Belbey Blogs: Before you go social, check with Uncle Sam

[Diagram: governance cycle]

Today’s post is a collaboration between Richie Etwaru, Director, UBS and Joanna Belbey, Social Media and Compliance Specialist, Actiance

It’s difficult to debate the value of installing enterprise social networks.

Richie Etwaru, a futurist and avid speaker, covered the current state, business value, and future thinking needed around the construct of what he phrases the #ENTSOCNET (an internal enterprise social network). Mr. Etwaru titled the piece Solving for building backlash of Enterprise Social Networks and covers the 1st, 2nd and 3rd generation of the #ENTSOCNET. Installing an internal social network, driving adoption, and extracting business value, as Mr. Etwaru describes, is complicated and difficult work. Leaders must ensure that this work is done under the auspices of regulatory guidelines.

There are regulatory compliance, corporate governance, and legal requirements organizations must address before deploying social. There is, however, an impedance mismatch and some amount of misinterpretation between what the regulators consider enterprise social media and what leaders in the enterprise consider to be enterprise social media. The spirit of the regulations suggests that whether an enterprise is installing an internal social network (what Mr. Etwaru describes as the #ENTSOCNET) for its employees only, or leveraging external social networks such as Facebook, LinkedIn or Twitter, all communications, messages, inboxes, comments, endorsements, DMs, tweets, retweets, etc. are governed under the regulations.

What Regulators want

More than 2 years ago, regulators of the securities industries began to issue guidance on how to use social media. The Financial Industry Regulatory Authority (FINRA), the Securities and Exchange Commission (SEC), the Investment Industry Regulatory Organization of Canada (IIROC), the National Association of Insurance Commissioners (NAIC) and others view social media, whether it’s external or internal, as just another form of business communications, such as email or instant messages. They remind us that it’s the content that is determinative, not the platform. Regulators also expect firms to demonstrate that they are supervising, or reviewing, a pre-defined portion of these communications. Other more general legislation may also apply, such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act, and the data breach notification laws (PCI DSS).

What this all means

In short, whether internal or external, firms need to ensure that all business communications (or “business as such”) are captured, archived, supervised and made easily e-discoverable. There is nothing new here; this has been an evolution. First paper, then email and instant messages, and now both internal and external social media: firms continue to be challenged to capture, retain and review a portion of all business records in whatever form they appear. As a first step, firms may use their existing email and instant message retention policies as a framework to develop policies for internal and external social media. Governing said policies is a separate and pronounced challenge.

Governance is key

Firms are increasingly committed to comprehensive corporate governance to avoid scandal and to comply with regulations. The development of sound policies and procedures before deployment is key. Given the vast amount of data stored in most collaboration environments and the free-ranging conversations among employees, contractors and even clients that can ensue, policies must be defined.

Specifically, policies should address: records management (retention, litigation readiness, privacy), information management (making sure that records are tamper-proof and easily accessible), data disposition (disposal of data) and conflict management. Where possible, firms should automate policies with technology to protect their intellectual property, prevent the creation and distribution of inappropriate content and provide an audit trail of all activity to ensure accountability.

It’s a serious legal matter

When learning of pending litigation, firms must be able to preserve all records (“legal hold” or “litigation holds”) that may relate to legal action against the company, including records of social activity. According to the Federal Rules of Civil Procedure (FRCP), firms must meet discovery requests for paper as well as electronic documents (spreadsheets, slide decks), emails, posts, and conversations across social media in a timely fashion. Therefore, firms need plans and the means to retain and produce such data upon request. Email was new and difficult; social is not yet understood, complex and mind-boggling.

Social, not my grandma’s email

Social media, due to its nature, adds complexity to these requirements as interactions occur over time. For example, a blog starts with an initial post, then readers may add comments, or change their minds and revise and delete their comments, and the original author may respond. These interactions could go on for months in some cases. Firms should have the ability to produce all of these threads of posts, comments and replies “in context” to give meaning to the conversations. By providing context, firms may reduce litigation costs by reducing the number of hours required by attorneys to sort through records to determine the sequence of events and the true essence of the conversations. Preserving context requires intelligent software solutions.

What now

Enterprise-wide “social business” tools were designed to facilitate collaboration, not necessarily to meet the legal and compliance requirements of regulated firms or public corporations. They offer basic functionality to capture and archive communications, but not the reporting, contextual view of information, or granular policy setting that may be desired. Firms are therefore advised that before deploying enterprise-wide collaboration tools, they look to third-party vendors to ensure their compliance requirements are met.

Collaboration, no pun intended

I reached out to Mr. Etwaru (whom I met a few years ago at a conference in NYC) and shared this perspective. His response is below.

~~~~~~~~~~~~~~~~~~~~~

Hi Joanna,

Your thoughts are spot on. From the regulators’ (who are doing a great job) point of view, social, email, chat, etc. all carry similar risk and hence are metaphorically bucketed from a guidance standpoint. In the enterprise, however, the risk with social is multiples higher for a multitude of reasons. One reason is employees learned of social in their personal lives, where regulations are by and large absent. Hence, when using social in the enterprise (or in a commercial manner), employees (fallible as we are) tend to assume the same “free range” comes with social. The policy, governance and education you suggested are paramount; I could not agree more.

That being said …

However daunting all of this may be, the biggest risk is not using internal social media to break down silos and to unleash the intellectual power of the enterprise while driving innovation.

BTW, love your diagram, I can help you make it pretty

Hope this helps,

-R

~~~~~~~~~~~~~~~~~~~~~

Diagram above rendered by Mr. Etwaru,

-Joanna
