Training and Social Networking Policies: Essential Elements in Protecting Your Company Secrets

Attorney David Erb of the law firm Fisher & Phillips.

Any business that does not have a social networking policy or does not train its employees on the do’s and don’ts of social networking may have a critical security gap in the protection of its trade secrets. And its confidential and proprietary information and may be exposing itself unduly to harassment, hostile work environment, defamation and numerous other legal claims.

Chances are that one-quarter to perhaps as much as one-half of your workforce (or more if your workforce is younger) are regular users of social networking websites. And that number is likely to increase.

The term “social networking” refers to the regular communication and publication on the Internet of thoughts, ideas, activities, opinions and myriad other content on social networking sites, such as Facebook, MySpace, LinkedIn, Twitter, and YouTube, to name a few. Most of these sites allow their users to post a personal profile which can contain a listing of the user’s education and work history, family, social and business relationships, activities and likes and dislikes.

Social networking — the new security threat

LinkedIn is designed with the networking professional in mind and is tailored to business networking; whereas, Facebook, MySpace, and Twitter are designed with a broader, more open freewheeling architecture that invites disclosure (and therein lies another part of the problem). These sites allow users to post status updates (in other words, whatever is on their mind) at anytime day or night from any computer with internet access or even from a cell phone, iPhone or Blackberry.

“Anytime” is a key word here. A recent survey of 1,000 Americans by Retrevo, Inc. revealed that 48 percent of those polled admitted that they update Facebook or Twitter during the night or as soon as they wake up. In addition, 19 percent of people under the age of 25 say they update Facebook or Twitter anytime they happen to wake up during the night compared to 11 percent over the age of 25. Social networking also includes both personal and professional blogs, which now are so simple to use that a blog can be set up in a matter of a few minutes.

Careless employees can be just as damaging and just as dangerous as malicious ones. In social settings, like social networks, people naturally gravitate to discussions about work. The people who tweet about their haircut, the movie they just saw, or what they had for dinner are also likely to tweet about coworkers, customers and the work they did that day.

Stories abound of inappropriate posts about coworkers and customers. How often are employees observed “texting” below the table at a meeting? One recent mobile Facebook post from a meeting tersely criticized a subordinate’s failure to comprehend and concluded that the employee “forgot to take her medication.”

An employee’s “friends” or followers are also likely to extend well-beyond a small social circle. In addition to former high school and college friends, the list likely includes former colleagues, maybe ones who now work for competitors, or customers or other business relationships. It is not surprising then, according to a recent survey, that over 50 percent of employers believe they have a right to monitor employee postings on social networking websites.

On the other hand, 60 percent of employees surveyed believe their online activities are none of their employer’s business. The inherent tension on this issue is obvious, but equally obvious is the need for a clear set of rules and expectations, particularly where your employees are regularly exposed or have access to confidential business information.

Social networking policies and employee training

The first two steps essential to reducing the security risks posed by employees engaged in social networking are:

  1. Having a detailed social networking policy; and,
  2. Carefully training your employees.

It is essential to have a social networking policy that clearly establishes permitted and prohibited conduct at work and expected behavior online, regardless of whether the online conduct is for business or personal purposes. Routine e-mail, computer, and confidentiality policies do not adequately address the risks presented.

Despite the dramatic increase in the use of social networking websites, in a survey done by the Wall Street Journal only 26 percent of employees said their employer had a policy regarding social networking. An August 2009 study done of one industry found that 50 percent of employers reported not having a policy for employees’ online activity outside of work and only 10 percent reported having “a policy specifically addressing these types of social networking sites.”

Article Continues Below

Employee training is also essential if you want to meaningfully reduce your risks. For many employees, social networking online is a new phenomenon. Many employees are not likely to instinctively appreciate the risks or intuitively understand the full scope of what is necessary to police their behavior in relation to their job.

For example, a manager “friending” an employee is fraught with problems. The employee may feel he or she has to say “yes” because to say “no” risks insulting the manager. There is a risk that the casual “friendly” atmosphere cultivated by social networking sites may lead to inappropriately personal messages or what may be perceived as inappropriate, which could in turn create a hostile environment or otherwise encourage a harassment claim. It also gives the manager access to information that could provide the basis for a discrimination claim.

Why proper training is imperative

By the same token, an employer cannot issue a blanket decree prohibiting employees from using social networking sites on their own time without potentially running afoul of federal and state law. Thus, proper training is imperative to protect the company and, in large part, to protect the employees from themselves.

Remember in almost all instances, the only online editor is the employee, who could be posting from the office or from any street corner or from any Starbucks at anytime. Employees who understand the personal and professional risks of inappropriate activity will be much more likely to self-regulate their online behavior in an appropriate fashion.

A topic for another day are the myriad reasons for companies to take full advantage of social networking. Many companies are already actively involved in most facets of online social media. They recognize that social networking presents substantial opportunities for marketing, customer service, protecting brand name, keeping in frequent touch with customers, raising the company’s public and community profile and performing competitive research.

These opportunities simply underscore the need for a well thought out social networking strategy that incorporates policies and training that allow the company to reduce its risks and reap the rewards.

This was originally published on Fisher & Phillips’ Non-Compete and Trade Secrets Blog.

David Erb is a partner in the Philadelphia office of the law firm Fisher & Phillips (www.laborlawyers.com). He is a leading member of the firm's employee defection and trade secrets practice group, and his practice concentrates on the issues of employee recruitment and defection of highly-compensated employees. Contact him at derb@laborlawyers.com.

Topics

5 Comments on “Training and Social Networking Policies: Essential Elements in Protecting Your Company Secrets

  1. I just sent this to my IT coordinator, who I was just working with on updating our internet/email use policy to incorporate employee's online behaviour, in and outside of work.

    It was a hell of a process trying to get the language just right, and I'll be doing some training directly with our employees with regards to how this policy works (thankfully I have a small organization), but I so agree that it's important to do this now, as opposed to later when you're in the middle of a disciplinary situation.

    We're already encountered a few situations of employees violating our code of conduct online, but as there was nothing in writing, we couldn't do anything. But as of next week, it's on like donkey kong.

  2. David – I love that you've stressed the importance of training, but I'm disappointed (though not surprised) at how strongly you advocate a policy.

    Policies don't change behavior. Someone who is going to leak confidential info will do it without or without a policy. But the training, as you noted, helps make people aware of things they may not have considered.

    My favorite “policies” have always actually been guidelines. They inform on how to derive maximum value from social media, rather than scaring people off from using it at all.

    Chris

  3. Chris,

    Guidelines are good, but from an enforcement perspective, it is far better to have policies that establish a solid set of ground rules. Those ground rules are particularly important when they touch upon trade secret, confidential or proprietary information. As you say, someone who is going to leak will do it regardless of the existence of a policy. That may be true. But if a company is put in a position of having to pursue a legal action against the leaker, an added layer of established expectations that specifically address social media will strengthen the company's case. The biggest benefit, however, from having an established set of rules governing an employees' usage of social media is probably in the day to day disciplinary context suggested by Stephanie's post below.

    The problem for many companies is finding the right policy languange that estblishes the proper balance among competing interests: protecting the company's interests, ensuring compliance with various federal, state and local laws, supporting creative use, maximizing the value of social media and not appearing overly intrusive of the employees' private lives, to name a few. Different companies will balance these interests differently, which is why there is no “one policy fits all” standard.

    I agree with you that, policies aside, one of the important keys is training. Many employees, many people, do not fully appreciate the potential adverse impacts of what they disclose online, others simply don't care. Social media because of its immediacy and seeming intimacy tends to foster open disclosure. By its nature, it encourages people to let their guard down. Add to that the fact that many people naturally gravitate to posting about work, and it is easy to see the potential for problems. Training should cover not only the company's social media policies, but it should sensitize employees to potenial adverse consequences and provide them with a set of guidelines (and this is where I think guidelines are important) to help them think ahead.

    David

  4. David – I'm glad to see attorneys like you who are starting to recognize the complexities involved with approaching social networking use from a policy perspective. Not that long ago, the approaches were much less nuanced, either underestimating the risks by suggesting minor modifications to existing policies and/or promoting broadly-defined, blanket approaches that could actually create more risk than they might mitigate. Actually, now that I think about it, a lot of the legal/policy approaches still do that…

    Like Chris, I appreciate your emphasis on the importance of training, to which I'd like to add three points:

    1. Since we're still in the early days of social media usage, the training should be conducted in person whenever possible, similar to the approaches taken with harassment training.

    2. Organizations should plan for frequent updates to the training (and their policies) since technologies, case law, and (eventually) regulations are constantly changing.

    3. Managers and leaders should undergo separate training focused on the unique issues related to their roles, such as how to proceed when a social media matter is brought to their attention and understanding the boundaries with respect to actions they can take (e.g., perusing social networks as part of the hiring process, attempting to access a password protected site/account).

    Courtney Hunt

    Founder, Social Media in Organizations (SMinOrgs) Community

  5. Courtney,

    Your additional points are well taken. I find that people pay far more attention to in-person training then they do to a webinar (myself included). Also separate training for supervisors and other executives is critical. Generally, HR professionals readily understand the need for training but getting approval up the chain of command for training rank and file is not always easy. Sometimes it's an economic issue; other times the stumbling block is a failure to fully appreciate the risks posed. It tells me I need to do a better job of pointing out those risks. Thanks for your comments.

    David

Leave a Comment

Your email address will not be published. Required fields are marked *