Enterprise 2.0, Policies and Compliance

Mike Gotta asked me to join him on a panel about the policy and compliance issues at the Enterprise 2.0 Conference in Boston. This was my fifth Enterprise 2.0 conference: 2007, 2008, 2009, 2009 San Francisco.

That the audience was interested in compliance and regulatory issues is an indication of the industry maturing.

“Policy formation, governance and risk management programs are a critical requirement as organizations assess implications to the enterprise (e.g., identity assurance, data loss, compliance, e-Discovery, security), arising from internal and external use of social networking and social media. This panel of social media and Enterprise 2.0 practitioners will discuss real-life approaches that address management concerns.”

The panel consisted of:

  • Mike Gotta, Principal Analyst, Gartner
  • Bruce Galinsky, IT Director, Global Insurance Company
  • Abha Kumar, Principal, Information Technology, Vanguard
  • Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners LLC
  • Alice Wang, Director, Gartner Inc.

I took the opportunity in my introduction to set the stage for the view of most compliance and in-house lawyers:

“I’m the “NO” guy in your organization and most likely the person to bring your enterprise 2.0 or web 2.0 project to a grinding halt. People in my position do not want to hear about being social. I don’t care what you had for lunch or what your kids did last night. I don’t want to endanger the multi-million dollar value of this company so that you can play with Facebook inside the office. Now get out of my office before I sic my flying monkeys on you.”

We were unsure when planning the session whether the audience would be interested in issues related to external or internal policies. Overwhelmingly, the audience voted for a focus on internal.

One of the initial questions was whether you even need a policy. We were largely in agreement that you may not need a new separate policy. However, I pointed out, your compliance/legal department is going to want one.

Largely, the risks with enterprise 2.0 are not new risks. The big difference is that the bad stuff is now findable. Most evangelists proclaim the benefit of finding the good stuff you need to do your job better and to encourage innovation. The downside is exposing the bad stuff and opening the enterprise up to liability.

We eventually got to the point in the discussion about whether you let personal-issue communities form internally. Should you allow an employee to set up a wiki or discussion forum on religious, race or political issues? Generally it will take some action to create a new community on the enterprise 2.0 platform. Undoubtedly, there will be some need to control the creation of communities and therefore a need for a policy.

There was some discussion about content, control of the content and fixing mistakes. Personally, I have less concern about that. You need to encourage the team to keep the information current and correct. If someone is operating with the wrong information it is better you know about it and can fix the problem. The alternative is not knowing about the problem because it lives in an email silo, allowing the bad information to continue uncorrected.

When trying to draft a policy it is very useful to look to external policies for ideas and approaches. My social media policies database is a good place to start looking for precedents.  The public web 2.0 industry is well ahead of the slower enterprise 2.0 industry.

Some other issues:

  • FTC and the disclosure of “Material Connection”  (see FTC and Bloggers.)
  • EU Data Privacy
  • Records Management
  • Discovery and Lawsuits
  • First Amendment
  • Human Resources Issues
    • Labor relations
    • Recommendations
    • Overtime
    • Retiree and alumni involvement
  • Hiring Discrimination
  • Off-Duty activities
  • Company IP, logos and trademarks
  • Monitoring – if you have a policy you need to enforce it.

Each company has a different set of issues they are worried about. Each company also has a unique corporate culture. So there is no right way to draft a policy. You really need to pick and choose, finding the different elements that will work in your enterprise.

Analysts on SharePoint 2010

Enterprise 2.0

I’m attending the Enterprise 2.0 Conference in San Francisco. I’m sharing my notes from this session.

  • e2 Moderator – Irwin Lazar, Vice President, Communications Research, Nemertes Research
  • Christian Finn, Director of SharePoint Product Management, Microsoft
  • Mike Gotta, Principal Analyst, Burton Group
  • Rob Koplowitz, Principal Analyst, Forrester Research

SharePoint is a platform. The move from the 2003 version to the 2007 solidified the treatment as a platform. It is also getting better integrated with the rest of the Microsoft development framework.

SharePoint does require a big overall strategy. It’s not a lightweight deployment. But lots of grass-roots deployments of Enterprise 2.0 tools cause lots of governance, privacy and control issues. SharePoint helped manage those issues. But the 2007 version was flawed and caused its own set of problems.

SharePoint 2010 requires top-level decisions and policies before the grass-roots content creation can begin. It’s tough to start small. Maybe the cloud version/SaaS model is better. It’s more agile.

Christian, after sitting quietly, pointed out that software is both a platform and an application. People need to be able to use it right out of the box. He admits that SharePoint will not move as fast, but that means the platform is more stable. They are open as a platform, welcoming third-party add-ons to bring additional functionality.

The panelists agreed that SharePoint did a great job of focusing on things like records management. But SharePoint, with its 3 to 4 year development cycle, will always be behind the market. Christian points out that 3 years is the typical adoption cycle for software.

Social Media: Policy Formation & Risk Management

Enterprise 2.0 San Francisco 2009

Today, I am in San Francisco at the Enterprise 2.0 Conference at the Moscone Center, speaking on a panel about social media policies.

I gave a presentation on Cloud Computing at the 2009 version of the Conference in Boston: Evening in the Cloud and Compliance and a presentation on blogging at the 2008 version of the Enterprise 2.0 Conference in Boston: What Blogging Brings to Business.

I was happy to hear that the conference was still interested in having me, even though I have been moving away from the Enterprise 2.0 space.

Here is the session description for today’s panel presentation:

Policy formation, risk management, media relations, and governance programs become a critical requirement as organizations assess implications to the enterprise arising from employee participation in social networking sites and use of media. Issues related to security, confidentiality, intellectual property, data loss protection, brand image, compliance, and human resources (i.e., ethics/conduct) are critical to address before problems arise.

  • e2 Moderator – Mike Gotta, Principal Analyst, Burton Group
  • Speaker – Christopher Burgess, Senior Security Advisor, Cisco
  • Speaker – Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners (that’s me)
  • Speaker – Scott Mark, Enterprise Application Architect, Medtronic

First up, we plan to ask the audience whether they are interested in policy issues for internal deployments (Enterprise 2.0) or issues related to public uses (Web 2.0). The session description is broad enough that attendees may be expecting either. As it happens, most of the same issues are present in Enterprise 2.0 and Web 2.0. The conference itself has been including both, since many of the innovations are coming from the public web 2.0 side, ahead of the enterprise side.

Rather than put the audience to sleep with a bunch of PowerPoint presentations, we are planning a discussion of the issues. Since I needed to organize my talking points, I figured I would make them into a blog post so that I could find them.

Having a Social Media Policy

From my perspective, the first thing a company needs to decide is what stance to take on the use of these tools: Pro, Con, or Neutral. Few companies are ready to fully embrace 2.0 tools.

Regardless of the stance, it is important to have a policy for social media tools. Blocking access, by itself, is not a policy. It is easy to access the sites from a mobile device or home computer. Blocking access on the office network is just an annoyance.

The policy can also act as an educational tool for the employees of the company.

Security, Confidentiality, Data Loss Protection

These concerns are true for any communication media or portable storage.  Enterprise 2.0 and Web 2.0 do not pose unique challenges for these issues.

The difference is the main benefit you’ll hear at the Enterprise 2.0 conference; these tools make things more findable. Before Google, it was hard to find things on the WWW. Google changed that, making web content easier to find. Most Enterprise 2.0 platforms exploit some of the same things that make content findable. Remember that it’s not just the bad things that are findable. These tools also make the good things findable.

The importance of good policies and education is to make the good things vastly outnumber the bad things.

Off-Duty Activities

What is personal? What is work? What is your time? What is the office’s time? Those are issues that most companies are wrestling with as the economy moves to more of a 24 hour economy. Regardless, an employer will have a hard time disciplining an employee for things they do “off-the-clock.” Here are some specific state laws on the topic.

Colorado – Colo. Rev. Stat. § 24-34-402.5: In Colorado, it is an unfair employment practice to fire employees for engaging in lawful activities that take place off the employer’s premises during nonworking hours unless (a) the activities engaged in relate to a bona fide occupational requirement or is reasonably and rationally related to the employment activities and responsibilities of a particular employee or a particular group of employees, rather than to all employees of the employer; or (b) the activities engaged in create a conflict of interest with any responsibilities to the employer or the appearance of such a conflict of interest.

New York – N.Y. Lab. Law § 201-d(2)(c): Employers in New York cannot take any adverse action against an employee on account of that employee’s engagement in legal recreational activities if the employee engages in the activities outside of working hours, off of the employer’s premises, without using the employer’s property.

North Dakota – N.D. Cent. Code § 14-02.4-03: Employers may not take adverse action against an employee or applicant on account of the employee’s or applicant’s “participation in lawful activity off the employer’s premises during nonworking hours which is not in direct conflict with the essential business-related interests of the employer.”

Overtime

If hourly employees are using these tools off hours for the benefit of the company, there is a potential wage claim.

Data Privacy

The European data privacy laws need to be considered as part of a Web 2.0 or an Enterprise 2.0 deployment. These data privacy laws regulate the collection of personal information and the transmission of the personal information to another country.

In the US we think of data privacy as social security numbers and financial account information. Medical information has also fallen into that category. But the European view of personal data is as much about your religious and ethnic information as it is about those other categories of information.

A deployment as simple as publishing an internal photobook of personnel would violate the European data privacy laws.

First Amendment

The First Amendment protects citizens from government censorship. First Amendment rights will apply if you work for the government. Otherwise, employees are generally free to exercise their First Amendment rights as ex-employees.

Internally, it is best to avoid religious and political discussions. (Unless your organization is a religious or political organization.)

Labor Relations and Union Organizing Activity

While employers are permitted to lay out policies as to what employees may blog about in relation to work, employers cannot implement policies that have the effect of chilling an employee’s exercise of his or her Section 7 rights under the National Labor Relations Act, nor can employers discipline employees for blogging about “wages, hours, or terms or conditions of employment,” such as the company’s pay scale or vacation policy. See Timekeeping Sys., Inc., 323 N.L.R.B. 244 (1997).

Additionally, outright bans on blogging about the employer will likely be viewed as an unreasonable impediment to self-organization in violation of the NLRA. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), cert. denied, 537 U.S. 1193 (2003) (In this case, the court found that blogging that involved an employee attacking his company’s management and president online may trigger “concerted activity” provisions under federal labor laws.).

Anonymity

Although staying anonymous (or using a pseudonym) sounds like a good way to keep out of trouble, it’s hard to stay anonymous on the internet for long if someone wants to find you.

Internally, there is little need to be anonymous. I have heard examples of feedback tools that preserve anonymity.

One example of the issues that come from anonymity/pseudonyms is the Cisco Patent Troll Tracker blog case.

Identifying Your Employer and Use of Company Name or Company Logo

Once you identify yourself as an employee of the company, what you publish will be associated with the company.

One should also consider what happens to Web 2.0/Enterprise 2.0 content when an employee leaves. Internal is easier to deal with since the employee has left. It is easy enough to keep the content published and the user id showing that the person left the company.

With Web 2.0, there are more issues to consider. Can the employee take a blog with them? If it is on their domain, the company will have a hard time stopping them from taking it with them. If the blog is on a company domain or subdomain, it’s probably going to stay with the company.

Productivity Drain

There are some legitimate concerns that employee productivity will be diminished when they are allowed to use web 2.0 tools or Enterprise 2.0 tools are deployed internally. You need to be prepared to address these concerns.

Recommendations

A true recommendation is generally a good thing. There are specific regulatory limitations for lawyers and registered investment advisers using public recommendations.

If a supervisor gives an employee a good recommendation on LinkedIn, it will be hard to later discharge the employee for poor performance.

Criticizing the Company

Some criticism can be considered whistle-blowing and be subject to legal protections. If the employee’s negative comments concern the employee’s reasonably held belief that the company is engaging in illegal activity, the employee may also be protected under whistleblower protection laws.

Monitoring and Discipline

One of the key reasons for adopting a policy is to discipline for bad behavior. The policy sets the behavior standard. Employees are expected to live up to that standard.

The other use of the policy is for education. The better purpose for a policy is to prevent the person from partaking in the bad behavior at the outset.

Using E 2.0 tools to Draft

One thing I encourage is to use the enterprise 2.0 tools to help draft the policy. Put a draft policy up on a blog for comment.

Examples of Social Media Policies

Here are some good examples in helping to draft your own policy:

Further Reading on Social Media Policies

Some more reading for you:

Doug’s Collection of Social Media Policies and Articles:
http://delicious.com/dougcornelius/blogging_policy

Join Me at Enterprise 2.0

Enterprise 2.0 SF

On November 4, I will be out in San Francisco at the West Coast Enterprise 2.0 Conference on this panel:

Social Media: Policy Formation and Risk Management

Policy formation, risk management, media relations, and governance programs become a critical requirement as organizations assess implications to the enterprise arising from employee participation in social networking sites and use of media. Issues related to security, confidentiality, intellectual property, data loss protection, brand image, compliance, and human resources (i.e., ethics/conduct) are critical to address before problems arise. In this panel session, Principal Analyst Mike Gotta of Burton Group will moderate a discussion with practitioners involved in social media strategies.

I will be on a panel with these folks:

  • Mike Gotta of Burton Group
  • Christopher Burgess, Cisco – Senior Security Advisor
  • Scott Mark, Medtronic – Enterprise Application Architect