November 20, 2013
As noted in the previous post, regulatory requirements that impact the use of social media continue to evolve. Some may argue that only financial services firms should be taking proactive steps to control the risk of social media misuse given existing regulatory mandates. Consider that:
- FINRA release 11-39 was issued back in August 2011, and outlines record keeping and supervisory requirements for social media. Comparable regulation is also in place in Canada via IIROC.
- More recently, FINRA raised the regulatory bar with its Targeted Exam Letter notice. This letter calls for periodic spot-checks that will be undertaken to examine the usage of social media by individual brokers, in order to assess whether there is any correlation with performance. FINRA-regulated broker-dealers must also provide explanations of the measures that they have adopted to monitor compliance with the firm's social media policies (e.g., training meetings, annual certification, technology).
- FFIEC: covering banks, savings associations, and credit unions, as well as non-bank entities supervised by the Consumer Financial Protection Bureau and state regulators. Regulations – currently in draft and expected to be final before the end of 2014 – would require that organizations have a documented social media policy in place, along with enforcement and employee training.
Also noteworthy within the FFIEC document is a listing of other regulations that should be considered in building social media policies. This list includes Truth in Savings Act/Regulation DD and Part 707, Fair Lending Laws: Equal Credit Opportunity Act/Regulation B3, Fair Housing Act, Truth in Lending Act/Regulation Z, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, Unfair, Deceptive, or Abusive Acts or Practices – to name just a few.
Meanwhile, in other regulated industries including Pharma and Health Care, specific regulatory guidance outlining social media record keeping and supervisory obligations continues to be lacking.
So, does this imply that organizations outside of financial services do not need to take proactive steps to control the use of social media? We’d suggest not, for 3 critical reasons:
- Within many industries there is no specific delineation between information sources. In health care, for example, PHI is PHI whether it is located in the email stream, contained within documents, or referenced in a post on LinkedIn, and organizations are obligated to control this information per HIPAA guidelines. The same can be stated within other industries where a “business record” is defined according to the value or potential risk of its content – and not the specific information type or location.
- Similarly, for legal discovery, US Federal Rules of Civil Procedure do not distinguish between specific classes of electronically stored communication (ESI). In fact, Duties to Disclose, as outlined in section 26a(A)(II), specifically note that the duty applies to “all documents…” that may be material to support or defend against a specific legal claim.
- Most recently, SEC Regulation Full Disclosure (FD) was referenced in a case involving a CEO's posting of material, non-public information. The SEC bottom line – social media is the same as any other communication channel, and its use in disseminating important company information must follow the same protocols as any other recognized “channel of distribution” to investors. (see: Netflix and the SEC)
Should you proactively control and archive social media? If you are a publicly traded US corporation that uses LinkedIn, Chatter, Yammer or other social media for business purposes, the answer is yes.