
The Social Side of Information Governance

In just a few years, social media has gone from a cutting-edge phenomenon to a mainstream channel that corporations use to engage clients, partners, and vendors. As a result, business leaders responsible for information management must explore this pervasive communication channel and understand how its use may impact the organization's ability to manage risk.

Changing Legal Requirements

As the nature of communication between employees, customers and businesses evolves, corporations are leveraging social media networks and using mobile devices more frequently. Gartner predicts that by 2014, social networking services will replace email for interpersonal business communications for 20% of business users.1

Beyond email, IM and chat, regulations now include audio (COBS 11.8) and social media channels (FINRA 10-06 and others now in development). Recent case law in the US and Canada has highlighted the need to manage social media usage due to the potential discoverability of ESI under the FRCP, Canadian civil procedure rules and other regulations.2 Moreover, social media data needs to be managed pursuant to compliance regulations, such as FINRA Regulatory Notice 10-06.

To address existing, new and emerging requirements, it will be important to understand the nature of obligations, how business and employees engage in social media, and the solutions necessary to stay compliant. Social media models, along with associated legal and regulatory framework, will continue to evolve rapidly. As such, organizations should look to develop policies and deploy solutions that are flexible.

Interactions in the Spotlight

Enterprise content is growing exponentially and is increasingly "unstructured," as in the case of social media, email, video, audio, text and Web pages. The prevalence of these unstructured data types in the enterprise is causing a shift from a "document"-centric view of compliance, discovery and information management, to models based on interactions. As a result, information management professionals must find new ways to increase information control and visibility. The following questions can help determine what to consider when creating a plan for social media governance: How is the organization interacting on social networks? What communication channels does it use? What must be preserved? How should compliance policies be enforced and monitored?

Traditional methods such as relational databases operate solely on structured data, which constitutes only 15% of information. They ignore human "unstructured" information, which now represents the remaining 85% of data. Managing all data enterprisewide requires a system that understands all content regardless of format, and can apply consistent policies in real time. Effectively leveraging social media while protecting the organization from non-compliance requires a social media governance plan that allows IT and compliance departments to:

  • Extend existing compliance, supervision and surveillance practices to interactive content;
  • Perform conceptual search and policy-based monitoring of all information—inside and outside the firewall;
  • Establish social media usage policies and procedures, and then train staff on the particulars; and
  • Preserve and collect relevant social media content for compliance and litigation purposes.

Traditional Methods Fall Short

Managing social media involves many factors, including volume of data, content type, use of language and the nature of the communication (such as conversational or slang-based). Traditional methods such as manual review and monitoring are labor intensive and ineffective. In addition, volumes have been written on the limitations of keyword search and the benefits of conceptual search and contextual analysis to help provide an understanding of content and automate processes.3

Any comprehensive social media governance plan must consider all content and access methods in play, as users connect via smartphones and tablets. While yesterday's technology could not readily record interactions, today's technology not only can memorialize interactions in real time, but can do so without the participants' awareness. Understanding the meaning of these new interactions is the only effective way to govern content flowing across a range of interaction channels.

Social Media Governance Best Practices

Interactions with social media may not always occur on a corporate network or controlled device. More importantly, content may be stored with a third party, such as Facebook or Twitter. This means current corporate policies may not extend to social media—a dynamic that must be considered when adopting a governance strategy.

Best Practice #1: Employ solutions that capture additional approval on a site-by-site basis to verify assent for capturing and monitoring. Individuals may interact with social media outside corporate networks, and each site represents a different set of relationships and entities that probably does not include the supervising corporation. Therefore, assent for each account or site captured/monitored is appropriate. This can minimize the risk of employees later claiming a particular site was outside the scope of any agreement, or potential claims from third parties that may have had content captured without authorization from at least one party. At this point there is limited guidance on whether third parties must assent to monitoring or capture of social media, either the site owner itself or third parties posting to that site. This is an area of law that will likely remain unsettled for some time.

Best Practice #2: Wherever possible, create separate business identities for social media to minimize capture of personal or private information. Capturing inherently personal or private content rarely provides value to an organization. In fact, for most businesses, it likely creates new risks or obligations. Perhaps the most compelling reasons for organizations to carefully consider methods for capturing interactions are the duties it assumes once in possession. At the very least, organizations that are intentionally capturing interactions, or are likely to include interactions that could contain personal or private information, will be required to appropriately protect that information according to a variety of obligations. A few examples of risk would include the possibility of individuals within the firm making inappropriate comments regarding the following:

  • Personal interactions that deal with health-related discussions;
  • Discussion of personal, political or religious views;
  • Interactions associated with sexual orientation or identity;
  • Participation in certain associations or organizations unrelated to the business; and
  • Financial information or issues.

In general, when viewed in the context of what organizations are compelled to govern in social media, most firms will find that a business identity that is separate from purely personal interactions is best for its employees and the firm itself. Some will argue that employees can subvert organizational policies by using non-authorized accounts for business interactions, and that is true. However, it is no different than it is today with personal email accounts over which organizations rarely have control. If employees are intent on undermining governance mechanisms, they will be creating unregistered identities regardless.

Best Practice #3: Prepare to deploy solutions that can govern the three primary categories of interactions. Most regulated organizations are taking a measured approach to social media, starting with a limited number of employees and approved social media sites. Companies are focusing first on categories of interaction models or capture methods. Next, they can become familiar with how employees are interacting and explore options to govern the full breadth, such as:

  • Inside-based interactions: These social media interactions occur within a corporate network, or on a corporate-controlled device, allowing interactions to be captured or controlled on the device and at the network layer. Companies can capture interactions without employee assent or approval, assuming policies exist regarding monitoring or collecting information stored or transmitted on corporate devices and networks.
  • Moderated interactions: These occur on corporate-maintained social media accounts on sites such as Facebook or Twitter, and the organization itself is essentially the "owner" of the page and associated interactions.
  • Outside-based interactions: These interactions occur off an organization-controlled device or network. Organizations have two options for governing and monitoring these interactions: 1. Individuals can "opt-in," or register, a particular social media account, granting the governance application the authority and credentials to see and capture content; or 2. They can use solutions that monitor aggregated feeds of publicly available information (Twitter feeds, LinkedIn and Facebook sites, blogs, forums, third-party websites, and news sites) to learn what is said about the corporation, its people or products.
