the case for social media management and archiving

The Case for Social Media Management and Archiving

An Osterman Research White Paper

Published January 2011

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
www.ostermanresearch.com • twitter.com/mosterman

Upload: actiance-inc

Post on 17-May-2015




©2010 Osterman Research, Inc.

Executive Summary

SOCIAL MEDIA USE IS GROWING

By virtually any measure, the impact of social media is growing on a number of fronts:

• More businesses are using social media to build brand awareness
• Governments are using social media to share information
• Social media sites have emerged as icons in the popular culture

With regard to the last point, the “Big Three” social media tools in North America host a staggering number of users as of late 2010:

• Twitter has 175 million users [i]
• Facebook has roughly 520 million users [ii]
• LinkedIn has 85 million users [iii]

However, there are more than 1,000 systems in use in the dynamic, worldwide social media environment. For example [iv]:

• China’s microblogging site Sina.com is expected to have 65 million users by the end of 2010 [v].
• Google’s Orkut is the most popular social media network in Brazil with 37.5 million users as of August 2010 [vi].
• StudiVZ, with 16.6 million users [vii], is a German language social network and, not surprisingly, is the most popular such site in Germany.
• Mixi, a popular social network in Japan intended only for individuals who have access to a mobile phone provided by a Japanese carrier, has roughly 12 million users as of September 2010 [viii].

Further evidence of the growing impact of social media is the time that users spend using these networks: a Nielsen study [ix] found that in June 2010 users spent nearly 23% of their online time using social media, up from nearly 16% a year earlier, making social media the fastest growing consumer of users’ online time.

SOCIAL MEDIA, WHILE BENEFICIAL, INCREASES CORPORATE RISK

Social media offers a number of important benefits to both users and organizations that maintain a social media presence. For example, users benefit from the use of social media by having a ready source of current information, being able to share views, and partnering with like-minded individuals. Organizations benefit by building a following among current and prospective customers, gaining competitive advantage by being perceived as thought leaders, and sharing information in ways that would not otherwise be possible using conventional communication channels. Further, the proper use of social media strengthens client and prospect relationships with real time, authentic dialogue in a way that other media cannot.


Despite the many benefits of social media for both users and organizations, there are two primary risks associated with it:

• Users can send business records, confidential information or racially or sexually offensive content using social media tools in violation of the law, legal best practice or corporate policies.
• Users can generate content using social media that needs to be preserved according to corporate and regulatory retention requirements – but often is not.

ABOUT THIS WHITE PAPER

The goal of this white paper is to demonstrate that social media content must be managed properly. Specifically, this means a) monitoring what employees post on social media sites and how they do so, and b) archiving relevant business records that are distributed via social media sites. Further, this white paper offers a brief overview of the vendor that sponsored it and that can address each of these issues, Actiance.

Social Media Monitoring and Archiving Are Critical

OUTBOUND SOCIAL MEDIA MUST BE MONITORED…

The inappropriate use of social media can create enormous liabilities, embarrassment and other problems for an organization. For example:

• Employees at the Tri-City Medical Center in Oceanside, California posted patient information on Facebook [x].
• A hospital employee in Hawaii with access to patients’ medical records illegally accessed another person’s records and posted on MySpace that the individual had HIV [xi].
• A West Allis, Wisconsin employee was fired for a post she made on her Facebook page claiming that she was addicted to alcohol and various prescription and illegal drugs, although the employee claimed that her comments were made in jest [xii].
• In early 2009, an employee of Ketchum, a public relations firm, used Twitter to post insulting comments about the city of Memphis shortly before presenting to the worldwide communications group at FedEx – Memphis’ largest employer. An employee of FedEx discovered the tweet, responded to the tweeter, and then copied FedEx’s senior managers, the management of FedEx’s communication department and the management of Ketchum [xiii].
• A radio host tweeted a racially offensive comment after a basketball game between the Dallas Mavericks and San Antonio Spurs and was subsequently fired [xiv].
• The case of Blakely v. Continental Airlines [164 N.J. 38 (2000)], although decided by the New Jersey Supreme Court prior to the advent of social media, established the precedent that employers are liable for what their employees post online.


It is also important to monitor content based on regulatory guidelines. For example:

• Federal Energy Regulatory Commission (FERC) Order No. 717 requires monitoring and archiving of communications between the marketing and transmission operations of vertically integrated electricity and natural gas companies.
• Various rules issued by the Financial Industry Regulatory Authority (FINRA) require supervision of communications by registered financial services representatives.

Various US government agencies have also issued guidance on the retention and management of social media content. For example:

• The Environmental Protection Agency has published Interim Guidance for EPA Employees who are Representing EPA Online Using Social Media, requiring that “agency records created or received using social media tools must be printed to paper and managed according to the applicable records schedule in a recordkeeping system.”
• The US Department of Defense has provided formal guidance on the use of Web 2.0 tools, which includes guidance that “all users of these Internet-based capabilities must be aware of the potential record value of their content, including content that may originate outside the agency.”
• The US State Department’s official policy, Using Social Media, requires a site sponsor to be the recordkeeper for content that must be preserved long term, requiring that records “be maintained with related records or managed through an acceptable records management application.”

The National Archives and Records Administration (NARA) continues to refine policy regarding the retention of social media communication. An October 2010 NARA bulletin explains that “Open and transparent government increasingly relies on the use of these [Web 2.0] technologies, and as agencies adopt these tools, they must comply with all records management laws, regulations, and policies. The principles for analyzing, scheduling, and managing records are based on content and are independent of the medium; where and how an agency creates, uses, or stores information does not affect how agencies identify Federal records.” [xv]

…BUT INBOUND CONTENT IS JUST AS IMPORTANT TO MONITOR

However, outbound threats are only part of the problem that social media can pose. Because Twitter, Facebook and many other social media sites have become a haven for hackers, malware authors and other criminals, organizations must be vigilant to protect against threats that can enter a corporate network through social media sites. For example:

• The Boonana malware, written in Java and first reported in late October 2010, targets Macs through social media sites and operates in a manner similar to that of the Koobface worm that has been infecting Windows-based machines since 2008. Koobface has targeted Facebook users in particular [xvi].


• In early October 2010, a large-scale phishing attack against LinkedIn users delivered the Bugat malware that is related to the Zeus bot responsible for the loss of tens of millions of dollars [xvii].
• A temporary security hole in Twitter, patched in September 2010, allowed an exploit in which simply placing a mouse cursor over a malicious link would cause the user to visit a malicious or offensive site [xviii]. Thousands of users were impacted by this bug.
• A Consumer Reports study found that 1.8 million computers had been infected by applications downloaded through a social media site [xix].

OTHER CONSIDERATIONS FOR MONITORING SOCIAL MEDIA

In addition to the obvious outbound and inbound threats posed by social media, there is also the issue of managing users’ identities when employees and other representatives of a company post content to a social media site. This issue is focused primarily on two key concerns:

• Employees can establish for themselves any available name on a social media site and use it to post content either officially or unofficially. This results in a company losing control over naming conventions and the identities of individuals purporting to post content on the company’s behalf. To specifically address this issue for financial services firms, the FINRA issued a statement in Regulatory Notice 10-06 [xx] that “[regulated] firms must have a general policy prohibiting any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision.”
• A related concern is that employees posting content on behalf of their employer can maintain the same social media name once they leave the organization. However, the lack of enforceable naming conventions means that the outside world has no indication that the employee has changed employers, thereby leaving employers vulnerable to a variety of posts long after an employee has left an organization.

SOCIAL MEDIA CONTENT MUST ALSO BE ARCHIVED

While social media can create problems for individuals and employees if content is inappropriate, at least some social media content – that which contains business records and other content that may have evidentiary value – must be retained based on various retention guidelines. For example:

• FINRA Regulatory Notice 10-06 [xxi] states that “every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.” This notice requires pre-review of static content, the supervision of dynamic content and the supervision of customer complaints sent in social media.


• The State of Oregon has established a policy that “social media posts are public records. That means they require you to retain them.” [xxii]
• Similarly, the State of North Carolina has concluded that “[social media] posts of the employee administrator and any feedback by other employees or non-employees, including citizens, will become part of the public record.” [xxiii]
• FERC 18 CFR Parts 35 and 284 require the retention of various types of records for five years and FERC Part 125 establishes specific retention periods for the records of public utilities and companies affiliated with them. While these regulations do not specifically call out retention of social media content per se, even a conservative reading of these requirements would dictate preservation of relevant social media content sent by energy and related companies governed by FERC.
• In the case TEKSystems, Inc. v. Hammernick, the plaintiff is suing based on its allegation that the defendant violated several agreements after leaving the company by using her LinkedIn account to contact a number of employees of the plaintiff [xxiv].

Today, driven by FINRA and the Securities and Exchange Commission, the financial services industry is the key driver for archiving social media content – for the most part, other industries have yet to establish detailed and thorough guidelines about the archiving of this content, although the government and energy sectors are close behind. The financial services industry’s focus on social media archiving is part of its long term focus on electronic content archiving which began with email in 1997 and instant messaging in 2003. That said, other industries will clearly follow the lead of financial services, government and energy and will establish detailed guidelines on social media archiving. However, any public or private company, regardless of industry, must establish retention guidelines to ensure that it is retaining business records in social media for the appropriate length of time. Social media, as with any business record, must be retained to demonstrate both to courts and regulators proper diligence in the preservation of business content, and also to provide the ability for pre-review of business records for early case assessment and related activities.

THE BOTTOM LINE: ORGANIZATIONS ARE AT RISK

The vast majority of organizations today do not have the ability to capture relevant information from social media sites or to retain it for long periods as many do for other types of business records. Nor do they have the ability to monitor employee posts to social media sites for inappropriate content that could result in a lawsuit or quash a merger or damage their corporate reputation. The result is that organizations are increasingly at risk as the use of social media tools continues to grow. This risk is multi-faceted and includes the potential spoliation of evidence, a failure to prevent sexual harassment between employees, charges of libel and other negative consequences. It is important that organizations retain social media content independently of the providers – in other words, don’t rely on social media providers to retain content, but instead manage it independently to ensure its retention for as long as necessary.


Retaining content independently is not only best practice; it is imperative, because the social media platform providers are not obligated to retain it. For example, Twitter’s terms of service include “We also retain the right to create limits on…storage at our sole discretion at any time without prior notice to you.”

What to Do Next

Osterman Research recommends that any organization that is using or is considering using social media undertake a four-step process for protecting against the risks associated with its use.

STEP 1: UNDERSTAND HOW AND WHY SOCIAL MEDIA IS USED IN YOUR ORGANIZATION

IT should conduct a thorough audit of how social media is used in the organization, which tools are used, why they are used and so forth. This audit should also include a forward-looking focus on how these tools might be used in the future, how competing firms are using these tools, and new capabilities that might be employed in the future. In short, an organization should determine if it could obtain competitive advantage through the use of social media instead of making a knee-jerk decision not to use it because of security or other risks it might pose.

It is important to note that there may be a major disconnect between what IT, security or compliance perceives as a legitimate application of social media and what individual users or business units perceive to be legitimate. The goal, of course, is to balance the competing interests of both groups and derive the greatest benefit from the use of social media while still remaining compliant with corporate policies and security requirements. This might include:

• Marketing, communications, PR teams and spokespeople who want the ability to post commentary, create events and utilize the full functionality of social media.

• Corporate users, such as Human Resources and legal staff who need to research new hires and investigate shared content.

• Regulatory compliance teams who must not only maintain records of shared content and activities, but also approve and moderate subject matter.

• Employees who utilize social media to prospect for business, network with customers and partners and collaborate with suppliers.

STEP 2: UNDERSTAND THE RISKS YOU FACE BY NOT MANAGING SOCIAL MEDIA PROPERLY

Next, it is important to understand the consequences that can result when social media content is not managed properly, when business records in social media posts are not retained, and so forth. It would be appropriate at this phase of the evaluation process to understand the potential consequences associated with not managing social media use adequately. For example:


• If business records or actionable information are sent via social media tools, management’s decision to purge this content could be seen as spoliation of evidence in a lawsuit. For example, if management decides not to preserve sexually harassing direct messages sent using Twitter, a party offended by this content that takes legal action may be entitled to access the archives of these posts as part of an e-discovery exercise and could claim spoliation in their absence. The ramifications of spoliation can be substantial and include fines and sanctions imposed by the court, the requirement to pay the prevailing party’s legal fees, attorneys’ costs for additional motions, and other serious consequences.

• If employees want to discuss work conditions or complain about their benefits, for example, employers are not permitted to interfere with these communications according to rules codified in the National Labor Relations Act. This means that employers must tread a fine line between monitoring and blocking social media for inappropriate use or sharing of content in an inappropriate way and preserving the rights of employees to share information. Further complicating the issue is the need for multinational organizations to satisfy the diverse requirements of each territory in which they operate.

• For firms in the financial services industry, investment advisers cannot be the beneficiary of a testimonial or recommendation on LinkedIn because of the potential violation of Rule 206(4) of the Investment Advisers Act of 1940 [1]. This rule makes it illegal for an investment adviser to publish or benefit from an advertisement or testimonial that deals with their conduct as an adviser.

• Similarly, registered financial services representatives are subject to scrutiny when they post content on social media sites, including monitoring of their posts and retention of their communications.

[1] http://newrulesofinvesting.com/2009/03/22/adviser-use-of-linkedin-may-violate-sec-rules/

STEP 3: IMPLEMENT SOCIAL MEDIA POLICIES THAT FIT YOUR INDUSTRY AND ORGANIZATION

The next requirement is to implement policies that will attempt to strike the appropriate balance between employee freedom to communicate via social media tools, the business benefits that will be derived from the use of these tools, compliance with industry regulations, and advice from legal counsel. Considerations for these policies include:

• Policies about the use of social media tools should be part of an overall messaging and communication policy that covers the use of corporate email, personal Webmail, instant messaging, collaboration workspaces, cloud-based storage tools and any venue through which individuals might share corporate information.

• Sufficient granularity should be included so that differing roles within the organization are clearly subject to different policies. For example, energy and securities traders may be subject to different rules about their use of social media than clerical staff, senior managers should be subject to different policies when communicating with external auditors than when they communicate with employees, formal communications that represent a company position should be subject to different scrutiny than personal communications, and so on.

• Policies should also include a detailed discussion about appropriate use of social media tools, including requirements not to post sexually or racially offensive comments or images, not to include links to inappropriate Web sites, not to defame or slander others, not to post content that could run afoul of copyright laws, not to post personnel records or other sensitive information, and the like.

• The specific tools that can and cannot be used should be specified clearly, preferably along with a rationale for the decision. This includes the social media sites themselves, as well as the platforms on which these sites are accessed – home computers, smartphones, desktop computers at work, etc.

• Where appropriate and where possible, disclaimers should be included for communications like Facebook posts or blogs. Obviously, disclaimers will not be practical for tweets and other space-limited communication tools (unless, possibly, a short URL is included that points to a corporate disclaimer).

• Policies should clearly spell out that management reserves the right to monitor employee communication via social media, when it has the right to act on this information, and that content may be retained for an indefinite period.

• Succession planning should also be a part of social media policies. For example, if an employee – particularly one with a large number of followers – leaves the organization, corporate policy should include provisions about whose followers those are, the individual’s or the company’s.

• Policies should also spell out the corporate reaction to and consequences of a breach of policy.

STEP 4: DEPLOY MANAGEMENT AND ARCHIVING TECHNOLOGIES

Finally, any organization should deploy technologies that will do the following:

• Monitor employee posts on every social media protocol that might be used. This monitoring may be after the fact, such as sampling employee posts to check for inappropriate content; or it might be in real time to monitor posts before they leave the organization.

• Osterman Research has found that while many IT decision makers oppose the use of specific social media tools or at least find them not to be legitimate for use in a business context, far fewer really do anything to prevent their use.

• Archive and log all relevant content that might constitute a business record and that might need to be retained. It is generally easier to simply archive or log all social media content than take the risk that some important content might slip through and not be retained, but this will depend to a large extent on the industry in which an organization operates and other factors. A key part of content logging is to ensure that the identity of the individuals who use social media tools is clear and that content can be tied back to their corporate identity. Most organizations will want to integrate their social media archive with their primary electronic content archive. This makes legal holds, as well as searching across all electronic content during early case assessment and e-discovery, much easier and less time-consuming.

• It is also vitally important to block threats that can enter an organization through social media. This is particularly important given a) the widespread use of short URLs that offer the user no visual cues about the veracity of the link, and b) the fact that many social media tools can display content provided by individuals to whom users have not given permission to display posts. One of the key problems with social media from a security perspective is that these tools are generally less well defended than more established tools like email. Given the rapid increase in the use of many of these tools, many IT departments are scrambling to keep up with the rapid growth of social media tools, leaving organizations vulnerable to malware infiltration. For example, an Osterman Research survey conducted during May 2010 revealed that 12% of mid-sized and large organizations in North America had been the victim of malware infiltration during the previous 12 months, while 9% of organizations had had sensitive or confidential information accidentally or maliciously leaked through a social media or Web 2.0 application [xxv].

Summary

The fundamental message regarding the use of social media in any organization can be distilled down to three important points:

1. Take advantage of social media for marketing, thought leadership or other purposes, particularly during the window in which your competitors are not doing so.

2. Monitor social media content leaving and entering your organization to minimize the risks that it can create.

3. Archive relevant business content generated in social media, also to mitigate risks.


Sponsor of This White Paper

Actiance enables the safe and productive use of Unified Communications, collaboration and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1600 organizations globally for the security, management and compliance of unified communications, Web 2.0 and social media channels. Actiance supports all leading social networks, unified communications providers and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM and Cisco. For more information about Actiance’s award-winning platform, please visit www.actiance.com.

© 2010 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

Actiance, Inc.
1301 Shoreway, Suite 275, Belmont, CA 94002, USA
+1 888 349 3223

400 Thames Valley Park Drive, Thames Valley Park, Reading, RG6 1PT, United Kingdom
+44 (0) 1189 637 469

www.actiance.com


[i] http://twitter.com/about
[ii] http://www.facebook.com/press/info.php?statistics
[iii] http://goo.gl/Ox2ID
[iv] http://www.socialmediatoday.com/soravjain/195917/40-most-popular-social-networking-sites-world
[v] http://english.peopledaily.com.cn/90001/90776/90882/7193475.html
[vi] http://www.comscore.com/Press_Events/Press_Releases/2010/10/Orkut_Continues_to_Lead_Brazil_s_Social_Networking_Market_Facebook_Audience_Grows_Fivefold/(language)/eng-US
[vii] http://pulse2.com/2010/05/28/studivz-has-16-6-million-users-facebook-has-9-million-in-germany/
[viii] http://www.comscoredatamine.com/2010/11/twitter-sees-impressive-growth-in-japan/
[ix] http://mashable.com/2010/08/02/stats-time-spent-online/
[x] Source: Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach)
[xi] Source: Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach)
[xii] http://www.courthousenews.com/2010/05/24/27513.htm
[xiii] http://shankman.com/be-careful-what-you-post/
[xiv] http://www.huffingtonpost.com/2010/04/26/mike-bacsik-twitter-tirad_n_552532.html
[xv] NARA Bulletin 2011-02
[xvi] http://www.computerworld.com/s/article/9193720/Koobface_worm_targets_Mac_users_on_Facebook_Twitter
[xvii] http://www.bankinfosecurity.com/podcasts.php?podcastID=783
[xviii] http://mashable.com/2010/09/21/twitter-mouseover-bug/
[xix] Source: Consumer Reports State of the Net
[xx] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf
[xxi] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf
[xxii] http://oregon.gov/DAS/EISPD/EGOV/BOARD/social_networking_guide/public_records.shtml
[xxiii] Source: Best Practices for Social Media Usage, December 2009
[xxiv] http://www.chicagobusinesslitigationlawyerblog.com/2010/10/federal_lawsuit_asks_judge_to.html
[xxv] Source: Messaging and Web Security Market Trends, 2010-2013; Osterman Research, Inc.