The Web of social media and compliance: Online privacy policy

By Alexander B. Howard, Associate Editor
17 Aug 2009 | SearchCompliance.com


Part 1 in this series addressed the expectations employees should have for online privacy using social media over a corporate network. Part 2, ECPA and online privacy, explores the implications of the Electronic Communications Privacy Act for social media use on the corporate network. This article addresses what an online privacy policy could include and how it should be shared.

When it comes to social media use and compliance, the first step in forming an effective policy that addresses both security and privacy laws is recognizing that these platforms aren't going away as a risk for data leaks, data breaches or reputational damage.

The second step, determining how online privacy regulations apply and should be interpreted, is a challenge for the courts, much less IT professionals. That said, the regulations that a compliance officer must consider relate directly to the kind of information being stored or transmitted.

As compliance officer Doug Cornelius wrote in an email interview, "If you are a public company, there are securities law implications. FINRA rules effectively prohibit broker-dealers from using social media to tout securities. If you are in health care, financial services or other regulated industry, there are more detailed issues." If an enterprise handles sensitive customer data, state laws governing data protection, like Massachusetts 201 CMR 17, will dictate how personally identifiable information must be secured and managed.

In general, in the view of Christophe Veltsos, president of Mankato, Minn.-based Prudent Security LLC and a faculty member at Minnesota State University, "corporate policies don't (yet) extend past the corporate walls, although some exceptions exist. Big Brother ends once the employee steps outside of the corporate walls unless the employee is using company-owned equipment or services (PC, PDA, cell phone or VPN tunnel). The bottom line is that if it's in public or sent over the corporate network, it's monitored."

Cornelius said he thinks "it is also a good policy to have employees register their blog, Twitter accounts and other social accounts with the company. (But not the password.) After all, if they are posting publicly, they should expect that someone at the company is reading it. That may temper some bad behavior. With RSS feeds, it is easy to monitor the activity."

Veltsos cautioned, however, that "even a well-designed acceptable use policy may not cover what an employee does or says outside of the corporate IT walls and/or networks. When off the clock, an employee may be making statements about their employer, work conditions or customers in a Web 2.0 environment, be it via blog or social network postings. Worse, the advent of always-connected devices, such as smartphones, Internet-enabled PDAs or cell-network-based Internet (such as EVDO), means that employees may be live-casting their thoughts and opinions straight from the workplace."

Cornelius said he sees the same risks: "If you list your company's name or write about what you do, it affects the company. Where you use Web 2.0 technologies is meaningless, since you can access most of the sites from a home computer, office computer or mobile device, wherever you are."

What to do? "Ultimately, a well-designed policy should be generally applicable, but more importantly uniformly enforced, with appropriate mechanisms for exceptions when warranted, such as the company's new push into having a Twitter or Facebook presence," Veltsos advised. "The easiest way for a company to lose a wrongful termination case is to demonstrate shoddy or selective enforcement of its own internal policies."

Managing online privacy and social media requires better policies -- and preparation

Veltsos observed that some academic institutions have brought disciplinary actions for violations perpetrated off-campus, although "outright bans are unlikely to work unless you are the government or military." And, in fact, earlier this month the Marines banned Twitter, MySpace and Facebook use for a year.

Vivian Tero, program manager for IDC's compliance infrastructure service, said she expects that as social media use grows, "organizations would probably start doing passive monitoring, audit and sampling; then over time and with sufficient intelligence on employee behavior, those corporate policies and business rules evolve to allow for more active policy enforcement. The combination of policies, employee training and communication on acceptable use and automated tools to monitor and enforce policies would, in theory, allow for a more controlled use of Web 2.0 applications."

Tero recommended that, "in addition to having clearly articulated policies regarding the use, content, tone and language for employees using social media, organizations should also consider employing data loss prevention solutions. Some organizations have blocked these apps altogether from their networks. There are IT asset management tools today that can detect and remove 'rogue' applications. Most of the DLP solutions already have the ability to passively or actively monitor the use of social media."

And, according to SearchSecurity.com, firms are showing interest in DLP to monitor social media use. Beyond finding room in tight IT budgets, however, installing DLP requires a thoughtful configuration management plan: a DLP product only catches what its rules are tuned to see.

Just as social media and Twitter use create security risks, compliance concerns dog enterprise 2.0 collaboration platforms as well. Whether social messaging is internal or external, firms need better software -- and effective internal policies -- to help monitor, filter, store and audit such data.

Compliance conundrums will grow in the future

These issues are only going to grow as more personal information is digitized and employees seek to access repositories for their personal data from the workplace. As telecommunications and privacy lawyer Yaron Dori observed, "the more we enter an environment where more of our lives are conducted online, you have to consider whether an employee has another option. Should we make an exception? To date, I'm not aware of a case in which a court has been willing to do that."

The American Recovery and Reinvestment Act, for instance, allocates billions of dollars toward electronic health records. Dori said he anticipates further legal conundrums on this count. "What if we move to the point where we're communicating with our doctors' offices electronically and have to do it from work? The courts just haven't grappled with it yet."

The bottom line is that when it comes to online privacy and social media, compliance officers will serve both workers and the organization best by distributing a handbook that contains a clear social media policy when an employee first joins the company. The handbook and the policy together set out clear expectations of privacy and secure the employee's acknowledgement of that standard. Such agreements can also be updated with sections that address peer-to-peer security concerns and make clear that defamatory content on social media platforms could be subject to subpoena. In general, compliance officers may be better off not storing, maintaining or otherwise backing up employees' private data unless it is mission-critical, since any data the organization retains is data a breach can expose.

The key to an effective social media policy that both respects the privacy of the individual and protects an organization lies in understanding that, as with other aspects of compliance and security, people are both the weakest and strongest links.

As IBM's social computing guidelines make clear, common sense around confidential data and responsible engagement are the best policy for all involved.
