
Guest article: Social media – risk considerations for legal professionals

by David Gaffaney, a director with the legal consulting practice, Huron Consulting Group

Social media are changing the way we network as a connected society, establishing a level of interaction that has never been possible before. People who may not have connected in the past are brought together: old friends, colleagues and sometimes near-strangers. The social benefits of these technologies are intriguing. We establish new connections, strengthen old ones, and build an extended support network. In fact, many organizations, including companies, law firms, and government agencies, have recognized the benefits of these technologies outside of the organization and are looking to use them inside as a means to further business goals.

From an external business standpoint, there are a number of compelling applications of social media technology that make it worth potential risks. Web 2.0 communities are very “sticky” and therefore are ideal for marketing purposes. Companies are capitalizing on the draw of these platforms by creating communities of interest aligned with their products or a lifestyle they want to project. For example, Nike sponsors a site that brings together like-minded individuals for conversation on topics such as exercise, health, and well-being, linking Nike products and partner products into the discussion in an understated manner. Other benefits include the ability to directly support a product online via social media tools and the ability to use social media as valuable channels for PR activities.

From an internal perspective, companies are using social media to create a sense of community for employees. Like external uses of social media, the benefits are numerous – for example the ability to leverage common work interests to find experts in particular subject matters, explicitly or through other connections. Additional benefits include increased collaboration and improved intra-office communication. And because the networks are virtual, social media connections can break down geographical barriers, establishing strong and meaningful interactions between the distant offices of your organization.

Alongside the opportunities to leverage the reach and power of these technologies, unfortunately, the use of social media also comes with a significant amount of risk. Broad case law on these topics has thus far been very limited. However, by developing a better understanding of these issues you can position yourself to best leverage the positive aspects of social media while mitigating the risks.

The first thing to do is separate internal use from external. Internal use is social media use for company purposes. It has multiple facets, which can be segregated in the following manner:

•    A closed internal implementation: This is a company sponsored and/or hosted capability for social networking, such as Microsoft SharePoint and LCS or Lotus SameTime, that exists behind a company’s firewall.
•    Extended network sites that are available to trusted partners and customers: These sites typically exist outside the company firewall, but are not available to the general public.
•    A company-hosted community of interest, such as the Nike example or a resort or cruise line hosting social networking for vacationers during their stay: This type of network is available to the general public, is directly sponsored by the company, and is hosted either on the company’s infrastructure or through a third-party partner.

External use is social media use performed by employees on their own time. They use Facebook, MySpace, and other sites to connect with others, outside of a work environment, either socially or for business purposes. External use may occur on employees’ home machines or (very commonly) while on a corporate network with a company-issued computer.

Each of these models has a different risk and retention profile.

Internal use
From an internal use perspective, the components that make social networking so powerful in a non-work context are what make it a higher risk proposition inside a company – common elements like off-the-cuff casual remarks, or non-professional opinions that are part of quick, informal communications. Remarks that can be explained in person or on the phone can look different in text. Conversation fragments can be misinterpreted when viewed out of context. All of these elements can add to a company’s risk profile as it relates to morale and reputation.

Additionally, from a legal and information management perspective, organizations are not quite sure what to do with content of this sort. Instant messaging as a technology is now pervasive in business and personal use. When it first appeared, however, companies had to act quickly to define policies around it. Our experience in the field has shown us that many organizations currently treat any instant messaging content as zero retention and scrub any logs of this information daily. For organizations that do not use this information for specific business transactions, this can be an acceptable, defensible policy. However, in a financial institution, for example, employees in regulated broker/dealer roles must have all correspondence tracked, meaning that the risks may even vary for subsets of employees.

For other media with content that has a longer life span, such as blogs, discussion boards, and internal wikis, the principles for mitigating risk are less clear and therefore raise additional issues for consideration. Content likely spans across multiple business processes and domains and therefore can have unclear retention rules or legal and compliance implications. As the owner of this data, it is the organization’s responsibility to manage it in a consistent manner. Company authored and managed blogs that are open to outside viewers have thus far been considered as marketing and communication tools, subject to the same rules of company and product promotion. These must be carefully edited to avoid landmines such as information that could be misconstrued as projections and forward-looking statements.

External use
The greatest challenges and risks come from the external use scenario, as use of social media from this perspective becomes much more nuanced. For example, in one recent case some employees of a restaurant in New Jersey set up an invite-only MySpace page to discuss their work issues and opinions of management and other workers.(1) Management observed an employee visiting the site and demanded that it be given access to read the postings. Upon reading the site content, they subsequently fired two employees. After being challenged, the firings were eventually overturned, not on any free speech grounds but because the employees were coerced into giving access, something the employer should not have been allowed to do.

The users in this case were not using a company network, merely discussing the company on MySpace on their own time. The employer still felt this was inappropriate and wanted to monitor the communications or bring them into a more productive venue. As you can see, there are risks here from both viewpoints. Should you as an employer scour social networking sites for this kind of information? Some organizations are doing so already.

In addition to worker morale and reputational risks, another important aspect of external use is the worry of the exposure or leaking of corporate proprietary information or trade secrets, intentionally or otherwise, through social media channels. In its recent study, the email archive and data loss prevention vendor Proofpoint (2) found that, in 2009, US companies experienced more exposure incidents (compromising company intellectual property) involving sites like Facebook and LinkedIn than in 2008, on the order of 17% versus 12%. US companies are also taking a much more aggressive approach with “offending” employees – 8% reported terminating an employee for violating their duty to protect company information, compared to only 4% in 2008.

Further in the Proofpoint study, it was noted that 18% of companies had investigated a data leak event, inadvertent or otherwise, via an external blog or message board in the past 12 months; 17% had disciplined an employee for violating blog or message board policies. Nearly 9% of companies reported terminating an employee for such a violation. In 2008, 11% reported these violations, with 6% resulting in terminations.

In one telling example of the recognized data loss risks, in August of 2009 the US Marine Corps (USMC) took the preemptive measure to ban all use of Twitter, Facebook, and other social media sites under any circumstances, citing concern over security and information leaks. The USMC is playing with higher stakes than most organizations but we all share the goal of eliminating the potential loss of organizational knowledge that could jeopardize an operation. Corporations are concerned about proprietary knowledge and insider information that could tip a strategy to a competitor or affect the company’s stock price.

From within the legal profession, there are growing numbers of cases where lawyers have been reprimanded for comments found on social media sites when those comments referred to active cases, judges, or other lawyers. In a recent disciplinary action in Northern Illinois, a district attorney was dismissed from her position for comments she posted on her blog regarding active cases and her personal opinion about judges’ personality traits.(3) In these cases, what one might perceive as “personal time” activity has a direct bearing on one’s occupation as a lawyer. In these cases the two cannot be separated.

Further, from an external use perspective, there are a number of challenges that impact access and usability of the content produced via social media. In a case involving a site like MySpace or Facebook, content that is not publicly viewable will be difficult to produce. Unless the requesting party is a government agency on a criminal investigation, obtaining information even by formal request from the likes of Facebook, Google, or Yahoo is likely to be nearly impossible. Generally, the only way to get at this information is through consent by the opposing party, which may be difficult in a combative situation.

Most organizations are not ready to take the extreme step of blocking all access to external social media sites, and even if this is done, organizations are only able to control access from a company-issued device on their network. A fallback solution, then, is a comprehensive acceptable use policy that governs all use of communications pathways, including external collaboration sites as well as email and texting messages. In this manner, you place controls on what type of information may be posted by an employee regarding company information, whether on a corporate network or not. Your organization may not have the ability (nor the will) to monitor any of this off-site activity as it happens. Rather, the policy is often applied on an ad-hoc basis when there is an incident and investigation activity.

A good example of this policy comes from the heavily-regulated pharmaceutical industry, in yet another case of how risks can vary among industries: A blog post outside of an official company network that has the appearance of touting the benefits of a drug could be considered as an off-label marketing or promotion activity, which must be regulated. Intentional or not, this can cause issues for the manufacturer or distributor of the drug. There are technologies being developed to scour the Internet for this type of content, which will be used by companies to protect themselves from exposure and also by those trying to catch companies at wrongdoing.

There are not yet hard and fast answers to comprehensively mitigate the risks in this evolving space. There is no official codified law for social media content; the rules, rights, and regulations are being defined piecemeal as new cases come to the courts that define another aspect of use. For content governed under the Federal Stored Communications Act (SCA), there is no requirement for public service providers located in the US to retain information for any particular length of time.  

Huron continues to follow these issues closely as more case decisions are rendered and precedent is set. The best practice right now is to establish available controls and govern the information your organization manages from an IT perspective and build a comprehensive policy around acceptable use of assets for the information you can’t control. The policy and controls will differ for the different types of social media content, but any policy must be clearly communicated to employees. Know your stewardship responsibilities for all external data, and support it with the governance, process, and technology necessary to control the information and mitigate your risk.

~ ~ ~ ~ ~

Social media are broadly understood to be technologies supporting one-to-many or many-to-many interactions, in the form of personal sites (or home pages) with interactive updates, status of online presence, discussion threads, and/or individual bulletin board postings and blogs, combined with the ability to discover new contacts through friend-of-a-friend connections and broad searching.  These interactions support strengthening and extending one’s social network.   

Leading sites supporting these capabilities include Facebook, MySpace, and LinkedIn. Blogs and micro-blogs (like Twitter) are more of a broadcast concept, allowing individuals to reach out to large masses of subscribers at the same time. Technologies like wikis support “groupthink” with the ability to have large numbers of people collaborate on a single topic (e.g., the biography of Ted Williams or the origin of chocolate). New forms of social media continue to emerge as well, with concepts like Google Wave, which combines aspects of instant messaging, blogs, and documents into a single, ever-changing entity.

(1) Pietrylo v. Hillstone Restaurant Group, USDC D.N.J. case no. 2:06-cv-5754-FSH-PS
(2) Proofpoint, Inc. “Outbound email and data loss prevention in today’s enterprise, 2009.” July 2009.
(3) Hearing Board of the Illinois Attorney Registration and Disciplinary Commission, No. 6201779