Surging adoption of social media isn't exactly a state secret. Facebook, Twitter, LinkedIn and other services can deliver compelling enterprise value connecting clients, partners and colleagues. Effective use can help employees find and share expertise, improve interactions with clients and even strengthen emergency communication plans.

Against this backdrop, however, there are valid reasons to be concerned about the legal, compliance and security risks posed by the rapid adoption of social media. Social media poses dramatic challenges to regulatory compliance and e-discovery: organizations rely critically on third parties for information collection and capture, content volume is rising rapidly, applications change fast, and ensuring authenticity is difficult. Without an effective approach to address legal and compliance risks in social media, your organization may face:

  • Increased e-discovery costs: Email, files and a broad range of other types of electronically stored information (ESI) — including social media — can be critical in e-discovery. Case law is evolving, but social media evidence affects corporate trade secret theft, trade libel, copyright and other types of litigation. Just as email played a big role in Enron's demise a decade ago, Forrester expects that social media communications will become an increasingly important risk area for litigation. Trying to track down social media communications or failing to appropriately preserve them in response to litigation can be a costly experience for enterprises.
  • Stiff regulatory fines and sanctions: Regulatory concerns, particularly in the financial services market, have prevented many firms from giving the official green light for social media adoption. The Financial Industry Regulatory Authority (FINRA) has stated that social media will be an increasingly important focus in its examinations. Shedding light on how it will enforce these regulations, in mid-2011, FINRA fined and suspended a California-based broker for sending a series of tweets that FINRA considered "misrepresentative and unbalanced." As regulators develop their social media compliance requirements, fear and uncertainty around sanctions give many enterprises pause.

Although enterprises in a range of different vertical markets express concerns about risks with social media, financial services firms are especially concerned about the impact on their compliance obligations. FINRA, the self-regulatory agency of the securities industry, has issued important notices on social media. FINRA published social media guidance in its January 2010 Regulatory Notice 10-06 and provided supplemental direction in its August 2011 Regulatory Notice 11-39. While FINRA's guidance and clarification on compliance obligations for social media directly affect the financial services industry, FINRA's influence will undoubtedly affect other vertical markets, as risk professionals refine solution requirements and note lessons learned in early-stage financial services deployments. Given the nascent market stage of information archiving and governance tools for social media, Forrester recommends that you:

1. Build effective policies governing social media usage in your enterprise
Social media can empower your organization and deliver solid business value, but to reduce compliance, litigation and security risks, enterprises need to develop a corporate social media policy. The policy, which you should craft with strong cross-functional input, should, for example, cover what your organization will and will not do online, what your employees can and cannot do and what members of the public can and cannot do on your social media sites. Enterprise risk profiles and use cases vary, but it's critical to have a well-communicated social media policy in place before leveraging social media for business use and implementing supporting archiving and governance tools.

2. Determine how tools that control social media fit into broader information governance
Technology that enforces social media controls can help with risk management objectives — but look carefully before you leap. Step back and understand how these applications will integrate with your enterprise's existing policies; governance structures; and other archiving, records management and e-discovery applications. Avoid application fragmentation headaches stemming from tackling different types of ESI in a siloed approach. Prioritize those vendors that have native tools or strong partnerships that enable risk management objectives across multiple content and application types.

3. Incorporate flexibility and continuous monitoring in social media
The rapid pace of social media innovation means that you'll need to be prepared to adjust quickly with appropriate policy changes and understand how much flexibility your archiving and governance application for social media may need to incorporate these shifts. Track social media usage changes and be poised to adapt to this fluid environment.


BRIAN W. HILL is a principal analyst at Forrester Research, serving Security & Risk professionals. He is a leading expert on e-discovery, archiving strategies, records and retention management initiatives and enterprise content management (ECM) endeavors. For more information, visit www.forrester.com/rb/analyst/Brian_W_Hill.