In June of this year I had the opportunity to present at the Society for Human Resource Management (SHRM) Annual Conference & Exposition. My talk was entitled, "Managing Risk in the Digital Era: Checklist Guidance for HR Professionals," and the program description read as follows:
You need to be prepared to manage the risks associated with operating in the digital era regardless of whether social media and other digital technologies are part of your organization's strategic agenda. It is critical that you ensure your policies reflect digital era realities and that employees and managers understand not just the "new" rules, but also how "old" rules apply. Balancing legal, business, and relationship perspectives, this session provides an overview of general legal considerations and offers specific guidance to evaluate and update your policies, communicate changes and provide necessary training.
There were at least four other presentations on the general topic, all of which were given by attorneys (which I am not). The other presentations tended to focus on social media, and although they included recommendations as well as descriptions of the challenges, I believe my talk was unique in that it focused on digital risks more broadly, emphasized the importance of thinking beyond social media policies, and offered specific guidance on not just what needs to be done to manage Digital Era risks, but how organizations should proceed.
With a concurrent session on the last morning of a long conference, I didn't expect great attendance, but there were about 60 attendees. More importantly, at least to me, the attendees were very engaged, with at least 20% asking thoughtful, specific, and sophisticated questions. It was clear that many of their organizations are still trying to come to terms with the best approaches to take to both their social media policies and digital risk management more broadly.
One of the attendees was Aliah D. Wright, a manager and online editor for SHRM and the author of A Necessary Evil: Managing Employee Activity on Facebook, LinkedIn and the Hundreds of Other Social Media Sites. She was there to cover the session for SHRM and published her summary/take-aways in Managing Risk in a Digital World. Thanks, Aliah!
I've embedded a copy of the slide deck from my presentation below. It can also be accessed directly via our SlideShare channel. The recording of the talk is available through SHRM's conference on demand package.
Folks may also be interested in the photo essay I published in Scenes from SHRM14: Social and Digital Dimensions, which highlights examples of how SHRM, as well as vendors and service providers, continue to leverage social and digital technologies, both in their offerings and in the ways in which they reach out and interact with key stakeholders.
Here is some additional material on social media policies that isn't explicitly included in the presentation deck, as well as a more complete treatment of the legal/regulatory environment.
Sample Social Media Policies and Guidelines. I advise against taking a "boilerplate" approach to creating social media policies, and I certainly don't think it's wise to simply copy a policy created by another organization, but there is value in benchmarking the social media policies and guidelines created by others, especially organizations that are relatively sophisticated at leveraging social media.
Several sites aggregate and provide links to publicly-available social media policies and guidelines, as well as related resources. The most well-known of these sites is Social Media Governance, but there are others that also provide large, comprehensive lists of sample policies and other resources, such as:
The sample policies range in complexity, and vary in terms of their content and format. Though it is important to review a wide variety of them, I would focus on some of the more elaborate examples, as it's easier to delete aspects that aren't relevant to your operations than to try to think of what might be missing.
A word of caution: when I recently revisited the Social Media Governance site and followed links to find examples for the SHRM presentation, I found that many of the links were no longer valid and I had to go to a search engine to find what I was looking for. I would advise using the databases/lists as a reference and then conducting independent searches to ensure you're accessing the most recent social media policies and guidelines for the organizations you want to benchmark against.
The Legal Landscape. Trying to get a handle on Digital Era legal considerations is like trying to maintain your balance while straddling shifting tectonic plates - especially if, like me, you're not an attorney. There are specific legal considerations related to the conduct of business, labor and employment law considerations, and a federal, state and even local and global legal environment that's in a near-constant state of flux.
Business Conduct Considerations. There are numerous legal requirements to consider in developing social media policies and guidelines for employees who may discuss their organization and/or its products/services in cyberspace, either formally (as part of their job responsibilities) or informally. These include:
- Federal Trade Commission (FTC) rules regarding identity and affiliation disclosures, disclaimers, and endorsements
- Regulations regarding the protection of trade secrets, proprietary and confidential information
- Copyright, trademark and intellectual property protections
- Laws of agency
- Privacy protections (e.g., Health Insurance Portability and Accountability Act (HIPAA))
- Securities and Exchange Commission (SEC) regulations
Labor and Employment Considerations. There are also a host of labor and employment laws and regulations that organizations must consider with respect to individual employee behavior in cyberspace. These include:
- Anti-discrimination laws
- Anti-harassment laws
- Fair Labor Standards Act (FLSA)
- National Labor Relations Act (NLRA) (which applies to both union and non-union employers)
- Whistleblower protections
- Non-solicitation and non-compete laws
- Defamation laws
- Distracted driving regulations
- Privacy protection requirements
- Fair Credit Reporting Act (FCRA) (when third parties are used as part of a background screening process)
- Employer negligence (e.g., negligent hiring, negligent referral)
The Changing Legal Environment. In addition to the laws cited above, relevant federal laws include the Stored Communications Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. There are also related state laws that vary widely, and for some organizations local and global laws to contend with as well.
The three federal laws cited in the preceding paragraph were passed in 1986, long before widespread usage of digital technologies. Other relevant laws are even older. The age of these laws is problematic because they don't reflect today's realities, so advocates, judges and juries have to interpret them in light of their own understanding of those realities, which is often limited. The varying interpretations lead to divergent opinions and create a lot of conflicting case law that will take some time to resolve as the number of cases increases and they make their way through the judicial system.
Efforts to update both federal and state laws to reflect Digital Era technologies and realities have begun, but the discussions are conflict-ridden and political (see, for example, stories about net neutrality), which means it will be a long time before organizations will have updated regulatory guidance to rely on.
Privacy in particular is an area of the law that is undergoing significant changes as societies determine where the lines should be drawn and what the relative rights and responsibilities of various stakeholders should be (it's also a hotly debated subject in the court of public opinion). In the context of work, privacy is just one of several issues that have to be resolved in determining the relative rights and responsibilities of employers and employees.