Posted March 27, 2014
Photo courtesy TRF_Mr_Hyde
In this blog series on social media and online monitoring, we’ll discuss five best ways for companies to address compliance regulations – and protect their organizations – while respecting employee and third-party privacy concerns.
by Tobias Losch, GLEG
Businesses have a lot to juggle these days. Detecting physical threats against facilities, employees, customers, executives, and suppliers is one obvious example. The list continues to grow with managing network security alerts and devices, preparing for sophisticated DDoS attacks, guarding sensitive IP and data against leaks and breaches, and protecting employees from social engineering attacks. Brand integrity, distribution control, phishing, and fraud detection add further to the complexity of managing online and offline environments.
Another issue that’s increasingly a concern is corporate compliance, particularly when it concerns social media. Social media usage is as widespread in the workforce as it is anywhere else in society, and therefore we expect – and see – many questions about online behavior related to employees and third parties. Harassment, discrimination, and inappropriate behavior, whether alleged or actual, are common realities in today’s world. Organizations that ignore these truths or turn a blind eye can be vulnerable to a variety of potential lawsuits.
But a legitimate interest in finding and addressing misbehavior and indiscretions needs to be counterbalanced with expectations of privacy by employees and third parties. This balance can be hard to find, but mistakes can be costly in terms of legal liability and public relations nightmares.
To assume that monitoring social media in the corporate workplace is primarily a matter of being discreet is too simplistic. Any organization, whether it is using in-house resources or a professional monitoring service, needs to be prepared to answer questions about transparency, boundaries, and overall good corporate governance: it is about being the good guy, not Big Brother.
Here are five key steps that can help you meet compliance regulations – and protect your organization – without needlessly violating privacy concerns: define your objectives, set your boundaries, strive for transparency, develop a social media policy, and consider using a third-party vendor.
In today’s blog post, we’ll discuss the first step.
1. Define Your Objectives
If you’re going to monitor social media or other online sources, have a clear understanding of what you are looking for and what your objectives are. What are your biggest concerns, from an organizational standpoint? Are you concerned about violence in the workplace? Employees accidentally posting sensitive data about an upcoming merger or acquisition? Or something unique to your business? You can bury yourself under mountains of incident reports, and drown your systems with noise, but that isn’t useful and it doesn’t mitigate the risks you might be exposed to in the first place.
To restate a popular saying, just because you can source large amounts of information, doesn’t mean you should. Moreover, being indiscriminate about what you monitor and why you’re doing it can turn you from being the good guy into Big Brother, who, incidentally, shares his initials with “Bad Bully”. Finding the right objectives is a very difficult task which is easily underestimated. It requires understanding, experience, and ongoing communication between internal teams and stakeholders.
In our next post, we’ll take a look at setting boundaries and what that entails.
The author received his legal education at the University of Göttingen (GER), practiced law previously as an attorney in Germany, and is GIAC certified for Law of Data Security & Investigations. He serves as a leader of Cyveillance’s Global Intelligence Team. Disclaimer: This blog post is a general reflection of certain topics and is not intended as a comprehensive discussion of the law. It does not constitute legal advice for any particular situation. If you need specific legal advice, please consult your own counsel.