Dealing with Reputation Risk


Properly assessing risk is critical to any business. Successful businesspeople understand that every decision they make must be weighed against the potential risk to the company. This risk assessment must not be limited solely to situations directly related to the business itself, however. They must also consider reputation risk, or the risk that events will have a negative impact on one’s personal reputation and, by extension, the business.

Whether fair or not, the decisions made in someone’s personal life can have a substantial impact on the company they are connected to. This risk extends beyond just the owner or executives of a company; employees caught doing unscrupulous things can cause a public relations nightmare for the business, ultimately resulting in massive losses for the company itself.

Assessing Reputation Risk

Unlike business transactions, where there are countless models and historical examples of the likely risk and reward of most given situations, reputation risk is far harder to quantify and prepare for. It is nearly impossible to predict, for example, whether or not an executive will get belligerently intoxicated and assault a police officer. The executive can bring unwelcome attention to the company, which in turn can cause investors, advertisers, and partners to shy away in the short or even long-term.

Exacerbated in the Social Media Generation

Social media platforms such as Facebook and Twitter have dramatically intensified reputation risks. In the past, it was possible for a relatively minor incident to be swept under the rug or forgotten relatively quickly. If not, chances were good that a story would stay relatively local, perhaps reported in an area newspaper once or twice before fading from memory.

Today, however, even a single story in a local newspaper (or, worse, an online blog) can be shared and re-shared thousands of times in a matter of hours. “Viral” stories can spread across an industry and the country within only a day or two. By the same token, an ill-advised Facebook or Twitter post on a controversial topic can be shared just as quickly.

Mitigating the Danger

Unfortunately, there is only so much one can do when trying to guard against reputational risk problems. It is impossible to control every human being’s actions, and even harder to control them every second of every day. The only viable solution is offering guidelines to employees and executives to try and minimize the problem as much as possible. It is also worth calculating risk factors among employees. For example, an employee with a history of public intoxication or domestic abuse issues may not be someone you want representing your company.

At the end of the day, there is only so much one can do to reduce reputation risk. It is important, however, to have a public relations strategy on hand for if and when a troublesome situation arises—and it almost certainly will at some point.

Twitter’s Data Mining Profits Show Lesser-Known Social Media Risk


In an interview for this month’s issue of Risk Management magazine, lawyer and social media specialist Adam Cohen cautioned businesses that the risks of social networking sites extend beyond explosive posting faux pas.

“In most cases, corporations don’t realize that what they put on these social media services is all subject to the privacy policies and terms and conditions of the services,” said the eDiscovery expert and author of Social Media: Legal Risk and Corporate Policy. “Those provide a shocking amount of access by the social media services where they may take your data.”

As Twitter prepares for its much-anticipated IPO, the social media giant has released a torrent of information on its financial standing and practices. One of the most important tidbits for users concerns the site’s lesser-known side-business: data mining. In the first half of 2013, Twitter made $32 million by selling its data—namely, tweets—to other companies, a 53% increase from the year before.

So far this year, the company has raked in $47.5 million from selling user data to companies that analyze the social media posts for insights into news events and trends. Because of its real-time nature, Twitter is the primary contributor to data mining, though other social networks are frequently used in professional analysis.

This analysis is then sold to businesses for a slew of uses. “The types of ways that businesses are using Twitter data has gone deeper and deeper,” Chris Moody, the CEO of original Twitter data mining company Gnip, told Time. “We’re seeing it in supply chain and inventory management. It’s not just consumer brands that are engaging on Twitter.” The United Nations uses Twitter algorithms to pinpoint areas of social unrest. Burger chain Five Guys used “social intelligence technology” from New Brand Analytics to monitor quality in restaurants across the country and evaluate the appeal of a new fry size offering. Wall Street subscribers to one service, Dataminr, got a leg up on the S&P Index drop following the Navy Yard shooting. Five minutes before the news broke, users received an alert to take action after the company’s algorithms picked up on eyewitness reports and deduced from their timing, influence, and location that something urgent was taking place.

Clearly, there’s money to be made on both sides. According to the Wall Street Journal, the “social listening” business is booming, partially funded by millions of dollars in venture capital. Research firm IDC estimates that the entire “big data” market has grown seven times as quickly as the information technology sector as a whole, and may be valued at $16.9 billion in two years.

Data is mined for a variety of purposes – ones your company may even want to explore – but while there are benefits to the ends, the means translate into cyber exposures of which you may never know the details or depth. While the reputational risk of social media garners a lot of the attention – and rightfully so – there are increasingly tremendous exposures that lie in the forms just to sign up. With Twitter going public, there will only be further incentive to maximize revenue by selling user data, and more reason to approach corporate social media with caution.

A Breach a Day…Or More


More and more we are hearing of the increased frequency with which data breaches are occurring. You read about it in the newspaper, see it on the news and sometimes you get notices in your inbox in real-time, like I do. What used to be a once-a-week data breach email alert from, an open security foundation, now comes as multiple emails, several times a day.

Quite frightening.

Here are some of the most recent data breach events:

February 27, 2013: TEKsystems, a company affiliated with Bank of America, was charged with monitoring hacker activity from groups targeting the bank — most likely, the collective hacking group known as Anonymous. Not liking the sound of that, a group affiliated with Anonymous released what it claims is “14GB of data belonging to the bank and other organizations, including Thomson Reuters, Bloomberg and TEKsystems.”

February 27, 2013: I thought the first email I received with the title “Laptop of Head of Israel’s Atomic Energy Commission Stolen” was bad, but then I received one the very next day that was even worse. According to various news reports, a second laptop belonging to Shaul Horev was stolen from his home in just one week. It might be time for tighter security.

February 26, 2013: Though this only counts as a potential data breach, it’s still quite alarming. According to the same open security foundation (OSF) from which I receive data breach email alerts, a hospital has left sensitive data belonging to patients and staff exposed on the internet. The worst part is, OSF has made “multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital’s sysadmin and technical analyst, and sent a direct email to the hospital’s CEO.” Still, they’ve received no response.

February 25, 2013: We’ll head to Canada for this one. According to news reports from the great white north, the loss of a thumb drive has prompted an investigation that has widened to include the Justice Department. The drive contained information regarding Canada Pension Plan disability benefits related to more than 5,000 individuals.

February 21, 2013: Even peacocks are not immune. Last week, NBC announced it was the victim of an attack. Hackers added links to malware on the site, using the Citadel Trojan worm, the same one that plagued the websites of U.S. banks recently.

February 21, 2013: Zendesk, a customer service software provider, announced a security breach that allowed hackers into its system, where they had access to information from three customers — Twitter, Pinterest and Tumblr.

February 5, 2013: The U.S. government seems to be no match for sophisticated system spies. Earlier this month, the U.S. Department of Energy revealed that hackers breached 14 of its servers and 20 of its workstations, making off with personal information belonging to several hundred employees. “It’s a continuing story of negligence,” Ed McCallum, former director of the department’s office of safeguards and security, told the Free Beacon. “[The department] is on the cutting edge of some of the most sophisticated military and intelligence technology the country owns and it is being treated frivolously by the Department of Energy and its political masters.”

These are just a few of the many, many data breach alerts I’ve received in the month of February alone. It leaves one questioning whether we will ever win the war against hackers.

The Risks of Social Media: How Third Party Marketers Can Pose a Liability

As social media becomes more important to brands, companies have learned to embrace the marketing tool as a necessity. But many organizations don’t have the time it takes to build an audience of followers on Facebook and Twitter. This is where third party marketing agencies come in. But, as evidenced in recent legal headlines, the liability is enormous.

A recent piece in the International Business Times cited the case of a nonprofit organization that used a third party marketing agency to establish and maintain the nonprofit’s social media presence. But when the nonprofit was late on one payment to the agency, it found that the passwords to the nonprofit’s Facebook and Twitter accounts had been changed. It was a simple message: if you don’t pay up, you lose your account. And there are several examples of third party marketing agencies not complying with laws and regulations regarding advertising.

A white paper on the inherent legal risks associated with marketing through social media, published by Venable LLP, a New York-based corporate law firm, states:

Companies that have relationships with third-party affiliate marketers should ensure that those affiliates comply with advertising and marketing laws in marketing the companies’ products or services through social media. Businesses should have agreements with affiliates requiring the affiliates to comply with all applicable federal, state, and local laws and regulations; it may be prudent to include specific representations and warranties by the affiliate with respect to compliance, with specific references to significant laws such as the FTC Act. The agreements should also have a provision whereby the affiliate agrees to indemnify the company (either through a mutual indemnification or otherwise) from liability arising out of the affiliate’s conduct – preferably with a provision requiring that the affiliate carry sufficient insurance to fund the indemnification should it be triggered.

On a related note, confidentiality provisions and related provisions ensuring data security have become increasingly important in the current legal environment, particularly in agreements involving cross-border activities where consumer personal information is collected online. Additionally, businesses should, to the extent it is feasible, monitor the advertising and marketing practices of affiliates and review their marketing materials before they are disseminated. A company should take similar measures with respect to third parties who market through social media outlets operated by the company.

But social media marketing risks are found in-house, too. Take the case of blogger Noah Kravitz and tech blog PhoneDog. When Kravitz began work at PhoneDog, he created a Twitter handle, @Phonedog_Noah, which eventually amassed 17,000 followers. Kravitz left PhoneDog on good terms in 2010, changing his handle to @NoahKravitz but keeping the password and, hence, his followers.

Things turned ugly when he filed suit over back pay. PhoneDog then countersued, claiming the followers of @Phonedog_Noah make up, essentially, a corporate customer list — their corporate customer list. In a remarkable move, they also demanded $2.50 for each of the followers over an eight-month period, which adds up to $340,000.

The PhoneDog vs. Kravitz case ended in negotiation in early December. So, without a legal ruling on this modern matter, we are still left with the question of who actually owns certain Twitter accounts? That’s a question we will undoubtedly see more of in the future.

But for now, during this legal limbo of social media laws, there is a large amount of helpful information on the web that companies can use to analyze social media marketing and create their own social media policy, such as, which offers a section with 218 different social media policies. And this site lists six steps to creating a social media governance board. But the most important things to remember when putting your company’s social media marketing efforts in the hands of someone else, either in-house or outsourced, are:

  1. Will the third party/employee do a better job than your staff/yourself?
  2. Does the outsourcing company/employee understand your brand completely?
  3. Do you have a thorough and specific contract in place?

And please, feel free to share your thoughts. Does your company use third party social media marketing or do you keep this aspect of operations in-house? What are the risks your company has faced with either option?