Much like electronic discovery only a few years ago, social media has a "Wild West" feel to many lawyers due to the uncertainty of obligations, technological limitations, and legal process. As it is difficult to discern the difference between opportunity and risk in the realm of social media, the landscape is fraught with intrigue and contradiction. From a legal perspective, social media is a headache that only begets complicated liability issues, with public relations disasters, employment litigation, and large discovery problems all as real possibilities. From a marketing/brand-monitoring perspective, conversely, many companies have found real value in leveraging social media to promote business objectives and connect with customers. The keys are finding the balance between benefits and risk and mitigating that risk with strategic assessment, training/education, policy, and monitoring.
As new technology has historically been a cause of anxiety for lawyers, concern about social media is nothing new to the legal profession; it was only a few years ago that many were wondering whether sending an email over the Internet would waive privilege. As with all new technology, as social media gains mainstream acceptance, there follows a gradual development of case law, technological advances, and a better overall understanding as to obligations and best practices. As such, social media has now reached the place where ambiguity meets opportunity: how to self-protect while self-promoting? That one question gives rise to a number of subsequent ones: Who owns the data on social media sites? What are the privacy concerns? How do you access the site if you are not the account holder? How do you control human behavior? In short, wherein lies the balance between liability and opportunity? The answer: within a well-crafted, well-implemented social media policy.
The case for the necessity of a social media policy for any given company is a strong one. Consider the statistics:
• Nine out every ten U.S. Internet users visit a social networking site each month, according to comScore's 2010 U.S. Digital Year in Review.
• In Canada, people spent 58 percent more time on blog sites than they did in 2009, according to the comScore's 2010 Canada Digital Year in Review.
• Globally, 15.6 percent of all time spent online is in a social network environment (comScore's 2010 U.S. Digital Year in Review).
• According to an Applied Discovery case study on social media, employees spend some 40 minutes on social media during every workweek. To find out more about Applied Discovery's consulting services, please visithttp://www.applieddiscovery.com/smart.
Given the myriad scenarios of use (and abuse) to consider when crafting a social media policy, it is critical to engage internal stakeholders. The companies that have maximized the value of social media - while effectively mitigating risk - have involved marketing, PR, IT, HR, records management, and frontline employees to ensure the "right fit," that is, to confirm that the policy meets strategic objectives and is in keeping with internal company culture. These stakeholder discussions illustrate the typical rift between "client-facing" and "enforcement" stemming from the inherent differences between "protection" and "expansion." These differences are important, however, and while they can lead to increased time and costs, it is important that all stakeholders are involved in order to create a policy that is respected and upheld by all employees. An excellent resource for examples of successful social media policies is the Social Media Governance website (http://socialmediagovernance.com), a compendium of collaborative policies that corporations have kindly shared for educational and practical usage.
Once a policy is in place, it is crucial to implement proper training, both on the policies themselves as well as on best practices in social media usage. A policy without a foundation of social media education for all employees is the equivalent of a nonexistent one, given the range of social options, as well as their respective technologies and fine print. While it may be daunting for any level of user to read through the comprehensive terms and conditions (T&C) of a social media platform, a comprehensive analysis of each site's T&C, translated into easily understood bullets, would be an excellent starting point for any in-house counsel after crafting a company social media policy.
As a resource for inside counsel, the Applied Discovery team has compiled a step-by-step best practice for social media usage, policy creation and proactive damage control based on our team's expertise and years of experience in the realm of technology, policy creation, and ambiguous case law:
1. First And Foremost, Create A Policy
Involve the key stakeholders within your organization as well as any third parties that will use social media on your behalf, such as ad agencies, marketers, or recruiters. Consider what type of policy makes sense for the organization. If the stakeholders have faith in the organization's employees' ability to discern appropriate behavior and speech in all written, public communications, a simple "common sense" approach may be enough, with a policy stating that the use of social media should be based on the users' common sense.
Contrasted with a common sense approach, an "open" social media policy provides high and low parameters covering what an employee may do. Such a policy may contain references to specific sites that are to be used or avoided, specific language for disclaimers, specific company goals and objectives in the realm of social media, and suggestions as to topical areas to engage in or communities to reach out to. A solid open policy should also teach the employees about the risks associated with social media but otherwise still allow full employee engagement in the medium.
A "closed" policy is one based on restrictions and limitations and is designed to instruct employees on what they cannot do. Typically, these policies are implemented by IT blocking certain sites and preventing the employee use of social media on behalf of the company - or even for personal use when at work. This type of policy is certainly the lowest risk but also forces the company to eschew any marketing or outreach benefits that social media so effectively delivers.
2.Train Your Company, Train Yourself
A policy is worthless if the employees don't understand it. While it may be time consuming, we at Applied Discovery recommend training all employees on the policy, on the platforms in question, and on the appropriate usage. Usage policies may vary from department to department, with marketing, for example, having a more open policy than, say, administration. Nevertheless, training should encompass an overarching theme that ties it all back to the company's social media policy. Also, training should be updated and re-administered on a frequent basis, as social media sites and habits change frequently.
3. Monitor To The Best Of Your Ability
Companies face a daunting task when it comes to monitoring employees, especially in the realm of social media activities. And managing the company's image in the public realm can be impossible. There exist monitoring products, such as reputation.com, that claim to remove unwanted information from the web, but there is much debate as to their effectiveness. Organizations can also monitor their employees' activities by relying on their IT server logs to track and record all web pages that employees load. However, most of these logs only collect limited data, like date/time as combined with a web or IP address, effectively eliminating the actual content and user activity on a given IP address, which is arguably the more important information. A much better strategy is to try to ensure that employees only post wisely and that any outsiders battering the company's reputation are managed quickly and properly.
4. Preserve What You Can
Like all data created by an organization, with social media there often arises the need to address what needs to be preserved and to what extent. These obligations tend to stem from regulatory directives such as FINRA (affecting the financial services industry) or the FDA (pharmaceutical and biotech), or from anticipated litigation. It's important to remember that data exists on the web in many forms.Many companies do not actively collect and retain the information they have on their own web pages. Fewer still actively collect and archive the social media sites that they use for corporate branding; almost none collect and preserve the social media sites that employees use on the behalf of the company. While unwieldy and daunting in scope, there are restriction on asking for social media data in the context of litigation, just like any other data. As the bench becomes savvier in the use of technology, it may be less inclined to allow a party to claim that data is not reasonably accessible if it were found on a social media site, but there are no guarantees.
While this list of recommendations may produce more questions than answers (as well as perhaps a desire to throw up one's hands and say "it's too much!"), the ever-growing list of social-media-related litigation underscores the importance of finding the time to address the use of social media in the workplace. Lawyers who would rather not know the extent of employee behavior are actively ignoring a potential risk to their company. The horror stories abound, often with humorous and frightening examples of extraordinarily poor judgment on the part of companies, their employees, and outside firms acting on a company's behalf. At the current time, the prevalence of out-of-court settlements robs us of the opportunity for legal precedent, which makes the turbulent waters of social media even harder to navigate. But eventually, we'll all get those precedents in abundance. In the meantime, we continue to hunt for answers, uneasily (but skillfully) navigating this brave new world of social media liability with abundant creativity, extensive collaboration, thorough educationand ample legal preparation.
Published July 1, 2011.