Monitoring Social Media Use
MORE THAN THREE-FOURTHS of the businesses responding to a recent survey said they used social networking for business purposes in 2012. The survey also showed that about half of those businesses allow for personal use of social networks at work. “Businesses are embracing this media,” says Daniel Ornstein, co-head of the Proskauer’s International Labor & Employment Law Group, which conducted the annual global survey.
Social networking is “a great business tool,” he says. The company can run into trouble, however, if it does not use that tool properly. The survey found that only about a third of the businesses using social media sites like Facebook, Twitter, and LinkedIn monitor what employees post to company sites or to their own accounts while at work. This level of unchecked usage can lead to policy breaches, legal concerns, and a host of other problems.
Of course, manually monitoring such activity would be labor intensive. Fortunately, companies can employ technological solutions to monitor the use of social media in the workplace. These security applications scan the content an employee plans to post in real time, enforcing a company’s specific policies through granular controls. This type of security application seeks to provide a balanced approach to protecting a business’s brand and marketability while ensuring the protection of employees’ rights and privacy.
One such technology is EdgeWave Social, distributed by EdgeWave. This cloud-based security application, which is primarily designed for mid-sized education and service provider markets, is intended to give companies managed access to employee activity on social networking sites, filter threats, and protect proprietary information. The product was formerly sold in conjunction with EdgeWave’s iPrism, a Web-based security program. But the social tool recently became a standalone product, allowing for companies who have existing Web security contracts to use it with those other services. It works alongside any Web-filtering programs so that companies don’t have to worry about existing firewalls or other security filters, says Steve Brunetto, director of product management at EdgeWave.
In addition to helping to ensure that social media activity isn’t the source of malware and spam entering the company network, the EdgeWave Social application helps to mitigate what Brunetto calls “human risks,” including “anything that could get [companies] in trouble with compliance or regulations.”
For example, perhaps something that an employee tweets or posts in the company’s name or using the company’s network could create legal liability for the company in connection with charges of racial discrimination or sexual harassment, notes Brunetto.
Brunetto explains that EdgeWave Social blocks employees from posting unauthorized content on social media sites through integrated controls with built-in language detection features related to a number of predefined areas. This feature can be set to monitor both corporate and personal social media accounts accessed on any company owned or managed device from the internal network, whether a desktop, mobile device, laptop, or tablet. Organizations can add to or take away from the list of predefined detections depending on their specific needs and policies, and can even create new rules based on their own dictionary for text matching.
Brunetto says EdgeWave Social is not meant to monitor personal account activity outside of work. “The one area we’re not trying to reach is if it’s [the employee’s] own device on a public network, we’re really not worried about that so much,” he noted. “We are looking at anything where [a company has] a valid reason to be looking at it and putting in some policy.”
One benefit to EdgeWave’s blocking application is that it allows for a seamless end-user experience, keeping the person posting information within the social media site, unlike other applications that redirect them to sites outside the social media network.
“Some of the other solutions out there, they’ll give you a Web page, a block page, and now you’re kind of outside of Facebook,” he explains. “You have to go back, and you’re not in the same place. Or the block will be an error message. And those are really poor experiences.”
EdgeWave Social instead brings up a dialog box that appears to be coming from the site itself when someone attempts to post unauthorized content. “It’s totally integrated. It looks like it’s coming from Facebook, or it looks like it’s coming from Twitter,” says Brunetto.
Brunetto emphasizes that each company can tailor the custom text that will appear in response to inappropriate content, such as suggesting that an employee review the acceptable-use policy or referring to a specific guideline. By doing so, he says, the tool “promotes that learning and that self-correcting behavior.”
Another feature e-mails the blocked message to an administrator or sends it to be stored in a reporting database for later review.
EdgeWave Social also offers employers the ability to tailor layers of access for each employee based on his or her administrative privileges on certain company accounts. “You probably have people that are authorized to speak in the name of the company,” says Brunetto. “We have the ability to say, ‘Okay, we recognize the identity of the person from the directory service,’ and then we can match that up with the user name of the social media platform. One person can have full-on authority to post to the corporate account, and another person doesn’t, or they have read-only access to it.”
Security Management has not tested EdgeWave Social, and the company did not provide any end users to talk with, so we cannot know whether it performs exactly as claimed in practice, but whatever software a company uses, the concept is that companies need a way to monitor usage.
Legal concerns. As a company tries to protect itself, it must also be mindful of the legal issues that could be raised by monitoring what employees do on personal accounts, Ornstein points out. Companies must consult with counsel and make sure they know what the laws are in their jurisdictions.
As far as having an application that monitors everything, he says, “It depends very much how it works and what employees have consented to.”
An important first step that companies must take in managing the risk of social media is to craft an effective and realistic acceptable-use policy. They then have to make sure that the policy is disseminated, and they should document that employees have been informed of the policy, including having them sign forms that give the company the right to enforce the policy via monitoring. Then they will have laid the legal foundation for using a security application like EdgeWave Social, which will be one of the means by which compliance with the acceptable-use policy is monitored.
A company clearly has the right to monitor and control what any of its employees post in the company’s name and on company media accounts. But businesses must be careful when drafting policies about any type of monitoring on an employee’s personal activity, even when connected on a company device, says Ornstein. Though Ornstein is not directly familiar with EdgeWave Social, he says that any software monitoring solution “would need to be implemented very carefully to ensure that the use is lawful and not too intrusive.”
Companies must make sure to update their acceptable-use policies as needed to comport with any changes in privacy laws enacted by legislative bodies or any new privacy precedents that arise from decisions in the courts related to social media. The National Labor Relations Board, for example, ruled last September that complaining about work conditions on a public forum, such as Facebook or Twitter, constitutes free speech.
Brunetto says that EdgeWave is mindful of the legal issues. “We continue to monitor what’s going on in the courts. We’re working with legal teams to understand their take on the labor laws,” he says.
David Adler, an attorney at Leavens, Strand, Glover & Adler, LLC, an entertainment, media, and intellectual property law firm based in Chicago, discussed some of what a company might want to put in its acceptable-use policy when he spoke at the RSA Conference in San Francisco in February.
For example, he said, policies must include instructions to ensure that posts are “completely accurate and not misleading and that they do not reveal nonpublic information on any public site.”
Policies also need to be clear from a privacy standpoint. “You need to make sure your privacy policies are up to date, and they speak clearly and completely as to what your data collection practices are,” he noted. And, of course, companies should consult an attorney as they draft their policies.
Ornstein adds that just formulating and disseminating a policy isn’t enough.
“One key practice we’d recommend…is that the people...who are responsible for implementing these policies are themselves properly trained and aware of the legal issues surrounding monitoring and surveillance,” he says.
Once an employer has come up with an acceptable-use policy that takes privacy and legal concerns into consideration, it can then implement monitoring tools.
Enforcing social media policy is critical. A company’s confidential information can be compromised in a mere second, and once posted to the Web, it can live forever through screen shots and other types of data collection, Adler noted.
Ornstein seconds Adler’s viewpoint, noting that “it’s the permanent transferability that spreads like wildfire and that I think creates issues we’ve seen before but on a scale that we’ve never seen before.”