Or why there's no excuse for not including that disclaimer in a 140-character Tweet.
After a meeting of the Board, the CFO of a prominent clothing retailer sent an upbeat and seemingly harmless tweet from his private Twitter account: "Board meeting: Good numbers=Happy Board." One problem: Official earnings hadn't yet been released to all investors, so the CFO's Twitter followers were now privy to insider information, and the CFO was quickly fired for "improperly communicating company information through social media."
Social media's rapid adoption and widespread use comes with new challenges for both corporations and consumers. Today, the lines are blurred between personal and work personas, work and portable devices, and work places and everywhere else.
Social media can put organizations at risk of information privacy violations, unfair competition, libel, physical security threats, and more, which for many companies spells compliance trouble. That's why regulatory agencies are taking a very active role in driving appropriate organizational social media guidelines and enforcement.
Social Media Compliance Regulations: Who's Affected?
As you might expect, financial, insurance, healthcare, and governmental organizations are those with the most stringent social media regulations. However, any company that sells goods or services must clearly define endorser relationships. Regulatory agencies state that character limits in social media platforms such as Twitter are no excuse for not providing appropriate disclosures or hashtags. Recent guidelines from the SEC state: "The words 'Sponsored' and 'Promotion' use only nine characters. 'Paid ad' only uses seven characters. Starting a tweet with 'Ad:' or '#ad' - which takes only three characters - would likely be effective." In addition, employees of brands and employees of agencies who promote content for brands must state their affiliation in each social media post.
Financial and Insurance Industries
Regulations from both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) limit the type of financial information a firm can disclose regarding particular securities and other financial instruments, and they require financial firms to clearly disclose their financial interest in any offering being promoted. For instance, employees or corporate PR agencies cannot reveal any financial information before company audits and quarterly reports have been filed with the SEC, as the example at the beginning of this article makes abundantly clear.
When it comes to insurance, FINRA and many state insurance commissioners require that financial institutions report statistical information about written customer complaints related to annuities and their life settlement products. In fact, both insurance and financial organizations must report customer complaints transmitted via social media and handle them according to established complaint-handling procedures. In addition, insurance companies must follow strict rules that prohibit potentially misleading advertising language. For example, insurance laws in many states specify words that cannot be used in life insurance advertisements (e.g.: "guaranteed," "free," "limited time only," etc.).
When it comes to third parties posting or commenting on social media pages belonging to a financial or insurance company, there are circumstances where third-party posts, even those made without the knowledge of the company, can become legally attributable to that company. This happens under the doctrines known as "entanglement" and "adoption." Entanglement is when third-party content is attributable to a company because the company was somehow involved in preparing that content, which makes the company responsible for it. Adoption is when third-party content is explicitly or implicitly endorsed by the company; it is then considered to be communication coming from the company even though it didn't originate there.
Another major compliance area for financial organizations is the archiving of communications. Financial companies must capture and archive ads and sales collateral for three years and ensure they are easily accessible during an audit. For instance, Rule 204-2(a) of the Investment Advisers Act of 1940 outlines archiving and monitoring rules for registered investment advisers (RIAs) on advertisements and more, which very much applies to how social media is used.
Then there are rules related to how private information can be used in marketing materials. Under Investment Advisers Act Rule 206(4)-1, the SEC prohibits client testimonials of any kind in advertisements. This prohibition can cause problems for companies using social and professional networking sites such as LinkedIn, because the FTC requires endorsers to disclose their material connection to any company they recommend. In addition, the SEC's Regulation S-P defines how personal information can be used (and stored) in all cases, including social media.
Healthcare, Pharmaceutical, and Medical Device Industries
In the mammoth healthcare sector, HIPAA guidelines and FDA disclosure rules have the greatest impact on social media activities.
FDA regulations concern the disclosure of the risks and benefits of healthcare products, which must always be accessible for reference.
For healthcare providers, as you have likely seen among the many forms you sign any time you visit a new health professional, it is HIPAA regulations that protect the privacy of patients.
Regarding HIPAA, it should be common sense that nothing published on social media should give any indication of the identity of individual patients, but the lines aren't always clear.
Sharing patient data with professional colleagues and professional communities via the Internet or smartphones, as well as blogging about one's medical practice, has become fairly standard procedure for healthcare providers. But if patients knew their information was being shared with strangers, even other physicians, they likely wouldn't be happy about it, even when their identifying information is hidden. In fact, small details such as location, time, and history can potentially divulge a person's identity. That's why it is essential in all cases to get permission from a patient before doing any type of online sharing about the facts of a case. Very often, this permission is requested on the forms you sign at the doctor's office.
For pharmaceutical and medical device companies, the FDA has issued "draft guidance" on how to present the risks and benefits of drugs and devices through social media. Regardless of character limits, the FDA mandates that benefit claims must be accompanied by risk information, which can be a challenge when using microblogging platforms like Twitter.
Government Agencies
Typically, each government agency, whether federal, state, or local, has its own compliance policies regarding employee use of social media. Core to these policies is that government social media accounts must only post information as it relates to the official business of that agency, and what is posted should never disclose non-public information. When it comes to government employees using personal social media accounts, as with other types of organizations, the crux lies in openly disclosing governmental affiliation in any circumstance where there could be confusion as to whether a person is sharing a personal opinion or official information, or providing any perceived endorsement.
Developing an Organizational Social Media Policy
Of course, the previous section of this article only touches on some of the regulations a company must understand and implement when it comes to social media, which is why it's critical that executive, legal, HR, and IT staff take the time to understand all of the applicable compliance regulations. But once companies know the regulations, they must integrate them into a formal organizational social media policy, and these policies also need a formal education and training plan. Oftentimes, social media policies are integrated with other employee codes of conduct and HR policies, and organizations often require employees to sign a yearly attestation of these policies.
A detailed social media policy should identify Acceptable Content Use Policies (ACUP) that outline how employees engage with social media. This covers things like unsuitable language, hate speech, malicious links, or otherwise inappropriate content.
Some elements that your organization's social media policy guide should specify include these:
- A clear distinction between personal and business communications.
- What employees are allowed and not allowed to divulge. Some sensitive topics include salaries and benefits, names of their supervisor, products in development, or even the projects they're working on.
- Whether employees are allowed to "check in" at headquarters or client locations using location-based post stamps. Many social media channels now include these location stamps in posts unless the feature is explicitly disabled.
- The types of photos and videos that can be posted and to which social media sites, for instance, limiting the posting of Vines or Instagrams from sensitive locations like security operations centers.
- What global employees can do on overseas social media platforms like Weibo and Baidu. It is also important to address different cultural expectations about privacy when posting to public platforms.
- How employees can use social media as part of their daily job, such as in marketing and public relations departments.
- The risks of using social media both at home and at work. Even the most well-meaning social media post can have devastating consequences if it violates compliance regulations.
Social media policies also need to define roles, because many departments and people have a key role to play in defining and enforcing these policies. Crucial to the definition of roles is the creation of an organizational feedback mechanism that prevents finger-pointing when there's an incident. The issue often extends beyond marketing/PR, frequently spilling into security, human resources, legal, IT, and possibly even physical security. Nearly every department has a role to play that can make or break an organization's social media policy.
Once social media policies and roles are formalized, it's critical to provide, as well as document, training efforts to ensure employees understand these policies. For many companies, social media education is part of an annual cyber safety class. Of course, extra attention needs to be given to executives and marketing/PR personnel (and agencies) whose job it is to make social media posts on behalf of a company.
Monitoring and Management
Of course, when it comes to marketing/PR, it is important to limit the authority to release social media posts to a few individuals or teams who can control, monitor, and supervise posts before release, because these teams are best placed to respond to consumer inquiries and problems as they arise. On this topic, social-sharing software tools are available that allow management to set user-level permissions for social media, restrict incoming and outgoing messaging, and let management and compliance officers review posts in advance.
Not surprisingly, one of the biggest challenges is monitoring social media and identifying actual risks and threats amid all the noise, in order to see what is coming and respond quickly. Policies will not be implemented without monitoring and enforcement.
Creating an audit trail for social media is difficult. Reports need to include activities, complaints, engagements, and analytics.
As policies are defined and adopted, you may need to consider technology solutions that automate and capture online communications. Regulations mandate that organizations archive social media posts in a way that preserves a complete representation of the original. Gaps in the archive or missing records can result in harsh penalties. As mentioned earlier in this article, financial companies are required to archive social media activity for three years.
Monitoring software can help regulated organizations rise to the challenge by automating the review of potential posts, issuing critical notifications, and archiving posts, all in a compliant way. For example, social media monitoring software typically has filters that identify and isolate unauthorized posts and notify management before the isolated posts are published. This type of software can help companies extend their compliance and surveillance capabilities to interactive networks and content by collecting data, including sorting and monitoring social network conversations.
Proactivity, Not Reactivity, Is the Key
As with other aspects of compliance and cyber security, social media is likely to remain a critical piece of the landscape on which corporate executives, IT staff, and compliance and HR departments must keep a close eye. As compliance regulations become increasingly strict, anything other than a proactive approach to social media is no longer an option for most companies.