Saving Your Company From a Social Media Nightmare

Facebook has more than 1 billion users worldwide. Twitter processes more than 340 million tweets per day. What is the liability for your company? Are you liable for postings made from employees’ own devices? Can you legally access your employees’ social media sites or base hiring and firing decisions on them?

“Social Media in the Workplace: Litigation Risks and Insurance Coverage” — a RIMS 2013 session — covered these critical issues. Presenting on the topic were:

  • Karen Bachman, director, risk management and privacy for Shire Pharmaceuticals
  • Max Perkins, underwriter, specialty lines for Beazley Group
  • Joann Lytle, partner, McCarter & English, LLP
What is social media? According to Merriam-Webster, it’s:

Forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content (as videos)

“It’s basically what we have done for years in terms of networking and interfacing but it’s now in an electronic format that moves at the speed of sound and speed of light,” said Perkins. “It can be scary at times but can also be used to your benefit.”

By now, most of us are aware of the reasons why companies use social media, including:
  • marketing
  • customer service
  • market research
  • hiring

But what are the concerns?

  • Privacy: “What if someone makes a mistake and mentions a patient’s health history?” asked Perkins. “How is your HR team using social media? Are they able to do that legally?”
  • The speed and ease of communication lead people to make impulsive, ill-considered comments
  • Permanent record

But, as the speakers pointed out, there are resources available to organizations that wish to manage the risks of social media. They can:

  • Draft a social media use policy
  • Require employee training
  • Monitor social media use
  • Purchase insurance: “It’s not all there right now, it’s still developing,” said Perkins.
Joann Lytle used an interesting, real-world example. A health clinic employee disclosed the contents of a patient’s medical file, including the fact that the patient had a sexually transmitted disease from a sexual partner other than her husband. Another employee created a MySpace page with a picture of the patient and disclosed the contents of her medical file, disclosing she has an STD. Though the page was only up for a few days, it was enough for a legal case against Fairview (Yath vs Fairview Clinic).
It seems like it would be a cut-and-dried case, ending in Yath’s favor. But that’s not what happened.
Fairview had a policy prohibiting the use of social media at work. Technical evidence demonstrated that the MySpace page was not created at the employer’s place of business.
“It really saved Fairview,” said Lytle. “They did the right thing and took the right steps. If any of the factors were different, it could’ve been a huge liability.”
How should a company respond to a potentially damaging post? “This is the kind of thing you should be planning for in advance,” said Bachman.
  • Take full responsibility — in social media, it’s impossible to run and hide
  • Make no excuses — stick to clarifying an incident — stick with real data
  • Respond immediately 
  • Do not get into an ongoing conversation with other posters — you’re just going to get deeper and deeper into trouble with no way to dig yourself out

We only need to look at LinkedIn’s Top 5 Corporate Twitter Disasters of 2012 to understand how a simple mistake or an irate employee can cause a media nightmare.

Companies can establish a framework to manage these risks, however. Aside from monitoring and training, companies can purchase media content liability coverage, including:

  • Defamation, libel, slander, infringement of copyright
  • Infringement of domain name, trademark, trade name, trade dress
  • Plagiarism, piracy, misappropriation of ideas under an implied contract
  • Invasion or interference with an individual’s right to privacy

“One thing to think about is where your culture is within the organization,” said Perkins. “Do you have a cultural awareness of what social media is?”

The Risks of Social Media: Internal Audit

Internal audit has never been easy, but modern business practices are challenging IA professionals even further. Social media, fraud risk and data analysis tools are areas in need of attention and, in some cases, improvement.

The 2013 Internal Audit Capabilities and Needs Survey, released by Protiviti, shows that 43% of respondents have no social media policy within their organization. Among those with a policy, many fail to address even the most basic issues, such as information security and approved use of social media applications.

What’s most alarming, however, is that more than half (51%) of organizations do not address social media risk as a part of their risk assessment process — 45% indicate they have no plans to do so in the coming year’s audit plans. Of those that do address the topic, 84% rated their organization’s social media risk-assessment capability as “not effective” or “moderately effective.”

“The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media,” said Brian Christensen, executive vice president, global internal audit, at Protiviti. “From a risk management perspective, this poses significant potential problems for businesses that can range from reputational risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.”

Other findings related to internal audit include:

  • Continuous auditing was the top priority in terms of audit process knowledge in 2011 and 2012, but dropped down to #18 in the 2013 rankings.
  • For audit process knowledge, auditing IT – new technologies was the third-highest “needs-improvement” priority, and scored significantly lower than any other area evaluated with regard to existing competency.
  • Concerns among chief audit executives were generally aligned with the broader sampling of respondents. However, they did rank audit process knowledge around Computer-assisted Audit Techniques (CAATs) as a higher priority for improvement, compared to the overall ranking.

In 2013, we can no longer view social media as a “new” risk. Businesses must prepare for the worst. Whether it’s an attack on a company’s reputation via Facebook or a rogue employee stealing an organization’s Twitter account password, social media risk can manifest itself in many ways. There is only one way for companies to deal with it, however.

Be prepared.

The Risks of Social Media: How Third Party Marketers Can Pose a Liability

As social media becomes more important to brands, companies have learned to embrace the marketing tool as a necessity. But many organizations don’t have the time it takes to build an audience of followers on Facebook and Twitter. This is where third party marketing agencies come in. But, as evidenced in recent legal headlines, the liability is enormous.

A recent piece in the International Business Times cited the case of a nonprofit organization that used a third party marketing agency to establish and maintain the nonprofit’s social media presence. But when the nonprofit was late on one payment to the agency, it found that the passwords to the nonprofit’s Facebook and Twitter account had been changed. It was a simple message: if you don’t pay up, you lose your account. And there are several examples of third party marketing agencies not complying with laws and regulations regarding advertising.

A white paper on the inherent legal risks associated with marketing through social media, published by Venable LLP, a New York-based corporate law firm, states:

Companies that have relationships with third-party affiliate marketers should ensure that those affiliates comply with advertising and marketing laws in marketing the companies’ products or services through social media. Businesses should have agreements with affiliates requiring the affiliates to comply with all applicable federal, state, and local laws and regulations; it may be prudent to include specific representations and warranties by the affiliate with respect to compliance, with specific references to significant laws such as the FTC Act. The agreements should also have a provision whereby the affiliate agrees to indemnify the company (either through a mutual indemnification or otherwise) from liability arising out of the affiliate’s conduct – preferably with a provision requiring that the affiliate carry sufficient insurance to fund the indemnification should it be triggered.

On a related note, confidentiality provisions and related provisions ensuring data security have become increasingly important in the current legal environment, particularly in agreements involving cross-border activities where consumer personal information is collected online. Additionally, businesses should, to the extent it is feasible, monitor the advertising and marketing practices of affiliates and review their marketing materials before they are disseminated. A company should take similar measures with respect to third parties who market through social media outlets operated by the company.

But social media marketing risks are found in-house, too. Take the case of blogger Noah Kravitz and tech blog PhoneDog. When Kravitz began work at PhoneDog, he created a Twitter handle, @Phonedog_Noah, which eventually amassed 17,000 followers. Kravitz left PhoneDog on good terms in 2010, changing his handle to @NoahKravitz but keeping the password and, hence, his followers.

Things turned ugly when he filed suit over back pay. PhoneDog then countersued, claiming the followers of @Phonedog_Noah make up, essentially, a corporate customer list — their corporate customer list. In a remarkable move, they also demanded $2.50 for each of the followers over an eight-month period, which adds up to $340,000.

The PhoneDog vs. Kravitz case ended in negotiation in early December. So, without a legal ruling on this modern matter, we are still left with the question: who actually owns certain Twitter accounts? That’s a question we will undoubtedly see more of in the future.

But for now, during this legal limbo of social media laws, there is a large amount of helpful information on the web that companies can use to analyze social media marketing and create their own social media policy, such as, which offers a section with 218 different social media policies. And this site lists six steps to creating a social media governance board. But the most important things to remember when putting your company’s social media marketing efforts in the hands of someone else, either in-house or outsourced, are:

  1. Will the third party/employee do a better job than your staff/yourself?
  2. Does the outsourcing company/employee understand your brand completely?
  3. Do you have a thorough and specific contract in place?

And please, feel free to share your thoughts. Does your company use third party social media marketing or do you keep this aspect of operations in-house? What are the risks your company has faced with either option?

The Risks of Social Media: Facebook Post Attracts SEC Action

We’ve written about the perils of careless social media use time and time again on the Monitor and in Risk Management. And no matter how many company-wide memos are issued or how many training courses are thrust upon employees, as long as social media exists, there will be those that, whether intentionally or innocently, create a reputational or regulatory nightmare for their employer or another company.

Reed Hastings, the CEO of Netflix, is one of them. The active Facebook user commonly posts about the success of Netflix, often thanking users of the service for their loyal support, which sounds like the first line from a book on how to correctly promote a product using social media. But Hastings may have become a little too comfortable sharing certain aspects of the company’s information.

In July of this year, he posted to his 240,000+ Facebook subscribers that “Netflix monthly viewing exceeded 1 billion hours for the first time ever in June.” That type of boastful post may seem like nothing more than a proud CEO to many, but to the Securities and Exchange Commission, it was quite possibly an illegal statement. On Wednesday, the SEC issued Netflix a Wells Notice, which means SEC staff will recommend that the SEC issue either a cease-and-desist action and/or a civil injunction against Netflix and Hastings over the alleged violation.

Hastings responds via, you guessed it, Facebook.

Did Hastings violate rules regarding selective disclosure? Should all companies, especially those the size of Netflix, have legal counsel review all social media posts representing the company’s views? Should every company employ a social media risk manager?

It seems we’re getting there.