What You Need to Know Before Embracing Social Networking
Summary: Begin with a formal and well-understood policy for employees' use of public sites like Facebook and Twitter. Then follow the five recommendations in this article for balancing the risks and opportunities presented by social networking.
When Adam Savage, the tech-savvy host of the popular TV show "MythBusters," posted a picture on Twitter of his Toyota Land Cruiser, he was sharing a lot more information than he realized. As The New York Times reported last August: "Embedded in the image was a geotag, a bit of data providing the longitude and latitude of where the photo was taken. Hence, he revealed exactly where he lived. And since the accompanying text was 'Now it's off to work,' potential thieves knew he would not be at home."
Fortunately for Savage, nothing untoward resulted from his inadvertent revelation. But the incident highlighted a point that security experts and privacy advocates have been making for some time now: namely, that the growing use of social networking sites can have serious, if unforeseen, consequences. This article looks at some of the important risks and legal issues organizations need to be aware of as employees increasingly use social networking sites.
The unprecedented popularity of social networking
Today social networking sites such as Facebook, MySpace, and Twitter are used by businesses large and small for everything from marketing to corporate communications to customer relations.
Gartner Inc. has gone so far as to predict that 50% of enterprises will be "micro blogging" by 2012. (Micro blogging refers to a form of blogging that allows users to exchange small elements of content, such as sentences or images.)
The huge popularity of the consumer micro blogging service Twitter has led many organizations to look for an "enterprise Twitter" that provides micro blogging functionality with more control and security features to support internal use between employees. According to Gartner, enterprise users want to use micro blogging for many of the same reasons that consumers do: to share quick insights, to keep up with what colleagues are doing, and to get quick answers to questions.
However, as a recent white paper by Osterman Research observed, many of the communications issued on social networking sites today contain business records, which may be subject to discovery, government "sunshine" laws, or an increasing number of regulations.
Last January, the Financial Industry Regulatory Authority (FINRA) released Regulatory Notice 10-06, which provides guidance on how financial firms should use blogs and social networking sites. While financial advisors may not think of a blog posting or a tweet as a business record, FINRA made it very clear that all communication via the Internet, including social networks, will be considered the same as in-person or written communication.
According to FINRA:
Organizations also need to be aware that, as social networking sites become more popular, the content on these sites may be subject to electronic discovery in legal cases. In one case, Romano v. Steelcase, the court went so far as to state that the plaintiff, who had brought a personal injury action against the defendant, had no reasonable expectation of privacy "notwithstanding her privacy settings" because Facebook and MySpace did not guarantee "complete privacy." The court ruled that private information sought from the plaintiff's social networking website accounts was material and necessary for the defendant's defense.
For its part, Facebook says it may "disclose information pursuant to subpoenas, court orders, or other requests (including civil and criminal matters) if we have a good faith belief that the response is required by law."
A social media policy is
Symantec recognizes the risks posed by social networking on corporate IT systems but believes that a balance can be struck between legitimate use and security. Companies can significantly reduce risk by developing a social media policy that lays out specific employee policies and guidelines. Companies should also implement training to help employees understand best practices in this new world where personal and work content collide both in the workplace and at home.
As dictated in FINRA Notice 10-06, financial firms must have a social media policy in place before engaging in social media for business use. Contrast this with the recent results of a study on social media usage among financial advisors, where 43% of respondents either did not have a social media policy in place or were unclear whether a policy was in place.
This divide illustrates the confusion around social media usage and highlights the need for organizations to take action. By not employing a policy, all businesses (not just those in the financial services industry) leave themselves open to unnecessary risk. In essence, regulatory bodies treat social media compliance no differently from instant messaging compliance. Consequently, in addition to simple chat transcripts, enterprises in regulated industries will have to archive and supervise everything from Facebook groups to re-tweets.
Recommendations for social