
The Web of social media and compliance: Online privacy regulations

Compliance officers should review online privacy regulations before drafting social media usage policies that set expectations for online privacy.

The explosion of social media, particularly platforms like Twitter, Facebook and LinkedIn, has brought with it significant security concerns and potential regulatory scrutiny. In a recent survey by Russell Herder, an advertising agency, and Ethos Business Law, fewer than one-third of 438 respondents said their organization had a policy in place governing social media use. Only 10% of the companies surveyed by the Minneapolis-based organizations indicated that they had conducted employee training on such use. Is it any wonder that 80% of the executives said they are fearful of social networking risks?

For compliance officers, social media use has dramatically increased the potential for data leaks and malware infections. Experts say employers and employees need to be on the same page when it comes to the use of social media and agree on usage policies that allow individuals to connect with family, friends and colleagues but clarify what kinds of social messaging are acceptable.

A recent tip from contributor Andrew Baer drove home the new reality: social media platforms demand a clear employee Internet use policy, which should then be distributed throughout the enterprise.

Given the many vectors for data breaches, an educated workforce will continue to be the most effective means of remaining compliant with regulatory guidance in the near future, despite improvements in data leak prevention software.

"The risks of employee Web 2.0 communications are just magnifications of the effects of otherwise bad behavior," said Doug Cornelius, compliance officer at a Boston-based real estate private equity firm and blogger at

Christophe Veltsos, president of Mankato, Minn.-based Prudent Security LLC and a faculty member at Minnesota State University, has a similar view: "Education is at least as important as creating edicts. If employees don't know or don't understand why their Web 2.0 behavior can cause harm to the company, they likely don't understand the policy either."

That education, however, needs to include clear expectations around online privacy for social media use at work, specifically while on a corporate network or using other IT resources like a smartphone or laptop remotely.

Baer writes that such a "policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet."

Privacy expert Rebecca Herold advised, "If a policy exists stating such, then enterprise employees shouldn't expect privacy on the corporate networking; it all depends upon the policy's existence and wording. … If a policy says all electronic data on the network may be monitored, then it's possible for all."

Cornelius added, "Should they have an expectation of privacy? No. The company should be up front about that. If you are using the company's hardware or networking equipment, you can expect to be monitored. The company can take your computer and examine the contents."

"Everything is potentially discoverable. No matter where it is. Whether it's findable is a different story. The hoops to get it from a Web 2.0 host may be different [than internal logs]," he said.

The relevance of social media for e-discovery is only likely to increase over coming years. Further, as Carolyn Elefant reported at Legal Blog Watch at, even clients that have blocked accounts from public access can be subject to e-discovery if a judge finds that the updates are relevant to the case.

In Leduc v. Roman, a decision made in the Superior Court of Justice in Ontario, the judge ruled that "a party who maintains a private or limited access Facebook profile stands in no different position than one who sets up a publicly available profile. Both are obliged to identify and produce any postings that relate to any matter in issue in an action."

Where else do existing privacy laws apply? Be mindful of the EU

Online privacy rules can differ substantially by region or country. U.S. and European Union (EU) personal data protection laws make e-discovery risky, and implementing or conducting e-discovery in non-common law countries can leave companies caught between breaking the law in the U.S. and running afoul of European data privacy laws. When it comes to e-discovery and the EU, in fact, cross-border investigations tend to be complex affairs.

A policy recommending that all employee communication be monitored and logged "may be acceptable in the U.S. (in fact it seems to be de facto), but it may run counter to privacy principles in the EU and other countries with more stringent personal privacy directives," wrote Vivian Tero, program manager for IDC's compliance infrastructure service, in an email interview. "In the U.S., materials generated and stored on corporate IT assets are treated as corporate property."

Tero pointed out that "the EU Directive on Privacy takes a different stance and personal messages posted on social media using corporate IT assets are still deemed as the property of the individual. Here, corporations put the onus on the individuals to self-police their behavior on social networks."

Should a national data privacy law be passed in the U.S., restrictions on how, where and why social media messaging can be monitored, logged or stored will need to be revisited.

Part 2 in the series, ECPA and online privacy, explores the implications of the Electronic Communications Privacy Act for social media use on the corporate network. Part 3 addresses what an online privacy policy could include and how it should be shared.

Let us know what you think about the story; email: Alexander B. Howard, Associate Editor, @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
