Compliance and Social Media: Top Five Best Practices

Social media activities present the risk of non-compliance with regulations, internal policies and procedures, and ethical standards, and can increase: (1) risks to consumers, (2) compliance risks, (3) legal risks, (4) operational risks, and (5) reputational risks. If your company is taking advantage of the many benefits of social media in marketing and other customer engagement activities, your compliance and risk management programs should focus on identifying and mitigating social media risks. Read, Compliance and Social Media: The Corporate Risks

Best Practice One: Maintain Social Media Policies and Procedures

Review or create, if necessary, policies and procedures related to employees’ use of social media and compliance with all applicable consumer protection laws and regulations. You may decide to develop separate policies and procedures, but it is prudent to also incorporate social media concerns into existing policies and procedures maintained by other departments, such as Information Technology (security), Human Resources (i.e. confidentiality, employee conduct), and Compliance (privacy). The policies, whether standalone or otherwise, must address, at a minimum, privacy, harassment, discrimination, and intellectual property rights of third parties, and how risks from online postings and comments will be handled. For instance, have a clear take-down policy for inappropriate or illegal content, and outline disciplinary actions for improper employee online activity.

Address in your policies issues related to the ownership and use of company social media accounts. The policies ought to put employees on notice that corporate accounts are the property of the company. Clearly outline in policies name usage and content guidelines for corporate accounts. You will also want to ensure that the social media policies (1) address protecting the company’s trade secrets, intellectual property and confidential information (i.e. use of company’s trademarks and copyrights) in online activities, (2) specifically prohibit sharing client lists or methodologies, and (3) sensitize team members to the possibility that they can unwittingly give advance notice of product releases by sharing information on personal pages that allows others to directly or indirectly deduce information about business activities.

Constantly re-assess your social media policies.  A part of the assessment needs to involve confirming that your social media policy considers all applicable laws and regulations. For most compliance policies an annual review works, but when it comes to technology and social media, more frequent reviews and revisions may be necessary.  New types of social media are constantly popping up, and people are pushing the envelope with new uses of existing social media.   Policies may have to be revised frequently to manage risks, and to help ensure that compliance guidance is evolving as quickly as the technology.

Best Practice Two: Have a Social Media Risk Management Program

To manage potential risks to the company and to consumers, match your risk management program to the level of risk associated with the types and amount of social media in which you engage. At a minimum, have in place a risk management program that focuses on identifying, measuring, monitoring, controlling, and continually assessing the risks inherent in engaging in social media. The program should also require reporting to the board or senior management, so that senior executives and the board can evaluate the effectiveness of the social media risk management program. Include in the risk management program (or receive input from) members of compliance, technology, information security, legal, human resources, and marketing. Consider designating a single person who is accountable for helping to ensure that social media risks are coordinated across business functions.

Best Practice Three: Have a Process for Social Media Oversight, Audit, and Documentation

Have a process for monitoring information posted to social media sites administered by the company or on its behalf, to help you identify and measure actual and potential risks. Also have a way to manage information posted to social media sites by third parties. There are many software solutions available to support companies with monitoring these sites by assisting you with compiling data from different social media sites and analyzing that data. Some of those solutions have features that allow you to assign key words to infractions and route those communications to the appropriate departments, such as legal or compliance, or to automatically delete problematic posts and tweets. These tools can also crawl the web to help you identify unauthorized company pages (allowing you to act quickly). They can aid you in capturing and archiving posts, chats, comments, recommendations, etc., which may be necessary to meet regulatory, litigation hold, or internal document retention policy requirements. Also, have a practice of auditing the company’s social media activity to ensure ongoing compliance with internal policies and all applicable laws and regulations. Finally, consider developing a process for internal pre-approval of certain categories of posting (i.e. regulated marketing material, and communications that recommend a specific investment product).

Best Practice Four: Conduct Social Media Training and Create Risk Awareness

You can install the best locks, but if you don’t train your people to shut the door behind them, you have a security issue. The same holds true when it comes to social media risk management. You can draft great policies and purchase social media compliance software, but your team has to fully understand the risks and how they can help the company to mitigate them. Design your training program to create risk awareness, as well as to educate on relevant policies and procedures. At a minimum:

  • Create a general training program to communicate new social media policies and procedures.
  • Create a specialized training for departments that are at higher risk of violating laws and policies with social media, such as marketing, and departments with workforce members that have access to protected health information or personally identifiable information.
  • Address the company’s policies and procedures for official and work-related use of social media in training. Also speak to any restrictions on using, or impermissible uses of, company information, company name, corporate logos, trade secrets, client lists, or protected customer information for personal social media activities.
  • Seek to create a culture of compliance as it relates to social media, by helping employees to understand the necessity for monitoring and oversight of social media activity and the risks associated with certain personal social media activity.
  • In addition to the structured training, consider using reminders and reinforcement to keep the policies top of mind, such as posters, compliance emails, pop-up reminders on intranets or private Facebook pages, and internal RSS feeds.

Even if you decide, as a company, not to be active on social media, train employees on how social media should be used in a private setting, especially as it relates to use of the company name and logo, and postings relating to company information, or client information. You are active on social media through your employees and through your customers.  The train has already left the station, and your employees and customers have been on board for a while now; if you don’t have a social media training program in place, you should.

Best Practice Five: Incorporate Social Media Code of Conduct into Employee Agreements

Besides employee training and policies and procedures, social media codes of conduct can be woven into employee agreements (i.e. employment contracts, confidentiality agreements, non-compete, and other restrictive covenant agreements). Insert clauses in your agreements that specifically require employees to (1) acknowledge corporate ownership of social media sites or pages, (2) protect customer privacy and data, (3) avoid disclosing trade secrets and work products, and (4) refrain from using the company logos, name, trademarks and copyrighted materials on personal social media pages, and in tweets.

Now that you have read the best practices for avoiding risks, learn how to use social media in your compliance program. Read, Compliance and Social Media: A Useful Compliance Tool