RM: What risks do corporations face when it comes to their social media presence?
Adam Cohen: I think there are significant risks to the corporation itself because they don’t have as much control of their social media as they think they do. In most cases, corporations don’t realize that what they put on these social media services is all subject to the privacy policies and terms and conditions of the services. Those provide a shocking amount of access by the social media services where they may take your data.
There’s also a huge risk for the company from reputational damage that occurs as a result of third parties’ social media posting. For example, if a customer is critical of a product, that can be all over the world, immediately. Now, you have very sophisticated data analytics that can allow businesses to monitor that better, but most companies don’t know about it and they aren’t using it.
RM: What is the first thing you look for when trying to evaluate a social media account for potential wrongdoing by an employee?
Cohen: The emphasis should not be on invading legitimate personal privacy or personally private information, but on looking for a nexus between the business and the social media. Personal social media may be a concern from the perspective of an employee possibly being seen as [a representative of] the company and sullying its reputation.
But the first thing to look for is whether the employee discusses matters within the scope of employment. That’s difficult to monitor—the social media world is a big world, especially for a company with a lot of employees. But there is technology known as data analytic technology, and that’s something the company can use to do a much better job of monitoring now.
RM: What are some of the challenges that social media is introducing into the litigation arena?
Cohen: More litigants are becoming aware that social media is subject to disclosure, so they’re asking for it, which means another headache for the company in terms of legal obligations to preserve social media. Preservation may not be as easy as it sounds—you have all kinds of electronic characteristics of social media, like metadata, that many companies and lawyers aren’t familiar with or aren’t aware how to preserve. They have to collect it now; they have to figure out how to search it and produce it. And that introduces another risk—individual states have different laws and requirements.
RM: What are the biggest concerns for organizations when they try to write a social media policy?
Cohen: You can’t just assume all this behavior is covered in your broader computer and Internet use policy. The National Labor Relations Board has been, essentially, invalidating social media policies for dismissals of employees based on violations of policies that are considered overly broad. In some cases, broad terms are considered failure to give employees real notice of the policy and prohibited behavior.
From there, one of the key concerns is whether you can actually monitor and enforce the policy. Courts have now said that a policy you don’t monitor or enforce, or don’t enforce in a consistent and uniform way, is a paper tiger—it doesn’t help you. Employees have successfully argued in many employment cases that, while there is a policy, the operational reality is that the policy doesn’t apply.
RM: What are the keys to writing the best corporate social media policy?
Cohen: The first thing is to have a provision about representation of the company on social media. There are different approaches to that. [With] some employees, the company may want to say, “You have permission to represent us on social media.” Some may just want to warn, “Don’t do anything that could be construed as representing us on social media.” Some may say you need to publish a disclaimer, that kind of thing.
Second, you need specifications about confidential information. As far as you can, you must specify what you mean by confidential information and what the company considers the most dangerous kinds of confidential information. Of the guidelines I’ve seen, one of my favorite is not to post anything with a dollar sign.
It is also critical to identify when authorization is required to make certain kinds of postings. Employees need to know when they should ask for permission, and there has to be a mechanism in place for guidance—you have to provide a contact for them. Make it as easy as possible for employees to get clarity on whether they’re permitted to do something and provide resources for when questions of authority arise.
Fourth, it needs to be made clear to the employee that there are significant limits to what they can reasonably expect to be private.
Finally, make sure the policy is clear and comprehensible and collect documentation in the form of certification from the employee that says they have read, understand and are going to comply with the policy.