What You Need to Know Before Embracing Social Networking
used with permission from Symantec

Summary: Begin with a formal and well-understood policy for employees' use of public sites like Facebook and Twitter. Then follow the five recommendations in this article for balancing the risks and opportunities presented by social networking.

When Adam Savage, the tech-savvy host of the popular TV show "MythBusters," posted a picture on Twitter of his Toyota Land Cruiser, he was sharing a lot more information than he realized. As The New York Times reported last August: "Embedded in the image was a geotag, a bit of data providing the longitude and latitude of where the photo was taken. Hence, he revealed exactly where he lived. And since the accompanying text was 'Now it's off to work,' potential thieves knew he would not be at home."

Fortunately for Savage, nothing untoward resulted from his inadvertent revelation. But the incident highlighted a point that security experts and privacy advocates have been making for some time now: namely, that the growing use of social networking sites can have serious, if unforeseen, consequences. This article looks at some of the important risks and legal issues organizations need to be aware of as employees increasingly use social networking sites.
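The geotag leak described above, as an added example that is not from the original article or from Symantec: a small pure-Python checker that reads the latitude and longitude entries (tags 1 to 4 of the GPS IFD) out of a JPEG's EXIF APP1 segment, and a stripper that removes that segment before an image is shared. The sample image is constructed in code; only the standard EXIF-in-APP1 layout is handled, not other metadata containers such as XMP.

```python
import struct
EXIF_HDR = b"Exif\x00\x00"

def _split(jpeg):
    """Split a JPEG into (list of (marker, raw segment), tail from SOS/EOI onward)."""
    segs, pos = [], 2                                    # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def _ifd(tiff, off, end):
    """Map tag -> its 4-byte value/offset field for the IFD at tiff[off]."""
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    return {struct.unpack(end + "H", tiff[e:e + 2])[0]: tiff[e + 8:e + 12]
            for e in range(off + 2, off + 2 + 12 * n, 12)}

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None if absent."""
    for marker, raw in _split(jpeg)[0]:                  # falls through to None without EXIF
        if marker != 0xE1 or raw[4:10] != EXIF_HDR:
            continue
        tiff, end = raw[10:], (">" if raw[10:12] == b"MM" else "<")   # TIFF byte order
        u32 = lambda b: struct.unpack(end + "I", b)[0]
        ifd0 = _ifd(tiff, u32(tiff[4:8]), end)
        gps = _ifd(tiff, u32(ifd0[0x8825]), end) if 0x8825 in ifd0 else {}
        if any(t not in gps for t in (1, 2, 3, 4)):      # need LatRef, Lat, LonRef, Lon
            return None
        def dms(val, ref, neg):                           # 3 RATIONALs: deg, min, sec
            r = struct.unpack(end + "6I", tiff[u32(gps[val]):u32(gps[val]) + 24])
            deg = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
            return -deg if gps[ref][:1] == neg else deg
        return dms(2, 1, b"S"), dms(4, 3, b"W")

def strip_exif(jpeg):  # drop every EXIF APP1 segment so no geotag leaves with the image
    segs, tail = _split(jpeg)
    return b"\xff\xd8" + b"".join(r for m, r in segs if (m, r[4:10]) != (0xE1, EXIF_HDR)) + tail

def build_geotagged_jpeg(lat_ref, lat_dms, lon_ref, lon_dms):
    """Constructed sample JPEG (SOI, EXIF APP1, EOI); dms = (deg, min, hundredths of a sec)."""
    rat = lambda d, m, s: struct.pack(">6I", d, 1, m, 1, s, 100)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                      # TIFF header, IFD0 at 8
    tiff += struct.pack(">HHHII", 1, 0x8825, 4, 1, 26) + b"\0" * 4   # IFD0: GPS IFD at 26
    tiff += struct.pack(">HHHI", 4, 1, 2, 2) + lat_ref + b"\0" * 3   # 4 entries; GPSLatitudeRef
    tiff += struct.pack(">HHII", 2, 5, 3, 80)                        # GPSLatitude -> offset 80
    tiff += struct.pack(">HHI", 3, 2, 2) + lon_ref + b"\0" * 3       # GPSLongitudeRef
    tiff += struct.pack(">HHII", 4, 5, 3, 104) + b"\0" * 4           # GPSLongitude -> 104; end
    app1 = EXIF_HDR + tiff + rat(*lat_dms) + rat(*lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `extract_gps` on an upload before it is posted is the check; `strip_exif` is the mitigation, and it is idempotent on an already-clean image.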

The unprecedented popularity of social networking
It's hard to believe, but not that long ago social networking was thought to be the exclusive preserve of teenagers and college students. What a difference a few years can make. Consider these statistics about Facebook, the largest and most popular social networking site:

  • More than 500 million active users.
  • 50% of active users log on to Facebook in any given day.
  • Average user has 130 friends.
  • People spend over 700 billion minutes per month on Facebook.
  • About 70% of Facebook users are outside the United States.
  • There are more than 200 million users currently accessing Facebook through their mobile devices.

Today social networking sites such as Facebook, MySpace, and Twitter are used by businesses large and small for everything from marketing to corporate communications to customer relations.

Gartner Inc. has gone so far as to predict that 50% of enterprises will be "micro blogging" by 2012. (Micro blogging refers to a form of blogging that allows users to exchange small elements of content, such as sentences or images.)

The huge popularity of the consumer micro blogging service Twitter has led many organizations to look for an "enterprise Twitter" that provides micro blogging functionality with more control and security features to support internal use between employees. According to Gartner, enterprise users want to use micro blogging for many of the same reasons that consumers do: to share quick insights, to keep up with what colleagues are doing, and to get quick answers to questions.

However, as a recent white paper by Osterman Research observed, many of the communications issued on social networking sites today contain business records, which may be subject to discovery, government "sunshine" laws, or an increasing number of regulations.

Last January, the Financial Industry Regulatory Authority (FINRA) released Regulatory Notice 10-06, which provides guidance on how financial firms should use blogs and social networking sites. While financial advisors may not think of a blog posting or a tweet as a business record, FINRA made it very clear that all communication via the Internet, including social networks, will be considered the same as in-person or written communication.

According to FINRA:

  • Publicly available websites are considered advertisements.
  • An email or instant message sent to 25 or more prospective customers is considered sales literature.
  • An email or instant message is considered correspondence if it is sent to a single customer, an unlimited number of existing retail customers, and/or fewer than 25 prospective retail customers (firm-wide) within a 30-day period.
  • Password-protected websites (e.g., Facebook or LinkedIn) are considered sales literature.
  • Chat room discussions (e.g., Facebook discussions, LinkedIn Q&A) are considered public appearances.

Organizations also need to be aware that, as social networking sites become more popular, the content on these sites may be subject to electronic discovery in legal cases. In one case, Romano v. Steelcase, the court went so far as to state that the plaintiff, who had brought a personal injury action against the defendant, had no reasonable expectation of privacy "notwithstanding her privacy settings" because Facebook and MySpace did not guarantee "complete privacy." The court ruled that private information sought from the plaintiff's social networking website accounts was material and necessary for the defendant's defense.

For its part, Facebook says it may "disclose information pursuant to subpoenas, court orders, or other requests (including civil and criminal matters) if we have a good faith belief that the response is required by law."

A social media policy is essential
Given these many recent developments, it's not surprising that many enterprises are still taking a wait-and-see attitude toward social networking. According to Symantec's most recent State of Enterprise Security Report:

  • 84% of CIOs and CISOs surveyed consider social networking sites to be a serious threat to their security.
  • 76% of companies that have implemented, or are considering implementing, a social media policy expect to ban access to social media completely or grant only limited access.

Symantec recognizes the risks posed by social networking on corporate IT systems but believes that a balance can be struck between legitimate use and security. Companies can significantly reduce risk by developing a social media policy that lays out specific employee policies and guidelines. Companies should also implement training to help employees understand best practices in this new world where personal and work content collide both in the workplace and at home.

As dictated in FINRA Notice 10-06, financial firms must have a social media policy in place before engaging in social media for business use. Contrast this with the recent results of a study on social media usage among financial advisors, where 43% of respondents either did not have a social media policy in place or were unclear whether a policy was in place.

This divide illustrates the confusion around social media usage and highlights the need for organizations to take action. By not employing a policy, all businesses (not just those in the financial services industry) leave themselves open to unnecessary risk. In essence, regulatory bodies treat social media compliance no differently from instant messaging compliance. Consequently, in addition to simple chat transcripts, enterprises in regulated industries will have to archive and supervise everything from Facebook groups to re-tweets.

Recommendations for social media
Symantec has seen large companies adopting social media applications to improve collaboration between employees and partners and to build better relationships with customers. As they do, however, it becomes necessary to manage the risks associated with allowing employees to access sites like Facebook and Twitter from within their corporate network. Drawing on its endpoint, Data Loss Prevention, and storage management solutions, Symantec recommends that organizations:

  • Monitor managed and unmanaged endpoints, on or off the network.
  • Notify employees when they try to send confidential data outside of the company.
  • Block attempts by employees to post confidential data to social networking sites.
  • Remove confidential data from Web posts before they're sent to social networking sites.
  • Capture and retain all social networking activity, with the associated metadata about the content, and archive this content in a structured fashion to enable easy discovery.

With social networking growing exponentially, enterprises need to consider both the risks and opportunities presented by this phenomenon. Opening the doors to public sites like Facebook and Twitter also means facing the challenges associated with supervisory and data retention requirements. The good news is that the tools exist to help organizations gain the real business benefit from these sites, where employees, customers, and partners increasingly interact, while balancing the inherent risks associated with their use.