Apr 15, 2013
Social media offers a number of important benefits to both users and organizations that maintain a social media presence. For example, users benefit from the use of social media by having a ready source of current information, being able to share views, and partnering with like-minded individuals. Organizations benefit by building a following among current and prospective customers, gaining competitive advantage by being perceived as thought leaders, and sharing information in ways that would not otherwise be possible using conventional communication channels. Despite the many benefits of social media for both users and organizations, there are two primary risks associated with it:
• Users can send business records, confidential information or racially or sexually offensive content using social media tools in violation of the law, legal best practice or corporate policies.
• Users can generate content using social media that needs to be preserved according to corporate and regulatory retention requirements – but often is not.
WHITE PAPER

The Case for Social Media Management and Archiving

An Osterman Research White Paper
Published January 2011

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • firstname.lastname@example.org
www.ostermanresearch.com • twitter.com/mosterman

Executive Summary

SOCIAL MEDIA USE IS GROWING

By virtually any measure, the impact of social media is growing on a number of fronts:

• More businesses are using social media to build brand awareness
• Governments are using social media to share information
• Social media sites have emerged as icons in the popular culture

With regard to the last point, the “Big Three” social media tools in North America host a staggering number of users as of late 2010:

• Twitter has 175 million users [i]
• Facebook has roughly 520 million users [ii]
• LinkedIn has 85 million users [iii]

However, there are more than 1,000 systems in use in the dynamic, worldwide social media environment. For example [iv]:

• China’s microblogging site Sina.com is expected to have 65 million users by the end of 2010 [v].
• Google’s Orkut is the most popular social media network in Brazil with 37.5 million users as of August 2010 [vi].
• StudiVZ, with 16.6 million users [vii], is a German language social network and, not surprisingly, is the most popular such site in Germany.
• Mixi, a popular social network in Japan intended only for individuals who have access to a mobile phone provided by a Japanese carrier, has roughly 12 million users as of September 2010 [viii].

Further evidence of the growing impact of social media is the time that users spend using these networks: a Nielsen study [ix] found that in June 2010 users spent nearly 23% of their online time using social media, up from nearly 16% a year earlier, making social media the fastest growing consumer of users’ online time.

SOCIAL MEDIA, WHILE BENEFICIAL, INCREASES CORPORATE RISK

Social media offers a number of important benefits to both users and organizations that maintain a social media presence. For example, users benefit from the use of social media by having a ready source of current information, being able to share views, and partnering with like-minded individuals.
Organizations benefit by building a following among current and prospective customers, gaining competitive advantage by being perceived as thought leaders, and sharing information in ways that would not otherwise be possible using conventional communication channels. Further, the proper use of social media strengthens client and prospect relationships with real time, authentic dialogue in a way that other media cannot.

©2010 Osterman Research, Inc.

Despite the many benefits of social media for both users and organizations, there are two primary risks associated with it:

• Users can send business records, confidential information or racially or sexually offensive content using social media tools in violation of the law, legal best practice or corporate policies.
• Users can generate content using social media that needs to be preserved according to corporate and regulatory retention requirements – but often is not.

ABOUT THIS WHITE PAPER

The goal of this white paper is to demonstrate that social media content must be managed properly. Specifically, this means a) monitoring what employees post on social media sites and how they do so, and b) archiving relevant business records that are distributed via social media sites. Further, this white paper offers a brief overview of the vendor that sponsored it and that can address each of these issues, Actiance.

Social Media Monitoring and Archiving Are Critical

OUTBOUND SOCIAL MEDIA MUST BE MONITORED…

The inappropriate use of social media can create enormous liabilities, embarrassment and other problems for an organization. For example:

• Employees at the Tri-City Medical Center in Oceanside, California posted patient information on Facebook [x].
• A hospital employee in Hawaii with access to patients’ medical records illegally accessed another person’s records and posted on MySpace that the individual had HIV [xi].
• A West Allis, Wisconsin employee was fired for a post she made on her Facebook page claiming that she was addicted to alcohol and various prescription and illegal drugs, although the employee claimed that her comments were made in jest [xii].
• In early 2009, an employee of Ketchum, a public relations firm, used Twitter to post insulting comments about the city of Memphis shortly before presenting to the worldwide communications group at FedEx – Memphis’ largest employer.
An employee of FedEx discovered the tweet, responded to the tweeter, and then copied FedEx’s senior managers, the management of FedEx’s communication department and the management of Ketchum [xiii].
• A radio host tweeted a racially offensive comment after a basketball game between the Dallas Mavericks and San Antonio Spurs and was subsequently fired [xiv].
• The case of Blakely v. Continental Airlines [164 N.J. 38 (2000)], although decided by the New Jersey Supreme Court prior to the advent of social media, established the precedent that employers are liable for what their employees post online.

It is also important to monitor content based on regulatory guidelines. For example:

• Federal Energy Regulatory Commission (FERC) Order No. 717 requires monitoring and archiving of communications between the marketing and transmission operations of vertically integrated electricity and natural gas companies.
• Various rules issued by the Financial Industry Regulatory Authority (FINRA) require supervision of communications by registered financial services representatives.

Various US government agencies have also issued guidance on the retention and management of social media content. For example:

• The Environmental Protection Agency has published Interim Guidance for EPA Employees who are Representing EPA Online Using Social Media, requiring that “agency records created or received using social media tools must be printed to paper and managed according to the applicable records schedule in a recordkeeping system.”
• The US Department of Defense has provided formal guidance on the use of Web 2.0 tools, which includes guidance that “all users of these Internet-based capabilities must be aware of the potential record value of their content, including content that may originate outside the agency.”
• The US State Department’s official policy, Using Social Media, requires a site sponsor to be the recordkeeper for content that must be preserved long term, requiring that records “be maintained with related records or managed through an acceptable records management application.”

The National Archives and Records Administration (NARA) continues to refine policy regarding the retention of social media communication. An October 2010 NARA bulletin explains that “Open and transparent government increasingly relies on the use of these [Web 2.0] technologies, and as agencies adopt these tools, they must comply with all records management laws, regulations, and policies.
The principles for analyzing, scheduling, and managing records are based on content and are independent of the medium; where and how an agency creates, uses, or stores information does not affect how agencies identify Federal records.” [xv]

…BUT INBOUND CONTENT IS JUST AS IMPORTANT TO MONITOR

However, outbound threats are only part of the problem that social media can pose. Because Twitter, Facebook and many other social media sites have become a haven for hackers, malware authors and other criminals, organizations must be vigilant to protect against threats that can enter a corporate network through social media sites. For example:

• The Boonana malware, written in Java and first reported in late October 2010, targets Macs through social media sites and operates in a manner similar to that of the Koobface worm that has been infecting Windows-based machines since 2008. Koobface has targeted Facebook users in particular [xvi].
• In early October 2010, a large-scale phishing attack against LinkedIn users delivered the Bugat malware that is related to the Zeus bot responsible for the loss of tens of millions of dollars [xvii].
• A temporary security hole in Twitter, patched in September 2010, allowed an exploit in which simply placing a mouse cursor over a malicious link would cause the user to visit a malicious or offensive site [xviii]. Thousands of users were impacted by this bug.
• A Consumer Reports study found that 1.8 million computers had been infected by applications downloaded through a social media site [xix].

OTHER CONSIDERATIONS FOR MONITORING SOCIAL MEDIA

In addition to the obvious outbound and inbound threats posed by social media, there is also the issue of managing users’ identities when employees and other representatives of a company post content to a social media site. This issue is focused primarily on two key concerns:

• Employees can establish for themselves any available name on a social media site and use it to post content either officially or unofficially. This results in a company losing control over naming conventions and the identities of individuals purporting to post content on the company’s behalf. To specifically address this issue for financial services firms, the FINRA issued a statement in Regulatory Notice 10-06 [xx] that “[regulated] firms must have a general policy prohibiting any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision.”
• A related concern is that employees posting content on behalf of their employer can maintain the same social media name once they leave the organization.
However, the lack of enforceable naming conventions means that the outside world has no indication that the employee has changed employers, thereby leaving employers vulnerable to a variety of posts long after an employee has left an organization.

SOCIAL MEDIA CONTENT MUST ALSO BE ARCHIVED

While social media can create problems for individuals and employees if content is inappropriate, at least some social media content – that which contains business records and other content that may have evidentiary value – must be retained based on various retention guidelines. For example:

• FINRA Regulatory Notice 10-06 [xxi] states that “every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.” This notice requires pre-review of static content, the supervision of dynamic content and the supervision of customer complaints sent in social media.
• The State of Oregon has established a policy that “social media posts are public records. That means they require you to retain them.” [xxii]
• Similarly, the State of North Carolina has concluded that “[social media] posts of the employee administrator and any feedback by other employees or non-employees, including citizens, will become part of the public record.” [xxiii]
• FERC 18 CFR Parts 35 and 284 require the retention of various types of records for five years and FERC Part 125 establishes specific retention periods for the records of public utilities and companies affiliated with them. While these regulations do not specifically call out retention of social media content per se, even a conservative reading of these requirements would dictate preservation of relevant social media content sent by energy and related companies governed by FERC.
• In the case TEKSystems, Inc. v. Hammernick, the plaintiff is suing based on its allegation that the defendant violated several agreements after leaving the company by using her LinkedIn account to contact a number of employees of the plaintiff [xxiv].

Today, driven by FINRA and the Securities and Exchange Commission, the financial services industry is the key driver for archiving social media content – for the most part, other industries have yet to establish detailed and thorough guidelines about the archiving of this content, although the government and energy sectors are close behind. The financial services industry’s focus on social media archiving is part of its long term focus on electronic content archiving which began with email in 1997 and instant messaging in 2003.

That said, other industries will clearly follow the lead of financial services, government and energy and will establish detailed guidelines on social media archiving.
However, any public or private company, regardless of industry, must establish retention guidelines to ensure that it is retaining business records in social media for the appropriate length of time. Social media, as with any business record, must be retained to demonstrate both to courts and regulators proper diligence in the preservation of business content, and also to provide the ability for pre-review of business records for early case assessment and related activities.

THE BOTTOM LINE: ORGANIZATIONS ARE AT RISK

The vast majority of organizations today do not have the ability to capture relevant information from social media sites or to retain it for long periods as many do for other types of business records. Nor do they have the ability to monitor employee posts to social media sites for inappropriate content that could result in a lawsuit or quash a merger or damage their corporate reputation. The result is that organizations are increasingly at risk as the use of social media tools continues to grow. This risk is multi-faceted and includes the potential spoliation of evidence, a failure to prevent sexual harassment between employees, charges of libel and other negative consequences.

It is important that organizations retain social media content independently of the providers – in other words, don’t rely on social media providers to retain content, but instead manage it independently to ensure its retention for as long as necessary.

Although it is best practice to retain content independently, it is imperative to do so because the social media platform providers are not obligated to do this. For example, Twitter’s terms of service include “We also retain the right to create limits on…storage at our sole discretion at any time without prior notice to you.”

What to Do Next

Osterman Research recommends that any organization that is using or is considering using social media undertake a four-step process for protecting against the risks associated with its use.

STEP 1: UNDERSTAND HOW AND WHY SOCIAL MEDIA IS USED IN YOUR ORGANIZATION

IT should conduct a thorough audit of how social media is used in the organization, which tools are used, why they are used and so forth. This audit should also include a forward-looking focus on how these tools might be used in the future, how competing firms are using these tools, and new capabilities that might be employed in the future. In short, an organization should determine if it could obtain competitive advantage through the use of social media instead of making a knee-jerk decision not to use it because of security or other risks it might pose.

It is important to note that there may be a major disconnect between what IT, security or compliance perceives as a legitimate application of social media and what individual users or business units perceive to be legitimate. The goal, of course, is to balance the competing interests of both groups and derive the greatest benefit from the use of social media while still remaining compliant with corporate policies and security requirements.
This might include:

• Marketing, communications, PR teams and spokespeople who want the ability to post commentary, create events and utilize the full functionality of social media.
• Corporate users, such as Human Resources and legal staff who need to research new hires and investigate shared content.
• Regulatory compliance teams who must not only maintain records of shared content and activities, but also approve and moderate subject matter.
• Employees who utilize social media to prospect for business, network with customers and partners and collaborate with suppliers.

STEP 2: UNDERSTAND THE RISKS YOU FACE BY NOT MANAGING SOCIAL MEDIA PROPERLY

Next, it is important to understand the consequences that can result when social media content is not managed properly, when business records in social media posts are not retained, and so forth. It would be appropriate at this phase of the evaluation process to understand the potential consequences associated with not managing social media use adequately. For example:

• If business records or actionable information are sent via social media tools, management’s decision to purge this content could be seen as spoliation of evidence in a lawsuit. For example, if management decides not to preserve sexually harassing direct messages sent using Twitter, a party offended by this content that takes legal action may be entitled to access the archives of these posts as part of an e-discovery exercise and could claim spoliation in their absence. The ramifications of spoliation can be substantial and include fines and sanctions imposed by the court, the requirement to pay the prevailing party’s legal fees, attorneys’ costs for additional motions, and other serious consequences.
• If employees want to discuss work conditions or complain about their benefits, for example, employers are not permitted to interfere with these communications according to rules codified in the National Labor Relations Act. This means that employers must tread a fine line between monitoring and blocking social media for inappropriate use or sharing of content in an inappropriate way and preserving the rights of employees to share information. Further complicating the issue is the need for multinational organizations to satisfy the diverse requirements of each territory in which it operates.
• For firms in the financial services industry, investment advisers cannot be the beneficiary of a testimonial or recommendation on LinkedIn because of the potential violation of Rule 206(4) of the Investment Advisers Act of 1940 [1].
This rule makes it illegal for an investment adviser to publish or benefit from an advertisement or testimonial that deals with their conduct as an adviser.
• Similarly, registered financial services representatives are subject to scrutiny when they post content on social media sites, including monitoring of their posts and retention of their communications.

[1] http://newrulesofinvesting.com/2009/03/22/adviser-use-of-linkedin-may-violate-sec-rules/

STEP 3: IMPLEMENT SOCIAL MEDIA POLICIES THAT FIT YOUR INDUSTRY AND ORGANIZATION

The next requirement is to implement policies that will attempt to strike the appropriate balance between employee freedom to communicate via social media tools, the business benefits that will be derived from the use of these tools, compliance with industry regulations, and advice from legal counsel. Considerations for these policies include:

• Policies about the use of social media tools should be part of an overall messaging and communication policy that covers the use of corporate email, personal Webmail, instant messaging, collaboration workspaces, cloud-based storage tools and any venue through which individuals might share corporate information.
• Sufficient granularity should be included so that differing roles within the organization are clearly subject to different policies. For example, energy and securities traders may be subject to different rules about their use of social media than clerical staff, senior managers should be subject to different policies when
communicating with external auditors than when they communicate with employees, formal communications that represent a company position should be subject to different scrutiny than personal communications, and so on.
• Policies should also include a detailed discussion about appropriate use of social media tools, including requirements not to post sexually or racially offensive comments or images, not to include links to inappropriate Web sites, not to defame or slander others, not to post content that could run afoul of copyright laws, not to post personnel records or other sensitive information, and the like.
• The specific tools that can and cannot be used should be specified clearly, preferably along with a rationale for the decision. This includes the social media sites themselves, as well as the platforms on which these sites are accessed – home computers, smartphones, desktop computers at work, etc.
• Where appropriate and where possible, disclaimers should be included for communications like Facebook posts or blogs. Obviously, disclaimers will not be practical for tweets and other space-limited communication tools (unless, possibly, a short URL is included that points to a corporate disclaimer).
• Policies should clearly spell out that management reserves the right to monitor employee communication via social media, when it has the right to act on this information, and that content may be retained for an indefinite period.
• Succession planning should also be a part of social media policies.
For example, if an employee – particularly one with a large number of followers – leaves the organization, corporate policy should include provisions about whose followers those are, the individual’s or the company’s.
• Policies should also spell out the corporate reaction to and consequences of a breach of policy.

STEP 4: DEPLOY MANAGEMENT AND ARCHIVING TECHNOLOGIES

Finally, any organization should deploy technologies that will do the following:

• Monitor employee posts on every social media protocol that might be used. This monitoring may be after the fact, such as sampling employee posts to check for inappropriate content; or it might be in real time to monitor posts before they leave the organization.
• Osterman Research has found that while many IT decision makers oppose the use of specific social media tools or at least find them not to be legitimate for use in a business context, far fewer really do anything to prevent their use.
• Archive and log all relevant content that might constitute a business record and that might need to be retained. It is generally easier to simply archive or log all social media content than take the risk that some important content might slip through and not be retained, but this will depend to a large extent on the industry in which an
organization operates and other factors. A key part of content logging is to ensure that the identity of the individuals who use social media tools is clear and that content can be tied back to their corporate identity. Most organizations will want to integrate their social media archive with their primary electronic content archive. This makes legal holds, as well as searching across all electronic content during early case assessment and e-discovery, much easier and less time-consuming.
• It is also vitally important to block threats that can enter an organization through social media. This is particularly important given a) the widespread use of short URLs that offer the user no visual cues about the veracity of the link, and b) the fact that many social media tools can display content provided by individuals to whom users have not given permission to display posts. One of the key problems with social media from a security perspective is that these tools are generally less well defended than more established tools like email. Given the rapid increase in the use of many of these tools, many IT departments are scrambling to keep up with the rapid growth of social media tools, leaving organizations vulnerable to malware infiltration. For example, an Osterman Research survey conducted during May 2010 revealed that 12% of mid-sized and large organizations in North America had been the victim of malware infiltration during the previous 12 months, while 9% of organizations had had sensitive or confidential information accidentally or maliciously leaked through a social media or Web 2.0 application [xxv].

Summary

The fundamental message regarding the use of social media in any organization can be distilled down to three important points:

1. Take advantage of social media for marketing, thought leadership or other purposes, particularly during the window in which your competitors are not doing so.
2. Monitor social media content leaving and entering your organization to minimize the risks that it can create.
3. Archive relevant business content generated in social media, also to mitigate risks.

Sponsor of This White Paper

Actiance enables the safe and productive use of Unified Communications, collaboration and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1600 organizations globally for the security, management and compliance of unified communications, Web 2.0 and social media channels. Actiance supports all leading social networks, unified communications providers and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM and Cisco.

For more information about Actiance’s award-winning platform, please visit www.actiance.com.

Actiance, Inc.
1301 Shoreway
Suite 275
Belmont, CA 94002
USA
+1 888 349 3223

400 Thames Valley Park Drive
Thames Valley Park
Reading, RG6 1PT
United Kingdom
+44 (0) 1189 637 469

www.actiance.com

© 2010 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] http://twitter.com/about
[ii] http://www.facebook.com/press/info.php?statistics
[iii] http://goo.gl/Ox2ID
[iv] http://www.socialmediatoday.com/soravjain/195917/40-most-popular-social-networking-sites-world
[v] http://english.peopledaily.com.cn/90001/90776/90882/7193475.html
[vi] http://www.comscore.com/Press_Events/Press_Releases/2010/10/Orkut_Continues_to_Lead_Brazil_s_Social_Networking_Market_Facebook_Audience_Grows_Fivefold/(language)/eng-US
[vii] http://pulse2.com/2010/05/28/studivz-has-16-6-million-users-facebook-has-9-million-in-germany/
[viii] http://www.comscoredatamine.com/2010/11/twitter-sees-impressive-growth-in-japan/
[ix] http://mashable.com/2010/08/02/stats-time-spent-online/
[x] Source: Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach)
[xi] Source: Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach)
[xii] http://www.courthousenews.com/2010/05/24/27513.htm
[xiii] http://shankman.com/be-careful-what-you-post/
[xiv] http://www.huffingtonpost.com/2010/04/26/mike-bacsik-twitter-tirad_n_552532.html
[xv] NARA Bulletin 2011-02
[xvi] http://www.computerworld.com/s/article/9193720/Koobface_worm_targets_Mac_users_on_Facebook_Twitter
[xvii] http://www.bankinfosecurity.com/podcasts.php?podcastID=783
[xviii] http://mashable.com/2010/09/21/twitter-mouseover-bug/
[xix] Source: Consumer Reports State of the Net
[xx] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf
[xxi] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf
[xxii] http://oregon.gov/DAS/EISPD/EGOV/BOARD/social_networking_guide/public_records.shtml
[xxiii] Source: Best Practices for Social Media Usage, December 2009
[xxiv] http://www.chicagobusinesslitigationlawyerblog.com/2010/10/federal_lawsuit_asks_judge_to.html
[xxv] Source: Messaging and Web Security Market Trends, 2010-2013; Osterman Research, Inc.