Threat Intelligence Blog

Posted April 22, 2014

By Camille Stewart

Proofpoint hosted an excellent webinar a few weeks ago on “Tweets, Feeds, & Chatter: Social Media and Regulatory Compliance in 2014”, which I’ve summarized here. Presenter Nick Hayes, an analyst at Forrester Research, discussed a number of regulatory pitfalls companies should be aware of as they navigate this challenging landscape.

As Hayes stated, “Social media is pervasive, but complex.” Embracing social media is a given for most companies and employees these days, but organizations must engage with it in a way that does not put the company at risk. According to Hayes, “the most productive people at your company use social media, even in the most heavily regulated industries.” Social media is clearly a phenomenal and useful tool, but how do you govern it effectively?

Often the law lags technology, but regulators are catching up where social media is concerned. The Financial Industry Regulatory Authority (FINRA), the Food and Drug Administration (FDA), the Federal Financial Institutions Examination Council (FFIEC), the U.S. Securities and Exchange Commission (SEC), and the European Commission, to name a few, have all developed regulations for social media use. Expectations vary by industry and geography, but it is clear that companies need to be aware of the requirements and how to address them. For example, the recent FFIEC guidance reminds financial institutions, including banks and credit unions, that turning a blind eye to what occurs on social media is not an option, and the FDA has issued similar guidance for pharmaceutical companies.

According to Hayes, the major issues on social media are:

1. Data Protection & Privacy

Privacy is a hot-button issue right now. Companies are scrambling to get more data from consumers to develop customized solutions (and target them more effectively with marketing messages). Consumers, in the meantime, have become increasingly concerned with privacy but still expect personalized experiences. Companies need to understand each platform’s privacy policy and terms of service to keep up with the ever-changing avenues for data exposure. Determine what data the platforms collect versus what data you collect, and make it clear what you will do with it. Be as transparent as possible so consumers can trust you.

2. Employee Rights

The National Labor Relations Board (NLRB) has made social media policies and their enforcement a focal point for the past few years. Social media policies must not violate an employee’s rights under the National Labor Relations Act (NLRA), most notably Section 7. Make sure employee monitoring abides by all applicable legal standards, is not overly pervasive, and is clearly outlined up front. Employers must also be wary of potential claims arising from the use of social media in employment decisions such as hiring and firing.

As we have addressed in our recent blog series, “Social Media Monitoring and Compliance: Five Best Ways to Navigate Complexity in the Workplace”, and in our Social Media Policy Guide, it is important to, among other things:

  • Make sure your social media guidelines are specific and include examples
  • Clearly define parameters for employee monitoring
  • Not ask for employee login credentials
  • Address employee use of social media during non-working hours for work-related purposes without prior approval
  • Reference other relevant company policies
  • Make sure you keep policies up-to-date as this area of law is ever changing

3. Disclosure, Third-Party Endorsement and Promotions

Make sure all social media disclosures and endorsements are “clear and conspicuous” according to the Federal Trade Commission (FTC) standard and abide by SEC disclosure regulations. Promotions and contests should be clear and complete, should not be structured so that they could be considered a lottery, and should meet the guidelines laid out in a myriad of state and federal laws. Educate staff about these obligations to combat inadvertent violations.

4. Governance and Oversight

Have a consistent and clear way to oversee policies, monitor use, and provide supervision. Give authority to specific people or departments to create social media accounts for the company. State clearly who owns social media accounts used for company purposes. Establish a regular training requirement that focuses on your social media policy and general cyber safety awareness.

5. Information Archiving and Retention

It is important to recognize that the information distributed in quick bites via social media may be an essential part of e-discovery. Retaining and archiving all of this information presents a unique set of challenges because of the variety of post types, the ability to edit posts after publication, retweeting, commenting on posts, and the immediate nature of these bits of information. Organizations should treat social media like any other form of electronic evidence under the Federal Rules of Civil Procedure as well as any relevant agency regulations. Review your record retention policy and your existing archiving capabilities to determine whether social media can be adequately archived.

As a legal, security, or compliance professional, you shouldn’t be afraid of social media. It is an excellent tool to promote consumer engagement and can help your company grow. The most successful companies are those where internal teams work together to educate employees about proper usage, keep policies up-to-date and consistent with regulations, and employ a social media monitoring service to address security and compliance concerns as well as marketing needs.
