Only half of companies have usage policy for social networking, while policing of online activity raises legal and moral questions
Corporations are starting to embrace social networks and new media technology as tools for communicating with various stakeholders. These new technologies present clear advantages for companies, especially for marketing, sales and investor relations departments, but as organizations adopt new communication mechanisms, they also need to consider some serious risks.
We have seen already how CEOs using blogs or Twitter can risk getting themselves into hot water – witness Whole Foods or Ruby Tuesday. But senior executives misunderstanding or misusing communications may be only one problem area; rank-and-file employees could pose a greater danger. An August survey by the Society of Corporate Compliance and Ethics shows that many compliance officers and even IT security departments are still looking at simple issues like employee use in the workplace, exposure to computer viruses and inappropriate comments made online.
The survey shows that there is no consistent approach to policy making or monitoring. Only 50 percent of all respondents have a usage policy; among those, the levels of formal monitoring vary greatly. ‘While some firms have set out a specific policy for their employees’ online social networking activities, half have not,’ the study states. ‘Monitoring tends to be passive more than active, even though a quarter of respondents say their employer has had to discipline an employee for activities on Facebook, Twitter or LinkedIn.’
As understanding of the pervasiveness of the technology grows, so too does the realization that social networking is a legal wilderness. Beyond simple disclosure breaches and reputation damage, there are far more subtle risk factors that few compliance officers or general counsel have completely come to grips with.
Orrie Dinstein, chief privacy leader and senior counsel for intellectual property at GE Capital, admits the use of social media presents some upsides but stresses that there are many more potential downsides. Intellectual property is among the better-understood risk areas, he says. One of the biggest issues with employees posting information online is the question of ownership, and recent years have seen several disputes over who owns copyright and intellectual property rights for online content. Despite fighting for several years, Facebook has recently admitted that it does not own the content its users post online.
Then there is the issue of data leaks. Online postings are not very secure: it is disturbingly simple for an employee to inadvertently post customer data or other sensitive files. Often these files are posted deliberately, not for negative reasons but so they can be shared with colleagues.
Potential brand damage is another challenge. Dinstein did a simple search for his firm on LinkedIn and found hundreds of groups and pages with unauthorized use of GE’s logo. Many were not malicious or for profit; the logo could be used for an employee sports event, for example. ‘But most companies want to maintain control of image and brand, and this can get out of hand really fast,’ says Dinstein.
People can do foolish things that have a devastating impact on corporate reputation; the Domino’s Pizza incident where two employees posted footage of themselves defiling a customer’s food and the United Airlines baggage handler filmed deliberately smashing a passenger’s luggage were both marketing nightmares. And it is near impossible to prevent situations like these.
Not recommended
Perhaps one of the least understood risk elements is the HR legal risk associated with services like LinkedIn. ‘Consider a situation where an HR manager recommends a friend, who also happens to be a colleague, on LinkedIn,’ says Dinstein. Often these recommendations are given quite lightly, and the people giving them may not give them another thought. ‘They think they are doing their colleague a favor, and they are – in more ways than one,’ Dinstein explains. It can have a follow-on effect on, for example, an employee evaluation.
This is an area many firms have never even considered writing a policy for. It would be relatively simple to restrict this type of usage at work, but very hard to prevent or control how an employee uses a service like LinkedIn while at home. This debate raises serious challenges for legal and compliance staff. The first is policing: can you monitor employee email at work? Yes. What about personal email sent from the office during work hours? ‘Some companies do, but it is riskier,’ says Dinstein. Personal email sent from home? Probably not. Employee posts to blogs or personal accounts like Facebook? ‘This is a tricky one, but I would say probably yes, you need to cover it in your policy.’
The legal and moral issues need to be discussed when forming a policy, and then the practicalities need to be considered. Just because you can monitor something, doesn’t mean you should, or even want to.
Monitoring is one thing, but what do you do once you have the information? What happens if you see on Facebook that an employee was drinking at the beach when he/she claimed to be ill? Can you fire that person? Should you have that information in the first place? ‘It is an interesting and confusing legal and moral situation, and one that requires some high-level consideration and conversation,’ says Dinstein.