Allowing Wall Street a privacy law exemption is crazy! Why, you ask? I’m happy to explain. In March 2012, I wrote “6 Good Reasons NOT To Ask for Facebook Passwords“. Since then, legislation prohibiting employers from requiring access to the protected areas of their employees’ social media accounts has been introduced or is pending in at least 35 states. Three states–Arkansas, New Mexico and Utah–have enacted such legislation so far in 2013. California, Illinois and Maryland enacted laws in 2012 placing various restrictions on employers demanding access to employee social networking sites. Without laws prohibiting such demands, many, if not most, employers will do whatever is legal if they believe it is in the best interest of the business. So, these protections gave millions of workers a bit of relief, knowing they would not be forced to show their employers the contents of their personal, non-business accounts.
So, I was surprised to see an article last week describing how the Financial Industry Regulatory Authority (FINRA) was pushing to get access to the non-public (per settings) posts to social networks, such as Twitter, Facebook and others. The heart of the story:
“FINRA and the Securities and Exchange Commission require broker-dealers to keep records of all business communications. To help employers abide by these rules, FINRA has asked lawmakers in around 10 states to amend legislation to enable securities firms to monitor “business communications over a social networking site”.”
Oh, the FINRA spokesperson did some really great spin in telling CNN “that the watchdog does not want firms to be able to routinely monitor employee accounts or have access to login details, only to have the power to ‘follow up on red flags’”, didn’t he?
Interesting, since an exemption from the laws would generally permit exactly that type of routine monitoring and collection of login details. Good grief; the increasing frequency of such employer demands is what led to these state laws in the first place!
(Image from http://www.psychicdonut.com/wp-content/uploads/2011/08/Intentions.jpg)
Throughout history the best of intentions have often led to bad results, and significant negative impacts on others.
Here are a few really important points to keep in mind:
- There are legal requirements to keep records of all “business communications.” A personal, non-business social network account is *not* a business communication path. In fact, if you look at the corporate social media policies that have been enacted, you will likely find most explicitly state that personal social media accounts must not be used for business communications.
- The request to exempt the companies from the laws allows them to then start doing *exactly* what the FINRA spokesperson said that they do not want the firms to be able to routinely do! Really, what great spin! “We want to do X for the good of investors. However, we don’t actually want the businesses to really do X.” He sounds conflicted.
- There are already ways to investigate insider trading, as well as other types of insider fraud, which could be occurring within personal accounts. You get a warrant for that, or take other appropriate actions.
- Businesses of every type can already access whatever their workers post to the publicly accessible areas of social media sites. In fact, if there are suspicions or red flags about a specific employee, a business should start by looking at such publicly available online information. No exemption from the laws is needed to do this today.
- If we allow such exemptions and subsequent access for the reasons of protecting a financial organization and their investors, then what’s to stop other industries from wanting to do the same? And then, why not allow employers to access employees’ personally owned computers and other computing devices, for the same reason? Slllllliiiiiippppppppery Sllllllllllllllllllope indeed!
Wait! If a company gets a tip that an employee is emailing insider information out of the company, it must and should follow up with that employee’s email to protect all little investors like me from the fraud on the market! Why should the employee be protected from investigation if the messages are sent through Facebook or Twitter?
Businesses already have a right to monitor their own business communications. That hasn’t changed. Allowing financial firms to be exempt from laws banning employers from monitoring *non-public personal* social networking sites is much broader than investigating a specific individual suspected of insider trading. For such instances of suspected inappropriate communications or abuse of access, there are already ways that a valid investigation can occur without impacting everyone else, such as through warrants to get access directly to the suspected employee’s social media account. Such action also maintains accountability for the employer’s actions while it has that type of access. With a blanket exemption, employers have basically been given an accountability-free way to access the personal, non-business social network accounts of employees.
Good intentions are not effective controls
While it would be nice, if it were possible, to trust current management intentions to protect the privacy of all employees within an industry, trust is not a dependable control. The greatest expectations of goodwill always fall short, and there will be many who see an opening and then demand far more from their employees than any insider trading investigation or follow-up on red flags could require. History has demonstrated this thousands of times.
Providing an exemption from existing and emerging social media monitoring privacy laws to financial organizations, or any other industry, to monitor employees’ online activities that are not publicly available will subject all of the associated employees to such monitoring. The FINRA spokesperson gave good spin about not wanting “firms to be able to routinely monitor employee accounts or have access to login details, only to have the power to ‘follow up on red flags’”, but an exemption from the laws would directly give them the capability to routinely monitor all accounts; nothing would prevent them from doing so.
Experience shows some managers will do whatever they can get away with
I know from building the information security and privacy program at a large financial and healthcare insurer throughout the 1990’s (with hundreds of managers across 10 different business lines) that many managers will want to do whatever they are not legally prevented from doing. Back in the 1990’s, when managing the information security area, I routinely had at least one, and often more, weekly requests from managers to look at an employee’s emails on the business email systems... and that was when very few people were on the Internet and very few were using personal email addresses beyond CompuServe and AOL. A large percentage of those manager requests were not for valid reasons, but were based on other personal and emotional issues. Throughout the past 13 years I’ve seen that this is still the case with a large portion of the business managers within my wide variety of clients, and those I speak with at conferences and other professional meetings. I agree that in most cases they are not simply snooping, but they are looking based upon motivations that are not related to valid financial-fraud-related red flags.
There can be compensating controls to allow such access when needed. But I don’t see that exempting financial organizations specifically from laws prohibiting employers from demanding employee social network passwords, or from requiring employees to show them their social network sites, has any type of mitigating influence. Employers already have other ways to address such red flags and to access the information they need, if such a situation arises.
Allowing financial organizations to require employees to give their employers full access to the non-public portions of their social networking sites, to be inspected on an ongoing basis in case one, or even a few, of the millions of employees this would impact might do something wrong, is completely backwards. It is also a slippery slope leading to yet more invasive surveillance using the same type of unfounded justification. Instead, FINRA should think of a way that would responsibly and reasonably allow financial organizations to address red flags.
Why is wholesale exemption justified?
It would be interesting to know the actual risk of insider trading through social networks:
- How many people have been caught doing insider trading via their non-public social network accounts?
- How many of the insider trading cases have involved the managers (that would be doing the monitoring) as opposed to the actual employees (who would be the monitored)?
- What percentage of the entire population of financial workers does this represent?
- How much impact did any such activities actually have on the institutions and investors?
Versus:
- How many workers have been negatively impacted to date by the actions of their employers in response to social networking posts?
The answers to the above will continue to change as social network activities evolve; such evolution will be interesting to see.
A better approach
It would be more reasonable to require financial organizations to implement social media use policies, along with associated training and ongoing awareness, that outline the expectations for employees with regard to what they can and cannot communicate about outside of the organization (which would include rules against posting business information to any social networking site in any way), and to make clear that, if there is reasonable suspicion of insider trading or any other type of information leak, the organization will pursue a warrant or other lawful process to obtain access from the social network.
Really, they should already have such policies and training anyway.
Wholesale exemptions to privacy laws for business sake is not the answer
The FINRA request is an over-simplistic, far-reaching request that looks like an idea that was the first and only consideration they had to address a [potential? active? growing?] problem.
If all financial organizations under FINRA had an exemption from the privacy laws, then they would gain the ability to routinely monitor employee accounts and to have access to login details. Those kinds of employer actions are what prompted these laws to come into existence in the first place. There are better solutions than simply saying financial institutions need an exemption from such laws, more of which are being considered and passed.
Why open up the surveillance doors, and exempt privacy laws, without demonstrated risk and with no associated oversight?
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: audit, awareness, breach, compliance, data protection, e-mail, electronic mail, email, employees, employment, exception management, facebook, FINRA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, insider threat, insider trading, IT security, job applicants, messaging, midmarket, monitoring, non-compliance, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, Red Flags, risk, risk assessment, risk management, security, sensitive personal information, social media, social network, SPI, surveillance, systems security, training, twitter, walk through