Over the past couple of weeks, I have spent a lot of time speaking with one of my clients about social media and posts from employees and contractors that may have a negative impact on the business. And the client is right to be concerned.
Most businesses are now using social media sites to communicate with their customers, potential customers, patients, employees, and everyone in between. However, such communications can often go awry at best, and result in privacy and security violations at worst. Here are just a few examples of what can go wrong.
- A zoo employee made what was widely considered to be a racist post to her Facebook timeline that she hates serving certain types of people. The zoo responded quickly with its own online posts to mitigate the resulting backlash and loss of business.
- In 2013, a multinational telecom company posted an image and message to social media that was intended to be a 9/11 anniversary tribute, but instead appeared to be trying to commercialize the event.
- A teacher was fired for writing a racially inflammatory post on her personal Facebook page.
- Many businesses have been shamed on social media sites for their poor service and/or products, and then they turn around and try to discredit the shamers by shaming them on sites such as Yelp. In fact, research shows that 42 percent of businesses have been shamed by consumers on social media.
- A group seeking to prevent suicides raised privacy concerns by launching an app that would automatically send public tweets to other Twitter users based on words that could indicate a user was depressed, regardless of what the tweet may have actually meant. After a few days the app was suspended based on public outcry.
- Facebook performed an “emotional contagion” experiment to see how posts could affect Facebook members’ mood and psychological state, which resulted in outrage from Facebook users who discovered they were being used as study subjects without their knowledge or consent.
- In a March 2012 blog post titled Rides of Glory, Uber analyzed its ride data and revealed when, where, and often with whom its riders had spent the night.
And, of course, I could continue this list for pages.
I’m seeing an increasing number of people putting things on Twitter about their co-workers, customers, patients, and others that they think will not be a privacy concern. I am seeing a lot of doctors, nurses and others in the healthcare field in particular playing fast and loose with the information they post, believing it does not qualify as personal information (or, more specifically in the U.S., as protected health information as defined by the Health Insurance Portability and Accountability Act, or HIPAA). Whether a post is a privacy risk depends not only on the data items themselves but on the context in which they are posted, and that context must be taken into account.
It is Time to Set Social Media Rules
Of the hundreds of information security and privacy policies I’ve reviewed, very few, even in recent years, have covered social media security and privacy. As I told the client I mentioned at the beginning of this post, every organization needs to establish security and privacy policies for social media to help prevent privacy incidents and breaches that could hurt the business, employees, and other individuals involved.
Here are some of the most important social media policies to implement to establish the rules your employees must follow when putting business-related information on their social media sites. As with any policies, be sure your legal department reviews them and confirms they meet all legal requirements applicable to your particular organization prior to implementing them.
- Do not re-use business passwords for social media and other types of non-business sites. If people use their business passwords on social media websites, a breach of any one of those sites exposes the credentials an attacker could use to get into your business network.
- Do not include confidential, sensitive or personal information from the business within social media posts. This requires that your organization formally define the types of information items that are considered to be confidential, sensitive and personal information.
- Do not post statements that could be considered threatening, abusive or profane on social media sites when the employee can be associated with the business. So if your employees list your organization as their employer in their profiles, they should not post nastygrams to others. This requires your organization to provide training and regular reminders with examples.
- Do not post anything that is covered by any signed non-disclosure agreement (NDA). Check the NDAs that your employees sign to see which information is covered. If you do not ask your employees to sign NDAs, consider doing so.
- Include requirements for restrictions on what can be posted about your business by third parties contracted to perform services or provide products. You don’t want your contracted workers to post your organization’s secrets, customer information, or even outright lies about your business.
- For employees who associate themselves with the organization, ask them to include disclaimers that indicate their opinions do not represent those of the business. This could be something as simple as, “My opinions do not reflect those of my employer.” Ask your lawyer to advise the best wording. Such a disclaimer helps protect the business, not the individual, so if an employee says something outrageous he needs to know that he could still be fired. Which leads to the next policy …
- Negative, threatening or inflammatory social media posts can be grounds for dismissal and possible legal action. For example, if one of your employees calls a business client a racially inflammatory name, that would be in violation of this policy. Provide your employees with plenty of examples for other plausible situations.
- Businesses must be careful what is posted online; think about how it may be interpreted in different ways. Those who post on behalf of your business, such as for a promotion or contest, should pass their ideas through an oversight group that includes members from information security, privacy, legal, human resources and other departments to get their opinion of what risks such a post could potentially carry.
- Be aware of how your business is being talked about online. Have a position or team regularly check to see how your business is being portrayed on social media sites. There are also businesses you can hire that specialize in doing such checking for you. You can then respond according to the situation.
Do Not Do This…
Oh, and before I end I have an important recommendation for you. Never require your employees to give you their personal social media passwords. Not only is this a clear invasion of their personal privacy, but it is also illegal in some USA states and in other countries. For more on this see a blog post I did a couple of years ago that still has relevant points for today. If you still think you need to ask your employees for their social media passwords, make sure you speak with a lawyer who understands privacy laws before actually implementing such a privacy-invasive practice.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: awareness and training, change controls, Dell, facebook, Information Security, IT compliance, policies and procedures, power more, powermore, privacy, privacy compliance, privacy professor, privacyprof, program changes, risk management, security awareness, security training, Rebecca Herold, social media, toprank