The Web of social media and compliance: Online privacy regulations

By Alexander B. Howard, Associate Editor
17 Aug 2009 | SearchCompliance.com


The explosion of social media, particularly platforms like Twitter, Facebook and LinkedIn, has brought with it significant security concerns and potential regulatory scrutiny. In a recent survey by Russell Herder, an advertising agency, and Ethos Business Law, fewer than one-third of 438 respondents said their organization had a policy in place governing social media use. Only 10% of the companies surveyed by the Minneapolis-based organizations indicated that they had conducted employee training on such use. Is it any wonder that 80% of the executives said they are fearful of social networking risks?

For compliance officers, social media use has dramatically increased the potential for data leaks and malware infections. Experts say employers and employees need to be on the same page when it comes to the use of social media and agree on usage policies that allow individuals to connect with family, friends and colleagues but clarify what kinds of social messaging are acceptable.

A recent tip from SearchCompliance.com contributor Andrew Baer drove home the new reality: social media platforms demand a clear employee Internet use policy, which should then be distributed throughout the enterprise.

Given the many vectors for data breaches, an educated workforce will continue to be the most effective means of remaining compliant with regulatory guidance in the near future, despite improvements in data leak prevention software.

"The risks of employee Web 2.0 communications are just magnifications of the effects of otherwise bad behavior," said Doug Cornelius, compliance officer at a Boston-based real estate private equity firm and blogger at ComplianceBuilding.com.

Christophe Veltsos, president of Mankato, Minn.-based Prudent Security LLC and a faculty member at Minnesota State University, has a similar view: "Education is at least as important as creating edicts. If employees don't know or don't understand why their Web 2.0 behavior can cause harm to the company, they likely don't understand the policy either."

That education, however, needs to include clear expectations around online privacy for social media use at work, specifically while on a corporate network or using other IT resources like a smartphone or laptop remotely.

Baer writes that such a "policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet."

Privacy expert Rebecca Herold advised, "If a policy exists stating such, then enterprise employees shouldn't expect privacy on the corporate network; it all depends upon the policy's existence and wording. … If a policy says all electronic data on the network may be monitored, then it's possible for all."

Cornelius added, "Should they have an expectation of privacy? No. The company should be up front about that. If you are using the company's hardware or networking equipment, you can expect to be monitored. The company can take your computer and examine the contents."

"Everything is potentially discoverable. No matter where it is. Whether it's findable is a different story. The hoops to get it from a Web 2.0 host may be different [than internal logs]," he said.

The relevance of social media for e-discovery is only likely to increase over coming years. Further, as Carolyn Elefant reported at Legal Blog Watch at Law.com, even clients that have blocked accounts from public access can be subject to e-discovery if a judge finds that the updates are relevant to the case.

In Leduc v. Roman, a decision made in the Superior Court of Justice in Ontario, the judge ruled that "a party who maintains a private or limited access Facebook profile stands in no different position than one who sets up a publicly available profile. Both are obliged to identify and produce any postings that relate to any matter in issue in an action."

Where else do existing privacy laws apply? Be mindful of the EU

Online privacy rules can differ substantially by region or country. U.S. and European Union (EU) personal data protection laws make e-discovery risky, and implementing or conducting e-discovery in non-common-law countries can leave companies caught between breaking the law in the U.S. and running afoul of European data privacy laws. When it comes to e-discovery and the EU, in fact, cross-border investigations tend to be complex affairs.

A policy recommending that all employee communication be monitored and logged "may be acceptable in the U.S. (in fact it seems to be de facto), but it may run counter to privacy principles in the EU and other countries with more stringent personal privacy directives," wrote Vivian Tero, program manager for IDC's compliance infrastructure service, in an email interview. "In the U.S., materials generated and stored on corporate IT assets are treated as corporate property."

Tero pointed out that "the EU Directive on Privacy takes a different stance, and personal messages posted on social media using corporate IT assets are still deemed the property of the individual. Here, corporations put the onus on the individuals to self-police their behavior on social networks."

Should a national data privacy law be passed in the U.S., restrictions on how, where and why social media messaging can be monitored, logged or stored will need to be revisited.

Part 2 in the series, ECPA and online privacy, explores the implications of the Electronic Communications Privacy Act for social media use on the corporate network. Part 3 addresses what an online privacy policy could include and how it should be shared.

Let us know what you think about the story; email: Alexander B. Howard, Associate Editor, @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
