Social Media Liabilities in the Enterprise
New LIabilities with New Technologies
As organizations evaluate whether to implement social media, the potential liabilities of employees utilizing these media must be considered and compliance policies must be enacted. When utilizing social media such as blog and wikis, organizations gain the efficient communication and collaboration benefits that these media provide, but they also face greater risk of liability. Employees utilizing blogs can create legal liabilities for employers by discussing trade secrets or making disparaging remarks about co-workers or others. Employees may also create financial and public relations liabilities simply by saying something inappropriate, such as criticizing management, even if this is not illegal.
Even if your organization does not allow social media use, there is a high probability that employees are blogging or using wikis from home. Because many blogs and wikis are publicly viewable, an organization must be proactive and design social-media usage policies for those employees who may mention their employer when using social media from home.
This paper will highlight some of the liabilities organizations must consider when designing social media usage policies and how organizations can attempt to ensure employees are following these policies. Certainly, there are also regulatory concerns such as Sarbanes Oxley, HIPAA, and SEC regulations that corporations must consider when implementing social media. For an overview of these concerns, please visit the "Regulations for Enterprise Social Media" whitepaper.
As with other forms of communication, defamation is a concern when individuals express their opinions. Defamatory remarks are usually considered those that are false, but are purported to be fact, and harm an individual or group. There is a fine line between stating a critical opinion and publishing a false statement that could easily be perceived as true. Describing someone as a crook is probably considered an opinion, while stating that a person stole money from their employer, when that person has obviously not committed the act, would probably be considered defamation.
Organizations should implement policies that limit employees from expressing such bold statements on their work-affiliated blogs or wikis. It is one thing to express an opinion, it is a different situation when an employee makes blatantly false accusations. Employees may also be tempted to make defamatory remarks about management or fellow employees because of work-related stress. If an employee publishes a defamatory statement while at work, the employer could be held liable for damages, and would certainly suffer damage in the public eye. Employers should not attempt to limit employees' right to free speech, but they should mandate that employees who publish harsh opinions do so from their personal blogs or wikis that are not affiliated with the company. Employers should also take the time to educate employees about defamation and the consequences that can occur from publishing a defamatory remark.
Similarly to defamation, employees may make remarks about fellow employees that could be considered sexual harassment. Often, the employee may not even realize his or her statements could be considered sexual harassment.
Sexual harassment is considered unwelcome attention involving a sexual nature. With social media, sexual harassment may include activities ranging from slightlly crude remarks or jokes to explicit comments about co- employees. Organizations must ensure that employees are not violating sexual harassment policies and laws with their comments in blogs and wikis, whether or not these social media communications take place from work or home. Organizations must also ensure that employees are not making general statements that could be considered sexual harassment, even if the statement is not directed at other employees. It's quite possible that a sexual harassment statement directed at someone other than an employee may be published on a work blog and the organization would again be at risk of liability.
Again, employers should take step to make certain that employees are aware of policies, and that employees are also aware of what constitutes sexual harassment.
Copyright Infringement and Plagiarism
With the ease of copying information from one site to another, copyright infringement and plagiarism are all too frequent events, especially with blogs. Plagiarism occurs when one claims another's work as their own and does not adequately cite the original author or publisher. Simply copying another author's blog post, or part of that post, and posting it on one's own blog without citing the author could be considered plagiarism.
While it is common form on the internet to use components of other authors' works in a blog or wiki, these posts must also properly attribute the original author and link back to the original source. Organizations should create policies that mandate those writers borrowing content from other authors properly cite the original author and also link back to the original source.
Disclosing Confidential Information or Trade Secrets
Organizations must consistently monitor communications flowing out to ensure that proprietary technical information, financial data, or new business strategies are not leaked. Blogs and wikis present unique challenges, because the communication lines for these media are not linear, and social media communications are distributed instantaneously to thousands of readers. Having proprietary information distributed through these social media could prove disastrous for an organization.
To prevent this information leakage, organizations should designate what information may and may not be discussed and should clearly designate types of information that are considered confidential. Organizations should consistently update employees as to what information is confidential and what company information has entered the public domain. They should also encourage employees that have questions about the types of information they can discuss to contact the appropriate person or department.
Social media, particularly blogs, are an excellent way for individuals to vent about events and stress in their life, particularly those that happen at work. Some employees are often quick to critique management. These criticisms can just as often be productive as they can be damaging. However, negative criticisms that are made public can become disastrous public relations events, as evidence by the "Peanut Butter Manifesto," written by Brad Garlinghouse of Yahoo.
A company's social media usage policy should dictate whether it is appropriate for employees to publish company critiques in their social media and whether employees must gain prior approval before doing so. Again, free-speech should not be denied, but a company must also protect itself from public relations nightmares. This is a fine balancing act between free speech and company rightsfor the organization.
Reader comments in blogs and wikis also present unique compliance challenges, but there are multiple options for controlling comments in social media. Past litigation has occurred from comments that were posted in social media that may have been defamatory or considered sexual harassment. Even if an employee follows all policies perfectly, there is still the possibility that a commenter may post a statement that could damage to the organization.
One extreme option is to have employees disable comments on their blogs or wikis. This will prevent any uncontrolled comments from flowing through these media. However, disabling comments violates the spirit of social media, so employees may be unreceptive to a policy not allowing comments.
A more realistic option is to instruct employees that they must review all user-submitted comments before they are posted directly on a blog or wiki. This acts as a screening method, so that an employee will discover an inappropriate comment before it is posted and will remove it. Employees should enable the "moderate comments" option in their blog or wiki to screen the comments before they are posted.
Additionally, employees should disable anonymous commenting on their blog or wiki. The ability to make anonymous comments encourages users to make disparaging remarks, as the user feels it cannot be held accountable because his or her name is not attached to the statement.
To ensure that employees are following these social media compliance policies, organizations must enact a process for monitoring employee blogs and wikis. For an organization that has a minimal amount of social media, a viable option is to simply designate a person to read all new social media entries and posts every day.
For organizations that have hundreds or thousands of blogs, manually reading each blog and wiki is much less realistic. A better method might be to utilize sites such as Google Blog Search and Technorati to search employee blogs for keywords that might represent statements that violate compliance policies. However, there is currently not a viable method for searching through wikis on the internet.
It is important to know where to look when attempting to monitor employee social media communications. Organizations should always ask their employees to register their blog or wiki with a department such as human resources, however, it is unlikely that all employees will follow this policy, as blogs and wikis may be created practically instantaneously and without permission.
A more robust method of discovering employee operated social media within an organization is to utilize a discovery process that incorporates intranet and internet scans. An organization can perform a TCP/IP scan on its intranet to discover running web servers on its common ports. Once these web servers have been discovered, they can be investigated to determine if they are running a social media application.
To find employees blogging from home, one should again utilize Google Blog Search or Technorati. One could run searches, looking for keyword phrases such as "I work at company X," or a search for each employee's name could be run to identify employee-operated blogs. Again, there is no reliable resource for wiki discovery.
While these are rudimentary methods, they will help organizations discover who is using social media and where they are using these technologies.
Techrigy's SM2 is an all-inclusive option for discovering and monitoring employee social media. SM2 performs sophisticated intranet port scans to determine if employees are using social media within the intranet, and exactly what type of social media the employee is using. SM2 also interfaces with external blog search tools, and utilizes its own wiki search tools, to discover employees using social media from home. SM2 can perform this discovery process as frequently as an organization desires, whether it be on a daily, weekly, or monthly basis.
Once SM2 has identified employee social media, it creates backup records of these media and then monitors these media for policy violations. Violation rules can also be customized by an organization. If a possible violation is discovered, a notification report is relayed to the appropriate compliance officer. These reports can also occur as frequently as the organization desires.
SM2 is an outstanding option for creating an automated and reliable social media compliance management process, especially for those organizations that face the chore of monitoring hundreds or thousands of social media.
Organizations must create social media policies, regardless of whether they do or do not allow social media usage. There are more than 70 million bloggers, and it is likely that at least one person within your organization is blogging from work or home. Wiki usage is following suit, especially as collaboration tools are created within the organization's intranet.
Companies must create policies targeted at preventing defamation, sexual harassment, copyright infringement, and confidential information leaks. Employees must also be educated to ensure that they realize the potential liabilities when the wrong information is communicated through social media. Social media can be game-changing collaboration tools for organizations, but they can also be dangerous tools if their communications are not properly monitored.