When it comes to social media use and compliance, the first step in forming an effective policy that addresses both security and privacy laws is recognizing that these platforms aren't going away as a risk for data leaks, data breaches or reputational damage.
The second step, determining how online privacy regulations apply and should be interpreted, is a challenge for the courts, much less IT professionals. That said, the regulations that a compliance officer must consider relate directly to the kind of information being stored or transmitted.
As compliance officer Doug Cornelius wrote in an email interview, "If you are a public company, there are securities law implications. FINRA rules effectively prohibit broker-dealers from using social media to tout securities. If you are in health care, financial services or other regulated industry, there are more detailed issues." If an enterprise handles sensitive customer data, state laws governing data protection, like Massachusetts 201 CMR 17, will dictate how personally identifiable information must be secured and managed.
In general, in the view of Christophe Veltsos, president of Mankato, Minn.-based Prudent Security LLC and a faculty member at Minnesota State University, "corporate policies don't (yet) extend past the corporate walls, although some exceptions exist. Big Brother ends once the employee steps outside of the corporate walls unless the employee is using company-owned equipment or services (PC, PDA, cell phone or VPN tunnel). The bottom line is that if it's in public or sent over corporate network, it's monitored."
Cornelius said he thinks "it is also a good policy to have employees register their blog, Twitter accounts and other social accounts with the company. (But not the password.) After all, if they are posting publicly, they should expect that someone at the company is reading it. That may temper some bad behavior. With RSS feeds, it is easy to monitor the activity."
Veltsos cautioned, however, that "even a well-designed acceptable use policy may not cover what an employee does or says outside of the corporate IT walls and/or networks. When off the clock, an employee may be making statements about employer, work conditions or customers, in a Web 2.0 environment, be it via blog or social network postings. Worse, the advent of always-connected devices, such as smartphones, Internet-enabled PDAs, or cell-network based Internet (such as EVDO), means that employees may be live-casting their thoughts and opinions, straight from the workplace."
Cornelius said he sees the same risks: "If you list your company's name or write about what you do, it affects the company. Where you use Web 2.0 technologies is meaningless, since you can access most of the sites from a home computer, office computer or mobile device, wherever you are."
What to do? "Ultimately, a well-designed policy should be generally applicable, but more importantly uniformly enforced, with appropriate mechanisms for exceptions when warranted, such as the company's new push into having a Twitter or Facebook presence," Veltsos advised. "The easiest way for a company to lose a wrongful termination case is to demonstrate shoddy or selective enforcement of its own internal policies."
Managing online privacy and social media requires better policies -- and preparation
Veltsos observed that some academic institutions have brought disciplinary actions for violations perpetrated off-campus, although "outright bans are unlikely to work unless you are the government or military." And, in fact, earlier this month the Marines banned Twitter, MySpace and Facebook use for a year.
Vivian Tero, program manager for IDC's compliance infrastructure service, said she expects that as social media use grows, "organizations would probably start doing passive monitoring, audit and sampling; then over time and with sufficient intelligence on employee behavior, those corporate policies and business rules evolve to allow for more active policy enforcement. The combination of policies, employee training and communication on acceptable use and automated tools to monitor and enforce policies would, in theory, allow for a more controlled use of Web 2.0 applications."
Tero recommended that, "in addition to having clearly articulated policies regarding the use, content, tone and language for employees using social media, organizations should also consider employing data loss prevention solutions. Some organizations have blocked these apps altogether from their networks. There are IT asset management tools today that can detect and remove 'rogue' applications. Most of the DLP solutions already have the ability to passively or actively monitor the use of social media."
And, according to SearchSecurity.com, firms are showing interest in DLP to monitor social media use. Aside from finding room in tight IT budgets, however, installing DLP also requires a thoughtful configuration management plan.
Just as social media and Twitter use create security risks, compliance concerns dog enterprise 2.0 collaboration platforms as well. Whether social messaging is internal or external, firms need better software -- and effective internal policies -- to help monitor, filter, store and audit such data.
Compliance conundrums will grow in the future
These issues are only going to grow as more personal information is digitized and employees seek to access repositories for their personal data from the workplace. As telecommunications and privacy lawyer Yaron Dori observed, "the more we enter an environment where more of our lives are conducted online, you have to consider whether an employee has another option. Should we make an exception? To date, I'm not aware of a case in which a court has been willing to do that."
The American Recovery and Reinvestment Act, for instance, allocates billions of dollars toward electronic health records. Dori said he anticipates further legal conundrums on this count. "What if we move to the point where we're communicating with our doctors' offices electronically and have to do it from work? The courts just haven't grappled with it yet."
The bottom line is that when it comes to online privacy and social media, compliance officers will serve both workers and the organization best by distributing a handbook that contains a clear social media policy when an employee first enters the workplace. Such a handbook both sets out clear expectations of privacy and secures an acknowledgement of that standard. Such agreements can also be updated with sections to address peer-to-peer security concerns and to make it clear that defamatory content on social media platforms could be subject to subpoena. In general, in fact, compliance officers may be better off not storing, maintaining or otherwise backing up private data if it is not mission-critical, since any data breach would then put it at risk.
The key to an effective social media policy that both respects the privacy of the individual and protects an organization lies in understanding that, as with other aspects of compliance and security, people are both the weakest and strongest links.
As IBM's social computing guidelines make clear, common sense around confidential data and responsible engagement are the best policy for all involved.