media, User Generated Content and Liability

Social media platforms and applications are dependent upon communal participation. Members of the community share everything from names, professions and scholastic and corporate affiliations to names and photos of family and friends as well as up-to-the-minute updates on current events. Little is too personal on social media, and the greater the extent of the sharing the greater the personal reward for all involved.

As in the non-Internet world, people often do and say things that are not always appropriate - whether intentional or not. Examples include a personal opinion, a piece of confidential information about oneself, one's company or an acquaintance. Through social media, such communication can take the form of a written comment, photos, videos or other form of communication. The result of these communications can result in claims of defamation, incorrect statements of fact, harassment, etc.

Unfortunately for social media operators such as banks that decides to host their own social media sites (e.g., Bank of America, American Express, etc.) and not utilize a commercially available site such as Facebook, there can be a potential legal risk. Fortunately for social media operators operating in the U.S., there exists some form of protection to the extent that certain procedures are maintained.

COMMUNICATIONS DECENCY ACT

Section 230 of the Communications Decency Act of 1996 is a landmark piece of Internet legislation. Section 230(c)(1) of the CDA provides immunity from liability to providers and users of an "interactive computer service" that publishes information provided by others (e.g., user-generated content). Courts generally apply the following three-prong test to determine whether a defendant is subject to the protections afforded by Section 230.

1. The defendant must be a "provider or user" of an "interactive computer service;"

2. The cause of action asserted by the plaintiff must treat the defendant as a "publisher or speaker" of the harmful information at issue; and,

3. The information must be "provided by another information content provider," (i.e., the defendant must not be the information content provider of the harmful information at issue).

This section of the CDA was enacted to enhance free speech by making it unnecessary for Internet service providers and other service providers to unduly restrict customers' actions for fear of being found legally liable for customers' conduct. This law effectively protects social media operators since it covers computer services that involve user-generated content

As a result of its effective protections, Section 230 is considered quite controversial because courts have interpreted Section 230 as providing complete immunity to Internet service providers and other service providers with regard to torts committed by their users. Critics of Section 230 are primarily concerned with its effectiveness at leaving victims with no hope of relief in instances where the true tortfeasors cannot be identified or are judgment proof.

Courts have upheld Section 230 in a variety of factual contexts and on numerous legal theories, including posting of:

• Defamatory information;
• Opinions;
• Private information;
• False information;
• Pornographic information;
• Harassing commentary; and,
• Discriminatory and/or illegal advertising.

Section 230, however, is not absolute protection. For example, plaintiffs have successfully argued in a handful of cases that an "interactive computer service" was not entitled to Section 230 immunity because the person or entity in question was an "information content provider" with respect to the information at issue, thereby failing the third test noted above. Notwithstanding certain plaintiff successes, generally the social media operator is protected against liability for postings made by others so long as the operator does not contribute in whole or in part, in the creation or development of the content and provides a mechanism for detecting objectionable content.

As such, in order for social media operators to obtain the maximum protection under Section 230 of the CDA, the operator should strictly adhere to the following:

• Do not alter any contribution of user-generated content. To the extent that user-generated content is repackaged - no matter how insignificantly, the social media operator potentially voids one of the three tests and risks exposure. Competent legal counsel should opine on the risk to the social media operator to the extent that any user-generated content is repackaged or reformatted.

• Maintain the ability for users to alert the operator of questionable content. Users should at all times be provided with the ability to report user-generated content that violates the terms of use or is generally considered offensive or specifically offensive. Additionally, users should be provided with the ability to promptly delete user-generated content that is directly posted to their profiles or personal space within the social media platform.

• Maintain formal policies and procedures for addressing complaints of questionable content. The policies should include both external terms of use policies and internal policies and procedures for the timely management of complaints. Periodic audits and compliance with recommended corrective actions should be performed and well documented to serve as support in the event of legal action.

• The Terms of Use should explicitly state that the user is fully responsible and liable for any legal action attributed to their user generated content and the TOU should include indemnification language that contractually indemnifies the social media operator as a result of user-generated content. Any subsequent changes to the TOU should require the user to accept the changes prior to permitting the user access to the social media platform.

I am not an attorney and this information should not be taken as legal advice. However, it should be something to think about and explore further to the extent that your bank will host its own site.

Today it is very possible for community banks to launch their own social networks. If that decision makes sense, an appropriate risk assessment should be conducted that includes within it questions related to legal liability. Legal counsel should be well versed in these emerging risks in order to provide strong advice.

As I state over and over in this blog, these risks should not deter the use of social media. However, the risks should be considered and appropriate internal controls, policies and procedures put into place to allow everyone to sleep at night.