Social media trends impacting regulated and nonregulated organizations today are at the forefront of the information governance imperative as they present unique challenges for organizations. Social media falls under the umbrella of information governance as an unwieldy data source that promises great rewards for businesses, yet it poses equally large risks for organizations. These risks include, but are not limited to, the violation of regulations that standard industry bodies issue, litigation, compliance issues, data privacy breaches, brand damage and intellectual property theft.
The trends indicate that we live in an era in which ignoring, blocking or constructing too strict a social media policy will put an organization at a competitive disadvantage. Social media rivals email in usage frequency and volume in many industries as an increasingly preferred communication method. This user-driven preference is not something organizations can control, but it is something they must adapt to as market and generational behavior largely dictates the flow of information.
The primary challenge in managing social media is that many platforms exist outside of organizations’ firewalls in the cloud, leaving organizations somewhat helpless without the aide of technology to collect and monitor exchanges among employees, one another and consumers. Organizations without properly constructed, implemented and communicated policies are at an even greater disadvantage in managing the proliferation of social media content.
Social media is by definition a collaborative animal. Although there are many benefits to using platforms that have a business function in the form of software as a service (SaaS), they also contain proprietary and confidential information that enterprises must retain the ability to control. Many organizations have engulfed social media as a business process without paying proper attention to this fact. Consider Salesforce or LinkedIn and the proprietary information these sites contain, yet organizations may not be sure how to retrieve or manage this information if necessary. SharePoint is another example of social media within the organization that has become a business process, resulting in increased archiving for discovery purposes.
Employees are ducking in and out of these sites as they work on a constant basis for both professional and personal reasons. This has resulted in organizations needing to include social media as a source in their document retention policies and to examine how employees are engaging with social media in order to control the abovementioned risks. The reality is that many have not incorporated social media use into a mainstream retention policy and have not designed sufficient training for employees.
Social media has blurred the lines on what defines a business record as many work-related topics are discussed in the social stratosphere. In the case of regulated industries, like financial institutions, trepidation surrounds disseminating advice and conducting transactions. Financial services companies that the Financial Industry Regulatory Authority regulates are the prototype of an early adopter of the archiving and monitoring of social media. This was driven by the proactivity of regulatory bodies in the financial industry in forming their requirements, coupled with the high stakes at play in financial transactions.
Other verticals that must manage highly sensitive information, such as the health care industry, are also up against serious concerns about private patient information escaping into the social stratosphere. This can expose organizations to litigation and data privacy breaches, which are both enormous liabilities with potentially damaging consequences. Nonregulated industries may not have these same requirements imposed upon them, but the same risks are still present.
It is becoming a matter of course that social media is discoverable in employment law given the recent case EEOC. v. Original Honeybaked Ham Co. of Georgia. In this case, as others that preceded it, discovery of social media was granted to the extent relevant information could be found. The judge in this case was appreciative of privacy concerns, and went on to establish a system of reviewing, via a forensic expert to a special master, the following: text messages, all social media websites accessed, and access to all email accounts and blogs during the time in question.
Given this trend, it is safe to assume that the same will be true in the context of criminal law, intellectual property litigation and other complex commercial cases. If an organization is regularly using social media in the course of business, social media will be treated like email for the purposes of discovery. According to X1 Discovery, there were more than 320 published cases in the first half of 2012 that considered social media in discovery. Although a good portion of these cases do involve employment law, the number of cases outside that purview is growing.
Organizations can take control by reviewing the user habits of their employees, integrating document retention policies considering social media as a data source, and investing in technology that can assist in unifying communication. Unified communication platforms provide granular security, management and compliance features for unified communications. This approach enables an organization to set a policy and propagate that across multiple communications modalities, and it provides for the addition of new communications channels. Capabilities also include blocking sensitive information leaving the company and stopping it before it does.
Other important capabilities to consider in a solution to assist in controlling social media include: audit reports for defensibility of process, the ability to conduct real-time content inspection and the ability to archive for all communication channels. Discovering this information becomes easier when platforms are unified and an organization has in-house e-discovery capabilities that can evaluate a multitude of data sources in context of a matter.
The next steps for organizations to take control of social media usage, while leveraging the rewards and mitigating the risks, are simple:
- Understand the platforms employees are using, and evaluate the risk and reward of each platform employees have access to with corresponding policy and actions
- Review document retention policies to include social media
- Provide training to employees
- Audit this process and check back to refresh policies to ensure the implemented technology is accomplishing the organization’s goals with measurable statistics
- Consider inserting into employee agreements the right to search social media for cause. Although the expectation of privacy in the U.S. and the social media user agreements clearly put individuals on notice that their social media usage may be discoverable, an agreement will enhance this knowledge
- Although many of these activities may require additional consultation, many of them can be performed in-house with a committee of the proper information governance stakeholders