April 21, 2014
Increasingly, organizations are turning to social media to market, sell, and maintain brand. But how can a regulated organization take advantage of social media while maintaining regulatory compliance? The SEC, FINRA, the FFIEC, HIPAA, and other regulatory bodies have either issued guidance covering the use of social media or have interpreted existing rules so that they can be applied to social media.
This post will discuss how to use Facebook and Twitter while maintaining regulatory compliance.
Given that social media is only recently seeing broad enterprise adoption, it has taken some time for regulators to catch up, but that situation is changing rapidly:
- An advisor was charged by the SEC for offering $500+ billion in fictitious securities through various social media sites. In addition to being charged with fraud, the advisor was also charged for failing to maintain proper social media records.
- A broker that used social media to present equity index annuities favorably without disclosing the associated risks was suspended for 20 days and was fined $10,000 by FINRA.
- A broker was fined $5000 and was issued a 10-day suspension by FINRA when he defended a company's stock on Facebook. The broker's employer also forced him to resign from his position.
So, how best to avoid the potential sanctions and fines that could stem from improper use of social media?
Facebook, Twitter and how to Maintain Regulatory Compliance
The examples above illustrate the importance of crafting a solid social media policy that outlines exactly what employees should and shouldn't do when it comes to social media. There are many steps in this process that will be the subject of future posts, but (here is a great resource that lists the social media policies)
Once an airtight social media policy is in place and your employees are properly trained, you can turn your attention to the common regulator investigative task of determining “who did what when”.
Which brings us to the critical importance of archiving your employees' social media content in its native format so that you can answer the “who said what and when” question when the regulators ask.
Given the differences in each social media channel, it is important to consider each site's features, in order to determine what needs to be archived.
Take Facebook, for starters. Facebook contains wall posts, your comments / likes and 3rd party comments / likes, personal profiles, business pages, group pages, messages and email, photos and galleries, and notes, all of which need to be captured and archived. Moreover, it's important to note that you should capture Facebook content not only for your employees, but also for external folks that communicate with your employees on Facebook.
Take, for example, a wall post that an employee creates on Facebook. As 3rd parties comment on or like that post, it's critical that you capture and archive that content as well, preserving the full context of a Facebook communication.
As another example, Facebook has built-in messaging capabilities that allow the employee to communicate in a method akin to email or instant messaging. These communications should be captured and archived as well.
How about Twitter? Twitter includes tweets, re-tweets, your tweets re-tweeted by others, mentions of you by others, direct messages, backgrounds and bios; once again, all of which should be captured and archived. Like Facebook, this is true of employee-generated content as well as for 3rd party content.
For example, if an employee tweets to his or her followers, it’s necessary to capture and archive 3rd party replies to those tweets. And in addition to replying to your tweets, 3rd parties can re-tweet your tweet to their followers. These 3rd party re-tweets should be captured and archived as well.
Twitter also provides the user with the ability to send direct messages to other users on Twitter’s site. Similar to email, these communications should be captured.
Regulators are catching up with organizations that are using social for a variety of business-related purposes. They’ve issued proper use guidelines and have levied sanctions and fines for misuse. In addition to proper social media policy, capturing and archiving social media content to answer the “who said what and when” question is critical. The need to respond to regulatory requests in a timely and complete manner is no different with social media than it is for email, so be sure to have a comprehensive solution in place before you roll out social media to your employees.
The Proofpoint Social Platform for Archiving
Proofpoint Social Platform for Archiving allows organizations to employ policy-based controls to capture social content so that it can be managed as any other critical information asset. Proofpoint captures social conversational content, by converting user content to email form in real-time, ensuring you remain compliant with your regulatory obligations.
To learn more, visit: http://www.proofpoint.com/products/archive-governance/social-platform/index.php
- Christopher Ricciuti
Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.