Every organization needs to think about and be prepared to manage the risks associated with operating in the Digital Era. It doesn't matter whether social media is part of the organization's strategic agenda, or if the organization itself has any digital presence. It also doesn't matter how large the organization is, whether it's for-profit, BtoB or BtoC, or which industry or sector it operates in. To put it simply:
If you employ people, you should have a social media policy.
End of story? Not exactly. Drafting and implementing a social media policy should be considered part of a larger effort to ensure that an organization's employment policies reflect Digital Era realities, and that both employees and managers understand not just the "new" rules, but also how "old" rules apply in the new era.
There are many social media advocates who suggest (often adamantly) that an organization's social media policy should be a simple statement to the effect of don't say anything stupid. In my view, that advice is terribly naive, reflecting a narrow view of human behavior and a lack of understanding of the political, social, and legal environments in which most organizations operate.
I'm generally not a fan of fear mongering, and I don't like to overwhelm people, but this issue is more complex than many so-called experts will assert - and more challenging than many organizational leaders may want to accept. There is generally no simple solution or "one size fits all" approach, and a "fix-it-and-forget-it" strategy is one few organizations can afford.
In this post, I provide an overview intended to help organizational leaders understand some of these challenges and complexities and begin to map out a (new) course of action for managing Digital Era risks. The post serves as an introduction to a future white paper or monograph that will delve into the subject more deeply.
The post is organized into the following sections. Read or scroll down to learn more.
- Recent "What Were They Thinking?" Examples
- The State of the Social Media Policy-sphere
- The Legal Landscape
- Guidance for Leaders
As an introductory piece, this post lacks depth (as well as some breadth).
I'd love to have it serve as a conversation starter.
Please share your comments/questions & convert the monologue into a dialogue.
RECENT "WHAT WERE THEY THINKING?" EXAMPLES
Both employees and employers can be guilty of poor judgment when it comes to social media activity!
EMPLOYEE EXAMPLES. Last week I shared two stories with the SMinOrgs Community about cases in which individuals shared "questionable" thoughts in cyberspace that had implications for their employers:
- A Fellow at NYU's Center on Law and Security resigned after posting negative comments on Twitter about CBS war correspondent Lara Logan in response to news about her being sexually assaulted in Cairo (see story here).
- A high school teacher in Pennsylvania was suspended (with pay) after her employer learned about a blog she maintained in which she spoke harshly about students (see story here).
The first case highlights the fact that even experienced social media users can make significant mistakes due to lapses in judgment and/or careless wording (click here for another story about a journalist). The second case highlights several important considerations:
- The teacher's blog was not part of her official responsibilities and not connected to her formal role.
- She posted on her own time, using her own equipment (for the most part).
- She did not disclose her full name or her employer (though her identity was relatively easy to determine), and she did not reference students by name.
In both cases, it's not clear what the organization's social media policies are, or what role those policies played. Because the fellow in the first case admitted wrongdoing and resigned, it may not be critical. But in the second case, the teacher claims to have done nothing wrong and wants to be reinstated. Absent a strong social media policy, the school board may not be able to take disciplinary action against her, regardless of how egregious they (and others) may view her actions as being.
EMPLOYER EXAMPLES. A logical conclusion from the stories above is that social media policies can be viewed as a form of insurance - and it doesn't make sense to be uninsured or underinsured (think Allstate's Mayhem!). But many organizations take that "logical conclusion" to the extreme and create a "lockdown" approach in which they block all access to social media sites at work and/or forbid employees to "inappropriately" reference them or their brands in cyberspace.
Some strict social media policies can be legally defensible, but that doesn't mean they make the best business sense, as evidenced by the case of a waitress in Atlanta who was fired for negative comments she posted about customers on Facebook (see story here). But in other cases employers have been accused of overreaching and taking an overly broad approach to managing risk. Here are two notable examples that have been at the center of some recent media frenzies:
- The National Labor Relations Board (NLRB) settled a dispute with a company in Connecticut that they alleged had illegally fired an employee in part for comments she posted on Facebook about her supervisor (which I wrote about here).
- The American Civil Liberties Union (ACLU) sent a letter to Maryland's Department of Public Safety and Correctional Services (DPSCS or DOC) requesting them to discontinue their practice of requiring job candidates to provide login information for their social media accounts (which I wrote about here).
The NLRB has received another similar complaint in recent weeks, and based on the comments on the February 7th post on the NLRB's Facebook page, there could be other cases in the near future, so the challenges to restrictive social media policies may have only just begun.
THE STATE OF THE SOCIAL MEDIA POLICY-SPHERE
A quick review of recent research results and sample policies/guidelines can provide a sense of where things currently stand with respect to social media policies and guidelines:
RESEARCH RESULTS. Here are some studies on social media in organizations published in the last six months.
- CAI: An Analysis of Our Social Media in the Workplace Survey
- Toolbox.com/PJA Social Media Index: Wave VI
- IACP Center for Social Media 2010 Survey Results
- AAM Releases Social Media Study
- The Mercadien Group 2011 Social Media Survey Report
- NASCIO: A National Survey of Social Media Use in State Government
Though many of them include other findings and analyses as well, I want to highlight the results with respect to social media policies:
- The percentage of organizations reporting they've implemented social media policies ranges from 24% to 43%.
- In the studies where the question was asked, 23-31% of respondents indicated their organization is currently working on developing a policy.
- In the Toolbox.com study, which included almost 3000 professionals in IT, HR, and Finance, 51-53% of the respondents indicated their organization either didn't have a social media policy, or they were unsure whether it did.
To obtain even more current results from a broad sample of professionals, I created a LinkedIn poll to assess the status of social media policies in a range of organizations. The results generally corroborate the results of the other studies. Here is a snapshot of the results after 501 votes (click on the image to view the latest results, look at different data "slices," and read the comments):
The poll will be open until early March, so please add your vote &/or share the poll.
The response so far has been great, but more votes are welcome!
SAMPLE POLICIES AND GUIDELINES. I advise against taking a "boilerplate" approach to creating a social media policy, and I certainly don't think it's wise to simply copy a policy created by another organization, but there is value in benchmarking the policies and guidelines created by others, especially organizations that are relatively sophisticated at leveraging social media.
Several sites aggregate and provide links to publicly-available social media policies and guidelines, as well as related resources. The most well-known of these sites is Social Media Governance, but there are others that also provide large, comprehensive lists of sample policies and other resources, such as:
The sample policies range in complexity, and vary in terms of their content and format. Though it's important to review a wide variety of them, I would focus on some of the more elaborate examples, as it's easier to delete aspects that aren't relevant to your operations than to try to think of what might be missing. Three of the most sophisticated examples are:
- Cisco Social Media Policy, Guidelines, and FAQs document
- The United States Army Social Media Handbook
- Navy Command Social Media Handbook
As you review the resources provided on these sites, it's also important to understand the distinctions between policies and guidelines (though the terms are often used interchangeably):
- Think of policies as well-defined rules about what individuals can and cannot do, many of which can be linked to federal or state laws. Policies also generally apply to ALL employees, regardless of whether they interact with the public using social media as part of their job responsibilities.
- Guidelines, by contrast, are a little fuzzier, reflecting expectations for behavior that may not be as easy to define or enforce. They are also generally created to guide the behavior of employees who interact with outsiders using social media as part of their job responsibilities.
The Cisco Social Media Policy, Guidelines, and FAQs document can be used to illustrate some of these distinctions. Here are samples from the policy and guidelines sections on pages 4 and 5:
- Identify yourself as a Cisco employee.
- Do not post confidential or copyrighted information.
- Do not post anything that is defamatory, offensive, harassing, or in violation of any applicable law or any of Cisco policies.
- Be responsible.
- Be authentic, factual, and respectful at all times.
- Avoid engaging in on-line disputes.
- Add value.
Please add a comment if you know of other research results and/or great resources for sample social media policies/guidelines.
THE LEGAL LANDSCAPE
Trying to get a handle on Digital Era legal considerations is like trying to maintain your balance while straddling shifting tectonic plates - especially if, like me, you're not an attorney. There are specific legal considerations related to the conduct of business, labor and employment law considerations, and a federal, state and even global legal environment that's in a near-constant state of flux.
BUSINESS CONDUCT CONSIDERATIONS. As evidenced by the Cisco example and others provided in the aggregated lists in the preceding section, there are numerous legal requirements to consider in developing a social media policy/guidelines for employees who may discuss their organization and/or its products/services in cyberspace, either formally (as part of their job responsibilities) or informally. These include:
- Federal Trade Commission (FTC) rules regarding identity and affiliation disclosures, disclaimers, and endorsements
- Regulations regarding the protection of trade secrets, proprietary and confidential information
- Copyright, trademark and intellectual property protections
- Laws of agency
- Privacy protections (e.g., Health Insurance Portability and Accountability Act (HIPAA))
- Securities and Exchange Commission (SEC) regulations
LABOR AND EMPLOYMENT CONSIDERATIONS. There are also a host of labor and employment laws and regulations that organizations must consider with respect to individual employee behavior in cyberspace. These include:
- Anti-discrimination laws
- Anti-harassment laws
- Fair Labor Standards Act (FLSA)
- National Labor Relations Act (NLRA) (which applies to both union and non-union employers)
- Whistleblower protections
- Non-solicitation and non-compete laws
- Defamation laws
- Distracted driving regulations
- Privacy protection requirements
- Fair Credit Reporting Act (FCRA) (when third-parties are used as part of a background screening process)
- Employer negligence (e.g., negligent hiring, negligent referral)
THE CHANGING LEGAL ENVIRONMENT. In addition to the laws cited above, relevant federal laws include the Stored Communications Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. There are also related state laws that vary widely, and for some organizations global laws to contend with as well.
The three federal laws cited in the preceding paragraph were passed in 1986, long before widespread usage of digital technologies. Other relevant laws are even older. The age of these laws is problematic because they don't reflect today's realities. Advocates, judges and juries must therefore interpret them in light of their own understanding of those realities, which is often limited. The varying interpretations lead to divergent opinions and create a lot of conflicting case law that will take some time to resolve as the number of cases increases and they make their way through the judicial system. A few examples:
- Employees' Private Email Accounts Not Necessarily Off-Limits To Employers
- Are Contact Lists Still Trade Secrets in the Age of Social Networking Sites?
- eDiscovery & Social Media
Efforts to update both federal and state laws to reflect Digital Era technologies and realities have begun, but the discussions are conflict-ridden and political (see, for example, stories about net neutrality), which means it will be a long time before organizations will have updated regulatory guidance to rely on.
As noted by some of the case examples above, privacy in particular is an area of the law that is undergoing significant changes as societies determine where the lines should be drawn and what the relative rights and responsibilities of various stakeholders should be (it's also a hotly debated subject in the court of public opinion). In the ACLU and NLRB cases cited earlier, the outcomes (so far) have been in favor of protecting an employee's rights, but in Quon vs. the City of Ontario, the U.S. Supreme Court decided in favor of the employer. Last year, judges in Indiana and New York decided that the private social networking activity of two employees was discoverable and relevant to a discrimination case against their employer (see details for the IN case here and for the NY case here). Meanwhile, in Germany, legislation was proposed last summer to ban employers from viewing candidates' Facebook pages as part of their pre-employment screening process (see this white paper and this blog post for more on the subject of "social screening").
GUIDANCE FOR LEADERS
Enhancing an organization's ability to manage Digital Era risks requires leaders to think about both outcomes (the "what") and process (the "how").
OUTCOMES. There are several things every employer should do to ensure they're managing Digital Era risks with a holistic, systemic, and integrative approach. Here's a high-level checklist of the main activities:
- Determine your overall strategic approach to leveraging social media for both internal and external purposes.
- Develop a social media policy for all employees.
- Review/revise all employment policies to reflect Digital Era technologies and realities.
- Determine a fair and consistent (and realistic) approach to monitoring, enforcement, and discipline.
- Craft social media guidelines for employees who interact with outsiders via social media channels.
- Create posting guidelines and moderation rules for outsiders who may engage with your organization via one of its social media channels (see this blog post for more on managing comments in online communities).
- Communicate the final policy/ies and guidelines and establish a method for providing regular reminders.
- Prepare and provide training for:
  - Community managers and other "official" social media users
  - Non-managerial employees
  - Managerial employees
- Plan for regular reviews/revisions to policies to reflect new technologies, legal/regulatory changes, and case law.
PROCESS. Ideally, organizational leaders should be proactive in managing Digital Era risks, rather than waiting for a threat or crisis to force them to reactively develop and implement a hasty solution. Thoughtfulness and thoroughness are important, but time is also of the essence. Therefore, it's important to proceed with "mindful flexibility," which requires being both strategic and goal focused, as well as adaptable, and to emphasize procedural efficiency as well as effectiveness.
There are a number of web-based resources that provide detailed guidance on developing and implementing social media policies and guidelines. Here are some of my recommendations for leaders:
Prepare yourself to lead
- Educate yourself about what social media is, how it works, and its implications for your organization (Parts 1 and 2 of the Social Media Primer can help).
- It's okay to delegate, but don't abdicate your leadership responsibilities (see Part 5 of the Social Media Primer for more).
- Hiring outside experts is a worthwhile investment, especially if you lack in-house social media expertise. But do your due diligence first - there are many self-proclaimed experts whose depth of knowledge isn't as great as they claim it is.
Create a policy team
- Involve multiple stakeholders from relevant functional areas:
  - Externally-oriented groups: marketing, sales, public relations, customer service
  - Internally-oriented groups: human resources, knowledge management, IT, organizational development, learning & development
  - Both: in-house counsel
- Employ outside experts who can provide sophisticated guidance from various perspectives:
  - Social media and other digital technologies
  - Federal and state laws and issues (and perhaps global too)
  - Business development
  - Human capital management
Develop a project plan and guidelines
- Set clear deadlines so you don't get bogged down by bureaucracy and semantic arguments.
- Coordinate the policy initiative with other social media development and implementation initiatives (see Part 7 of the Social Media Primer for more).
- Identify overarching principles, goals and objectives that reflect:
  - Industry and nature of the business
  - Strategic priorities (both in general and in relation to social media)
  - Guiding values (including ethics)
  - Cultural context and workforce characteristics
  - A balance between legal and business perspectives
  - A balance between employer and employee perspectives
Review, refine, create policies and guidelines
- Review the entire employee handbook and/or relevant policies that could be impacted by new digital technologies.
- Identify the best approach to specifically addressing the use of social media:
  - Develop something new (i.e., a single, multi-faceted policy, or multiple policies)
  - Update existing polic(ies)
- Leverage benchmarked resources to create both policies and guidelines, but ensure they're properly vetted and customized as needed.
- Try to build as much durability into the policies/guidelines as possible:
  - Balance broad, general wording with specificity
  - Allow for flexibility as new case law and regulations develop
  - Prepare for technologies, platforms, and devices that could be used in the future
Please add a comment if you know of great resources for social media policy/guideline development and/or you have additional process tips to share.
Overwhelmed? That's certainly understandable. This is a complex undertaking, and for many organizational leaders it's virtually impossible to imagine how they're going to find the resources to devote to it, especially in light of ongoing economic challenges and other strategic and tactical priorities. And it seems particularly burdensome if social media is not one of those strategic or tactical priorities.
But similar to the realities I address in Part 3 of the Primer, organizational leaders don't really get a vote. Digital Era risks exist regardless of their organization's focus on technology, and/or their personal feelings about social media and other 2.0 tools. Managing those risks is part of the cost of doing business, and managing them well can be a competitive differentiator, in both the economic marketplace and the talent marketplace.