Check: Are you ready for social media?

Social media brings opportunities and risks. Companies have to prepare and position themselves. This article summarizes a few key considerations from different angles for a checkup on your company’s social media readiness.

Open, public platforms come with a critical mass of users, content and functionality. If your competitors are already there, you may have to follow. If not, you may want to be first. Or, perhaps you may rule a platform out. If you adopt an open platform, you need to decide what purposes you allow employees to use it for; e.g., marketing, information gathering, communicating with certain communities. With respect to the intended use, the platform’s data processing practices must be compatible with your company’s privacy compliance program and contractual commitments to your customers and employees.

On closed, proprietary platforms, confidentiality and data security can be as strong as with respect to other outsourced information technology services; e.g

, corporate e-mail. You need to vet the platform vendor like any other data processing services provider with respect to data security. If the vendor meets your data security requirements, you may theoretically be able to use such platforms for most or all types of company communications. Closed tools tend to be useful, however, only for some forms of company-internal cooperation. The very fact that they are closed limits their usefulness in many other respects and renders them unsuitable for certain usage types; e.g

, advertising, product placement, etc. Thus, closed platforms are often not an alternative to open platforms.

Consider a mix of open and closed social media platforms for different purposes. Some companies additionally create customized platforms or at least customized applications or features for existing platforms. Then, establish clear rules and guidance on how your employees should and must not use particular social media platforms.

To protect your company’s intellectual property, review the platform providers’ services terms and technical realities carefully in advance. Confirm whether your company can own an account—or only individuals—and whether a leaving employee can, and can be compelled to, transfer accounts, connections, data, content and other intangibles upon termination of employment. You may also want to reach an explicit understanding and agreement with your employees regarding what will happen to social media accounts when employees leave.

Privacy on social media is a hotly debated and widely misunderstood concept. Providers have to disclose—and in some jurisdictions obtain consent regarding—their data processing practices for marketing purposes. But, the brunt of responsibility, risks and compliance obligations is on the users of social media platforms who upload information; i.e., you and I and our companies (Determann, “Social Media Privacy—12 Myths and Facts,”

, forthcoming 2012). Companies that let their employees use social media should check whether processes and documentation supporting the company’s data privacy law compliance program need an upgrade in the social media age. Privacy statements, employee notices, customer consent forms, acceptable use policies, monitoring protocols, anti-spam law compliance mechanisms—many processes and policies have been designed with particular technologies, communication patterns and user behavior in mind and will need different wording and examples to appropriately capture social media platforms. Providers of standard or customized proprietary social media platforms may have to be asked to sign up to the

,

or similar form contracts required by companies’ compliance programs. Companies have to conduct some level of due diligence on all service providers’ data processing and security practices, including social media platforms used by employees.

Employees need to be informed about your answer to the threshold question whether your company prescribes, prohibits or permits social media usage and which platforms to use for work-related purposes (Determann, “Social Media @ Work—Legal and Business Considerations for Global Companies,”

and

).

Policies about monitoring employees, networks and computers may have to be updated to specifically state if and how the employer monitors employees using social media. This is necessary to prevent U.S. employees from developing limited expectations of privacy, which could then restrict the employer’s ability to monitor and protect data security, trade secrets and compliance more generally. With respect to employees outside the United States, however, employers have to respect limitations under data protection and communications laws abroad (Determann/Sprague, “Intrusive Monitoring: Employment Privacy Expectations Are Reasonable in Europe, Destroyed in the United States,”

).

With respect to social media that companies encourage or require employees to use, employees should be informed that providing pictures and populating certain data fields is voluntary and potentially not recommended; e.g., due to concerns regarding possible age or racial discrimination.

Employees must protect trade secrets and personal data—on social media as much as elsewhere. With respect to social media, companies find a greater risk that through connections with company-internal and external persons and informal communications modes, employees tend to disclose information more lightly. Thus, reminders may be in order regarding what particular social media platforms may and must not be used for (Determann/Krüdewagen, “Policing Social Media Policies,”

).

Employees should generally not be allowed to anonymously endorse their company’s own products or criticize competitors.

If employees are permitted or expected to comment publicly on company affairs; e.g

, financial results, product defects, litigation, with disclosure of the company affiliation, employees traditionally have to undergo certain controls and legal review. Such requirements should be applied regardless of the publication forum. Ad hoc publicity on social media platforms can expose a company to liability as much as a formal filing with the SEC and should therefore be pre-reviewed just as carefully.

Companies need a process to prevent value associated with social media accounts to leave the company with employees who quit or are fired. Company-owned accounts should be transferred from departing employees as part of the exit interview. With respect to employee-owned accounts, the employer may be entitled to copies of some or all data in the account if adequate agreements with the employees are put in place, ideally in the new hire process.

Litigation holds and rules on communications with witnesses, defendants and jury members apply to communications and information on social media platforms as elsewhere. Company policies and employee notices may have to be updated to remind everyone involved.

If a company decides to issue a separate social media policy, it should include a reminder that employees are obligated to comply with laws and company policies also in the social media context, including rules against harassment, distribution of obscene or illegal content, defamation, etc.

Social media platforms provide a rich source of information that companies are interested in for purposes of selecting job candidates or investigating employee misconduct. But, companies should limit the information intake—or separate research staff and HR staff—to prevent setting themselves up for discrimination charges. Demanding social media account passwords from employees or candidates is also hardly advisable; it is in conflict with platform provider terms, with possible implications under the Computer Fraud and Abuse Act, and is about to be prohibited in a number of U.S. states.

If companies want to collect information from social media platforms or include information regarding social media presentations of candidates or employees in files or human resources information systems, they may be obligated to notify the candidates or employees under data protection laws in Europe and many other jurisdictions.

Information technology and security personnel should help develop guidance on how to deal with social media; e.g

, how to protect the company and its employees from new security threats and how to vet safe apps that employees are allowed to download to company devices. Also, new processes and technological solutions may be necessary with respect to employee monitoring, investigations and erasing data from retired devices.

Anti-spam laws apply also on social media platforms (Determann/Gates, “Rethinking Compliance Strategies: After EU, U.S., Other Countries, Canada Passes Anti-Spam Law,”

). Often, the platform operators impose additional restrictions on direct marketing. Marketing personnel has to be trained on applicable restrictions and practical compliance options—where available. On some social media platforms, it is impractical to scrub against opt-out lists or include unsubscribe verbiage in posts. Such platforms should probably not be used for direct marketing. Also of concern are European restrictions on cookies and social media plug-ins; information gathering practices involving “scraping” of social media sites contrary to the sites’ terms; manipulating competitors’ Wikipedia pages; promoting or administering contests or sweepstakes; ads directed at children; endorsements, reviews or testimonials without disclosure of company affiliation or financial connection, and anonymous product reviews by employees.

Compliance officers and in-house lawyers should determine what additional steps they should take to extend the company’s overall compliance program to cover social media-related risks. For example, companies in the pharma and healthcare sector should implement processes to ensure that they adequately address reports on adverse events relating to medicines or treatments, as well as promotion of off-label use that they may receive through social media channels.

In the United States and many other jurisdictions, employers must respect the right of employees to engage in concerted action; e.g

, discuss working conditions with co-workers. In many European jurisdictions, companies may have to consult with works councils or trade unions if they want to monitor employee conduct and performance via research on social media. Employees can assert rights under constitutional principles, which apply directly or indirectly in many countries and can protect an employee’s freedom to complain about working conditions or co-workers. Companies should periodically review their social media policies and communications to ensure that they are not violating laws protecting workers’ rights.

Technologies, communication patterns and social conventions develop rapidly and chaotically on new media. Most abuses and problems relating to social media platforms should not be blamed on the platform operators and do not result from employee mischief but rather by accident or due to lack of sophistication. Even more important than regulation is, therefore, ongoing training on how employees can and should use social media, in hands-on workshops, with information on how the platforms and technologies work, case studies on mishaps and “teachable moments,” role modeling, simulating real-life situations and special coaching for company spokespersons.

We finalized this checklist in mid-May. When IAPP publishes it, it will be outdated. Once a month, it will be time to add new points to social media checklists. So, check with your kids and friends what the latest and coolest social media application is and how you can best use it.