Last month we discussed the Top 10 Neglected Email Maintenance Mistakes and offered up some new questions regarding social media concerns. This month, we’ll address those potential social media pitfalls in detail because one thing is clear: As social media continues to transform the information-sharing landscape, it’s hard to predict the level of scrutiny regulators will require in the future.
7 Critical Social Media Governance Questions
As you review and evolve your firm’s social media governance policy, be sure to keep these seven critical questions top of mind:
- Should I be LinkedIn with regulators?
- How can we properly ensure that nothing posted to social media falls through the advertising and communications pre-review process?
- Are regulators scanning social media for mentions of a firm’s name?
- What would the reaction be if our firm directed employees not to connect with regulators on LinkedIn?
- Do firms have an obligation to monitor employees’ social media accounts for false news?
- Do firms (and supervisors) have an obligation to address an employee if the employee’s inappropriate or unapproved communication is posted to their LinkedIn, Facebook, or Twitter accounts?
- Can firms be held responsible for postings and feeds that they weren’t even aware of?
A compliance department’s responsibilities include assessing actual or potential risks in the firm’s business model and building a compliance program to address those risks. The railroad tracks employees are expected to follow are typically laid out in a firm’s compliance policies and procedures. They give employees the firm’s “rules of the road,” which will typically include regulatory rules and guidance as well as employee responsibilities. A firm’s electronic communications policies should include not only email usage parameters, but also the do’s and don’ts of social media, including the pariah of fake news. Coupled with your social media governance policies should be employee training and attestations requiring employees to certify that they have read, understood, and will abide by those policies.
It would be unusual for a firm to tell an employee who they can and cannot connect with on social media. And employees might accidentally breach such a rule if they are already connected to an individual that ends up working for a regulator. It is also safe to surmise that, given the increase in regulators’ electronic surveillance prowess in recent years, regulators have built lexicons into search criteria that include firm and perhaps employee names.
What should you do if you find out that an employee has breached your social media governance policy by disparaging the firm or another employee on social media, or has posted something that could be deemed advertising? Like any other policy breach, it is critical to try and find out why the employee posted the offending language, then provide remedial training on those policies.
On the flip side, how do you react if a regulator comes across a post on an employee’s social media site that you didn’t know about? The majority of firms’ social media governance policies permit employees to maintain personal social media accounts, but require that employees not post firm-related information or opinions. The compliance departments of some firms (typically small firms) will actually either connect to employees’ personal social media accounts in order to do some monitoring or ask for passwords in order to do periodic testing of entries. Considering the amount of time it takes just to monitor email, having to police every employee’s multiple social media accounts—even sporadically—is most likely not possible. Many firms will set Google alerts or the like based on their firm’s name and/or particular employees’ names and leave it at that.
To sum up, after writing your social media governance policies and procedures, it all comes down to employee training and attestations. Regulators expect that firms not only have appropriate policies and procedures, but that employees receive training on them. Regular attestations on key policies like electronic communications help to serve as a reminder to employees of their responsibilities as well. A compliance department isn’t omniscient, so empowering employees to be accountable is key. Train, train, and then send out that attestation!
To learn more about Actiance’s Social Media Governance capabilities, read “A Closer Look At Social Media eDiscovery and Governance”