Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all: the implications of employees posting from the corporate network, the use of corporate email addresses within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may ultimately end up paying for, and many assorted other issues.
Some of my CISO and CPO buddies have found troubling statements their personnel have made, on their own time and from their own home accounts and computers, about their organizations. Some have posted sensitive information. The issues are related to information security and privacy of their customers, and are likely covered by the respective organization’s non-disclosure agreements (NDAs). The troubling thing about some of these situations is that several of the postings were made anonymously, but the information posted led the organizations to believe they were likely made by specific individuals who would be the only ones with access to the information divulged.
I started thinking about these discussions again when I read about a recent case in which Reunion Industries, Inc. claimed that anonymous defendants posted libelous statements and committed defamation through the Yahoo! Financial Bulletin Board.
Reunion Industries tried to force AOL (the ISP for the posters) to provide the identity of the defendants. However, on March 5, 2007, the judge denied the motion until the corporation presented sufficient prima facie evidence (generally, enough evidence to establish a fact which, if not rebutted, becomes conclusive of that fact) to meet the defamation standard. The court ruled that to meet the defamation standard for a corporation, Reunion Industries would need to prove actual damages.
Could your organization prove actual damages if someone posted anonymous libelous or defamatory messages? What documentation would you have to demonstrate the damage? What kind of logs do you keep to validate such damages? What would happen if someone anonymously posted a customer database to a website? What if your organization had good reason to suspect a certain person, but no hard evidence? These types of incidents are starting to occur more frequently.
As we become a more online society, with more people not only keeping personal blogs but also posting to others’ blogs, chat rooms, bulletin boards and so on, this is something to consider. Information security, privacy, legal and HR leaders need to go to lunch together and talk about the issues their organizations face: what needs to be done when information from or about their organization is posted, and what logs or other documentation, if any, exist that would help them in any subsequent court case.