It was bound to happen.
The self proclaimed "cheating" website, AshleyMadison.com, recently confirmed that as many as 37 million customers had their account information stolen from the site. The stolen data is said to include sexual fantasies and preferences, explicit photos, names, and credit card transactions. Last week, the hackers released the stolen files - nearly 9.7 gb of data on 32 million users. Then again, more files were released on August 20, 2015. According to Wired Magazine, one analysis of the first batch of data revealed nearly 15,000 military or government email addresses.
With more than 32 million profiles impacted by the AshleyMadison breach, what do you do if any of this information is linked back to one of your executives? What is your crisis plan? How will you manage the negative fall out?
After all, any company whose business relies on the reputation of its executives is at risk from this and other high-profile data breaches. Social media incidents WILL happen and they WILL come at organizations from all angles.
Jonathan Copulsky, principal at Deloitte Consulting L.L.P., and author of Brand Resilience, in an interview with Business Insurance Magazine said, "it's not a matter of if, it's a question of when. We encourage people to think about what they would do if" an event were to occur.
NO SHORTAGE OF STUPIDITY
Comedian Ron White's famous catch phrase, "you can't fix stupid" is proving especially true as corporations struggle to train employees in the intelligent use of social media and the Internet.
- Just a few months ago, after surviving a round of layoffs, executives at retailer J.Crew sent photos withhashtags that made reference to "The Hunger Games" films where teens are forced to fight to the death as a metaphor for keeping their jobs.
- Former member of the United States House of Representatives, Anthony Weiner is a poster-child for social media stupidity. Dubbed Weinergate because he sent sexually explicit selfies from his cell phone. Weiner eventually resigned when the photos hit prime time.
- Justine Sacco, a media relations executive, was fired for tweeting a racist joke about Africa and AIDs to her 500 or so twitter followers. The story is the same - her tweet went viral, the blogosphere found her social media posting history, she lost her job, the end.
Even when corporate IT resources aren't used, the division between home and work is blurry as private behaviors undermine the trust of the public when executives don't use common sense. While you can't fix stupid, how should the Board of Directors, HR or the executive team respond when an executive mis-steps on the Internet or social media?
DOCUMENT, DOCUMENT, DOCUMENT
A social media policy should be implemented before anything happens. In fact, both a Social Media Policy and a Reputation Management Plan need to be documented and implemented before disaster strikes. Even if your company doesn't do business online, there are still plenty of customers who will talk about their experiences with you through social media. Do not underestimate the impact social media risk can have on your company.
Comprehensive policies and procedures are critical in helping to prevent and in preparing to respond quickly and effectively to issues encountered online. Not having a Social Media Policy in place is a lot like sending photos of your junk to random strangers - one misstep and the damage is done. If clear policy and guidelines are defined and signed by all employees, then this provides simple recourse for dismissing an employee in the event of an incident.
TIPS FOR CREATING AN EFFECTIVE SOCIAL MEDIA POLICY:
- If your company has not established a Social Media Code of Ethics, this needs to be a priority. BrandProtect - a Toronto-based social media risk monitoring service - has published a free Internet Reputation Guidelines and Social Media Policy handbook on their website which can be used as a resource to help create a Social Media Policy.
- If you do have a Social Media Acceptable Use Policy in place (sample policy available here from SHRM), it needs to be reviewed and updated on a regular basis. Social media platforms are changing every day, exposing your organization to new security risks. Your code of ethics for activity on these platforms needs to adapt based on these changes.
- Ensure that all of your employees read and sign the Social Media Code Acceptable Use Policy upon hire. When an update is made to the policy, staff needs to acknowledge they have been made aware of and have signed off on the updates. One way to do this is to provide an online version that requires all staff to read it and accept it. Acceptance of the online document would be sufficient proof that they are up to date on the most current social media policy. Check with legal counsel in your market, there are some jurisdictions that require a physical signature on a document be kept on file.
- Require staff to take training on the company's Social Media Acceptable Use policy. This could be done either online or in a classroom setting. Retain proof that employees have completed the course.
- If a member of your company does post something inconsistent with the values of your organization, there needs to be a procedure established for how to address it.
- Assess the seriousness of the issue.
- Address the matter with the staff member, ask them delete their post or face consequences.
- If the indiscretion will cause damage to the reputation of the company, or if the post is deliberate or of a threatening nature, additional actions, including dismissal of the employee and contacting the authorities may be necessary.
MONITOR FOR SOCIAL MEDIA RISK
According to Nancy Flynn, in a recent Wall Street Journal article, management has an obligation to monitor how employees are using social media at all times:
"It's all too easy for disgruntled or tone-deaf employees to go onto social media and criticize customers, harass subordinates and otherwise misbehave. Sometimes that can bring workplace tensions and complaints, sometimes it can damage a company's reputation in the marketplace, and sometimes it can lead all the way to lawsuits or regulatory action. And, like email, social-networking records can be subpoenaed and used as evidence."
When monitoring for stupidity, it is easy to minimize what may appear to be harmless behavior or just "boys being boys." However, executive extramarital affairs or other distractions that go public can quickly tarnish the reputation of a any company.
Public and shareholder trust in executives is a critical piece of a company's reputation. When that trust is broken, shareholders lose. A recent study of 219 CEO indiscretions revealed that companies experience an average shareholder loss of $226 million in the days following the incident. Worse, the damage is not temporary. Stock prices at companies that suffered from CEO stupidity fell between 11% and 14% over the subsequent year.
"Threat monitoring will help you respond faster to stupid indiscretions. At the same time, for the same effort, it is also good to know that threat monitoring may identify more severe threats," said BrandProtect's Kiefer. "With the alarming frequency of lone shooter incidents, violent or disgruntled employees, planned protests, boycotts, data breaches - it pays to pay attention. No organization can afford to miss threats against its employees."
Kiefer recommends monitoring social media platforms against a wide range of threats - stupidity, physical threats (families, facilities, activism, protests or planned business disruptions), assets (such as logos, trademarks) as well as cyber threats such as loss of sensitive data or leakage of confidential information.
Once detected, a potential brand incident should be automatically reviewed by the security, HR or executive teams depending on the severity and then move into mitigation or containment of the problem. For more information about workflow and evaluating threats, the United States Air Force has published a social media response flowchart that provides a free and useful decision-tree for escalation of social media threats.
SPEED MATTERS TO MINIMIZE SOCIAL MEDIA RISK
When a social media incident occurs, be it external or internally - from an employee, customer or other actor, it is important to move quickly. After a social media incident has occurred, it is important to establish your company's position on the subject matter at hand. Both Mr. Casey and Ms. Sacco's employers quickly released statements to the media asserting that the comments of the individuals were in no way reflective of the values of their respective companies.
The statements made it clear that their organizations did not tolerate racism or discrimination on any grounds. Swiftly addressing the incident and clarifying the company's position is critical if a company and a brand hope keep the trust of the public intact. If they had not made clear statements in a timely manner, they may have been seen as not caring or worse yet, condoning the comments.
CONCLUSION
Executive "Weiner problems" and stupidity have wide ranging impacts. Shareholders react badly if they feel the executive is distracted or that the executive has integrity issues. The impact of stupidity is wide ranging - legal action, broken marriages, embarrassment and falling stock prices. The obvious conclusion and take away for executives - keep your zipper closed (no matter how awesome you think it looks on camera) or stick with a camera-less flip-phone. These simple steps can help your team protect your privacy as well as your organizational rights, revenue and reputation. This is where social monitoring can help. If the executive team knows they are being watched, they will not be stupid or, at the very least, be more discrete.