Managing the Workplace Ethics of Social Media

[Editor's Note: This is the sixth post in an ongoing series on Codes of Conduct by Jason Lunday. Follow this link to view all of Mr. Lunday's articles in his Codes of Conduct featured column series.]

———-

Online social media applications are quickly gaining the mindshare of company employees and changing just as rapidly.  With all the benefits that social media is bringing to the corporate world, a company faces numerous risks in its use, from misuse of company resources, to conflicts of interest and disparagement of others.

Social media is a challenging topic because it crosses over so many ethics and compliance issues.  But like any other ethics and compliance topic, it can and must be proactively managed for a company to safeguard its reputation and provide its employees with the tools to manage their own personal and business activities.

social-mediaIntroduction

My colleague Greg Duffy tells of a recent experience while flying from Boston to Los Angeles. Early in the long flight he noticed the fellow in his early twenties in the window seat donning headphones to watch an in-flight movie. Greg then became aware that his seatmate employed the plane’s new in-flight networking technology to carry on a video chat with a friend in another seat.  Added to this, the young man was simultaneously using the plane’s Internet connectivity to engage in somewhere around a dozen “chats” with friends on the ground – all the while sipping tequila – for the entire seven-hour flight.  This is the new ‘wired’ world – and degree that young workers are embracing it.  Always wired, always communicating, always multitasking.

New, emerging and not-even-developed social media applications and other tools not only consume more of our time, they are changing the business world. A recent online social media presentation claims that the medium is now the number one online activity, with its use accounting for 10 percent of all users’ time on the Internet. What’s more, it claims that social media use is growing three times faster than the Internet’s overall growth rate.1 For many companies, these tools can provide new ways of connecting with potential and current customers, employees, suppliers and other stakeholders.  They offer companies the opportunity to speed up the pace of business, better establish the message that a company wants to convey, strengthen a company’s relationships with customers and others and further facilitate a continuous conversation about the business.

But social media when not well managed opens the door to numerous risks – breach of confidentiality, conflicts of interest, misuse of company resources, to name a few of the more obvious ones. Since social media can touch so many aspects of a company’s operations, its leadership needs to address it in context to its overall business operations.  Unlike some risk areas, it cannot be successfully addressed largely as a stand-alone matter.

A company without an initiative to effectively identify, assess and manage its approach to social media and its various tools not only loses out on its many opportunities they offer but faces numerous risks to and improper business practices and activities that may damage the business.  A program to harness these risks does not need to be onerous or intrusive, but it does need to be proportional to the company’s exposure.  Further, a company should expect the social media arena to continue to change both in technologies, their uses, business providers and ways social media impacts the business landscape.

The Social Media Landscape

To begin assessing social media’s potential corporate impact, it is important to understand its various forms and tools. According to one of the most prolific social media sites, Wikipedia, social media’s predominant uses are for:

  • Communication, such as blogs, micro-blogs, social networking and events.
  • Collaboration, like wikis, social news and bookmarking/tagging.
  • Multimedia, including video, photography, music/audio sharing and presentation sharing and livecasting.
  • Entertainment, for example, media platforms, virtual worlds and game sharing. 2

Company management may be familiar with some of the most prevalent applications – Facebook, Twitter, LinkedIn, YouTube, and Myspace – but how many know about Open Diary, Tumblr, BigTent, Wetpaint, Mixx, Vimeo, meetup.com, ccMixter, MouthShut.com, or Forterra? Chances are that a company’s younger employees know about many of these applications and more – and are actively using them. Further, as smartphones become more ubiquitous in the workplace, employees’ access to the Internet and its social media applications will speed up the media’s adoption – and create more difficulty for a company to monitor workplace use.

Companies are early in understanding the application of legal and regulatory standards to social media. Currently, a number of U.S. laws and regulations are being applied to the media’s applications. Regulation FD responds to the communication of company financial or other key operational information outside of the company. Employee privacy is covered by FCPA and HIPAA. Intellectual property laws address how employees may communicate a company’s IP across social media. FINRA, the securities self-regulatory organization, recently adopted a regulatory notice on use of blogs and social networking sites.  But companies should expect the legal and regulatory environment to continue to broaden around social media as its impact on the business world becomes better understood.

Each company needs to consider three ways in which social media can impact it. First, it needs to address how employees use social media for their personal, non-company use.  Second, it should consider how it and its employees use social media for the company’s business objectives. Another issue of social media involves where a company needs to set rights and responsibilities for the non-employees it invites to engage in its social media activities. This article addresses the first two uses of social media.

Companies and their employees have related, though not always complementary, interests in social media. Employees – whether for business or personal use – look to social media to stay in touch with family and friends; for amusement during the day, such as during lunch, or after hours, if they have a laptop computer they bring home; and to build and maintain a professional network and for professional education.  Companies want to learn about the marketplace and needs and desires of potential customers; to stay in front of current and potential customers; to find and establish a positive face for potential employees; and to reinforce the company’s value to current employees.

Risks that Companies Face

A review of numerous companies’ social media policies3 indicates numerous risks that a company may face with employees’ use – whether for their personal or business purposes – of social media.

1. Misuse of work time

  • Accessing social media, like Facebook, for personal use while at work.  With the increasing amount of time that employees spend on social media sites, this risk is quickly growing that employees will regularly access social media from work.

2. Misuse of company resources

  • Using a company computer, personal digital assistant or Smartphone to access social media, with risks of excessive bandwidth use, equipment ‘wear and tear’ or breakage, or access to improper social media (such as ‘adult’ or ‘hate’ sites).
  • Using without permission the company name, logo, trademarks, copyrighted information or other intellectual property in blogs, discussion boards or other social networking sites that can infringe on the company’s rights to and control over these assets.
  • Using one’s company email address or a username that refers to one’s employment with the company. Some employees do not maintain a personal email account and so rely on the corporate email for personal matters.

3. Risk to company computer systems, network or data

  • Using a company computer, network, personal digital assistant or smartphone to access social media, with risks of introducing possible malicious software or other rogue applications, especially for social media that involves accessing or downloading files.

4. Disclosure of confidential or other non-public information

  • Disclosing this information a) on discussion boards or in chat rooms, or b) as part of professional social networking activity though, not authorized to disclose it. As businesses turn to the Internet and social media to facilitate business, such inadvertent disclosure becomes a greater risk.
  • Such disclosures can involve:
    • Sensitive information that harms the company’s competitive advantage.
    • Information for which the company is required to ensure fair disclosure.
    • Product or other related information that may conflict with the company’s official communications.

5. Disparagement or Harassment

  • Inappropriately discussing colleagues, customers, suppliers or other stakeholders or competitors with colleagues or individuals outside the company on discussion boards, in chat rooms or through blogs.  Blogs are a principal culprit – such as with Open Diary – where an employee’s personal musings about his or her life turn to frustration about work.  Even an employee’s comments that are poorly worded or misunderstood can cause harm.
  • Developing or compiling and then displaying an audio stream or video – intended to be humorous – but that makes fun of the employee’s industry, profession or company.
  • Posting or discussing others or displaying certain social media at work that can lead to claims of harassment.

6. Conflicts of interest

Conflicts of interest can take many forms and can cross with other forms of misconduct, from use of company resources, use of one’s work position and other personal interests that conflict with one’s duty to the company.

  • Blogging or maintaining a website favorable to or critical of or posting information about an industry, company or related issues without disclosing one’s employment with an interested company.  This also may be true for family members of someone who works for an interested company, or even former employees.
  • Serving in an outside professional role, such as an expert on a topical discussion board, that conflicts with one’s duty to his or her company.
  • Maintaining a blog that accepts advertising from his or her company’s competition.
  • Making a personal recommendation or endorsement of an individual or company that may suggest the company’s support for the recommendation or endorsement.

7. Advertising and marketing and fair competition

  • Using instant messaging, a chat room, a discussion board or other social media to make recommendations or otherwise market to current or prospective customers, in violation of company policy (whether the message or the channel).
  • Communicating critically about a competitor’s product or service on a discussion board and without disclosing one’s employment with a competing company.

8. Records Maintenance

  • Sending communications over social media that the company is not able to retain for its own records maintenance requirements.

9. Espionage or fraud

  • ‘Shopping’ a competitor by pretending to be a potential customer and misrepresenting oneself in doing so.
  • Posting a false review about a competitor’s product or service.

10. Privacy

  • Mistakenly or intentionally providing personal information of a colleague, customer or supplier on a discussion board or chat room or through other social media.
  • Disseminating another employee’s postings without that employee’s permission.

11. Personal reputation damage

  • Posting personal information or about personal activities that leads one’s company, a recruiting company or others to believe that the individual is acting unprofessionally or otherwise inappropriately.  This situation can hurt the employer where the employee’s personal reputation is tarnished and so affects the individual’s business reputation.

Corporate Use of Social Media

Because of the many ways in which social media can be misused and thus lead to ethics and compliance problems, companies that plan to use this media for business purposes should consider setting standards and other expectations that address:

  • Collecting and using personal and corporate information belonging to individuals who contribute.
  • Creating or maintaining company-sponsored blogs, discussion boards, chat rooms, audios/videos, contests, marketing activities and other social media, and employees specifically authorized to do so.  In certain instances, companies also may want to limit employees authorized to contribute to these channels.
  • Reviewing information to be posted on company social media.
  • Disclosing the company’s sponsorship and ownership of certain posted materials.
  • The company’s rights regarding use, redistribution and retention of others’ contributions to its social media.
  • Disclosing any company conflicts of interest with information posted on its social media.

social-media-mistakes

Establishing Realistic Expectations

Among the more significant errors that companies can make is setting standards and expectations that are impractical and so easily set aside. A company needs to consider practical expectations in use of social media. For instance, a company that bans all employee personal use of social media in the workplace – and even institutes technological lockdowns to prohibit its use on company technology systems – may do more harm than good when employees pull out their personal smartphones and tap into Facebook or Twitter at work.

Other considerations include:

  • Employees’ desire to use social networking sites like LinkedIn or Plaxo that can involve listing one’s company position and duties, and even posting testimonies of current and former employees or suppliers.
  • Employees who access social media while traveling on company business but seek to avoid carrying both a company and personal laptop computer.
  • Employees involved in online activities with friends, such as sports pool, that may require them to take action during the work day to participate.
  • Employees’ desire to use personal lunch time to ‘quickly catch up on what’s happening’ on social media outlets. As more employees forgo the lunch outing for a quick meal at their desks, this activity becomes more common.
  • Employees who identify social media applications that can help them improve their business and professional knowledge. Professional associations’ websites may provide employees with additional knowledge that is helpful for their work.
  • Employees who use social media, such as through Google or Bing searches, to check on prospective or current employees or suppliers when the data sources or data may not be accurate.
  • Employees who are working longer hours and so rely on personal email or other social media, like myspace.com, to keep up with family and friends because they now have less time to do so after work.
  • Employees involved in charitable or other community activities – and that may in part involve their company position – that use social media like meetup.com to keep apprised of the activity’s communications.
  • Employees using social media for business research where a certain application’s use requires advanced approval, and the approval process is time consuming.

An issue taxing many company leaders is the degree to allow the younger generation, many of whom are highly adept at Internet technology and are frequently ‘connected’, to ‘stay connected’ during work. On one hand is the argument that the ‘wired’ worker is a smarter, more technologically-savvy worker; on the other hand is the clear risk to work getting done or inappropriate conduct on the job.
codes-of-conduct

An Effective Social Media Ethics and Compliance Initiative

A more robust ethics and compliance initiative is appropriate for those companies where social media is more pertinent to its business environment.  Some considerations for a company determining the depth and breadth of its social media ethics and compliance initiative include:

  • Industry. Companies in an industry that rely on or are heavily involved in social media – such as entertainment, news, sports, broadcasting, marketing and advertising, to name a few – should expect that employees will be accessing online social media.
  • Internet access. Companies where many employees have regular Internet access and more frequently use the Internet in their work.
  • Corporate social media use. Companies that regularly use social media for their own business purposes.
  • Job function. Employees in roles that interact with social media activities more regularly – possibly communications, marketing, sales, investor relations, community affairs – should consider whether function-specific mechanisms are needed.
  • External environment. Companies with operations in locations that are heavily ‘wired’ – like Japan and South Korea – should anticipate employees’ regular use of and expectations to use social media. Companies in locations that have been traditionally ‘underwired’ but are quickly becoming ‘wired’ should anticipate the problems that are likely to arise.

The U.S. Organizational Sentencing Guidelines’ recommendations for an effective compliance and ethics program have served as an important framework for overall corporate programs and can be effectively applied to a social media initiative. This is not to suggest that effective management of social media requires its own stand-alone program as we have seen with privacy, safety, anti-corruption or other key risk areas.  To the contrary, because social media is so much a part of other ethics and compliance topics, it should be well integrated in and part of a company’s overall ethics and compliance program. (That being said, some companies where social media is a significant part of the business – like entertainment or other media companies – may consider assigning a social media compliance officer.)  Still, as with any ethics and compliance risk area, the overall framework should be fit to address social media’s specific characteristics.

Risk Assessment

  • As the social media landscape changes regularly and quickly, understand the current social media technology and how it is being used. Tap into the knowledge of information technology staff and other social media-savvy employees in this effort.  Review current literature on the topic.
  • Identify and assess the most likely risks to your business. All companies face certain risks; other risks may be more specific to your company’s industry or specific activities.
  • Identify what social media your company uses in conducting its business vs. what is simply used by employees for non-business reasons. Ensure you explore what social media employees are using for business purposes, whether or not the company encourages or authorizes it.

Policies

  • Let employees know that the company has a vested interest in any ways that their use of social media may impact the company, their duties to the company, or their business responsibilities. Set policies that:
    • Recognize the value of social media to the company and employees’ personal lives and that permit its use to forward the company’s goals while not unduly restricting employees’ outside interests.
    • Realistically have a chance of being followed.
  • Be clear about what is not allowed, what is restricted and what is permitted.
  • Cross reference social media policies with related standards or policies, such as use and protection of business resources and information and conflicts of interest.
  • Because social media is quickly changing, use care not to be overly prescriptive so that policies quickly go out of date. Instead, set broad principles about proper use, such as “Do not communicate company confidential or non-public information through social media devices that reach an external audience without proper approval.”
  • Do not forget use of electronic devices that may have a social component, such as cellular telephone ‘texting’ and smartphones.
  • When the company relies on social media for its own needs, set and communicate policies on its use by employees and external parties.

Procedures

  • Establish procedures for:
    • Non-business use of social media. For instance, if employees should receive approval before using the company name or their company position on social networking websites, ensure procedures exist for them to obtain approval.
    • Any manager responsible for overseeing or monitoring their employees’ use of social media and for higher-level managers with broader supervisory oversight of use of social media.
    • Employees involved in the company’s business use of social media.
    • Functional employees involved in proper monitoring use of social media, such as information technology staff.
  • Ensure employees have specific resources for more information and guidance as you likely have not identified all ways in which social media uses can thwart good business practices.
  • Include internal procedures to assess any new social media that becomes a real presence. It can be difficult to monitor and set policies for the many different social media tools, so at least seek to respond to those applications that become popular or that otherwise your company’s employees are likely to use because of their field or the company’s location or activities.

Communications and Education

  • While in many cases dissemination of a social media policy may be sufficient, it can be helpful at for work group managers to review the policy with staff, discuss its application to the work group’s business and respond to any questions or concerns.
  • More formal training is helpful for those employees who will use social media for the company’s business and employees involved in monitoring employees’ use of social media (especially to ensure employee privacy) and supervisory employees where risk to employee privacy is great.
  • Help managers understand how they need to help their employees and when they need to seek help themselves.

Monitoring & Auditing

  • Determine social media use that your company’s systems can easily monitor or track to reasonably ensure compliance with related policies and procedures.  Look to advisory and misconduct reporting systems as one monitoring mechanism.
  • As with a risk-based compliance initiative, consider establishing monitoring activities based on the risk that certain social media tools or activities pose. For example, if very few employees have regular computer access during working hours, it seems overwrought to assign someone to review their computer activity for social media access. On the other hand, if your company regularly uses online discussion boards to market its services and expertise, then monitoring employees’ contributions to these discussion boards seems reasonable.
  • If social media risks are significant, consider identifying an outside expert to audit your company’s social media compliance program – even to help identify emerging and future risks.

Oversight

  • Effective oversight does not mean that a company needs to assign a social media compliance officer.  It means that a company should ensure effective accountability and ongoing management of social media use that befits its risks.  Large companies that rely heavily on social media may appoint someone to this role; many companies likely can get by on ensuring that the compliance function regularly reviews the social media compliance program on its own.  Also, the oversight might involve a committee comprised of individuals with responsibilities related to privacy, communications, information technology and ethics and compliance.

Periodic assessment

  • Because social media is changing so quickly, it is a good idea to periodically review the company’s social media ethics and compliance initiative to ensure that the company is effectively managing in the changing environment.

Summary

As many companies are now experiencing, social media’s use in the workplace poses numerous risks because it crosses so many different ethics and compliance topics and because its applications and use are rapidly and constantly changing. But as with all business topics, a company can successfully manage its own and its employees’ personal use of it by employing a common framework applied to most other ethics and compliance topics, albeit with some modifications specific to social media.  The sooner that a company gets its arms around use of social media the better it will fare as the fast rate of change in social media going forward is expected; a delinquent company will have further to catch up the later it responds to the challenge.

Notes

Social media was used in preparation of this article.

1 “What the Hell is Social Media? – in 2 Minutes,” compiled and edited by Peter Kerwood, Merlin Entertainments Group., created by Kama Glober & Tim Fogg, ApartmenTwo Creative/4reel Films.

2 “Social Media,” Wikipedia, the free encyclopedia (www.wikipedia.com).

3 Including, among others, Cisco Systems, Dell, Entergy, ESPN, Fedex, Ford, Gartner, HP, IBM, Intel and Microsoft.

About the Author

Jason Lunday

Jason Lunday is principal consultant with The Ethical ElementTM, a professional services firm based in Washington, DC. Jason has worked in the ethics and compliance field for over twenty years, both inside companies and as a consultant to them.  His work has involved supporting corporate values initiatives, developing and revising codes of conduct and related policies, conducting organizational risk, culture and program assessments, developing and delivering live training, building monitoring systems and auditing compliance systems and activities. He has worked in or consulted with companies in a broad range of industries, including banking and insurance, manufacturing, industrial and consumer products, utilities and energy, healthcare and telecommunications. Noteworthy experience includes:

  • Held significant roles in corporate culture and ethics and compliance risk assessments and ethics and compliance program evaluations for companies in financial services, telecommunications, healthcare, life sciences and industrial manufacturing and involving document review, executive interviews, employee focus group and enterprise surveys.
  • Led development and of a consulting practice’s service line focused on written codes of conduct development and revision, and managed all client engagements.
  • Co-managed development and delivery of the corporate trust division of a large financial institution’s initial ethics and compliance global training initiative involving training needs assessment, program development and delivery of over 100 classroom workshops.
  • Developed a corporate ethics and compliance self-monitoring program designed to increase business line compliance responsibility and oversight and minimize corporate compliance work processes while ensuring adherence to the company’s ethics and compliance standards.
Jason’s past experience includes director of ethics and compliance at Premier, Inc., consultant in Arthur Andersen’s Ethics and Responsible Business Practices Consulting group, compliance analyst at Goldman, Sachs & Co., senior consultant in the Ethics Resource Center’s Advisory Services group and knowledge leader at LRN Corp. In addition, he has authored/co-authored numerous articles and papers on business ethics issues. Jason holds an MBA from the University of Virginia’s Darden Graduate Business School, with a focus in business ethics and organizational behavior, a BA also from the University of Virginia and additional business coursework at the New York Institute of Finance. Jason can be contacted via email at: jason.lunday [at] ethicalelement [dot] com. Follow the link to view Jason's Code of Conduct featured column on CCI.

One Comment

  1. August 6, 2010

    Jason, kudos for this well-written, and most importantly, knowledgeable article on social media’s impact on the enterprise environment and what organizations need to be addressing. Your Mistakes Companies Make call-out is a perfect list of symptoms and a prescription for why organizations struggle with social media implications. They must first understand not just “the tools,” but how people use these tools in order to assess the risks to their organization. Only then can they create a relevant policy (addressing all the issues you generously provide), and then they must train to it and continue to monitor the landscape. As mobile devices and applications combine with social technologies, for example, new enterprise issues are arising.

    This is a truly refreshing synopsis of enterprise implications and I’ll be sharing it with my clients. Thanks for providing me an intelligent “second opinion” to pass along. :-)