There's a lot about employee use of social networking sites that makes IT departments nervous -- network congestion, brand protection, spyware -- and when it comes to managing access to social media, compliance may take first place. Whether users access their professional or personal accounts while on the network, enterprises must not only keep a diligent paper trail but also be on the lookout for regulatory slipups that could cost a company millions.
"I think the biggest [social media compliance] issue we see companies struggling with is data retention or data leakage [after] letting people go out onto a social network and engage with partners or customers," said Irwin Lazar, a research vice president at Nemertes Research. "If there's some regulatory or legal challenge, [you must be able to] produce records."
Regulatory bodies treat social media compliance no differently from instant messaging compliance, Lazar said. But in addition to simple chat transcripts, enterprises in regulated industries will have to archive and police everything from Facebook groups to retweets, he said.
"Most of the concerns we continue to see have been around being able to just record these conversations and track them so you can produce audit trails," Lazar said.
As enterprises' marketing and sales teams eagerly adopt social networking sites as a new way to engage customers, IT departments are getting left in the dust, according to the fifth annual Usage Trends, End User Attitudes and IT Impact survey by FaceTime Communications, a unified communications security and compliance vendor.
If required by attorneys to reproduce social network communications posted by staff, 65% of IT managers could not do it, the survey reported. While 77% of enterprises said they archive emails, only a fraction (19%) logs communications via social networks; 13% reported archiving tweets.
"Most companies worry about email because they assume all internal conversations happen on email," Lazar said. "People could be sharing information they shouldn't be sharing in a public forum."
These concerns aren't hypothetical -- 71% of financial advisors, brokers or registered financial advisors surveyed recently by American Century Investments said they have one or more future business uses planned with social media. Almost half (47%) of the 303 respondents said regulatory compliance was their biggest concern when using social networking sites for business.
Internal, firewall-protected social networking tools aren't immune from regulatory scrutiny, either, Lazar said. Discussion groups on a SharePoint page, for example, need to be archived, he said.
In its 10.1 release of its social media compliance software product Vantage, FaceTime has extended its capabilities to include searching, exporting and archiving capabilities for Microsoft Live Meeting chats, Q&As, polls and handouts. The newest release will also allow administrators to control specific features for Skype in the enterprise.
"At the end of the day, all of this is … communications. The same regulations apply," said Sarah Carter, marketing manager at FaceTime.
Tools help preempt social media compliance pitfalls
The most egregious social media compliance folly Lazar recalled involved employees at an insurance company who had set up a group page for the firm on Facebook. As the group grew in popularity -- with unsupervised employees, partners and customers chatting about products -- the firm began to comprehend the regulatory risk the employees had exposed it to, he said.
"One of the biggest [social media compliance issues] we see is someone goes and sets up an unofficial group on something like Facebook or LinkedIn … without understanding what the implication is of doing that," Lazar said. "We've even seen some examples with Twitter where people thought they were having a private conversation [although it was broadcast publicly]."
Although archiving tools help IT departments meet social media compliance rules around electronic discovery, they won't thwart non-compliance before it happens.
Instead of shutting down access to social networking completely, IT departments may consider investing in appliances or software that can preempt social media compliance pitfalls. Secure Web Gateway from FaceTime, and Compass from Socialware monitor, control and record content posted through the corporate network to social networking sites.
Both solutions can preemptively control social media by enabling administrators to set and ban specific keywords that users try to post on sites such as Facebook and Twitter. Admins can also configure the products to prevent the post, notify the user it was against policy, record the incident and alert an administrator.
Earlier this year, the Financial Industry Regulatory Authority (FINRA) released its guidelines for blogging and social networking compliance, affirming that securities firms and brokers must retain records of communications on social networking sites and ban any activity that appears to recommend a particular investment.
Relying on Facebook, Twitter and LinkedIn to do the logging for you is not enough for auditors, according to Chad Bockius, vice president of marketing and strategy at Socialware, a Texas startup offering cloud-based social media archiving and monitoring tools. Aside from the users' ability to delete or modify posts, tweets expire from Twitter's search engines after a few weeks.
"Without a doubt, the No. 1 concern we hear time and time again is [social media] compliance," Bockius said. "If you are in financial services and you do not archive social media data, you will get fined millions and millions of dollars at some point."
Social media compliance: Archiving not enough
But social media compliance means more than just archiving, Bockius said. According to a Twitter compliance guide Socialware recently published, retweeting an interesting post is seen by regulatory bodies as an endorsement. Allowing users to edit and undo pre-reviewed and approved profile settings may also spell doom for social media compliance.
"It's more than archiving," Bockius said. "If you're a registered financial advisor and somebody posts a tweet that says, 'Everyone should go out and buy Dell stock' … and you favorite that with a star, that's an endorsement and you could be fined millions of dollars."
Other social media compliance blunders may not be as innocuous or quite so visible. Two nurses were fired from a Wisconsin hospital last year following allegations they had taken pictures of a patient's X-ray -- which showed an object lodged in his rectum -- with their cell phone cameras. One nurse was accused of posting the photo to her personal Facebook page, which she later deleted.
Local police referred the allegations to the FBI to determine whether this constituted a Health Insurance Portability and Accountability Act (HIPAA) violation, according to various news reports. The FBI has not released any information about the case.
Following social media compliance best practices may not be a bad idea for those in unregulated industries, either, Bockius said. School districts worried about cyber bullying may be interested in Socialware's Compass product -- a software as a service (SaaS) tool that scans, quarantines and alerts an administrator about any posts to social networking sites that contain keywords that may violate the districts' Internet policies.
"You can imagine the headline -- 'Seventh grader uses school library computer to bully other students,'" Bockius said. "And that would be a huge black eye for the CIO of that district."
Let us know what you think about the story; email: Jessica Scarpati, News Writer