A big thanks to Michael Osterman, Founder and CEO of Osterman Research, who joined us in a very informative webinar on social media last Wednesday. The session generated quite a few questions, which we felt would be good to respond to via the blog.
Responses below were provided by, and are denoted as, either Osterman Research (OR; ©2014 Osterman Research, Inc.) or Proofpoint (PFPT).
Q1. Is it better to have an all-inclusive social media policy and risk not complying with it, vs. having a more general policy?
(OR): I’m not sure it’s an either-or situation. The goal is to have a policy that will enable management to enforce best practices in order to help the organization remain in compliance with various statutes, legal decisions and corporate best practices.
Q2. Does Live Chat have to comply with the same SEC and FINRA rules as it pertains to record retention and archiving?
(OR): Yes, if the communication is with customers. FINRA rules obligate registered representatives to retain communications with customers regardless of the format or delivery mechanism.
Q3. Can you discuss the effect of privacy laws that may constrain a company’s ability to archive social media conversations?
(OR): Some nations have relatively strict privacy laws that will prevent companies from archiving social media or any other content without the express permission of the individuals whose data would be archived. For example, Germany’s Federal Data Protection Act prevents the collection of any PII without permission and requires the data holder, even with permission, to specify for how long the data will be held, how it will be used, etc. US federal and state protections are generally less restrictive, since employers are generally granted more leeway in how work-related content will be retained.
(PFPT): Additionally, FINRA is in the process of lobbying states so that carve-out provisions to privacy statutes are implemented. Such carve-outs will enable regulated firms to archive employee social media content without the risk of violating state privacy law.
Q4. Can you comment on the effect of the NLRB as it pertains to social media being accessible to outside labor relations organizations, such as unions?
(PFPT): The NLRB has been active in cases where it believes that social media policies are overly broad and restrict the rights of employees. It is important to consult with those knowledgeable regarding labor laws in those industries where the NLRB may have influence.
Q5. I can understand an organization archiving internal social media, but is it really possible to archive all the different possible uses of social media? As you mentioned, there are thousands out there.
(PFPT): Possible, yes; practical, no. You need to prioritize based upon the channels your employees are using, and choose a platform that provides flexibility to capture additional channels as their use increases.
Q6. What were the sites you mentioned as examples of data breaches through SM? I captured one, "databreaches.net", and missed the other one.
Q7. I would think that most companies are concerned about data leakage through social media and how to control it?
(OR): I’m not sure that’s the case. Decision makers may be aware of the potential for data leaks through social media, but most really are not doing much about it, such as monitoring for offensive content, data leaks or other content sent through social media.
Q8. But doesn't not archiving have an upside in legal discovery? What you don't have can't be legally provided. Like email retention.
(PFPT): Actually, courts have made clear that the absence of an archiving and retention policy does not necessarily lead to the conclusion that the data does not exist. See our recent blog post on this topic.
Q9. Would you see ad-based malware as an increasing threat?
(OR): Yes, definitely. The Online Trust Alliance has some good resources here.
Q10. How do you deal with access to social media that is through personal accounts, so that use goes through those accounts with no real corporate governance?
(PFPT): The monitoring and control of personal accounts that are used for business purposes should be addressed in policy to outline acceptable and prohibited uses. Alternatively, set up “business” social media accounts for your employees to use and have them sign semi-annual letters of attestation, stating that they will not use their “personal” social media accounts for business purposes.
Q11. What do you do about access to social media through personally owned devices like cell phones, where you can't monitor the communications?
(PFPT): Many technologies do exist, such as Proofpoint’s Social Platform for Archiving, that allow employee social media content to be captured and archived not just from the office PC, but from any PC and from mobile devices as well.
Q12. Do you have a suggested approach to reduce/eliminate the liability of a company incurred by an employee's use (abuse?) of social media?
(OR): First and foremost, establish detailed and thorough policies focused on social media use by employees when using corporate resources, as well as when employees are at work. A company may be able to extend this to an employee’s personal time, as well, as employers are able to do with morals clauses in work contracts. Clear and detailed policies are essential in order to give the employer the ability to discipline employees for policy violations and insist that they follow corporate policies, even when personal devices are used.
Q13. Is there any guidance for social media with regard to SOC1/2 or SOX?
(PFPT): Nothing explicitly defined within SOX, other than to have defined policies in place and procedures to demonstrate that they are followed. In the case of SSAE SOC1/2, no guidance, but something that can be added to the list of documented policies for annual audit if it is determined that would be meaningful to your specific stakeholders.
Q14. Employers use social media to screen applicants; what are their reasonable archiving options in light of EEOC/FTC requirements to keep documents relied upon for specified time spans?
(PFPT): As you are likely aware, there are a number of state actions pending regarding the ability to access social media as an employment screening tool. Best to monitor court decisions and pending legislation on this topic in your specific state. Some useful guidance is available here.
Q15. Have there been any corporate lawsuits at this time involving evidence from social networking sites?
(OR): There are a growing number. Here are a couple of recent examples:
- In Armstrong v. Shirvell, the defendant requested "[a] complete copy of all communications between you and the following individuals… whether it be on Facebook, in a blog, via e-mail, text message, voicemail, letter, facsimile, or anywhere else…”
- In Calvert v. Red Robin International, Inc., the plaintiff was ordered by the court to “bring all materials, electronic or otherwise, including e-mails, Facebook messages, and any other communications he has had with putative class members in this action”.
Q16. Any good templates for SM policies for the IT security side?
(PFPT): There are a variety of good resources for social media policies that can be extended to address security issues as well. An excellent resource is here.
Q17. Are these different archivers an extra cost to us if we are using Proofpoint email archiver already?
(PFPT): Yes, the Social Platform for Archiving is priced as individual modules that are provided at an additional per-seat cost, but as an existing Proofpoint Archive customer you are entitled to a discounted rate. Contact your account manager for more details.
Q18. Will Proofpoint’s social solution capture email and chat in Facebook?
(PFPT): Yes. Archiver for Facebook, which is part of the Proofpoint Social Platform for Archiving, captures and archives both Facebook Messages and Email.
Q19. Do you offer a reseller program or white label?
(PFPT): Not at this time, but we are always open to discussing possibilities here. Please contact me at firstname.lastname@example.org.
Q20. I only see platforms like Chatter/Yammer; have you considered other social platforms like Jive, Socialcast, Telligent, etc.?
(PFPT): We are constantly looking at market uptake for various social channels. One of the benefits of the model we have built is its modularity – we will be able to evolve and add new channels in the future very rapidly.
Thanks again to Michael Osterman for sharing his time and insights.
- Chris Ricciuti and Robert Cruz
Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.
Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.
Michael is the president and founder of Osterman Research. He has more than 27 years’ experience in the high-tech research industry and has spent nearly 16 years following the messaging and collaboration industries. Prior to founding Osterman Research in 2001, Michael was the Vice President of Market Research for Creative Networks, and has held senior analyst positions with SRI International and Ryan Hankin Kent.