Compliance and Social Media: The Corporate Risks

In 2003, there was less than one device per person in the world.  By 2020, it is estimated that there will be approximately 6.58 connected devices per person globally. Today seventy-four percent (74%) of all adults online use social networking sites.  By 2017, social networkers worldwide are estimated to equal 2.55 billion.

Companies are clearly concluding that social media channels have market benefits.  As of 2014, 97% of Fortune 500 companies have a corporate presence on LinkedIn, 83% have corporate Twitter accounts, 80% percent have Facebook pages, and 67% have YouTube channels. Social media can greatly improve marketing efforts by broader and quicker dissemination of information to customers and potential customers, and it can help customers cut through products and services to find the one that best suits their needs.  Many companies use social media as an instrument to generate new business, retain existing business, and interact with consumers, leads and prospects. Social media is used for marketing, branding, advertising, offering incentives, enabling online applications, requesting feedback from customers (and other customer engagement), corporate communications, and grievance resolutions. The technology and social media landscape is moving fast, and companies must seek to understand the mutable risks that this rapidly changing terrain creates, as well as, the many business advantages that they have undoubtedly identified.

The typical risk management and compliance policies, along with the policy management and approval processes, are not drafted to address the fast changing and real time nature of social media.  Social media risks increase in situations where the internal policies and procedures do not kept pace with changes in the marketplace. The ever-changing social media and technology environment necessitates that companies assess, re-assess, and re-assess again, social media related risks. Policy approval processes may have to be fast tracked for these types of policies for companies to keep pace with the social media and technology space.

Although using social media to market to, and interact with, customers can greatly increase a company’s bottom-line, it can also significantly impact a company’s risk profile.  Aside from operational risks, reputational risks, and information technology risks, social media activities present the risk of non-compliance with laws and regulations, internal policies and procedures, and ethical standards.  Not only does it increase risks to companies, but it also increase risks to consumers. Those risks are magnified if you do not conduct social media risk assessments, do not have an oversight and monitoring program that includes social media activities, and do not have adequate controls in place to mitigate social media risks.  For a list of best practices for controlling and mitigating risks, read Compliance and Social Media: Top Five Best Practices.

And, if you are thinking the risks are too high, so you will not use social media, and that you will block its use by employees, think again.  You still run the risk of employees’ engagement on their private pages creating issues for the company.  Social media is here in full force, and you will be wise to make social media a component of your risk management plan, train employees on proper use of social media channels, and deploy technology tools to help you detect misconduct, threats and risks.

Regulated Industries Marketing

If a company is not in a highly regulated industry, marketing through social media may not present major concerns, but if you are reading this article, you are probably in an industry that is regulated.  Companies in regulated industries frequently have restrictions on when, how and to whom they may market. Read, Compliance and Social Media: Industry Regulatory Marketing Risks to learn more about social media marketing risk for government healthcare programs, pharmaceuticals companies, financial and insurance industries, and alcohol and tobacco

Intellectual Property Violations

Whether you are in a regulated industry or not, social media marketing activities of your sales and marketing team could put your company at greater risk of violating the intellectual property of third parties.  For example, posting photographs or videos of customers attending events, or posting audio or video of testimonies of customers on social media sites like Facebook or YouTube, without obtaining the proper releases and authorizations, could create intellectual property issues for your organization.  Intellectual property rights are frequently violated on social media sites when images are downloaded and posted on blogs and websites without obtaining proper use licenses.

Customer Feedback, Grievances and Complaints

Social media channels can also be a forum for customers to leave solicited and unsolicited complaints and grievances.  These complaints and grievances are more public, casual, and dynamic than traditional ways in which customers raise issues.  This forum for customer feedback can create some real compliance challenges, especially if regulators interpret the communication as the type of communication that must be tracked, and responded to within a certain number of days.  If processes are not in place to log and forward to the right departments the customer feedback (that are grievances and complaints) delivered through social media channels, you can miss important regulatory requirements. Plus, negative comments about the company on social media sites can create a reputational risk to the company, resulting in loss of revenue.

Human Resources

Over 90% of U.S. companies use social media for recruiting, which can raise other challenges. Use of social media as a part of background checks could be interpreted as inappropriate access to protected information, such as, religion, sexual orientation, and martial status. Blogging statements and Facebook posts by employees on their personal sites and pages could raise Human Resources concerns related harassment, discrimination, and retaliation.  There are also liability risks in connection with recommendations for employees or former employees, via sites like LinkedIn.

Corporate Blogs, Communications and Postings

FINANCIAL INSTITUTIONS

Federal Financial Institutions Examination Council (FFIEC) requires financial institutions to monitor and control content on sites owned or administered by third parties, and for those institutions to have procedures in place to address risks related to posting of confidential or sensitive information. FINRA and Securities and Exchange Commission (SEC) both require record retention related to certain social media communication. All which creates greater risks of regulatory non-compliance.

PUBLICLY TRADED COMPANIES

Blogging by officials of publicly traded companies create some added Securities Laws risks. For instance, statements made in a blog could be viewed as “forwarding looking statements” requiring a disclaimer or they could be ruled by enforcement authorities as violations of “quiet periods”. Publically traded companies also have to contend with the Sarbanes-Oxley Act (SOX), which imposes restricts designed to improve financial disclosures and prevent accounting fraud. SOX requires that organizations see to it that any social media posts made by their officials that could be defined as “material disclosures” are also distributed promptly through other communications channels. Plus, under SOX companies must make sure information contained on social media sites reflect the most current information, which includes all “material financial changes.”

CONFIDENTIAL AND SENSITIVE INFORMATION

Some employees are very comfortable with sharing almost every detail of their personal life, which often times include what happened during their workday, and in so doing, may disclose protected information, either intentionally or inadvertently via a blog or Facebook posting.  For example, a healthcare provider may share information about a patient (without mentioning a name), and inadvertently reveal protected health information or personally identifiable information violating Health Insurance Portability and Accountability Act (HIPAA).   Salespeople who connect on LinkedIn with clients may be unintentionally disclosing a list of the company’s customers to people mining for data.  Sharing information about projects could give competitors information about offerings (before they are released) and reveal important protected business strategies.

UNAUTHORIZED ACTIONS

Unauthorized actions in the company name and unauthorized use of the corporate logo create business risks related to intellectual property losses and financial losses.  They also raise several compliance risks, related to fraud and privacy violations. Hackers impersonating companies have made statements to manipulate stock prices, which may create issues with the SEC if the SEC decides to hold companies accountable for not addressing vulnerabilities that allow them to be hacked.  Hackers have also gained access to customer information and passwords by posing as a company.  Once passwords are obtained, the hacker also may have access to other customer accounts if the customers used the same password for various sites.