Social Media: Policy Formation & Risk Management

Enterprise 2.0 San Francisco 2009

Today, I am in San Francisco at the Enterprise 2.0 Conference at the Moscone Center, speaking on a panel about social media policies.

I gave a presentation on Cloud Computing at the 2009 version of the Conference in Boston: Evening in the Cloud and Compliance and a presentation on blogging at the 2008 version of the Enterprise 2.0 Conference in Boston: What Blogging Brings to Business.

I was happy to hear that the conference was still interested in having me, even though I have been moving away from the Enterprise 2.0 space.

Here is the session description for today’s panel presentation:

Policy formation, risk management, media relations, and governance programs become a critical requirement as organizations assess implications to the enterprise arising from employee participation in social networking sites and use of media. Issues related to security, confidentiality, intellectual property, data loss protection, brand image, compliance, and human resources (i.e., ethics/conduct) are critical to address before problems arise.

  • e2 Moderator – Mike Gotta, Principal Analyst, Burton Group
  • Speaker – Christopher Burgess, Senior Security Advisor, Cisco
  • Speaker – Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners (that’s me)
  • Speaker – Scott Mark, Enterprise Application Architect, Medtronic

First up, we plan to ask the audience whether they are interested in policy issues for internal deployments (Enterprise 2.0) or issues related to public uses (Web 2.0). The session description is broad enough that attendees may be expecting either. As it happens, most of the same issues are present in Enterprise 2.0 and Web 2.0. The conference itself has been including both, since many of the innovations are coming from the public Web 2.0 side, ahead of the enterprise side.

Rather than put the audience to sleep with a bunch of PowerPoint presentations, we are planning a discussion of the issues. Since I needed to organize my talking points, I figured I would make them into a blog post so that I could find them.

Having a Social Media Policy

From my perspective, the first thing a company needs to decide is what stance to take on the use of these tools: Pro, Con, or Neutral. Few companies are ready to fully embrace 2.0 tools.

Regardless of the stance, it is important to have a policy for social media tools. Blocking access, by itself, is not a policy. It is easy to access the sites from a mobile device or home computer. Blocking access on the office network is just an annoyance.

The policy can also act as an educational tool for the employees of the company.

Security, Confidentiality, Data Loss Protection

These concerns are true for any communication media or portable storage. Enterprise 2.0 and Web 2.0 do not pose unique challenges for these issues.

The difference is the main benefit you’ll hear at the Enterprise 2.0 conference: these tools make things more findable. Before Google, it was hard to find things on the WWW. Google changed that, making web content easier to find. Most Enterprise 2.0 platforms exploit some of the same things that make content findable. Remember that it’s not just the bad things that are findable. These tools also make the good things findable.

The importance of good policies and education is to make the good things vastly outnumber the bad things.

Off-Duty Activities

What is personal? What is work? What is your time? What is the office’s time? Those are issues that most companies are wrestling with as the economy moves to more of a 24-hour economy. Regardless, an employer will have a hard time disciplining an employee for things they do “off-the-clock.” Here are some specific state laws on the topic.

Colorado – Colo. Rev. Stat. § 24-34-402.5: In Colorado, it is an unfair employment practice to fire employees for engaging in lawful activities that take place off the employer’s premises during nonworking hours unless (a) the activities engaged in relate to a bona fide occupational requirement or are reasonably and rationally related to the employment activities and responsibilities of a particular employee or a particular group of employees, rather than to all employees of the employer; or (b) the activities engaged in create a conflict of interest with any responsibilities to the employer or the appearance of such a conflict of interest.

New York – N.Y. Lab. Law § 201-d(2)(c): Employers in New York cannot take any adverse action against an employee on account of that employee’s engagement in legal recreational activities if the employee engages in the activities outside of working hours, off of the employer’s premises, without using the employer’s property.

North Dakota – N.D. Cent. Code § 14-02.4-03: Employers may not take adverse action against an employee or applicant on account of the employee’s or applicant’s “participation in lawful activity off the employer’s premises during nonworking hours which is not in direct conflict with the essential business-related interests of the employer.”


If hourly employees are using these tools off hours for the benefit of the company, there is a potential wage claim.

Data Privacy

The European data privacy laws need to be considered as part of a Web 2.0 or an Enterprise 2.0 deployment. These data privacy laws regulate the collection of personal information and the transmission of the personal information to another country.

In the US we think of data privacy as social security numbers and financial account information. Medical information has also fallen into that category. But the European view of personal data is as much about your religious and ethnic information as it is about those other categories of information.

A deployment as simple as publishing an internal photobook of personnel would violate the European data privacy laws.

First Amendment

The First Amendment protects citizens from government censorship. First Amendment rights will apply if you work for the government. Otherwise, employees are generally free to exercise their First Amendment rights as ex-employees.

Internally, it is best to avoid religious and political discussions. (Unless your organization is a religious or political organization.)

Labor Relations and Union Organizing Activity

While employers are permitted to lay out policies as to what employees may blog about in relation to work, employers cannot implement policies that have the effect of chilling an employee’s exercise of his or her Section 7 rights under the National Labor Relations Act, nor can employers discipline employees for blogging about “wages, hours, or terms or conditions of employment,” such as the company’s pay scale or vacation policy. See Timekeeping Sys., Inc., 323 N.L.R.B. 244 (1997).

Additionally, outright bans on blogging about the employer will likely be viewed as an unreasonable impediment to self-organization in violation of the NLRA. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), cert. denied, 537 U.S. 1193 (2003) (In this case, the court found that blogging that involved an employee attacking his company’s management and president online may trigger “concerted activity” provisions under federal labor laws.).


Although staying anonymous (or using a pseudonym) sounds like a good way to keep out of trouble, it’s hard to stay anonymous on the internet for long if someone wants to find you.

Internally, there is little need to be anonymous. I have heard examples of feedback tools that preserve anonymity.

One example of the issues that come from anonymity and pseudonyms is the Cisco Patent Troll Tracker blog case.

Identifying Your Employer and Use of Company Name or Company Logo

Once you identify yourself as an employee of the company, what you publish will be associated with the company.

One should also consider what happens to Web 2.0/Enterprise 2.0 content when an employee leaves. Internal content is easier to deal with since the employee has left. It is easy enough to keep the content published, with the user ID showing that the person left the company.

With Web 2.0, there are more issues to consider. Can the employee take a blog with them? If it is on their domain, the company will have a hard time stopping them from taking it with them. If the blog is on a company domain or subdomain, it’s probably going to stay with the company.

Productivity Drain

There are some legitimate concerns that employee productivity will be diminished when employees are allowed to use Web 2.0 tools or when Enterprise 2.0 tools are deployed internally. You need to be prepared to address these concerns.


A true recommendation is generally a good thing. There are specific regulatory limitations for lawyers and registered investment advisers using public recommendations.

If a supervisor gives an employee a good recommendation on LinkedIn, it will be hard to later discharge the employee for poor performance.

Criticizing the Company

Some criticism can be considered whistle-blowing and be subject to legal protections. If the employee’s negative comments concern the employee’s reasonably held belief that the company is engaging in illegal activity, the employee may also be protected under whistleblower protection laws.

Monitoring and Discipline

One of the key reasons for adopting a policy is to discipline for bad behavior. The policy sets the behavior standard. Employees are expected to live up to that standard.

The other use of the policy is for education. The better purpose for a policy is to prevent the person from partaking in the bad behavior at the outset.

Using E 2.0 tools to Draft

One thing I encourage is to use the Enterprise 2.0 tools to help draft the policy. Put a draft policy up on a blog for comment.

Examples of Social Media Policies

Here are some good examples to help you draft your own policy:

Further Reading on Social Media Policies

Some more reading for you:

Doug’s Collection of Social Media Policies and Articles: