Companies of all sizes and in all industries face special media, privacy, information, and computer security risks in today's economy. At the outset, businesses operate in an environment that has undergone drastic changes in recent years.
Organizations are confronted with a myriad of risks, arising from the development of social media and networking, including the evolution of the hacking community from cyber-vandals defacing websites to organized crime. Hackers target valuable data including financial information, healthcare records, employee data, and general patient information. All of this illegally obtained information can be sold in a thriving underground market.
Additionally, there has been a marked increase in U.S. regulations and legislation, including:
- the Health Insurance Portability and Accountability Act (HIPAA) of 1996,
- the Gramm-Leach-Bliley Act (GLBA) of 1999,
- the Red Flag Rules and comparable state laws,
- the patchwork quilt of privacy breach notification laws that blanket the country, and
- the Payment Card Industry Data Security Standard (PCI DSS), which is a set of standards imposed by the credit card associations.
Numerous companies are potentially exposed to risks due to their significant reliance upon technology. Logistical risks are now often automated and run by computer—virtually every activity, even the simplest operation, is now a computer-controlled event. At any point in a company's day-to-day operations, a failure of technology or any misstep in the release of material, computer attack, or privacy breach could result in legal liability, regulatory scrutiny, and civil litigation. A business may also experience a direct loss of assets in the form of damaged or lost data, lost revenue, extra expense, and reputational risk.
Although many companies have efficient processes surrounding information security, social media and social networking remain a bit of a mystery to most. Because social media is often viewed as the domain of teenagers and as extremely time consuming, a vast number of companies lack official compliance and risk management strategies for social media and networking activities.
Social media is a type of media based on conversations and interactions between online entities, whether individuals, groups, or corporations. By extension, social media fuels social networking. The risks of social media and social networking are generally categorized as follows: privacy, intellectual property, personal injury in the form of libel/defamation, false advertising/unfair competition, and reputational risk.
Social media websites capture significant amounts of personal information. This presents a risk that the host of the website will either fail to properly protect the information or intentionally release it (i.e., providing it to an advertiser). In addition, there is the risk of social engineering, which is akin to profiling users of social media into certain demographic, ethnic, gender, or other types of groups.
Consider the example of researchers at Carnegie Mellon, who developed a process whereby they could accurately predict the social security numbers of nearly 10 percent of the people born in the United States between 1989 and 2003. They analyzed publicly available information from numerous sources, including social networking websites, and learned that the first three digits in social security numbers are determined by location and the remaining numbers are related to the date that a person applied for the social security number.
Infringement of intellectual property, primarily copyright and trademark infringement, is also a risk created by the use of social media. Members of a social networking website may use that website as a platform to share protected intellectual property, such as music or movies, or the service might use a third party’s intellectual property on its website, such as copyrighted software code or registered trademarks.
There is also an increased exposure from more traditional types of misbehavior. Social media "chats" may include defamatory remarks about a person (e.g., co-worker) or company (e.g., employer or competitor) that can create liability as the victims seek to hold the website, the individual who posted the remarks, and/or the employer/company responsible for the statements.
Inasmuch as social media and social networking are now increasingly being used for commercial purposes, the potential for false advertising and unfair competition escalates. This highlights the importance of having controls pertaining to content. Also, employees may make unauthorized comments publicly on Internet websites or blogs about their company's products or services, which can be attributed to or interpreted as coming from the company. While there are no standard rules as to the use of social media, Marsh recommends certain "best practices" that companies may find helpful.
- Identify who in the organization has the authority to post what information on which social media.
- Integrate disclosures of information through social media into the oversight function provided by the public company's disclosure controls procedures.
- Establish procedures that ensure any postings to social media are coordinated with any necessary disclosures by traditional means of press release, Form 8-K, or periodic reports.
- Consider other legal requirements (e.g., employment law, intellectual property law, etc.) and work with other areas on social media.
- Review company policies and revise as needed or establish new policies for public disclosure through social media.
- Ensure company policies are consistent and integrated.
- Provide appropriate training to employees.
- Take into account business considerations such as cost to implement and maintain new processes, training, and the like.
It is inevitable that social media and social networking will continue to grow in the coming years. Although companies and individuals should develop an understanding of how social media and networking mesh with and enhance their business goals, it is imperative that they also learn the benefits and pitfalls of these new means of communication and interaction. Failure to be informed about social media and neglect in establishing protocols can expose companies to significant liabilities. Marsh's social media and networking experts are available to meet with you to learn more about effectively preparing for and managing the risks associated with new media.