Balancing the Power of Social Media With Compliance Risks

Karen Kroll | March 18, 2014

In April of last year, the SEC issued a report stating that companies can use social media outlets like Facebook and Twitter to announce material information in compliance with Regulation Fair Disclosure, just as long as they alert investors about which social media channels will be used to disseminate such information.

The news was a relief to Netflix chief executive officer Reed Hastings, whose Facebook post from July of 2012 announcing that the company had streamed 1 billion hours of content during the prior month had prompted an investigation and the subsequent report. In a press release announcing the report, the SEC stated that it “did not initiate an enforcement action or allege wrongdoing by Hastings or Netflix.”

So now companies can breathe a sigh of relief and tell their employees to start filling their social media sites with content, right? Hardly. Companies still face huge risks when they communicate via social media Websites.

Some industries, such as financial services and healthcare, must still navigate lots of regulations when communicating over social media sites. And even if a message doesn't spark action by regulators, the possibility that a thoughtless or offensive Tweet or Facebook post will generate negative publicity, alienating customers or business partners, is real.

There are also risks for companies in how they deal with employees' use of social media or if they ignore social media completely. “If you don't participate in social media, you run the risk of not knowing what others are saying, unfiltered, about your brand,” says Lizzie Roscoe, social media manager of global digital communications at McDonald's. “You miss the opportunity to engage with consumers online.”

Rather than ignore or avoid social media, companies can benefit by identifying ways to use it to promote their interests that don't violate regulations or incite a backlash. The key is identifying “what you are trying to accomplish and how you can do it in a way that makes sense without being burdensome but still protecting what you need to protect,” says Kathryn Ossian, founder of law firm Ossian Law and editor of the book, Social Media and the Law.

Compliance officers must balance the opportunity for the company to leverage social media as a powerful communications tool with the risks it presents. For starters, companies need to train employees and create policies that can reduce the risk of improper or illegal use of social media, yet they can't implement policies so broad that they violate labor laws. A policy that requires employees to gain approval, for example, before posting any work-related comments on any social media—including their own accounts—essentially restricts employees from talking about their working conditions, which would violate the National Labor Relations Act, Ossian says.

In many cases, companies' ability to censor employees' personal social media messages may be limited to requiring them to keep any confidential corporate information confidential, and to refrain from intentionally harming the company's reputation or legitimate business interests, says Lothar Determann, partner with the law firm of Baker & McKenzie and author of Determann's Field Guide to International Data Privacy Law Compliance.  

Companies also need to protect their data, along with any client data they retain, from threats or malware that arrive via social media, says Joanna Belbey, social media and compliance specialist with Actiance, a provider of communication, collaboration, and social media governance solutions.

It's worth pointing out to employees, adds Belbey, that the laws and policies that apply offline also apply in the virtual world. For instance, any advertising messages disseminated via social media—just like those on television or in print—can't mislead and claims must be substantiated in certain cases, Belbey says.

Social media messages also can be subject to record retention requirements. “If you type it, it's a record,” Belbey says. That's of particular concern in highly regulated industries, such as financial services.

Similarly, social media comments or posts may be subject to litigation holds and used in court proceedings, Determann says. In these cases, an employer involved in litigation may struggle to ensure that the holder of the account can't delete or manipulate the data related to the proceedings, even if it resides within a personal account.

Mitigating the Risks

While the risks of engaging customers and others via social media are real, trying to avoid social media means losing valuable opportunities to promote your brand. “Consumers are already talking about the brand, so it's imperative that they're also talking with the brand,” Roscoe says. 

Moreover, prohibiting the use of social media among employees can tempt them to engage in it surreptitiously, Determann notes. When that occurs, the company's ability to track the conversations is reduced. Such a policy can even lead to a loss of talent, as some employees may balk at what they see as corporate over-reach, or take technology and communications preferences into account when searching for employment.

The goal is to develop an approach and policies that allow for the use of social media within parameters that enable the company to meet its compliance obligations and minimize the risk of offensive or tasteless messages.

Selecting the right platform for a particular objective is essential, Determann says. Open, public platforms like Twitter and Facebook can be great for disseminating information to a large group of people. Companies that want employees to collaborate and share confidential information with a select group of co-workers or business partners, however, probably will find a secure intranet more effective.

It's also important to bring together top stakeholders to outline the social media risks most relevant to the organization, as well as tactics to mitigate them, Belbey says.

At McDonald's, for instance, the communications, marketing, legal, IT, and technology audit groups are among the teams providing input to the company's social media initiatives, says Guy Pieroni, director of technology audit. “Everyone comes with a different perspective,” which helps ensure that all angles are covered, he adds.

It's also important to develop policies to guide employees' and the company's use of social media. While the purpose of social media technology differs significantly from, for instance, a payroll or accounting system, some of the same control mechanisms come into play, Pieroni points out. That may mean formally provisioning access to the company's social media profiles and requiring those allowed access to follow an established sign-in procedure. “We can take our existing set of policies and frameworks and apply them in a slightly different way,” he says.  


Many regulatory agencies have been developing guidance on the appropriate use of social media for the industries under their purview. Among the information issued so far:

Just as important as the policies in place is a commitment to ensuring that they're followed. Belbey notes that SEC examiners working with a company not only review the policies, but also interview its employees to assess how completely they're being followed. Firms need to develop reasonably enforceable policies, and then follow them.  

While critical, policies and supervision are not enough. Employees also need to be trained in the prudent, legal use of social media, Determann says. Given how rapidly electronic communication can travel, and how fast technology changes, it's almost impossible to cover every situation with a law. “You have to trust employees to do the right thing at short notice and when they're under pressure,” he says.

Technology can also play a role in ensuring that a company's social media initiatives comply with applicable regulations and remain within the company's guidelines. Among other capabilities, technology solutions can maintain social media records, provide a repository of pre-approved content, and flag words in social media messages that might be problematic, Belbey says. “You come up with policies and then use technology to do what the policies say.”