Managing Information Risk and Archiving Social Media

This article is more than 10 years old.

Imagine a simple scenario. Jane Doe, a disgruntled employee at a multi-billion dollar mineral spring water company (A), sends out the following tweet from her work station and the marketing department’s Twitter account, which she is authorized to use.

Senior Management here at (A) is telling industry analysts that Company (B)’s bottles are filled with tap water.

The statement is false. Five minutes later, Jane Doe deletes the tweet. No one in Company (A) knows about the incident – yet. In the interim, however, her single tweet has been re-tweeted over 10,000 times, including to financial analysts on Wall Street, most major newspapers around the world, and the television media. The story is breaking.

An ambitious reporter calls Company (A) and asks whether the CEO will confirm or deny the veracity of the tweet. A board meeting is interrupted, the facts are presented, and neither the CEO nor the General Counsel has the first clue what’s going on. What tweet? Who sent it? From which account? Was it deleted? What did it say? Can we confirm the exact text from the retweets? Do we have an archive of the tweet? The General Counsel’s mind spins, but he is already sure of one thing: there’s no archived record of the incident.

Does this sound unreasonable? It isn’t.

Social media has changed the face of business. Whether in product marketing, consumer branding, customer relations, and/or human resources, the benefits of corporate social media are beyond dispute. Yet mounting evidence shows that the risks are, too. Last week, Symantec released the results of an independent survey of 2,000 global enterprises across a variety of industries with a minimum of 1,000 employees. (Symantec confirmed that “[t]he respondents do not represent any kind of grouping of former or current Symantec customers.”) The survey results speak to the heterogeneous nature of the types of electronically stored information (“ESI”) stored during legal proceedings. See Evan Koblentz, Symantec: Files, Databases Overtake Email in E-Discovery, Law Technology News (Sept. 19, 2011). As part of the survey, respondents were asked the following question:

How frequently are the following documents requested in conjunction with a legal, compliance, or regulatory request for [ESI]?

Forty-one percent (41%) indicated social media. To put that figure in perspective, consider that email, that ubiquitous element of our daily work lives, was indicated only 58% of the time. (Multiple answers were allowed.) See Information Retention and eDiscovery Survey, Global Findings (Symantec 2011). This figure has a certain shock value, but no one should be surprised. (One should also keep in mind that the question, as phrased, does not speak to the volume associated with each requested data type, including email.)

Gartner Group predicts that by the end of 2013, half of all corporate litigants “will be asked to produce material from social media websites for e-discovery.” Symantec’s empirical data suggests that the 50% mark will be reached far sooner.

In the same breath, Symantec revealed that formal information retention plans lag behind the social media wave. Only 30% of corporate respondents identified themselves as either having discussed or being in the process of discussing such a plan, with an additional 14% stating that they neither had nor intended to create such a plan. One doesn’t need an Infographic of the figures in the two preceding paragraphs to see how startling this situation is. Notwithstanding the overall benefits of sound records management policy—e.g., greater agility to respond to electronic discovery requests; a markedly reduced likelihood of being sanctioned by courts; and a reduced likelihood of inadvertently disclosing the wrong information during the discovery process—ignoring this imperative is especially dangerous when one considers the unique nature of social media and how it is documented.

Managing Information Risk: A Corporate Policy for Social Media

Corporations must have a social media policy. They must be proactive with respect to those messages they allow to be disseminated, and appropriately reactive when the situation demands it, such as potential legal liability or an embarrassing public relations mishap. I had the opportunity to speak to Dean Gonsowski, Symantec e-discovery attorney, who pointed out that corporate social media policies should aim to mitigate a particular type of risk: information risk.

When designing and implementing such a policy, it should be clear whose information is in question and whose potential wrongdoing the policy is designed to stem. This must be communicated clearly to employees. According to Sheila Mackay, XEROX Litigation Services’ Senior Director of E-Discovery Consulting, employees must understand that in the context of the workplace, social media records are corporate business records.

The nature of those business records demands that numerous departments be involved in the formation of a practical social media policy that minimizes the risks of social media while still allowing the enterprise to benefit from it. In an article entitled Mitigating The Legal Risks of Using Social Media (2011), Sharon Nelson and John Simek of Sensei Enterprises set forth by far the most thoughtful examination I’ve read of potential legal liability stemming from the misuse of social media. A few include:

  • illegal employment practices;
  • false advertising;
  • discrimination against a protected legal characteristic (e.g., race or gender);
  • violating expectations of privacy; and
  • various violations of federal and state law.

Mackay adds that the use of social media for business can be highly problematic when the relevant communications are overseen by a regulatory body such as the Financial Industry Regulatory Authority (FINRA). See, e.g., FINRA Reg. Notice 11-39 (“Guidance on Social Networking Websites and Business Communications”).

What Should a Robust Social Media Policy Look Like?

Nelson and Simek provide valuable guidance here. I agree wholeheartedly with their answer to a question I have asked repeatedly. Does a corporation need a social media czar? Depending on the size and nature of the company, the answer is yes, and the czar should have sole authority to speak via social media on the company’s behalf, and to extend that power only where appropriate.

One of the most important aspects of a sound corporate social media policy is monitoring employee activity. See id. In this respect, the czar must balance how tightly (s)he wishes to hold the reins. If they are held too tightly, then one risks stifling the corporation’s ability to disseminate information quickly and in near real-time – for example, to announce a new product; live blog from a corporate event; or relay that morning’s article about the company CFO in The Wall Street Journal. These are important benefits of social media. But consider what might happen if the reins are held too loosely. Nelson and Simek write:

[An] organization that fails to scrupulously monitor its employees’ use of social media risks missing a post that reveals the organization’s proprietary or confidential information. Social media has dramatically increased the possibility of sharing such information.

Id. Even Apple, which is notoriously secretive with product information, experiences (well-publicized) leaks through various channels.

Archiving Social Media

The social media policy set forth above can have countless permutations and combinations. As Nelson and Simek point out, one need not craft a policy in a vacuum. Corporate giants such as Coke and IBM have posted their own policies online and can be the starting point for a solid, tailored policy. Yet creating a clear, defensible and enforced social media policy is just the start.

Current case law leaves little doubt that social media is discoverable in litigation. This raises the obvious question: How can companies archive social media the way they do email so that they can answer such requests? There are serious challenges to doing so properly.

When an email is sent, there is a lasting record of it. Except in rare cases, there are likely to be copies of the same message in multiple places – desktops, corporate servers, and on the same nodes on the recipient’s side of the firewall when dealing with inter-company email. This isn’t the case with social media. Tweets, status updates, blog posts, and websites are all malleable within moments after they are posted. They are ephemeral and can be deleted as easily as they are posted. Such changes are highly unlikely to be cached. Moreover, the data in question (e.g., a tweet or Facebook post) resides on a third-party server such as those owned by Twitter, Facebook, or Google. Good luck figuring out where that data resides, which is critical if it is stored in a jurisdiction like the European Union that has strict data transfer laws. Responding to that request is not impossible, but no party will enjoy the burden associated with the process. Moreover, putting aside any potential international element, retrieving data from such corporate giants is difficult enough.

The key, in my opinion, is to archive one’s social media footprint as frequently as necessary to support a defensible policy. What’s the point of placing important restrictions on the use of corporate social media if you have no way to track what actually occurs? Put otherwise: Does your company want to do everything by the book with respect to social media (yes), only to find itself in a position of not being able to produce the evidence necessary to defend itself? Archiving social media isn’t a luxury at this point – it’s a defensive firewall in the non-technical sense of the word. As Symantec’s Gonsowski told me:

The value proposition of archiving is critical. Whenever there is a new media type, then closely behind there has to be a mechanism to store it, archive it, and then manage it.

Chicago-based Nextpoint may be on the right track with its innovative approach to the problem. Assume that a client specifies the relevant web-based social media presences that it maintains (e.g., website, Twitter, Facebook page, blog). Nextpoint then sends web crawlers to capture fully text-searchable snapshots of those sites at specified times, including real-time capture of bookmarked sites. There are two related articles worth reading on Nextpoint: one in The New York Times; the other in Law Technology News. It would be reassuring to think that companies have developed in-house archiving solutions for this critical function, but Symantec’s survey makes plain that companies are ignoring far more routine concerns.

__________

I am the founder of BKC3 Consulting Group. Please follow me on Twitter @BenKerschberg and LinkedIn. Please also feel free to email me.