risk register social media

Upload: alanchan90

Post on 02-Jun-2018


  • 8/11/2019 Risk Register Social Media


    focus on: April 2011

    Part I: Overview

    What Is Social Media and Why Should Your Company Care?

    In less than a decade, social media, in many ways, seems to have taken over the world.

    This statement is not hyperbole. As one of the largest social networking sites in the social media universe, Facebook boasted more than 750 million people actively using its service. 1 If it hasn't already, Facebook will soon grow twice as large as the population of the United States, which currently hovers at 311 million. 2

    Even so, the vast majority of companies did not immediately join the social media revolution. Instead, they spent varying amounts of time observing from the sidelines. But when the first wave of companies did join, it was because they anticipated the significant business benefits of this brave new world -- where the personal, the professional, and the commercial combine seamlessly, and in the blink of an eye.

    Many others, however, remained unconvinced -- often because of a lack of information and an unclear understanding of how social media could be beneficial. "What is this social media thing all about?" they wanted to know. "And why should my company care?"

    Unlike traditional media, which offers a one-way experience (in which media outlets broadcast information for public consumption), social media offers a two-way interactive experience. Consumers of social media, unlike consumers of traditional media, can interact instantly and directly with either the originators or the authors of the proffered information. They can interact with each other, too. The interaction and cross-communication that social media makes possible is precisely what makes social media so world-changing.

    As with any new technology, there is a downside. Social media also creates a whole new world of privacy, security, intellectual property, employment practices, and other legal risks, to name just a few (in Part III of this paper, we will review each risk). But the opportunity to interact with anyone, anywhere, anytime is too world-changing to ignore. It has altered the traditional media expectation of consumers listening passively to radio and television broadcasts, or reading newspapers and magazines, with no hope of an immediate interaction (and no way, certainly, for customers to converse with companies). With social media, all that changed. Individuals and groups suddenly have a radical new ability to voice opinions through this new media, a channel never before available. Using social media, everyone can become a commenter, editor, content creator, producer, and distributor.

    Not only that, but the entire world has become accessible in ways that are disorienting for traditional media and those accustomed to its cultural hierarchy. Consider the popular social networking site, Twitter. This platform allows anyone with an account to post short messages. To tailor the onslaught of messages being broadcast from the Twitter-sphere of 200 million current Twitter subscribers, users can create lists of those they wish to follow so they only receive Twitter feeds from those they select. 3

    With Twitter, anyone can send a short message of 140 characters -- called a tweet -- about any topic, including the famous and the infamous, the holy and the ethically challenged. Anyone, for instance, can tweet about President Barack Obama and Lady Gaga, or the Dalai Lama and -- well, you get the idea. Twitter is just one of the components in a social media portfolio. England's Queen Elizabeth II, already with a Twitter account, added a Facebook page last year to complement her YouTube channel, Flickr account, and website.

    Social Media: The Business Benefits May Be Enormous, But Can the Risks -- Reputational, Legal, Operational -- Be Mitigated?

    Toby Merrill, Kenneth Latham, Richard Santalesa, David Navetta


    Perhaps most surprising, social media has been an enabler of grassroots revolution in countries where such an event seemed impossible. As a case in point, look at the impact of social media on the governments of Colombia, Egypt, Indonesia, Iran, Libya and Tunisia, to name but a handful. In summing up this trend, author David Kirkpatrick in his book, The Facebook Effect, observed that the large scale broadcast of information was formerly the province of electronic media -- radio and television. But the Facebook Effect -- in cases like Colombia or Iran -- means ordinary individuals are initiating the broadcast. You don't have to know anything special or have any particular skills. 4

    The social media universe encompasses a much broader array of interactions than those that occur on popular and familiar social networking sites like Twitter and Facebook. Social media actually refers to a growing galaxy of sites that includes: personal and business blogs, news sites with interactive or comment features, group forums, wikis, social and business networking sites, online community sites, social bookmarking sites, microblogging sites, and gaming as well as virtual world sites. (See the Glossary of Social Media Terms on page 10 for brief definitions of these and related terms that appear in this paper.) Social media embraces a cyber-universe of websites that promise to expand -- virtually -- forever. (One example: according to WhiteboardAdvisors.com, by the end of 2010, there were 152 million blogs 5 on the Internet.)

    In short, like earlier methods of communication that seemed new and a little strange when they first appeared, social media, writes Facebook Effect author Kirkpatrick, "...is a new form of communication, just as was instant messaging, email, the telephone, and the telegraph." 6

    Part II: How Can Social Media Benefit Business?

    "The exponential growth of social media, from blogs, Facebook and Twitter to LinkedIn and YouTube, offers organizations the chance to join a conversation with millions of customers around the globe every day." 7

    Harvard Business Review, The New Conversation: Taking Social Media from Talk to Action

    The key word in the quote above is conversation, since attracting customers by creating a social network is entirely different than broadcasting ads, or employing marketing strategies to convert targeted groups of consumers into customers. Creating online conversations also requires a whole new approach and skill set. Social networking sites encourage businesses to change their traditional marketing strategies and focus on talking with -- not at -- prospects and clients, with the goal of developing and deepening the relationship between the company and customer. But what's the business benefit of that deepened relationship?

    When prospects grow to know, like, and trust a company, through interacting with their representatives on social networking sites, they are much more likely to do business with that company. "It is well-established that people feel more connected with a company when they have direct communication on an ongoing basis and opportunities to express their opinions," commented Lisa Brown, in an article about the use of social media risks in business. 8 Indeed, social networking conversations create a level of immediacy and a kind of public intimacy that is impossible with traditional marketing. And since most large or medium-size companies are perceived by the public as relatively faceless, social networking gives companies the opportunity to present a human face in the form of a social media spokesperson -- an individual who can nurture person-to-person conversations, which builds trust in the company's authenticity as well as its professionalism.

    But there is something else that social networking sites offer a business that no other form of public interface does: the ability to monitor public perception of its brand, products, and services in real time. As an accompanying result, companies also have the opportunity as well as the responsibility to provide a quick and effective response, if a negative perception goes viral through social media's worldwide interconnected platforms.

    Reputation monitoring and repair aside, there are multiple strategies companies can use with social networking sites. As cited in The Harvard Business Review, a large U.S. construction materials company employs a variety of social networking platforms in order to accomplish a handful of business-supporting aims. According to the report, the company uses Twitter to get news in front of reporters; LinkedIn is where company salespeople post scholarly articles to share with each other and their customers; their Facebook page focuses on the company's social responsibility efforts, while the company blog is more of an exchange with customers. 9

    As comprehensive as that may sound, it is in reality just one aspect of how a business can harness the power of social media. Several additional popular strategies companies employ include 10:

    • Branded Fan Pages on Social Networking Sites (to establish a social media presence on Facebook, Twitter, YouTube, and Flickr)

    • Quick Online Response to Rumors and Negative Perceptions (social media is ideal for countering negative viral news about a company)

    • Information Disclosure -- Public Broadcast (social media is an effective way to reach large numbers of people, whether they are actual or potential customers, shareholders, or investors; the U.S. Securities and Exchange Commission (SEC) has been moving in this direction for disclosure of required and public information disclosures)

    • Employment Practices (human resources departments increasingly make use of social media -- particularly LinkedIn and Facebook -- to gather information when making hiring and promotion decisions)

    • Customer Service and Feedback (companies set up blogs to communicate product development information and gather comments from consumers; companies also use Twitter for customer service and feedback: for instance, Best Buy's Twelpforce Twitter account 11)

    • Promotions and Contests (encourage site members to engage with a company's products or services)

    • User-Generated Content Promotions (companies also engage customers on social media platforms by encouraging them, with prize incentives, to write about why they like a particular product; caution must be used with such promotions, however, as Federal Trade Commission (FTC) guidelines regarding paid endorsements can lead to legal liability without full public disclosure)

    • Word-of-Mouth Marketing via Blogs (companies provide their products to popular bloggers with big reader audiences, hoping for a favorable review; but a number of risks have developed in this area, including FTC disclosure requirements, as in the strategy above)

    These diverse forms of social networking may cover a lot of business bases. But how do they translate into business benefits?

    For the most part, the business benefit of social media is indirect, in much the same fashion that public relations is, although some companies can point to a measurable relationship between their social networking efforts and sales. If we look at the social networking strategies of a national chain of coffee shops (a well-known chain with 5.4 million fans on Facebook, 4,800 subscribers to the company's YouTube channel, 4,880 members on Flickr with 15,900 photos, and more than 700,000 followers on Twitter) 12, we see that their overall business benefit comes in the form of customer identification with the company and its products. Identification is critical: from it grows online interaction, and from online interaction grows customer loyalty. Being able to claim more than five million loyal customers is a bankable social media benefit.


    Part III: What Are the Reputational, Legal and Operational Risks of Social Media Participation?

    "Social media has changed how people communicate and interact, how marketers sell products, how governments reach out to citizens, [how universities recruit students], even how companies operate. It is altering the character of political activism, and in some countries it is starting to affect the processes of democracy itself." 13

    David Kirkpatrick, The Facebook Effect

    As mentioned earlier, social media makes a whole new world of privacy, security, intellectual property, employment practices, and other legal risks possible. It is important to understand the considerable downside that exists hand-in-hand with the remarkable upside of using social media for a variety of business aims, which can occur in three major areas of risk: reputational, legal, and operational.

    Reputational

    The reputational risks of social media can easily equal or exceed the reputational benefits, for one simple reason. The vast reach of social media platforms -- on which millions, globally, communicate every second of every day and night -- offers not only a vast frontier of promotional opportunity, but a vast uncharted sinkhole of risk.

    In April 2009, two employees of a national pizza delivery chain made a prank video in which one of them tainted a sandwich, ostensibly intended for delivery to customers. When they posted their video on YouTube, it drew over a million viewers. Because of that extreme degree of interest, word of the video trended on Twitter, and within 48 hours, consumer perception of the pizza chain had pivoted 180 degrees -- from positive to negative.

    The company attempted to perform damage control by quickly launching its own Twitter account to counter rumors and answer questions, while its CEO took to YouTube to personally address the public's concerns. By that time, however, any online search for the pizza chain's name turned up references to the prank video story on the first page of search results -- a true PR nightmare.

    But there are less dramatic and drastic ways that employees can harm a company's image. General bad behavior by employees, or the posting of embarrassing information, has the potential to reflect poorly on the company (especially when that behavior is exhibited in a branded social media location, for example on a company's Fan page on Facebook). According to the Miami Daily Business Review, "Employees who disparage coworkers, management, clients, vendors or even the company itself, whether intentionally or not, can damage a company's reputation." 14 Ironically, as discussed below, employees who praise their company's products or services can unintentionally get their employer in hot water, too.

    Legal

    The legal risks associated with social media should be carefully considered prior to engaging in a social media strategy. The main risks include: employment, privacy, security, intellectual property and media risks. Business managers who want to implement a social media legal strategy should consult with inside and outside counsel who understand information technology law. While these legal risks can be significant, with forethought and planning, they can be managed. In this part of the paper, we will provide an overview of the key risks.

    The following are some common situations in which social media can be the occasion for legal action:

    Employment Risks:

    The practice of investigating potential and existing employees through social media is widespread. According to The Allentown Morning Call, Seventy percent of recruiters and hiring managers in the United States have rejected an applicant based on information they found online. In total, nearly one in five companies has disciplined or fired an employee for social media misdeeds. 15 Employers who hire outside vendors to investigate either an applicant's or an employee's social media activities and content may be required by law to get written consent from those individuals. The information collected from a social media site may constitute a consumer report under the Fair Credit Reporting Act (FCRA). If so, the employer seeking to acquire such information must, in some cases, obtain an individual's consent before the employer may acquire the consumer report (e.g., credit report) regarding that individual. In addition, the FCRA would require employers to provide information to individuals as to how they may dispute the accuracy of the report with the company that furnished the report. This requirement, however, applies only when the employer takes an adverse action based on the report (such as not hiring or promoting the person in question). In addition, a number of states, including Illinois, Oregon, Hawaii, and Washington, prohibit employers (with certain exceptions) from using consumer reports in the hiring and promotion processes. 16


    Impermissible discrimination in hiring based on social media research can subject a company to investigation by the EEOC, as well as possible action for alleged violations of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act, and many other federal and state statutes. 17

    Companies whose employees participate in conversations on social media platforms while using company computers may want to monitor their employees' social media communications. Such monitoring is not without its legal dangers, though, as an employer may then be subject to liability under the Stored Communications Act (part of the larger Electronic Communications Privacy Act), if an employer accesses the content of non-public communications not stored on the company's own server. In addition, if employees and/or managers engage in unprofessional exchanges online, that can lead to harassment claims against the company.

    Social media legal risks may also be present if an employer decides to fire employees based on their Facebook interactions with other employees in the organization. In one incident, where an employee was fired for negative comments about her supervisor posted on a Facebook page shared with other employees, the National Labor Relations Board (NLRB) said that the employer's action violated the National Labor Relations Act (NLRA). In the NLRB's view, the firing interfered with employee rights under the NLRA stipulation relating to union organizing -- which allows employees to discuss wages, hours, and working conditions with co-workers and others, while not at work. 18 In another case, an employee alleged that a company's social media policy restrictions on employee communications about the company (on such sites) was a violation of the NLRA. 19 The first case settled and the second complaint was resolved for an undisclosed amount, along with an agreement to revise the company's social media rules.

    Security Risks:

    Social media sites pose potentially increased security risks, and if a security breach arises from social media activities, the organization may face liability. Security breaches may occur because of malware downloaded onto an organization's website through the use of social media. This can happen when an employee downloads an application, or is a victim of phishing or click-jacking 20 on a social media site while using a company computer. If the organization's social media-related security policies, procedures, and technical safeguards are inadequate, it may be held liable for a breach arising from the surreptitiously acquired malware. In addition, social engineering within social media sites, as well as spoofed social media profiles or pages, provide other points of entry for attackers and pose more legal risks for organizations. A spoofed site is one where criminals have set up profiles or fan pages to look exactly like an organization's own page. If a customer or employee is tricked into providing company information, personal information, or sensitive information (such as usernames and passwords), it could pose legal liability risks to the organization whose profile or fan page was spoofed, or replicated in a fake version.

    Intellectual Property and Media Risks:

    PR News warns, "Make sure your social media team understands what they can and can't do with the intellectual property of others. If your employees post or re-post information [belonging to others] without permission, this can lead to infringement claims against your company." 21 It could also result in potential contractual breach claims, if the intellectual property belongs to an existing client. Companies may be held directly liable for hosting material on their website in circumstances where the safe harbor protections of the Digital Millennium Copyright Act may be unavailable -- or vicariously liable for employee actions on third-party sites that infringe the copyright, trademark, or other intellectual property rights of others.


    Furthermore, employee discussions on social media sites could disclose third-party trade secrets that the company is legally required to protect, and that can lead to misappropriation and other contractual and tort claims. Companies are generally legally responsible for any financial statements on social media sites made by them, or on their behalf, through the antifraud provisions of securities laws.

    As mentioned earlier, employees who praise or promote their organization's products and services may create legal liability. The FTC may regard positive statements by employees (when their relationship to the company has not been revealed) as improper advertising. For example, if an employee were to publish a fake positive review of its employer's products or services, or encourage others to do the same, it could violate section 255.5 of the FTC's Endorsement and Advertising Guidelines. 22

    Defamation Risks:

    Defamation is yet another common claim that may result from social media activities, and companies need to be aware that they face potential liability for defamatory statements made by their employees about competitors, and for defamatory statements made by the public on the companies' third-party social networking pages.

    Privacy Risks:

    Companies may have an obligation to protect the privacy of members of the public who join their social networking pages on third-party sites, or who provide personal information through social media sites -- just as they do, in many cases, when the public provides personal information on the company's own website. For example, not only do companies need to guard against violating the Children's Online Privacy Protection Act (COPPA), they need to conform to the privacy regulations and terms of use of those third-party sites. Facebook, for instance, has stringent guidelines surrounding company promotions on their site. 23 Finally, companies may run into legal trouble if their social media activities violate their own privacy policies.

    Lastly, there are several ways in which social media activity might compromise or leak sensitive company information (or client information) that could have legal consequences. These are: through crowdsourcing sites (the company posts a problem and asks for solutions from the public, with the unintended consequence that trade secrets are indirectly revealed); through inadvertently compiled client lists (a vice president's contacts on LinkedIn, say, could equate to a complete client list, visible by competitors); and through the inadvertent disclosure of competitive intelligence while discussing products, customers, and strategic decisions on various social networking sites. (Some businesses actively gather information about their competitors through social media sites, and analyze that information to gain a competitive advantage. If trade secrets or other proprietary information has been inadvertently revealed in this way, legal headaches could ensue.)

    Operational

    When employees access social media platforms at work -- even those employees who are designated as social media spokespersons for the organization -- they risk endangering the organization's networked computers by unknowingly acquiring malware, viruses, and spyware. Social networking sites, particularly Facebook and Twitter, are a favorite playground for those with bad intentions. Fraudsters coax unsuspecting users into downloading a free application that covertly delivers spyware, which then infiltrates the company's entire system of computers. These and social engineering scams -- in which fraudsters manipulate people into divulging information that either leads to more valuable information, or provides access to a company's computers for hacking purposes -- are common on social networking sites. A related concern, and one that additionally belongs in legal social media risks, occurs when a company's website and social media pages are spoofed by fraudsters. Visitors are tricked into downloading malware or divulging information, as a result, thinking they are dealing with the actual company. As mentioned above in the legal risk section, some may allege in a lawsuit that a company's failure to monitor for malware, social engineering scams, and spoofed sites in the social media realm -- and the company's failure to inform visitors as these are discovered -- is evidence of potential negligence, breach of contract, or statutory violations.


    According to the anti-virus software company, McAfee, "More than six out of 10 organizations have already suffered losses averaging $2 million, for a collective loss of more than $1.1 billion in security related incidents last year [2009]." 24 As a result, in McAfee's survey of more than 1,000 global business decision-makers in seventeen countries, half of those surveyed were concerned about the security of Web 2.0 applications such as social media, micro blogging [like Twitter], collaborative platforms, web mail, and content sharing tools. 25

    Finally, when non-executive (non-exempt) employees communicate during off-hours about work-related issues with supervisors -- either through email or social networking sites -- that activity can open a company to the so-called wage and hour disputes that have recently grown more common. Because non-exempt employees are paid to work certain hours, and their virtual work time is not counted nor compensated, it remains unsettled as to whether and how they should be compensated for that additional work.

    Part IV: How Can Organizations Mitigate the Social Media Risks They Inevitably Face?

    Odd though it may seem, companies that don't actively participate in social media -- to promote their business and build brand awareness -- still need to address the reputational, legal, and operational risks that social media can pose. Why? It's extremely likely that their employees are using social media tools, either at home or during business hours at work, regardless of whether it's employee- or company-owned equipment. In doing so, such employees may unwittingly put their employer at risk. Even non-participating companies, as a result, need to be proactive in creating social media guidelines or policies for their employees.

    Five Basic Steps for Addressing Your Company's Social Media Risks:

    1. Conduct a broad assessment of its general social media activities, looking for potential risks. Beyond that general assessment, whenever a social media campaign is contemplated, the organization needs to assess the particular risks of that campaign. Not only should the organization's contemplated campaign align with the culture of the organization and its current marketing strategy, but the risks should be weighed against the benefits -- with both being articulated as clearly as possible.

    2. Identify the key players who will be responsible for developing, executing, and monitoring its social media strategy. An active strategy will require a great deal of time and resources so it's important to decide which departments will foot the bill for staffing, technology, and other expenses. Also, identify a senior executive or employee with the political wherewithal who can make decisions very quickly and make time-sensitive decisions as necessary.

    3. Draft a simple but comprehensive social media policy or set of guidelines tuned to the company, its customers, and its industry (even if a company decides to grant official social media access solely to designated spokespersons, separate guidelines are still needed for employees using social media when they're not at work). This social media policy should be reviewed by the organization's human resources, legal, information technology, and communications departments. Also recommended is a review by an independent law firm.

    4. Formally address the risks of social media participation with company employees. Since employees actually pose the biggest risk to a company -- albeit, usually without meaning to -- it is essential to provide regular educational training programs regarding the dangers of damaging the company (reputationally, legally, or operationally) by using social media on the job, or on their own time.

    5. Create a social media agreement that employees review and sign annually (as a condition of continued employment, and as part of their employment contract). Such an agreement should be updated annually -- or more often, as warranted -- to address changes in social media that may impact business in new ways.

    Regardless of whether an organization decides to implement an active social media strategy -- or not -- it must clearly outline how employees are allowed to access social media sites (if they are allowed) and under what guidelines.


    Here are a few approaches companies have taken:

    1. No Employee Has Access at Work: When the company policy is that no employee will have access at work, it is important that training, guidelines, and agreements educate employees about the reason for the no-access policy, while at the same time outlining the company's at-home social media use concerns, and what is required of employees as a result.

    2. Designated Individuals Have Access for Work: When designated individuals within the company have been granted social media access for work -- usually for formally approved functions and under specific business guidelines -- more formal education should be provided (similar to training for employees expected to act as media spokespersons for the company). This may also require that all content posted on behalf of the company be cleared through the organization's legal and communications departments.

    3. Employees Only Have Access to Specific Sites: When employees are allowed to access LinkedIn, for instance, in order to further the company's business aims, but are prohibited from accessing other sites -- like Facebook and Twitter -- social media education and training are crucial. Employees also need to know what they can and cannot do on the allowed site, as well as what the penalties are for migrating to prohibited sites.

    4. All Employees Have Total Access at Work: When all employees have total at-work social media access, the same issues need to be clarified and employees need to know when and how long they will be permitted to use social media at work. They need to be instructed on the comments and content they provide as a representative of their employer. They also need to know that their compliance with the company's written social media policy will be monitored and enforced. Formal education and regular confirmation and acknowledgment of the social media policy is critical to success in this regard.

    Here are a few areas that social media education for employees as well as managers should address, in order to mitigate reputational, legal, and operational risks:

    • When employees post on their personal blogs, or elsewhere online, they must provide a suitable disclaimer that their opinion on a particular subject does not reflect the views of their employer.

    • When communicating a positive opinion about the company or its products, employees must disclose that they are employees; if they post anonymously, the FTC could launch an investigation against the company, generally in response to a complaint.

    • When responding to questions and comments about the company or its products on social media platforms, employees must not post in a way that would lead others to reasonably believe they are doing so on behalf of the company (unless as a designated spokesperson -- in which case all content should be cleared by the company's legal department).

    • Employees should assume that anything they post online is public information, even if their profile page is only open to their Facebook friends. In any case, they should refrain from posting anything online that is derogatory about the company, its products, clients, co-workers, or managers. In the same vein, they would be wise to refrain from the use of profanity, posting compromising photographs, and so forth. (Unfortunately, others may post compromising pictures of them without their knowledge, so it is wise to avoid allowing such photographs to be taken, or to request removal when they are.)

    • Employees should be particularly careful about sharing company information through social media; the wise choice is to simply not do it. Even if the information is not a trade secret, it's best to avoid sharing even trivial facts that are not otherwise expressly and publicly available, unless that employee is the designated social media spokesperson (who has detailed guidelines pertaining to that job and will have reviewed such content with the legal department).

    • Employees should be equally careful about protecting the information and privacy of the company's clients and customers (as well as its co-workers and managers).

    • When using social media, employees should carefully avoid a violation of the laws pertaining to human rights (including harassment), defamation, copyright or other intellectual property rights, securities, financial disclosure, and privacy rights.


    PART VI: Making Social Media Work for Your Company

    The business benefits of social media participation can be substantial, while the cost of non-participation, or opting out, may mean anything from losing business to losing touch with your customers and important trends in your industry. Of course, as we've outlined in this paper, there is also much to lose if your company does not respond proactively to the many risks posed by social media.

    To conclude, ensuring your company's social media safety is a matter of taking the following steps:

    • Analyze your company's unique social media safety needs, create detailed social media guidelines, and educate your employees about safeguarding your company when using social networking sites at work and at home.

    • Monitor the social media landscape, including your company's own sites as well as its third-party pages, for content that is negative, damaging, or that potentially infringes on intellectual property rights -- whether your own, or that of your competitors.

    • Be sure that you have adequate insurance coverage for your company's social media activities, and review the coverage parameters and amounts regularly. (Commercial general liability may not cover online content, and your company will need coverage not only for your own website, but for content you've placed anywhere on the Internet.)

    Once you've taken these steps to mitigate the considerable reputational, legal, and operational risks, your company will be in the best possible position to reap the enormous business benefits of social media participation.


    A Glossary of Social Media Terms:

    Crowdsourcing: Wikipedia, the online encyclopedia (http://www.Wikipedia.org), defines crowdsourcing as the act of outsourcing tasks, traditionally performed by an employee or contractor, to an undefined, large group of people or community (a crowd), through an open call.

    Microblogging: The traditional blog (or web log journal) features posts by its owner/author that are typically between 400 and 1000 words long, while the typical microblog entry or posting is much shorter -- often less than 20 words. The most frequented microblog platforms are Twitter and Facebook's status updates feature, but there are more than 111 such sites worldwide, according to Wikipedia.

    Social Bookmarking: Social bookmarking sites (for example Delicious, Digg, and Stumbleupon) allow Internet users to store, organize, and share links to web pages that are useful to them. These pages may relate to any number of user interests and are public -- so those who share the same interests can find these bookmarked sites as well.

    Social Engineering: Social engineering involves online manipulation in order to con unsuspecting people into revealing valuable information, or into performing an act that will allow fraudsters access to either computers or information. There are many types of social engineering scams, including phishing, pretexting, diversion theft, and baiting.

    Spoofed: This word refers to a victim of spoofing as someone who's been spoofed, or has fallen for the online scam of responding to a fake website as if it were the legitimate site it resembles. The spoof site is used to extract valuable information from visitors, such as passwords and user IDs. There are other forms of spoofing as well.

    Spyware: This is a type of covertly installed software (a form of malware) that typically infects home computers without the owner's knowledge, in order to surreptitiously gather information such as browsing habits. Spyware may also be used to change certain computer settings without the permission of the owner.

    Tweet: A short, 140-character message delivered on the microblogging platform, Twitter, by those who have set up a free account on the site.

    Twitter: The most famous microblogging site on the Internet, where people can tweet about the things that interest them, as well as retweet or tweet again the tweets of others. See: http://www.Twitter.com

    Wiki: This Hawaiian word for fast has come to mean a collaborative website that enables the creation of content by any number of interested people in an open environment. Examples are: Wikipedia, company intranets, and community sites.


    About the Authors:

    Toby Merrill is Vice President of ACE Professional Risk, where he serves as the national product manager of ACE's network security, privacy, technology and media liability products. With more than 14 years of insurance experience, he has worked with a number of Fortune 500 companies in reviewing crisis management plans, as well as seeing how well they actually work following a serious data breach. Prior to his tenure with ACE, Mr. Merrill was a Regional Professional Liability Specialist with Chubb Specialty Insurance. He began his career in the Information Technology department at Cozen & O'Connor in Philadelphia. Mr. Merrill has authored numerous articles on network risk management, and frequently serves as a speaker at industry trade conferences on cyber risk and network security topics. He is a graduate of Franklin & Marshall College in Lancaster, Pa., where he received a Bachelor of Arts degree in Business Administration.

    Kenneth Latham is Vice President of ACE Professional Risk, and product manager for Employment Liability and Fiduciary Insurance. He is responsible for the underwriting and loss prevention activities within the group and has more than 15 years of management liability insurance experience. Ken is a graduate of Pace University.

    Richard Santalesa is Senior Counsel in Information Law Group's east coast office, based in Fairfield, Connecticut and New York City, where he represents clients on electronic commerce and internet issues, software and content licensing, privacy, data security, outsourcing, website development transactions and other commercial arrangements involving intellectual property and technology-savvy companies. With over 20 years of technology experience, Richard registered his first domain name in 1994 and has authored articles and columns for numerous publications.

    David Navetta is a Founding Partner of the Information Law Group. David focuses on technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals. David has enjoyed a wide variety of legal experiences, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm. David currently serves as a Co-Chair of the American Bar Association's Information Security Committee, and is Co-Chair of the PCI Legal Risk and Liability Working Group.

    The ACE Group is a global leader in insurance and reinsurance, serving a diverse group of clients. Headed by ACE Limited, a component of the S&P 500 stock index, the ACE Group conducts its business on a worldwide basis with operating subsidiaries in more than 50 countries. Additional information can be found at www.acegroup.com.

    The opinions and positions expressed in this paper are the authors' own and not necessarily of any ACE company or Information Law Group. References to insurance policy contracts are general in nature. Insurance contracts have specific terms, conditions, and limitations that govern the rights and obligations of the parties and the scope of coverage in each case.

    2011 ACE Limited. All rights reserved. All trademarks and/or servicemarks contained herein are the property of their respective owners.
