Social Media Policy: What's OverlookedAttorney Identifies Gaps in Organizations' Management
Organizations incorporating social media into their daily operations tend to have gaps in policies, and key aspects are often an afterthought, says attorney David Adler.
The social media policy foremost needs to address employee training, says Adler, an attorney who focuses on social media management.
"This is very important because employees need to understand how they represent the brand or the company they work for" when using social media, Adler says in an interview with Information Security Media Group [transcript below].
Organizations also need to ensure they assign someone to oversee the policy. "When the regulators come knocking at the door, there needs to be somebody there," he says.
Procedures should be put in place to provide regulators with key information, such as how social networks are being monitored and how records are being kept, in case the point person is unavailable, Adler says.
Another overlooked element is monitoring. "The real opportunity here ... is to listen, monitor and follow what your customers and your competitors are saying about your company, about your people and about the way that you act in the marketplace," he says. "Monitoring is absolutely essential, and [it] means that you actively listen."
Whatever the goal for social media usage in an organization is, key decision-makers need to get together and develop a strategic plan.
"It needs to be discussed early on at a very strategic level," Adler says. "Then, policies and procedures need to be put in place so that everybody from the top down understands how that plan fits with the particular role of the company."
In an interview about managing social media, Adler discusses:
- Some of the most-overlooked elements of key social media policies;
- How organizations can approach monitoring, content approval and training;
- Tips for assessing and remediating social media risks.
Adler is an attorney, author, entrepreneur and nationally recognized speaker with a law practice focused on counseling businesses across the interrelated areas of intellectual property; media and entertainment; information technology and corporate law. He provides legal counsel on trademark and copyright matters; digital and new media licensing; production; finance; regulations; litigation; and corporate-commercial transactions.
TOM FIELD: In general, where do you find that organizations are missing the boat in terms of managing social media?
DAVID ADLER: I think for a lot of industries - especially financial services and all of the different companies in financial services - the first question was whether to even engage in social media. A lot of companies were very hesitant to engage in social media in the first place. Now what we see is, although a lot of companies are engaging, they're still very uncertain as to how best to engage in social media. I think they're really missing an opportunity to build their brand and add value to the customer experience across a number of different levels. I think that's where they stand the most to gain.
FIELD: What do you find to be some of the most overlooked elements of key social media policies?
ADLER: As I'm looking through social media policies being developed by my clients - and I'm often called in to review either an existing policy or work with the company's marketing team to develop a policy that will allow them to implement social media within the organization - one of the most overlooked areas in social media policies is employee training. This is very important because employees need to understand how they represent the brand or the company they work for when they're engaged in social media. But they also need to understand what the regulatory restrictions are on how they go about using them. Some companies may use a third-party software application, for example, and employees should understand how that works, especially because many people in today's workforce use mobile devices, as well as desktop computers and their own telephone. Some of these newer products integrate all these different access points.
Another thing to consider in the social media policy is the need to have somebody who basically owns this space for the company. In other words, when the regulators come knocking at the door, there needs to be somebody there who can say, "This is what we're doing, this is how we're doing it, this is where our records are kept, and this is how we maintain those records." You need to have somebody whose job it is to manage the entire process.
In addition, you need to have procedures in place in case that person gets hit by a bus, because if that person's not available, the regulators still want to know what's being done, how it's being monitored, how records are being kept and where those records are being kept. All of these things are aspects of the social media policy that, if thought of at all, tend to be an afterthought.
FIELD: Let's talk about some of the specific risks. What might happen to organizations if they fail to implement an appropriate social media policy?
ADLER: There are a number of different risks for businesses that don't have some form of social media policy. On the business end, there are brand risks, customer service risks and the risk that you're going to lose business opportunity or sales opportunity. On the other hand, there are the legal risks. There are risks related to intellectual property, such as maintaining and disclosing confidential information. There are other risks around regulatory infractions. For example, if a financial advisor were to make certain statements using a social media platform, that person runs the risk that they may be making that statement to an improper audience; they may not be making proper disclosures; they may not be providing a full-enough picture of all of the information that's required. And many of these requirements stem from regulatory guidance.
The risk here is not just the potential for a civil penalty; in other words, a potential investor who feels that they've been misled and, therefore, invested based on misinformation. There's also the regulatory oversight and the risk that companies will not be meeting their regulatory requirements in terms of monitoring employee use of social media, keeping accurate records of conversations that were conducted using social media, as well as fines for acting improperly.
I'd say the worst-case scenario is the rogue employee who tries to go out anonymously on these social networking sites and post disparaging comments, post improper information or try to somehow make the competition look bad. I mean, many, many people in the industry are ethical people, and they're going to do the right thing, but sometimes you have rogue employees, and so there needs to be policies and procedures in place to deal with those sorts of eventualities.
FIELD: Let's talk about some ways organizations can approach specific areas in social media, and the first I'd like to ask you about is monitoring.
ADLER: I'm glad you bring that up because I think many companies misunderstand the role of monitoring social media. Again, because so much of it is being pushed by the marketing department, the sense is that it needs to be an outlet, a way of sharing and distributing information. But the real opportunity here - and it comes with its own risk - is to listen, monitor and follow what your customers and your competitors are saying about your company, about your people and about the way that you act in the marketplace. Monitoring is absolutely essential, and monitoring means that you actively listen. You get onto the different channels, the different social media platforms, and you look for your brand. You look for your executives. You look for your products. You make sure that you're following that conversation.
Approval of Content
FIELD: An area that often gets confused for monitoring is another I want to discuss with you, and that's approval of content. What can you tell us about that, please?
ADLER: I think content approval is one of those things that's always at the top of everybody's minds when they're thinking about how best to use social media. For some industries, you can create a checklist or a playbook, if you will, of the types of content that can be shared without having to get some sort of prior approval. But content implicates a lot of different rights and a lot of different risks. There are copyright risks with respect to sharing content created by others. There are trademark risks not only to your own brand, but to possibly mentioning brands of your competitors. There are right of publicity risks that implicate endorsements or testimonials. There's a lot of risk around content, and content should absolutely be a key focus both in how it's created, as well as how and where that content is shared.
Training Best Practices
FIELD: Another topic you discussed earlier and I'd like to hear more about is training. What are some best practices there?
ADLER: Training I think is the key element to any successful social media policy because, unless your employees know what's in the policy and know how to follow it, having the policy is meaningless. What companies need to do is at the outset be thinking about not only how do we put these policies in place, but how do we educate our own employees about expectations for use on social media and how best to be a brand ambassador? There's a lot of opportunity there, and there's a number of different ways you can go about training. You can have webinars; you can have intranets in the company that can show employees proper use, as well as examples of how not to use social media. Training is really, really key because, unless the employee understands the boundaries of what they're allowed and not allowed to do, whether there's a policy in place is really not going to matter when the regulators come knocking.
Information Security Concerns
FIELD: Another area we haven't discussed is information security, and I know certainly there are risks of credentials being taken over; there's risk of malware being distributed through social media. What are some of the areas that you typically address with organizations?
ADLER: As with any technology, there's always the information security risk, and information security begins at home. I think this probably does go well with the idea of training. Employees need to understand where the information security risks are throughout their organizations, from the use of the handheld device, the use of laptops, the use of what are commonly referred to as thumb drives or the portable USB drives that may contain confidential information. Employees need to understand where those information security risks are, and then they also need to understand how best to prevent against inadvertent leaks of information. And so it goes to passwords, proper password policy, understanding how and where data should be stored and where it should be shared. There are electronic measures that can be put in place as well as physical measures that can be put in place. For example, trade secret information must be kept under lock and key and in an area that's for certain eyes only, and that's really more of a physical safeguard than an electronic safeguard.
But employees also need to be trained to look out for fraud and misleading information, and all of these things are topic areas that fall under information security. Everybody within the organization needs to understand that there are a lot of risks when one holds one's self out on these social media platforms. The old adage that goes back to the beginning of the Internet, "On the Internet, nobody knows if you're a dog," you don't know that somebody on the other side of your conversation or the other side of your post is who that person claims to be. You always have to be very careful how you interact and what information you share.
FIELD: What do you find to be some of the lessons learned that organizations can apply? Unfortunately, I think you see some of the tougher lessons that organizations learn. But is there information that can be drawn from those?
ADLER: I've seen a lot of do's and do nots in this space, but what I'd like to do is just focus on three key areas I think every business can really learn from. The first one is the idea of brand-building, and brand-building is both at the employee level as well as at the company level. Social media gives employees and companies an opportunity to be human, for lack of a better word. And because of the nature of the engagement, people can have an authentic natural presence, and the way that they engage with their customers can give customers a better sense of the brand and a better sense of the people. I think that oftentimes organizations lose sight of the fact that social media is conducted by individual people and that these people should be allowed to put a face on the brand, and they should remember that they're human beings and they should try and connect on that level.
The second area which is sort of another aspect of brand building is the idea of community relations. I know a lot of organizations struggle with the type of content that can be shared over a social networking platform, and there are many ways to educate the community and educate the consumer without talking about specific products, services or specific investments in the marketplace, or being real specific about information that might need disclaimers or might need qualifiers. Social media offers a company an opportunity to talk about all the great things that they're doing in the community and to connect with the community outside of the traditional office space. One great example is an organization that might be involved in a local charity. Social media is a great channel to talk about that charity, to engage with the community around that charity, and in both those actions the consumer and the community get to see a side of the business that they may not otherwise see.
The last area, a lesson they can really apply, is the idea of reputation management. This kind of goes back to monitoring and active listening, but social media gives a company the opportunity to monitor the tone and what's being said about their company, their people and about their products and services in real-time, and they have the opportunity to engage customers before these issues, risks or complaints get blown out of proportion. The trick here is understanding the proper way to respond, and not every comment needs a response and not every comment or action warrants a hand-fisted response because more often than not those types of responses have the exact opposite effect. What they do is they empower the defenders. They tend to focus on the wrong aspects of the issue, whereas, seeing misinformation out there or incomplete information out there gives a business an opportunity to sort of set the record straight and provide corrective information and amplified messages about how they're dealing with issues and how they're resolving problems for their consumers. All of that goes into reputation monitoring and reputation maintenance.
Remediating Social Media Risks
FIELD: If you could boil it down to a bit of advice, how would you advise organizations to start now in assessing and remediating their social media risks? Where's the starting point?
ADLER: The starting point is always to have a plan. You need to gather the key people who are involved. You need people from IT. You need people from marketing. You need people from HR. You need people from operations. You need people from sales. You need to get the key decision-makers together and say, "What's our plan? What's our goal for social media for this company? Are we looking to increase sales? Are we looking to increase customer service satisfaction? Are we looking to polish the brand?" Whatever the goal is, it needs to be discussed early on at a very strategic level. Then, policies and procedures need to be put in place so that everybody from the top down understands how that plan fits with the particular role of the company.