An important first step that companies must take in managing the risk of social media is to craft an effective and realistic acceptable-use policy. They then have to make sure that the policy is disseminated, and they should document that employees have been informed of the policy, including having them sign forms that give the company the right to enforce the policy via monitoring. Then they will have laid the legal foundation for using a security application like EdgeWave Social, which will be one of the means by which compliance with the acceptable-use policy is monitored.
A company clearly has the right to monitor and control what any of its employees post in the company’s name and on company media accounts. But businesses must be careful when drafting policies about any type of monitoring of an employee’s personal activity, even when the employee is connected on a company device, says Ornstein. Though Ornstein is not directly familiar with EdgeWave Social, he says that any software monitoring solution “would need to be implemented very carefully to ensure that the use is lawful and not too intrusive.”
Companies must make sure to update their acceptable-use policies as needed to comport with any changes in privacy laws enacted by legislative bodies or any new privacy precedents that arise from decisions in the courts related to social media. The National Labor Relations Board, for example, ruled last September that complaining about work conditions on a public forum, such as Facebook or Twitter, constitutes free speech.
Brunetto says that EdgeWave is mindful of the legal issues. “We continue to monitor what’s going on in the courts. We’re working with legal teams to understand their take on the labor laws,” he says.
David Adler, an attorney at Leavens, Strand, Glover & Adler, LLC, an entertainment, media, and intellectual property law firm based in Chicago, discussed some of what a company might want to put in its acceptable-use policy when he spoke at the RSA Conference in San Francisco in February.
For example, he said, policies must include instructions to ensure that posts are “completely accurate and not misleading and that they do not reveal nonpublic information on any public site.”