The average Fortune 100 firm has approximately 320 social media accounts and engages with more than 210,000 “followers” and commenters annually. More than 1,100 employees at these companies make more than 500,000 posts a year.

The problem, according to a new study by Proofpoint, a security and compliance company, is that the pace, scale, complexity, and informal culture of corporate social media create risks and regulatory red flags that go beyond the traditional skill set of compliance overseers.

Proofpoint’s new “State of the Social Media Infrastructure” report found that the average Fortune 100 company suffered from a total of 69 un-moderated compliance incidents during the study’s 12-month research window (an analysis of more than 32,000 from July 2013 to June 2014). Nine different U.S. regulatory standards triggered incidents, including rules by the Securities and Exchange Commission, Financial Industry Regulatory Authority, Federal Financial Institutions Examination Council, Food and Drug Administration, and the United Kingdom’s FCA. Social media compliance violations were triggered by both employees and commenters. Financial services firms accounted for the largest incident volume with more than 5,000 incidents, roughly 250 per firm.

Problems included both consumer data confidentiality (credit card numbers, account numbers) and the leak of business information (material disclosures). For pharmaceutical companies, a particular area of concern is reviewing public posts for reports of adverse side effects from medications. Healthcare organizations are required to report these incidents to the FDA.

“Message volume alone makes manual compliance monitoring and enforcement impractical if not impossible,” the report says. Assuming a one-minute reading time per message, the average company would spend 8,333 hours per year on compliance review.

“Unfortunately, social has grown so quickly and each network has so many modes of communication that compliance practitioners are finding it difficult to simply transfer existing process to the practical realities of social,” the report says. “The scale and complexity of social media, with an ever-changing roster of accounts on a growing number of networks, makes policy, training, supervision, and records retention more difficult than other channels.”

Among the reasons social media risks persist is that best-practice compliance controls are inconsistently enforced. Only 47 percent of branded posts were routed through marketing and content publishing platforms, despite the fact that most Fortune 100 brands own these tools, the study found. This suggests that employees are either unaware of, ignoring, or deliberately circumventing approved publishing workflows.

The report offers suggestions for building a successful social compliance program:

Establish a core, cross-functional team responsible for compliance. The primary role of this cross-functional team is to assign clear roles and responsibilities within the organization for policy, training, enforcement, and audit.

Develop a social media security and compliance policy covering approved business use, content, and publishing workflow.

Define approved social account types and business uses. Is brand representation limited to corporate marketing accounts, or is approved usage extended to executives, sales, support, and general employees? What business purpose is approved for each group (marketing, employee advocacy, prospecting, recruiting)? Which accounts are used for material earnings disclosures? This policy should also cover which social networks (Twitter, LinkedIn, etc.) are approved for each account type.

Consider directing employees to use an approved content publishing application to make all posts for corporate accounts and personal accounts used for business.

The study also stresses the importance of training, for executives as well as rank-and-file employees. “Executive participation in social media can have tremendous upside for the business, but compliance professionals need to educate those executives and deploy controls to catch inevitable mistakes,” it says. “As general employee populations emulate executives in social promotion of the company, we expect SEC incidents to become an even greater concern across all industries.” Of particular concern is Regulation FD (for “fair disclosure”), which requires that material information, including earnings and acquisitions, be available to all investors, and only on specifically identified social media accounts.

Examples of executives being overly zealous with social media include Twitter’s Chief Financial Officer Anthony Noto, who, thinking that he was sending a private direct message to another executive, made a public post exposing a recommendation to acquire another firm. In April, Tesla CEO Elon Musk used a personal Twitter account to tease an imminent product announcement (later revealed to be new battery technology). Within 10 minutes of the post, Tesla stock rose four percent, adding $900 million to the company’s market capitalization.