Every organization needs to think about and be prepared to manage the risks associated with operating in the Digital Era. It doesn't matter whether social media is part of the organization's strategic agenda, or if the organization itself has any deliberate digital presence. It also doesn't matter how large the organization is, whether it's for-profit, BtoB or BtoC, or which industry or sector it operates in. To put it simply:
If you employ people, you should have a social media policy - and more!
Digital Era risks exist regardless of an organization's focus on technology, and/or the personal feelings of that organization's leaders about social media and other digital tools. Managing those risks is part of the cost of doing business, and managing them well can be a competitive differentiator, in both the economic marketplace and the war for talent.
Unfortunately, only a small percentage of organizations have addressed Digital Era risks in any meaningful way. This is another manifestation of the new digital divide. Technology changes much faster than the corresponding laws and rules, so we're constantly playing catch up. Organizations will become more sophisticated at managing Digital Era risks over time, of course, but will always be behind.
In this post, I provide an overview intended to help organizational leaders understand some of these challenges and complexities and begin to map out a (new) course of action for managing Digital Era risks.
Social Media Policies - The Basics
There are many social media advocates who have suggested (often adamantly) that an organization's social media policy should be a simple statement to the effect of "don't say anything stupid." I think that advice is terribly naive, reflecting a narrow view of human behavior and a lack of understanding of the political, social, and legal environments in which most organizations operate.
The generic, off-the-shelf solution approach to social media policies is almost as problematic as the common sense approach. Contrary to many people's hopes and expectations, there is no simple solution or "one size fits all" approach to developing a social media policy, and a "fix-it-and-forget-it" strategy is one few organizations can afford. Because every organization is different and technology changes so rapidly, addressing Digital Era risks requires a unique approach, as well as ongoing vigilance and response.
A social media policy should include well-defined rules about what individuals can and cannot do, many of which can be linked to federal or state laws. These rules generally apply to ALL employees, regardless of whether they interact with the public using social media as part of their job responsibilities. They also should have "teeth," meaning that violating them can result in disciplinary action, up to and including termination.
Understanding the Legal and Regulatory Environment
Although a deep dive into legal realities is beyond the scope of this post, I want to provide some examples of the kinds laws and regulations that organizations and their leaders must be aware of and act in accordance with. We'll start with a few of the most important commercial laws. These include regulations that address things like the protection of proprietary and confidential information, trade secrets, and intellectual property. A person may think there's "no harm" in discussing work-related matters in their personal social networks, especially if they have high privacy settings, but doing so could be a legal violation that could cost them their job. Copyright and trademark infringements also create potential risks, even when well-intentioned. And finally, the laws of agency apply to any communication that's done on an employer's behalf, even if it may be done through a personal social networking account.
In addition to general commercial laws, there are a host of additional rules that primarily affect employees in regulated industries. In some cases, traditional rules are being applied to cyber interactions; in others, new rules have been created to explicitly address digital communication. The SEC, for example, has developed rules for publicly-traded companies and their officers and employees. FINRA has created regulations regarding the actions of financial advisors and organizations, and HIPAA focuses on individuals and organizations in the health-care industry. It's worth noting that these regulations can be applied to all individuals who work in regulated businesses, even if they themselves aren't in a regulated profession.
Furthermore, some regulations apply to people even if they aren't in a regulated industry. The FTC's rules regarding appropriate disclosures basically require anyone with a material relationship to a specific organization or brand to disclose that relationship if they're discussing the organization or brand in cyberspace.
There are also a host of employment related laws that must be understood in a Digital Era context, by both employers and employees. In the next section I address non-solicitation and non-compete laws, as well as distracted driving rules. In addition, anti-discrimination laws, anti-harassment laws, and defamation laws can also be applied to people's digital identities and interactions.
Other relevant laws include the Fair Labor Standards Act (FLSA), for which the definition of "work time" is key. If an organization has a cloud-based digital platform and a non-exempt employee accesses it when he or she is not officially working, for example, is that time compensable? How must BYOD (Bring Your Own Device) policies reflect FLSA stipulations?
One of the most advanced employment law areas when it comes to social technologies in particular is the National Labor Relations Act. Although this law is generally perceived to apply to organizations with union employees, it actually applies to all organizations. The related administrative body, the National Labor Relations Board, or NLRB, has been very proactive when it comes to social and digital technology, taking many employers to task for either not having social media policies or having policies that are so broad they produce what's referred to as a "chilling effect." This refers to situations in which employees are hindered from discussing terms of their employment in a way that could be considered protected speech and/or collective action.
Beyond Social Media Policies
Creating a social media policy of some sort is necessary for all organizations, but it's hardly sufficient to manage all the Digital Era risks organizations face. Drafting and implementing a social media policy should be considered part of a larger effort to ensure that an organization's employment policies reflect Digital Era realities, and that both employees and managers understand not just the "new" rules, but also how "old" rules apply in the new era (see Social Media: From Novelty to Utility for best practice guidance for managing social media). Organizations must also reexamine and update their operational policies and procedures, as well as their legal agreements and contracts. And if they have active digital communities, both externally and internally, they need to have proper engagement guidelines in place, as well as updated crisis management plans.
For example, do the safety policies address the use of mobile devices while someone is on the clock? The guy in this picture is on an airport tarmac, texting on a mobile device. Should the airline or airport have a policy that prevents this? When I took the shot in 2010 they probably didn't, but I bet they do now! What about things like distracted driving - is hands-free enough, or should the rule be pull over and turn off the engine before you talk or text? How about fraternization and bullying policies? Have they been extended to social and digital interactions?
The employment agreements that need to be reviewed and updated include non-compete and non-solicitation agreements, as well termination and settlement agreements. A man in Florida won - and then lost - an $80,000 discrimination settlement against his former employer. Although the agreement explicitly prohibited him from discussing the settlement with anyone but his wife and attorney, he told his daughter, who then posted a message about it to her 1200 friends and followers on Facebook. Because a number of these friends and followers had connections to the employer, which was a school, they quickly found out about his slip.
Organizations (and individuals) must also address the question of ownership, particularly in relation to public social media accounts and activities. If an employee opens a Twitter account and tweets on behalf of his or her employer, who "gets to keep" that account and the amassed followers when the employee joins another organization? What about a LinkedIn profile and the network of contacts an employee builds there? For more on this issue, check out Social Media Ownership: Recommendations for Employers.
The issue of training is also critical. Social and digital technology training should be treated like anti-harassment training. What that means is that rather than simply having someone sign off on a policy or guidelines they most likely didn't read, employers should provide online or in-person training that all employees must participate in. Supervisory and managerial employees should receive separate training that also addresses some of their unique responsibilities, such as duty to report, and offers guidance on how to investigate and handle issues raised by employees.
Digital Era risk management training should also be included in new employee orientation and new supervisors' and managers' training, and refresher courses should be required each year to update everyone with regard to new technologies, laws, and court cases.
More to Come
I know it can all seem very overwhelming and even a bit intimidating, but it's in every organization's best interests to understand and adapt to the legal and regulatory environment they work in from a Digital Era perspective. In the past their leaders could perhaps be a bit more dismissive of some of these concerns because they didn't necessarily apply to the organization, or because the risk of exposure was relatively low. But given the increasing access to digital tools and the ways in which social technologies can both expand the reach and amplify the voices of individuals and organizations, they all face greater risks and therefore have greater responsibilities.
Enhancing an organization's ability to manage Digital Era risks requires leaders to think about both outcomes (the "what") and processes (the "how"). I'll address both in a future post that offers checklist guidance for managing Digital Era risks. I'll also be speaking about these issues at the upcoming SHRM Conference. If you're planning to attend, I hope you'll come to my session. It's on Wednesday, June 25, 2014, at 10 am. You can find more details here.
In the meantime, as always, I welcome your comments and questions.