Enterprise records management strategy guide for GRC professionals
A comprehensive collection of articles, videos and more, hand-picked by our editors
The explosion of social media use for business purposes has created numerous new challenges for companies -- especially from a litigation and regulatory compliance standpoint.
The eDJ Group, an e-discovery analyst and consulting firm, recently released a report titled Collection and Preservation of Social Media that tries to help organizations navigate this new terrain. The report outlines how companies can mitigate the risks surrounding the growing amount and use of social media data in the business world.
One big problem is that, despite not much precedent for social media case law, companies are increasingly responsible for the collection and preservation of social media content, according to eDJ Group co-founder and analyst Barry Murphy. In this Q&A, Murphy discusses the importance of social media data collection in today's business environment, the evolution of social media preservation for e-discovery purposes, and what future social networking compliance rules could look like.
If there's good indication that social media data may be relevant to a case, the courts are going to compel discovery of it.
co-founder and analyst, eDJ Group
Why is understanding social media data risk so important to businesses today?
Barry Murphy: I think amendments to federal rules really left open the fact that all electronically stored information is going to be subject to discovery when it comes to litigation or regulatory compliance. The rate at which social media has exploded creates problems -- there are all sorts of cases coming up where companies have to go get social media data. The problem is, it's not as straightforward as saying, "Oh, let me go preserve someone's email," because it's not a system that [companies] necessarily have any control over. Chances are, they don't have a whole lot of usage policies, or at least any real granular usage policies that advise employees how to use social media. Therefore, if they do have to go get social media during litigation, they are looking at potentially really high costs, potentially a ton of information to review, if they don't take action early.
What are some of the methods companies are using for social media data collection and preservation? Are there any techniques that are more effective than others?
Murphy: Many folks would use either a screen capture or a Web crawl tool simply to try to capture what the social media data looks like at a specific point in time. Companies can use an incremental Web crawl to keep track of incremental changes to a Facebook page or a Twitter feed. Those can be OK, depending on how important the case is.
There are two other methods that, when combined, work best, and are the most defensible ways to collect social media: That is a direct API (application programming interface) integration where you are essentially writing a direct integration to the API of the publishers of Facebook or Twitter or LinkedIn. That allows you to collect and map all of the metadata fields, and make sure you get the content in a way where it can be authenticated. The other method -- and this works best when combined with the API approach -- is a proxy method. With the proxy method, the user gives the company permission to access their account. The company could then monitor all of their communications, and collect [data] as necessary according to company policy.
The proxy method also allows organizations to shut off certain things to have real, total control. Let's say you want to let employees use Facebook at work because it allows for networking, but you don't want them playing games or using other apps. The proxy method would allow the employees, possibly, to only post to their wall, but not use any other applications. It gives the company a little more control.
What are some of the characteristics of a solid, organization-wide social media policy?
Murphy: It can't just be a broad statement like, "Don't use social media for inappropriate purposes." It has to be very specific; it has to direct them on what they can do. If the policy mentions "inappropriate activity," it should specify what those activities are. Maybe use wording like, "Don't put any company product names on Twitter," or "Don't post any trade secrets," and give examples of what those trade secrets might be. It should also let employees know that they can communicate with each other and what their rights are.
More on social media data management
Free social media policy templates from around the Web
Communication vital to social media records management
FAQ: How do corporate social media policies hold up against labor laws?
The policy should also explain what the company's philosophy on social media is. IBM has a really good social media usage policy. It says they really want people to be social and want to encourage collaboration. This allows them to also tell employees, "This is why we are going to monitor you because we are letting you use this liberally." If anything does happen, there will be consequences, whereas other companies that are not specific aren't really giving their employees any direction.
Those are the characteristics of a good social media policy: It spells out what the culture is, what the attitude is, and then gets specific about what they can and cannot use social media for.
Do you foresee any federal regulatory rules around social media data collection and preservation for e-discovery purposes? If so, what kind of guidelines could be enacted?
Murphy: Case law is just beginning to emerge, but it's really reflective of the overall attitude of information. That is, essentially, if there's good indication that social media data may be relevant to a case, the courts are going to compel discovery of it -- much like they would any other type of electronically stored information under federal rules. There have been some limitations on that, in terms of the request cannot be overly broad. For example, if there is a lawsuit and you want e-discovery of social media data, you can't just say, "I want all the information from Joe Schmoe's Facebook, LinkedIn and Twitter accounts." You need to be specific in regards to exactly what you are looking for.
I think if there are going to be any regulations around social media data, I think it's going to be more along the lines of determining what are the defensible methods for collecting this information.