Employee use of Web 2.0, especially social networking, microblogging and collaborative media such as Facebook, LinkedIn, Twitter and wikis, presents enterprises with a kaleidoscope of compliance, information security, legal and reputational risks, in addition to the problem of lost productivity. To manage these risks appropriately, an enterprise needs to adopt a comprehensive Internet use policy that covers personal employee use of social media platforms and is tailored to the requirements and culture of the business.
At the same time, there are risks associated with overly zealous policing of employee Web 2.0 usage, as colorfully illustrated by a federal jury's recent verdict.
This article examines the special risks and issues associated with employees' personal use of Web 2.0 tools. Obviously, corporate use of Web 2.0 must also be addressed in any Internet use policy, since corporate communications will require prior review and communications with customers may be subject to special guidelines and retention requirements. This is especially true for enterprises that are publicly traded or in a highly regulated industry like banking.
Some risks of employee Web 2.0 communications
If a corporation's securities are publicly traded, then inaccurate, misleading or selective comments about the company's business in employee Web 2.0 posts have the potential to attract the scrutiny of the Securities and Exchange Commission. Even if this doesn't happen, market reaction to unedited and unfiltered disclosures on blogs and social networking sites can result in large stock price swings. Furthermore, in highly regulated industries like banking and credit cards, regulatory mandates may require specific disclosures in product advertising; lately this area has also seen more enforcement activity by the Federal Trade Commission (FTC) and the federal bank regulatory agencies due to heightened concern over unfair and deceptive advertising practices.
The regulatory compliance risks are closely linked with information security and reputational risks. Once confidential company information is posted on the Internet, it is forever lost, both practically and legally. Proprietary code, product or marketing strategies and customer information critical to the company's competitive position can also quickly leak into the ether of cyberspace. If nonpublic personally identifiable customer information is posted on the Internet, the costs are potentially huge: ruptured customer relationships and expenses associated with customer notification, closing and reissuing accounts, and identity theft prevention measures like credit monitoring, not to mention the possibility of uncomfortable conversations with the FTC, supervising regulatory agencies, state attorneys general and, of course, plaintiffs' attorneys.
Even postings that are not material disclosures from the standpoint of securities compliance (i.e., that are not likely to affect a decision to purchase or sell securities) can be embarrassing and have a detrimental impact on the public's perception of the enterprise and internal morale. For example, in the Pietrylo v. Hillstone Restaurant Group case, employees of a New Jersey restaurant created a MySpace group in which they posted disparaging and graphic sexual remarks about the restaurant's management, clientele and policies. The more explicit, provocative or profane a posting is, the more widely viewed it is likely to be, as any Internet user can attest. Employee complaints on blogs and social media sites are regularly scrutinized as a barometer of an enterprise's health and the mood of its workforce.
Regulated financial institutions should be especially sensitive to the reputational risk factor, since federal regulatory guidance specifically views an institution's reputation with its customers as a factor in its overall safety and soundness, and an inappropriate posting can easily cause offense or generate jitters (e.g., "I work in the credit card division at XYZ, and I've been seeing a lot of defaults lately.").
Risk management 101: Have an Internet use and social media policy
To manage these risks, if an enterprise wishes to permit some amount of personal Web 2.0 use at work or any discussion of business-related matters in personal postings (issues it should decide at the very outset), it should implement a corporate Internet use policy for social media platforms, which every employee should be required to sign and which should specifically state that violations may result in disciplinary action, up to and including termination. The policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.
Much of the content of the Internet use policy will mirror that of older corporate computer use policies, which were first instituted to manage the employer liability and information security risks associated with Web 1.0, such as the unauthorized downloading or circulation of copyrighted or pornographic content, disclosure of trade secrets and confidential information, defamation and use of computer or Internet access to engage in sexual harassment or discrimination. To avoid liability for the enterprise, the global Internet use and social media policy should still forbid these activities, but must also take into account the special nuances of Web 2.0 communications.
For example, the policy should require employees to include, in or in close proximity to any post that references the company, a conspicuous disclaimer that the post reflects the employee's personal views and not those of the enterprise. Additionally, the enterprise should seriously consider whether to prohibit employees from posting descriptions of or statements about the terms, features or availability of products and services, including pricing, rates, rewards and eligibility or decision criteria, and to restrict such communications to authorized channels subject to prior review and/or special guidelines.
Regulated financial institutions should also consider whether to go further and prohibit even generalized comments about the business, since certain comments may reflect adversely on an institution's safety and soundness or reputation, or may be taken as misleading or deceptive. If some commentary is permitted, the employee should be required to clearly state his affiliation with the financial institution and include the disclaimer that the post reflects his personal views.
Of course, any Internet use policy should also prohibit all disclosures of confidential information, and in this respect should be integrated with the enterprise's information security policy. Both policies should have the same definition of confidential information: It must specifically include material, nonpublic information about the enterprise's business or financial condition, any and all nonpublic personal information relating to employees or customers, and, with respect to financial services customers, any associated financial or product eligibility data, such as FICO scores. The enterprise should also consider implementing a Web 2.0 management tool, such as Socialware, which can monitor and filter the information and content transmitted to external websites from the enterprise's network.
Aside from certain sensible, universally accepted prohibitions (unless one works for Howard Stern, it is hard to defend using corporate IT resources to share graphic sexual content), there is no one-size-fits-all approach. A critical question that CIOs and corporate counsel must wrestle with is how much to police. Outright prohibitions on discussing the enterprise or its business outside of work are seen as Big Brother tactics and culturally disfavored, as are total bans on personal use of corporate Internet access. Furthermore, monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise's Web 2.0 strategy is not well planned and administered.
Learn more in part 2, "Pietrylo case a cautionary Web 2.0 communications compliance failure."
Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at email@example.com.
This was first published in July 2009