Social media regulations and compliance: What enterprises should know

Nick Hayes of Forrester Research details social media regulations and compliance issues, including five compliance areas that enterprises must manage.

In a fairly short period of time, social media has become an essential element of business success. Today, organizations commonly build strong presences on Facebook, Twitter, LinkedIn and elsewhere.

In fact, most large organizations maintain at least 10 Facebook accounts (with many having more than 200), and 90% have a presence on Twitter. Facebook isn't even 10 years old, yet it and countless other social networks have fundamentally changed the way that people interact with brands, communicate, build relationships and share information. Needless to say, social media is here to stay. Companies that choose to remain on the sidelines could find themselves at a competitive disadvantage and, worse yet, mired in costly legal and regulatory conversations that slow down operational efficiency.

It may sound controversial to call social media nascent given its current pervasiveness, but the industry is in its infancy from a legal and regulatory perspective, and the complexities social media has introduced into the business environment challenge every organization today. Complicating matters further, there are vast differences in functionality and cultural expectations for how to use these sites both personally and professionally. For example, Germany makes a distinction between private social media (Facebook and Twitter) and business social media (LinkedIn). It should come as no surprise that regulators and companies around the globe struggle to set and enforce appropriate compliance guidelines for social media activity.

In this tip, we'll advise enterprises on how to navigate the various social media regulations and compliance issues they may face now and in the near future.

Questions around social media

At the core, the issue that arises from using social media in a business setting is that it alters the way we present ourselves, merging our roles as people, professionals and consumers. As we share more of ourselves on a growing number of platforms, questions quickly surface around appropriate social media behavior. For example, how frequently and on what social networks should we post? When should we present ourselves in our professional role and when should we share our personal opinions? Is it OK to be social media friends with co-workers, clients or your boss?

These are complicated questions for individuals and absolute conundrums for organizations concerned with how employees behave and interact with others inside -- and outside -- of the workplace. Enterprises face even more complicated questions concerning how they can control social media usage. Can organizations dictate how their employees use social media? Can they monitor social media conversations or use them to learn more about prospective job applicants? When does the personal connection allowed by social media tools cross the line from business to personal?

In an attempt to address such questions, regulators and government bodies are revising specific guidelines, regulations and laws relevant to social media management and oversight. Forrester Research has identified more than a dozen regulations in North America and Europe that have direct implications for how organizations manage social media, including the National Labor Relations Act, the Financial Industry Regulatory Authority's (FINRA) Regulatory Notices 10-06 and 11-39, the Federal Trade Commission's (FTC) updated .com Disclosures guidance, the Federal Financial Institutions Examination Council's (FFIEC) proposed "Social Media: Consumer Compliance Risk Management Guidance" and the proposed European Union General Data Protection Regulation. To add to this compliance complexity, new rules from the U.S. Food and Drug Administration and other regulatory agencies are likely on the way.

Funnel focus to five areas

The complex compliance environment surrounding social media is expected to become even more complicated over time. So how can organizations navigate this tricky landscape? My colleagues at Forrester and I maintain that there are five common categories of requirements that organizations must begin addressing today to ensure that their social media efforts don't run afoul of compliance regulations. Let's discuss each briefly.

Data protection and privacy. Discussions about privacy and appropriate personal boundaries flare into heated debates today; two recent examples are the kerfuffle over the National Security Agency's PRISM program and the EU's deliberation about the "right to be forgotten." The rise of social media is in large part to blame for this growing controversy, as people are willing to share more and more information about themselves in largely public forums. At the same time, firms are investing in advanced technology to mine this data and convert it into actionable business intelligence. To avoid potential conflict, organizations should evaluate how they collect social media data and work to clearly address their intentions in a public way, such as through their websites' public privacy policy statements.

Employee rights. Approximately two-thirds of U.S. and EU Web-connected adults are accessing social networking sites regularly. This means that employees in virtually any industry are likely to use social media in some form, which drastically increases a company's exposure to potentially negative branding and reputational events. For example, consider the unappetizing picture of a Taco Bell employee that recently appeared on the company's Facebook feed. To address these concerns, organizations can adopt policies to guide employee use of social media in some form. However, they must be careful that these policies don't conflict with country or state privacy laws, or other labor laws. In particular, companies should be wary of how they monitor employees, restrict behavior through their corporate social media policy, and gather information for recruiting and hiring purposes.

Disclosure and third-party endorsement. A difficult issue posed by social media is how to communicate sensitive, often complicated messages with limited words. Twitter restricts messages to just 140 characters, for example, but organizations that need to comply with the FTC, Food and Drug Administration (FDA) and other disclosure requirements must ensure that all social media messages meet strict specifications. What is considered acceptable practice depends on the specific regulation and how it deals with certain aspects of social media usage. For instance, how long can a post remain on an account before it's considered an endorsement? The FTC's guidance is less prescriptive and more about overall intent, leaving it to the commission to judge on a case-by-case basis. The FDA, on the other hand, has provided little guidance specific to social media, often leaving its corporate constituents wary of pursuing an aggressive social media strategy. Any organization that is planning a push into the realm of Twitter, LinkedIn and the like should become familiar with the specific social media regulations and compliance challenges that pertain to its company and industry.

Governance and oversight. Employees across organizations are leveraging social media to deepen customer relationships, improve team collaboration and strengthen lead-generation efforts. In fact, Forrester has found that career-driven information workers are almost twice as likely as the rest of the workforce to use social media for business purposes. Considering these statistics, firms are increasingly allowing employees to use social media for business purposes, but regulators in some industries (FINRA and the FFIEC in financial services, for example) now want to see that organizations develop proper internal procedures and controls to ensure they manage the associated risks effectively.

Information archiving and retention. Social media also presents new challenges for organizations that are required to retain records of all business communications. Namely, social content doesn't remain static; content creators can edit or delete posts after they are published, and other posters can comment and add to the discussion as well. Further complicating matters is determining what content is considered "business" communication and when that content should be captured and archived. Forrester recommends determining the appropriate context of business communications first, and then deciding which devices and applications employees are permitted to use and under what circumstances.

Social media compliance not optional

The reality for most organizations is that social media is not receding -- in fact, it continues to grow and evolve at an alarming rate. Consumers increasingly discover and communicate with businesses via social media channels, and just as importantly, workers across many organizations enjoy increased productivity thanks to the likes of Twitter and LinkedIn. Instead of cowering from social media due to compliance fears, enterprises should take the same precautions they've always needed to in the past by focusing on all applicable regulations and putting the right governance processes in place to comply with them. Organizations that are thinking about and acting on such issues now can begin reaping the business benefits today and avoid exposing the company to unnecessary risk later.

About the author:
Nick Hayes is an analyst serving security and risk professionals at Forrester Research.

This was last published in October 2013