The explosion of social media, particularly platforms like Twitter, Facebook and LinkedIn, has brought with it significant security concerns and potential regulatory scrutiny. In a recent survey by Russell Herder, an advertising agency, and Ethos Business Law, fewer than one-third of 438 respondents said their organization had a policy in place governing social media use. Only 10% of the companies surveyed by the Minneapolis-based organizations indicated that they had conducted employee training on such use. Is it any wonder that 80% of the executives said they are fearful of social networking risks?
A recent tip from SearchCompliance.com contributor Andrew Baer drove home the new reality: social media platforms demand a clear employee Internet use policy, which should then be distributed throughout the enterprise.
Given the many vectors for data breaches, an educated workforce will continue to be the most effective means of remaining compliant with regulatory guidance in the near future, despite improvements in data leak prevention software.
"The risks of employee Web 2.0 communications are just magnifications of the effects of otherwise bad behavior," said Doug Cornelius, compliance officer at a Boston-based real estate private equity firm and blogger at ComplianceBuilding.com.
Christophe Veltsos, president of Mankato, Minn.-based Prudent Security LLC and a faculty member at Minnesota State University, has a similar view: "Education is at least as important as creating edicts. If employees don't know or don't understand why their Web 2.0 behavior can cause harm to the company, they likely don't understand the policy either."
That education, however, needs to include clear expectations around online privacy for social media use at work, specifically while on a corporate network or using other IT resources like a smartphone or laptop remotely.
Baer writes that such a "policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet."
Privacy expert Rebecca Herold advised, "If a policy exists stating such, then enterprise employees shouldn't expect privacy on the corporate networking; it all depends upon the policy's existence and wording. … If a policy says all electronic data on the network may be monitored, then it's possible for all."
Cornelius added, "Should they have an expectation of privacy? No. The company should be up front about that. If you are using the company's hardware or networking equipment, you can expect to be monitored. The company can take your computer and examine the contents."
"Everything is potentially discoverable. No matter where it is. Whether it's findable is a different story. The hoops to get it from a Web 2.0 host may be different [than internal logs]," he said.
The relevance of social media for e-discovery is only likely to increase over coming years. Further, as Carolyn Elefant reported at Legal Blog Watch at Law.com, even clients that have blocked accounts from public access can be subject to e-discovery if a judge finds that the updates are relevant to the case.
In Leduc v. Roman, a decision made in the Superior Court of Justice in Ontario, the judge ruled that "a party who maintains a private or limited access Facebook profile stands in no different position than one who sets up a publicly available profile. Both are obliged to identify and produce any postings that relate to any matter in issue in an action."
Where else do existing privacy laws apply? Be mindful of the EU
Online privacy rules can differ substantially by region or country. U.S. and European Union (EU) personal data protection laws make e-discovery risky, and implementing or conducting e-discovery in non-common law countries can leave companies caught between violating U.S. law and running afoul of European data privacy laws. When it comes to e-discovery and the EU, in fact, cross-border investigations tend to be complex affairs.
Tero pointed out that "the EU Directive on Privacy takes a different stance and personal messages posted on social media using corporate IT assets are still deemed as the property of the individual. Here, corporations put the onus on the individuals to self-police their behavior on social networks."
Should a national data privacy law be passed in the U.S., restrictions on how, where and why social media messaging can be monitored, logged or stored will need to be revisited.