Social Media � The Next Smoking Gun
Galina Datskovsky, senior vice president and general manager of the Information Governance business unit at CA (NYSE: CA), chuckled as she recalled how businesses grappled with e-mail back in the 1990s, and how some business owners and managers swore they would never allow employees to use e-mail.
"I had one attorney friend who said to me, 'I will never allow e-mail in here. They can just fax me the stuff,'" she said. Some 10 years later, this same attorney friend walks around with a BlackBerry.
And just as e-mail caused much hand-wringing for enterprises back in the 1990s over how to capture, store, manage and retrieve e-mailed information, social networking sites and applications such as Facebook, instant messaging (IM) and Twitter are causing similar amounts of hand-wringing today. Yet, as Datskovsky noted, social networking, just like e-mail, "is a tidal wave that cannot be stopped."
So what is the key to managing the social media and instant networking tsunami? It's not to bury your head in the sand and ignore the problem, she said, but rather to think about the implications of social media from a security, privacy, productivity and bandwidth point of view and create policies around its use.
Friending Social Media in the Workplace
For many companies, including CA, the solution to dealing with sites like Facebook and LinkedIn, as well as instant messaging and Twittering, up until now has been to just block them. But that passive approach, said Datskovsky, is short-sighted and unrealistic.
"Social pressures, the pressures of the new incoming workforce that's used to using these kinds of tools for various reasons, are going to push enterprises towards allowing these kinds of tools to eventually be used [in the workplace]," she explained.
And just as companies were forced to deal with e-mail, largely because of the importance of e-mail to e-discovery and regulatory compliance, by creating policies around its use and adopting software to properly store and manage it, companies need to think and act in the same way for social networking applications. "I don't think we're going through anything new," said Datskovsky. "It's just a new set of tools.
"People have clearly embraced the benefits of e-mail to the business," she said, and wouldn't dream of not using it. Likewise, some businesses, though nowhere near the majority, have seen the benefits of social networking as a way to promote the business and to stay connected with employees.
The Salesforce.com Precedent
The problem is who controls that information, which is stored on someone else's servers. Does that information belong to the social networking site, the person who typed it in, or that person's employer (if the person used a company computer or revealed proprietary information)? It's often hard to say or determine, though there are precedents, noted Datskovsky, such as Salesforce.com (NYSE: CRM), the popular software-as-a-service/cloud computing CRM tool.
Salesforce.com manages customer information for approximately 51,800 customers. And all that customer information is stored on Salesforce.com's servers, though customers have round-the-clock access to it. "It is also clearly understood that those [Salesforce.com] records are the property of the company that's producing them, even though they're not sitting [on that company's servers] and are not being backed up there," said Datskovsky. Moreover, "the court would clearly treat those records as company property."
So one technological way to handle social networking sites, such as Facebook and LinkedIn, in the workplace, she said, is to take the Salesforce.com approach, and contract with sites for a block of space that would ultimately be under the company's control. But that would still leave the privacy issue and determining what is acceptable or appropriate to broadcast, which is equally important.
Data Privacy and Corporate Secrets
Today, you are just as likely to find people identifying themselves as employees of a certain business as you are people who list no professional affiliation on sites like Facebook (though the latter is becoming rarer), and that is a cause for concern for many companies.
Indeed, many people on Facebook freely post company information or comment on their company, thinking the company will never find out about it or not caring if they do. And that can be a huge problem, especially if the employee exposes private company information, said Datskovsky, "and a breach of security."
To deal with and prevent potential lawsuits around these privacy issues, companies need to develop policies about what information can be shared and what can't, and "educate their user community on the implications of using [these sites], privately or otherwise." That's critical.
"At the very least, your policy has to say 'no company information may be posted on your private site. If your name is associated with a company (say you're a very visible employee at a senior level, and/or your name is clearly associated with a company), please don't post inappropriate material.'" And you need to explain what material or information the company considers to be inappropriate.
Companies also need to come up with policies for using sites like Facebook and LinkedIn for business purposes and set up contracts with those vendors to ensure that any information posted by the company or its employees belongs to the company, "because next thing you know, these things are going to appear in court as part of e-discovery," said Datskovsky.
The Perils of Instant Messaging and Twittering
Similarly, companies need to develop policies for instant messaging and Twittering.
Many companies don't allow external instant messaging, such as the use of IM applications provided by Yahoo (NASDAQ: YHOO), Microsoft (NASDAQ: MSFT) and Facebook, because of security, privacy and e-discovery issues, especially financial services firms. That's because under SEC Rule 17a-4, which covers broker-dealers, instant messages are considered part of a company's official communications, and thus must be kept for three years and easily accessible. That poses a huge problem for companies whose employees use external instant messaging services. So typically financial service firms and those companies that deal with broker-dealers simply block or do not allow employees to use instant messaging. But there are alternatives.
For example, you can deploy your own instant messaging system, in house, which will automatically log all IMs on company servers and allow administrators to retrieve information as necessary. And for those companies that prefer to use an outside service, there's always the possibility of contracting with a major IM service, such as the Salesforce.com approach, so all IMs would ultimately be under the company's (not the provider's) control. The key, said Datskovsky, is that "you don't want casual, uncontrolled IM use, which the company can't monitor."
Organizations should take a similar policy approach to Twitter, she added, educating employees to "be mindful of what [they] say, as each Tweet is preserved in various ways into longevity and can be retrieved at any point in time and used in litigation." Indeed, in her role at CA, Datskovsky said she periodically has colleagues ask her about Twittering and Tweets and what is considered proper use or appropriate Tweets.
Whatever You Do, Don't Panic
When asked for her advice about how to handle social media in the workplace, Datskovsky immediately said not to panic. "Approach [each social networking application] like any other application. If you think about your policy framework, plug it into that, and then allow it in in an appropriately thought-through manner." If you do that, she said, "then there's nothing to panic about."
The key thing is to create explicit policies, up front, for using social media, she reiterated. If you create good policies that people can adhere to, she said, you should be okay. And just as with e-mail, we will probably be seeing vendors coming out with solutions in the near future to help companies manage social media. Until then, you can check out sites like CA's Information Governance page, as well as its Information Governance blog, for additional information.