WHITE PAPER COMPLIANCE IMPLICATIONS OF SOCIAL MEDIA A Guide for NCUA Credit Unions

Uploaded by actiance-inc, posted 24-Jan-2015



Credit unions that want to take advantage of social media now, and to be prepared for future compliance requirements, must consider the regulations already in place that govern other forms of electronic communication. As major financial regulatory bodies around the globe, such as FINRA and the FSA, issue guidelines that specifically include social media, it is only a matter of time before the NCUA clarifies its position.


WHITE PAPER

COMPLIANCE IMPLICATIONS OF SOCIAL MEDIA: A Guide for NCUA Credit Unions

Worldwide Headquarters 1301 Shoreway, Suite 275 Belmont, CA 94002 USA (650) 631-6300 phone [email protected]

EMEA Headquarters 400 Thames Valley Park Reading, Berkshire, RG6 1PT UK +44 (0) 118 963 7469 phone [email protected]

©2001-2011 Actiance, Inc. A-WP-008-SM-CREDIT-UNIONS-0111

WHITE PAPER – Compliance Implications of Social Media 2

This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.

© 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.

Table of Contents

Overview ..... 3
    Lack of specific guidelines ..... 3
    Maintaining compliance ..... 3
CUs in Social Media ..... 4
    Appropriate Use of Social Media ..... 4
    Compliance Curtails Entry into Social Media ..... 5
CU Compliance Concerns ..... 6
    Data Leakage ..... 6
    Advertising ..... 6
    Retention of Records ..... 6
Wider Regulatory Concerns ..... 7
    Gramm-Leach-Bliley Act (GLBA) ..... 7
    Red Flag Rules ..... 7
    Privacy of Consumer Financial Information ..... 7
    Payment Card Industry Data Security Standard (PCI DSS) ..... 7
    Federal Rules of Civil Procedure (FRCP) ..... 8
When Social Media Goes Bad ..... 9
    Hackers Taking Control ..... 9
    Blogging Gone Bad ..... 9
    Good Intentions, Bad Tweets ..... 9
    Inappropriate Comments Equal Lost Business ..... 9
    Employee Tweets Create Negative Working Environment ..... 9
    Consequences of Violating Regulations ..... 9
Key Tenets of CU Social Media Policies ..... 10
Mitigating the Risk of Social Media and Web 2.0 ..... 11
    Enforcement of Policy ..... 11
    Monitor Content ..... 11
    Prevent Data Leakage ..... 11
    Block Threats ..... 12
    Log All Content ..... 12
    Archive ..... 12
Summary ..... 13
About Actiance, Inc. ..... 14


Overview

It took the humble telephone eighty-nine years to reach the 150 million users that Facebook achieved in just five. The impact of social media can be seen everywhere, in the workplace, at home, even on billboards, and TV. For credit unions looking to connect with their members and grow their business, social media is a must. But what are the dangers, who is at risk, and how can credit unions ensure that embracing Facebook, LinkedIn, and Twitter doesn’t result in a social scandal?

Lack of specific guidelines

Although the National Credit Union Administration (NCUA) has not yet issued rules or guidelines specific to social media, the regulations already in existence plainly cover this new form of electronic communication. From advertising and the retention of records to the leakage of Social Security numbers, account numbers, credit card data and other personally identifiable information (PII), the regulations may not mention social media by name, but it is clearly a medium through which every one of these violations can occur.

Social media applications were built for consumers, so they offer no enterprise controls natively. With the majority of credit unions in no position to control the content of messages that employees post to Facebook, let alone archive those messages with any meaningful context, many have wisely decided to postpone their social media strategy.

However, the compelling evidence of the benefits of social media has meant that others have leapt in with both feet, potentially placing them ahead of their competitors and making it harder for the rest to justify staying away. The danger for credit unions is that without the right security, management, and compliance controls in place, any benefit of its use can evaporate quicker than saying “Federally Insured”.

Maintaining compliance

Following in FINRA’s footsteps in the US, the FSA in the UK has recently taken steps to ensure that the firms it regulates recognize that new media such as social networking, blogs, and forums are automatically covered by current regulations. It is highly likely that the NCUA, along with other financial regulatory bodies, will follow suit and clarify that, like every other form of electronic communication, social media usage must comply with current regulations.

This whitepaper considers the threats that social media poses and the regulations they may infringe upon and suggests how credit unions can overcome them, remain compliant, and embrace the new Internet.


CUs in Social Media

When President Roosevelt signed the Federal Credit Union Act in 1934, television was in its infancy. Who could have predicted that nearly seventy-five years later Larissa Walkiw’s Young and Free Alberta video for the Common Wealth Credit Union (now Servus) would be one of the most popular credit union videos on YouTube?

Social media is taking credit unions by storm. From marketing to member services, it offers several benefits over traditional forms of communication, including cost. But perhaps the biggest reason for its success is one that fits very comfortably with the credit union ethos: the personal touch and dedication to superior member service. Social media experts have always advocated the use of “real people” and genuine photos of the employees who run the Facebook, LinkedIn, and Twitter presence, and the strategy pays off. One may not know all of one’s followers or buddies, but interaction and conversation with a face you can put a name to has a major impact in cultivating relationships.

Smaller credit unions have been quick to take advantage of social media and Web 2.0, with a great deal of success in attracting new business and growing investment opportunities with existing ones. Their success has not gone unnoticed by the larger credit unions, which until recently have shied away from social media. However, with more than 500 million users on Facebook, 75 million on LinkedIn, and 70 million on Twitter, credit unions can’t afford to not include social media in their business strategy.

A recent survey of 11,000 credit union members conducted by Callahan Internet Strategy Consortium, a group of credit unions that cooperatively conduct research, discovered that:

• More than 82% of credit union members aged 18-60+ use Facebook.

• Members using Twitter expect their credit union to provide information, such as fraud alerts (71%), special offers (60%), financial tips (58%), and rate specials (57%).

• About half of all members surveyed said they would read a credit union’s Facebook page periodically.

(Source: thefinancialbrand.com)

Appropriate Use of Social Media

When credit unions include social media in their marketing plan, they need to understand from the outset that while it is a social interaction, it’s also a very public and professional one. Every credit union wants to show the “human” side of their operations, yet they must be careful to not become too casual in their replies to posts and Tweets, or they face coming across as unprofessional and careless. Content on their social media sites is also important – all photos and links must be professional as well. “Think before you post” must be kept top-of-mind at all times. Credit unions must remind their employees to consider how it would look if their post hit the front page of a leading publication. This advice applies whether that “leading publication” is a newspaper, website, or blog site.

Without a doubt, credit union employees can be great ambassadors. If given every reason to promote the credit union brand and no motivation to complain, they can spread the word about the credit union advantage far and wide – and at virtually no cost. Social media proponents argue that appropriate use of social media can help create a positive corporate culture, which in turn leads to happier and more productive employees. Some social media advocates even go so far as to contend that the optimal use of social media can actually increase productivity, e.g., by taking a few minutes off to play a Facebook game or watch a couple of funny YouTube videos, the employee comes back relaxed, refreshed, and ready to work!


Compliance Curtails Entry into Social Media

One of the reasons many credit unions have delayed taking the social media plunge has been well-founded concern over compliance issues. Whether this is due to a greater awareness of the potential pitfalls or to waiting for guidance from regulators such as the NCUA is not clear, but it is worth noting that some of the biggest credit unions, such as BECU and Golden 1, can now be found on Twitter.

Social media is just an extension of how credit unions converse with their members. Whether it’s assistance in using a service, letting people know about the latest offers, or even introducing new business contacts, Facebook, LinkedIn, and Twitter simply offer another point of contact, much like walking into a local branch or talking on the telephone.

However, like every other form of communication, care must be taken that anything that could be considered an advertisement or advice must comply with current regulations. For the majority of communications, that means securing, filtering content, monitoring, and archiving each and every post. Not an easy task when there are so many different social media and Web 2.0 tools and applications.


CU Compliance Concerns

As social media use within credit unions grows, so does the risk of non-compliance. Whether a credit union is using social media to communicate with members, announce new products, or promote community events, it is not just the outspoken views of rogue employees that need to be controlled. A single post can breach a wide range of credit union rules and associated regulations, such as the Gramm-Leach-Bliley Act (GLBA), often unintentionally.

Data Leakage

Although not specifically covered in either NCUA or National Association of State Credit Union Supervisors (NASCUS) regulations, the use of modern communication tools is still governed by current rules. For instance, the NCUA guideline 792.67, Security of systems of records, states credit unions “…shall establish administrative and physical controls to ensure the protection of a system of records from unauthorized access or disclosure and from physical damage or destruction…Procedures shall also be adopted to prevent accidental access to or dissemination of records.”

In Actiance’s Fifth Annual Collaborative Internet Survey, 14% of organizations questioned had experienced data leakage through social networks and a further 18% took disciplinary action as a result of incidents. Whether it’s an instant message to the wrong person, a tweet that should have been a direct message, or a misjudged post to Facebook, the route for accidental leakage has never been easier, nor has it had such a potentially wide audience.

Advertising

Advertising regulation is also a potential compliance failing point. From Regulation Z – Truth in Lending to the Fair Housing Act (FHA), the rules around advertising are being tightened all the time. Under the Fair Housing Act, “Advertisements must not contain any words, symbols, models or other forms of communication that suggest a discriminatory preference or policy of exclusion.”

NCUA rule 707.2 defines an advertisement as “a commercial message, appearing in any medium that promotes directly or indirectly…” the terms of, or a deposit in, an account. Under rule 707, mentioning terms such as a yield or a bonus “triggers” additional disclosure requirements.

In practice this means that a post containing a trigger word must tell members where they can view the additional information on the offer, such as a web page. For credit unions using Twitter, this can be a challenge, but shortened URLs help keep posts within 140 characters and still comply. Consideration should also be given to chats over IM, as the advertising rules still apply and the appropriate disclaimers should be given.

Retention of Records

The Truth in Savings Act demands that “A credit union shall retain evidence of compliance with this regulation for a minimum of two years after the date disclosures are required to be made or action is required to be taken.” However, for credit unions using social media, this ruling may prove difficult to comply with. Facebook, for instance, currently offers no archiving facility of members’ posts, making it impossible for credit unions to keep a reliable record of messages posted.

Appendix A to part 749 of the NCUA regulations states that although there is no specific format in how records are retained, they must be easily accessible and accurate. In addition, “The credit union should also ensure that the reproduction is acceptable for submission as evidence in a legal proceeding.” Compliance with eDiscovery requires a tamper-proof archive, and best practice demands that records include the context of the message, not just the message posted.
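One way to meet the two requirements in this section, a record that cannot be altered without detection and one that preserves the context of each post, is an append-only, hash-chained archive. The example below is added here to illustrate that approach; it is not part of the original white paper and not an Actiance product feature. The channel names, handles, timestamps and post texts are constructed sample data, and the record layout is an assumption.

```python
import hashlib
import json

GENESIS = "0" * 64   # predecessor hash of the first record in the chain


class PostArchive:
    """Append-only archive of social media posts, hash-chained for tamper evidence.

    Each record stores the post together with its context (channel, author,
    capture time and the post it replied to) and the SHA-256 of the previous
    record, so altering or deleting any record breaks every hash after it.
    """

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys) so the hash does not depend on dict order.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, channel, author, text, captured_at, in_reply_to=None) -> int:
        """Archive one captured post and return its sequence number."""
        body = {
            "seq": len(self.records),
            "channel": channel,
            "author": author,
            "text": text,
            "captured_at": captured_at,   # ISO-8601 timestamp from the collector
            "in_reply_to": in_reply_to,   # seq of the post this one answers, if any
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["seq"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or self._digest(body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None

    def thread(self, seq):
        """Return the post and every post it replied to, oldest first.

        This is the context a regulator or court would need in order to read the
        message as the member saw it, rather than the post in isolation.
        """
        chain, cur = [], seq
        while cur is not None:
            chain.append(self.records[cur])
            cur = self.records[cur]["in_reply_to"]
        return chain[::-1]


def build_sample_archive() -> PostArchive:
    """Constructed sample exchange (not real posts) used to exercise the archive."""
    archive = PostArchive()
    q = archive.append("twitter", "@member_jane",
                       "What's your current auto loan rate?", "2011-01-10T14:02:00Z")
    r = archive.append("twitter", "@examplecu",
                       "@member_jane see our full rate disclosures at http://example.com/rates",
                       "2011-01-10T14:10:00Z", in_reply_to=q)
    archive.append("twitter", "@member_jane",
                   "@examplecu thanks, applying now", "2011-01-10T14:15:00Z", in_reply_to=r)
    return archive


if __name__ == "__main__":
    archive = build_sample_archive()
    print("intact:", archive.verify())
    for rec in archive.thread(2):
        print(rec["seq"], rec["author"], rec["text"])
    archive.records[1]["text"] = "rates from 0.99% APR"   # simulate an edit after the fact
    print("after tampering:", archive.verify())
```

A hash chain is tamper-evident, not tamper-proof: anyone with write access to the whole store can rewrite every record and recompute every hash. The head hash therefore has to be anchored somewhere the archive writer cannot change, for example written periodically to WORM storage or signed and sent to an independent party, and `verify()` compared against that anchor.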


Wider Regulatory Concerns

Gramm-Leach-Bliley Act (GLBA)

Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) outlines standards for safeguarding confidential member information, including names, addresses, phone numbers, account numbers, and Social Security numbers. In practice, meeting this standard means scanning the content of outbound communications for such information, never sending it in clear text, and keeping it off public communication channels altogether.

In a survey by Actiance, over a third of the respondents that can access IM services at work admitted to sending an instant message to the wrong person. Accidental data leakage is one of the biggest concerns for any organization. Many financial institutions take care to move conversations that require sensitive information exchange to more secure channels, but all it takes is a simple mistake for a regulation to be violated.

Red Flag Rules

The Red Flag rules require credit unions to protect information against identity theft and to implement a program that would detect warning signs or raise a “red flag” to possible suspicious activity. The rapid growth in social media and Web 2.0 usage has made them a magnet for hackers and malware writers looking to steal confidential information that enables them to directly steal identities or to build up a profile that may lead to identity theft.

One of the problems with social media is that users place too much trust in their network of followers or friends, enabling social engineering techniques that persuade users to give up passwords or click on malicious links to work with a surprising success rate.

Privacy of Consumer Financial Information

The consumer privacy rule generally encompasses a privacy notice that details how non-public information may be used by the credit union and an opt-out clause for the consumer. Similar to the GLBA, credit unions must ensure that non-public information, including name and address, transaction history, consumer credit reports, and court records, is protected against malicious and accidental data leakage.

In addition, guidance issued by the NCUA states, “The fact that an individual is a customer of a credit union equates to personally identifiable financial information about that consumer,” which is something to keep in mind when devising social media strategies to encourage new followers and fans.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS requires that organizations that process payment account information should ensure that they build and maintain a secure network, encrypt cardholder data sent over public networks, and that unique IDs are assigned to individuals that have access to cardholder information.

When using social media, credit unions need to ensure not only against data leakage, but also be able to identify those employees that have access to both cardholder information and applications such as instant messaging or sites such as Facebook, which frequently involve the use of different user names.


Federal Rules of Civil Procedure (FRCP)

The FRCP defines the procedures for managing civil suits in district courts, including legal discovery. Rule 34 allows the requesting party to designate the form in which electronically stored information should be produced. If no form is specified, the producing party must deliver it in the form in which it is ordinarily maintained or in a reasonably usable form.

Social media sites such as Facebook, LinkedIn, or Twitter offer neither archiving facilities nor any guarantee to keep messages for even a week, let alone the six or seven years that some legislation requires. Accurately reproducing data for a court of law is challenging in the best of times; social media has just made it harder.


When Social Media Goes Bad

Here are some examples of how unchecked social media activities can cause damage to a credit union:

Hackers Taking Control

In February 2010, Omni Credit Union and Advanced Savings both lost control of their Twitter accounts after disclosing their passwords in a social engineering attack. The attackers then used the accounts to send out pornographic spam, including malicious links. Although no harm was done beyond a few surprised members being offered more than a great APR, the incident potentially damaged the reputation of both credit unions.

Blogging Gone Bad

Last year, a receptionist from a credit union in Utah blogged about her pet peeves at work, including the name of her credit union. Fortunately, someone quickly pointed out the error of her ways and the blog was promptly taken down and an apology issued, but it is amazing how often a lack of forethought is behind most social media faux pas.

Good Intentions, Bad Tweets

A loan officer at a credit union in Wisconsin was simply looking to get the word out about the credit union’s great loan rates. After all, it is his job to build the credit union’s much-needed loan portfolio. Looking to generate new business, he tweeted about their excellent new and used car rates – albeit without all of the required legal disclosures. Simply not enough room in 140 characters!

Inappropriate Comments Equal Lost Business

A teller at a Kansas-based credit union had a negative experience with a member who was having a bad day. Before social media, such an occurrence would be confined to the back office and perhaps a post-work conversation at the employee’s dinner table. However, when the teller posted her thoughts on the member’s rude behavior on her Facebook page, it did not take long for it to circulate back to the member. Later that week, the member closed his account with the credit union, and it just happened to be a quite profitable account.

Employee Tweets Create Negative Working Environment

A group of employees were killing time on a slow day by tweeting back and forth at a small credit union in Texas – fairly harmless chit chat at first. But, when the tweets migrated into sexually oriented matters, one employee was offended. Fortunately, it did not lead to a sexual harassment lawsuit, but it did create tension and a negative working environment at the credit union’s headquarters.

Consequences of Violating Regulations

Below are just some of the consequences associated with violating the regulations discussed above:

GLBA: Substantial fines, imprisonment for up to five years, and loss of reputation

Red Flag Rules: Penalties of up to $3,500 per violation

PCI DSS: Fines of up to $500,000, possible refusal of future transactions, and loss of reputation

Regulation Z (Truth in Lending): Fines of up to $5,000, imprisonment for up to one year

Regulation E (Electronic Fund Transfer Act): Substantial fines, imprisonment for up to one year


Key Tenets of CU Social Media Policies

Many observers believe that there is anarchy in the absence of social media policy and training. Perhaps the first step is to emphasize the credit union’s core values: the mission statement and member service guidelines must carry over online. In other words, the credit union’s General Code of Ethics should provide guidance on the positive behavior expected from all employees, regardless of channel.

Credit unions should invest in adequate training programs to remind their staff of their responsibilities and outline clearly what is acceptable and appropriate. They should send frequent messages to employees on the misuse of social media and draw upon case studies to convey the consequences of bad behavior or reputational damage to the credit union. Credit unions must establish clear rules of engagement – these rules need to spell out employee expectations in terms of tone, language to be used, as well as situations that demand an employee response, e.g., correcting misguided information related to interest rates or loans.

Other items that credit unions should consider adding to their policies include:

• Don’t let personal use of Twitter or other social networking sites interfere with work.

• Employees must be approved to use Twitter or other social networking sites to conduct business.

• Any use of the credit union’s name, trademarks, logos, or other intellectual property must be approved.

• If employees make personal comments about any aspect of the credit union’s business, their profiles must carry a disclaimer that the views expressed are their own and not the organization’s views.

• Tweets and other posts may not disclose confidential, proprietary, rate, or loan information.


Mitigating the Risk of Social Media and Web 2.0

Traditional security measures are no match for today’s communication tools. Many legitimate applications use evasive techniques such as port hopping, protocol tunneling, and encryption, and some use peer-to-peer connections. Skype, for instance, is peer-to-peer and encrypted, and will tunnel over HTTP on port 80 if that is the only port the firewall leaves open, which renders a URL filtering solution useless for controlling it.

Aside from the obvious hazard of malware using such an unauthorized channel to enter the network surreptitiously, enabling social media and Web 2.0 applications without the means to prevent other channels from being used adds the danger that the organization is no longer monitoring everything that leaves its network.

Below are the key areas that credit unions must consider when enabling social media and Web 2.0 in the workplace. Control of social media is not as difficult as it first seems; credit unions simply need to follow the best practice guidelines of control, including logging and archiving all pertinent content. What they must recognize is that their existing security measures were not designed for Web 2.0 applications.

Enforcement of Policy

Social media and Web 2.0 applications offer huge productivity benefits, but that does not mean employees should be given free rein. Consideration should still be given to whether an employee really needs access to a specific application, or needs to be able to transfer certain file types.

In Actiance’s Fifth Annual Survey, The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact (originally published as “FaceTime’s Fifth Annual Survey”), file sharing tools (websites or P2P applications) were found to be present in 74% of enterprises, with only 32% of IT professionals estimating that they were in use. Web-based chat was also found in 95% of enterprises, with only 31% of IT professionals estimating that it was in use.

Credit unions need to ensure that only authorized websites and applications are used by employees and that access is limited to their job requirements. Whether it’s being able to post to LinkedIn but not to give recommendations or view Twitter but not to post, consideration must be given, not just from a reputational standpoint, but also from the regulations they potentially could violate.

Monitor Content

In just the same way that the majority of organizations have implemented technology to monitor email content, so the same must be done for social media. Whether a credit union decides only to block posts that contain trigger words such as “APR” or “yield,” or send all posts to a compliance officer for monitoring will depend on individual circumstances. However, without some form of monitoring in place, it will be impossible for credit unions to demonstrate compliance with many advertising regulations.

Prevent Data Leakage

As credit unions turn to social media to collaborate with colleagues and members, the risk of accidental data leakage has increased significantly. A small lapse in judgment can have serious consequences. Controlling how social media is used in the workplace is not just about stopping an inappropriate comment; it’s also about preventing users from sharing business-critical information in what is essentially a public forum.

In Actiance’s Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or information leaks due to the use of Internet applications. Viruses were most common at 55%, followed by spyware infiltrations at 45% – but in new statistics gathered for the first time this year, 14% have seen data leakage through social networks.

Prevention of data leakage features prominently in virtually every regulation that a credit union must comply with. For example, a quick tweet of “@(member name) thanks for stopping by the branch today” could potentially break a confidentiality clause if the member has not publicly indicated the visit themselves.

Block Threats

It is no secret that Web 2.0 applications, public IM, peer-to-peer file sharing and social media introduce risk to the credit union. The productivity advantages of collaboration are quickly lost when malware infections send the IT staff into the equivalent of search and rescue mode to clear malware from end points and protect the credit union from sensitive data loss.

Unsurprisingly, social engineering tactics are used extensively by malware writers who hijack IM buddy lists to trick users into thinking a link coming in on their IM screen is actually from a trusted friend on the system. Once introduced to the network, multi-protocol malware can quickly jump from the public IM system to internal systems. Credit unions need to ensure that all entry points for malware are blocked, not just email and basic Internet gateway ports.

Log All Content

In order to comply with industry regulations and eDiscovery requirements, credit unions need to be able to log each and every interaction posted to social media and other Web 2.0 applications. Although sites like Twitter and Facebook have not yet been specifically mentioned in guidelines, such as those issued by NCUA, the current regulations make it perfectly clear that records pertaining to transactions, advertising, and other credit union activities should be archived. Aside from non-compliance, the consequences of not logging content are that it potentially leaves the credit union at the mercy of the other party in a legal dispute.

Currently, the majority of social media sites do not offer any means to log and store content, nor do they give any guarantees that the information there today will be available tomorrow. Going further, it’s not a given that today’s social media darling will still be around in two years’ time to retrieve content and conversations. To ensure compliance, credit unions need to consider how to log content posted to social media, including the context of the whole “conversation”.

Archive

The process of archiving, storing, and making social media conversations easily retrievable for regulatory compliance and legal discovery is made far more complex by the multidimensional nature of these conversations. For example, a chat on a Facebook wall can include numerous participants joining at different times, creating a requirement to capture the context each participant actually saw at the time of their contribution.

To simplify retrieval, credit unions need to ensure that content and context of posts and messages can be exported, along with corporate identity credentials, to an email archive or WORM storage, for a single discovery location.
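As an added illustration (not code from the paper or from any Actiance product), the following Python combines the controls described under Monitor Content, Log All Content and Archive: posts containing the paper’s example trigger words (“APR”, “yield”) are blocked, a public mention of a member account is routed to a compliance reviewer, and every post is written as an archive record that carries the corporate identity and the surrounding conversation. The member-mention rule, the handle-to-employee map and the sample handles are assumptions made for the example.

```python
import json
import re
from dataclasses import dataclass, field

# Trigger terms are the white paper's own examples ("APR", "yield").
TRIGGER_TERMS = ("APR", "yield")
# Public mention of an account: constructed rule for the confidentiality example.
MENTION_RE = re.compile(r"@\w+")
# Hypothetical corporate identity map: social handle -> employee record id.
IDENTITY_MAP = {"@cu_jane": "emp-0421"}


@dataclass
class Decision:
    action: str                                # "block", "review" or "allow"
    reasons: list = field(default_factory=list)


def evaluate_post(text: str) -> Decision:
    """Apply the two example controls to one outbound post."""
    # Whole-word, case-insensitive match so "April" does not trip "APR".
    hits = [t for t in TRIGGER_TERMS
            if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE)]
    if hits:  # advertising terms are blocked outright
        return Decision("block", [f"advertising term: {t}" for t in hits])
    if MENTION_RE.search(text):  # naming a member publicly goes to a reviewer
        return Decision("review", ["public mention of an account"])
    return Decision("allow")


def log_record(handle, platform, text, thread, decision, ts):
    """Archive record: corporate identity, the post itself, the surrounding
    conversation and the policy outcome, so context survives even if the
    platform or the post does not."""
    return {
        "timestamp": ts,
        "platform": platform,
        "handle": handle,
        "employee_id": IDENTITY_MAP.get(handle, "unmapped"),
        "text": text,
        "thread_context": list(thread),
        "action": decision.action,
        "reasons": list(decision.reasons),
    }


def archive_line(record) -> str:
    """One JSON line per post, suitable for appending to an email or WORM archive."""
    return json.dumps(record, sort_keys=True)
```

Feed each outbound post through `evaluate_post`, then append `archive_line(log_record(...))` to the archive regardless of the outcome, so blocked and reviewed posts are retained alongside the ones that were published.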

Summary

Some analysts believe that usage of social media will follow a trajectory similar to email and instant messaging: discouraged or even blocked by organizations at first, then approved for use by a few individuals, and eventually opened up to the majority of employees. The trajectory often changes as the organization identifies ways the new tool can make it more competitive or more efficient in conducting its business.

Credit unions looking to take advantage of social media now and to be prepared for future compliance must consider the regulations that are already in place to govern other forms of electronic communications. Additionally, as major financial regulatory bodies around the globe, such as FINRA and the FSA, begin to issue additional guidelines that specifically include social media, it is clear that it is only a matter of time before the NCUA clarifies its position.

For the majority of communications, that means securing, filtering, monitoring, and archiving each and every post - not always an easy task given that there are so many different social media and Web 2.0 applications with no native controls in the enterprise. However, so long as credit unions look to include the same controls they do over other electronic communication, such as email, and partner with the right vendors to put such controls in place, it needn’t be too onerous.

About Actiance, Inc.

Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM, and Cisco.

Socialite

Socialite is Actiance’s security, management, and compliance solution for Social Networks, providing granular control of Facebook, LinkedIn, and Twitter.

Socialite not only controls access to 150 different features across social networks, but can also moderate, manage, and archive any social media traffic routed through the solution, which can either be on-premise or hosted.

Socialite includes a number of key features for securely enabling the use of social networks, including:

• Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently

• Identity management: establishing a single corporate identity and tracking users across multiple social media platforms (e.g., @JohnJones on Twitter is the same as JohnHJones on LinkedIn)

• Activity control: managing access to features, such as who can read, like, comment upon, or access specific features

• Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter, where content is required to be reviewed by a corporate communications officer or other third party

• Granular application control: enabling access to Facebook but not to Facebook Chat or to downloading/installing any of the applications in the gaming category

• Conversation and content logging: capturing all posts, messages, and commentary in context, including export to an archiving platform of your choice for eDiscovery purposes