
Social Media and the Shifting Information Compliance Landscape

George T. Tziahanas, Global Head, Legal and Compliance Solutions, Autonomy Inc.
Eric T. Crespolini, Vice President, eDiscovery Technologies, Autonomy Inc.

Autonomy White Paper

Index

Introduction
Background
  A Trend Toward Interactive Content
  Memorializing Interactions
Changing Legal Landscape
  Scope of Discovery in Social Media
Potential Privacy and Freedom of Expression Issues in Social Media
  Capturing Private Information Creates Different Forms of Risk
  Statutory or State Constitutional Protections Governing Employer Conduct
  Risk Associated with Storing, Accessing, or Disclosing Personal Information
A Model Solution for Social Media Governance
  Content and Social Media
  Third-Party Email, Messaging Services and Chat
  Social Media Walls and Forums
  Where to Capture Social Media
  What Does it All Mean?
Conclusion
Authors


Introduction
Within just a few short years, social media has gone from an emerging experiment in new ways to interact and connect to a legitimate channel in which businesses of all types engage. Certainly early engagement by businesses had largely been tied to consumer-focused companies, but this is changing as social media has become more accepted and widely used. Social media itself has evolved into a general term, which encompasses a variety of channels where an individual has the ability to interact with others, usually in a more one-to-many model than something like a phone call or even an email. Whether this is through common sites like Facebook, Twitter, and LinkedIn, or more generally through blogs and interactive posts on internal or external websites, in essence people are now communicating through many different avenues in unprecedented volumes and speed.

For many regulated entities, the implications of social media are obvious: these innovative communication channels introduce new legal and compliance challenges. To the extent employees are engaging over social media channels to conduct business, obligations regarding those interactions may flow directly from existing regulatory requirements.1, 2 In some instances, regulatory authorities are issuing more specific guidance on social media, such as FINRA's Notice on social media.3 More generally, organizations are trying to understand the preservation and production responsibilities in the context of litigation.

To address existing, new, and emerging requirements, it will be important to understand the nature of obligations, how business and employees engage in social media, and the solutions necessary to stay compliant. Social media models, along with associated legal and regulatory framework, will continue to evolve rapidly. As such, organizations should look to develop policies and deploy solutions that are flexible

Background
A Trend Toward Interactive Content
Even before social media became mainstream, there was a clear trend by regulators to incorporate interactive content into their requirements, even if they did not intend the effect. When email first became more prevalent, there were often discussions as to whether it merely represented a transient form of communication, or was actually subject to retention requirements. The SEC helped settle this argument when it codified that email must be preserved as a book and record for its regulated entities. The FSA took a similar (though later) stance when it required firms to record audio interactions between parties to a covered transaction.4 The regulators realized that account statements, trade blotters, or other transactional content did not provide a full context toward conduct of regulated parties. Interactive content helped fill that void.

Perhaps more interesting than the regulations themselves was associated commentary by the regulators. In an interpretive release, the SEC noted its requirements (including email) were necessary because the preserved records are the primary means of monitoring compliance with applicable securities laws, including antifraud provisions.5 The FSA in its commentary to COBS 11.8 noted the requirement was not just about establishing greater transparency or some general compliance objective, but more specifically to increase the probability of successful enforcement.6 In both cases, the regulators are laying the case for use of interactive content for more effective enforcement activity.
1. See e.g. SEC 17a3-a4 or FSA COBS 11.8
2. See also, warning sent to Novartis regarding advertising links posted on corporate Facebook site. http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/EnforcementActivitiesbyFDA/WarningLettersandNoticeofViolationLetterstoPharmaceuticalCompanies/UCM221325.pdf
3. FINRA Regulatory Notice 10-6. Social Media Websites. Guidance on Blogs and Social Networking Sites. http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf
4. Ibid at Note 1.
5. SEC Interpretation. Electronic Storage of Broker-Dealer Records. 17 CFR Part 241 [Release No. 34-47806], May 2003. http://www.sec.gov/rules/interp/34-47806.htm
6. FSA Policy Statement 08/1: Telephone Recording: recording of voice conversations and electronic communications, at 2.1


Memorializing Interactions
Not long ago, most business was conducted through channels and media that were limited, and not easily memorialized or disseminated. Phone conversations occurred across a copper wire, fixed-physical documents were delivered or copied by hand, and the number of people engaged in any information exchange was usually small.

The reality of business today is quite different for most organizations than traditional operating environments. Since 2004, the world economy has produced more transistors (the building blocks of microprocessors) at a lower cost than grains of rice.7 This has created unprecedented capabilities to create, store, and disseminate all types of increasingly rich content. The result is business conducted across many different electronic channels, where content and interactions are easily captured and recorded.

One recent case exemplifies the new dynamic of highly interactive content that is easily memorialized, and of interest and use to regulators: the Galleon insider trading case. In 2007, while reviewing a set of materials from a fairly routine inquiry, an SEC attorney came across an instant message interaction that included a simple statement by one of the conspirators. It read "don't buy [Polycom] till I get guidance, want to make sure guidance OK."8 And so began one of the most comprehensive insider trading investigations in history.

The Galleon investigation did not just implicate a few isolated individuals in the hedge fund or investment banking community. Rather, it reached senior executives at such storied institutions as McKinsey, IBM, Intel, AMD, and others. Lower level consultants and networks of experts across diverse industries were also involved. And in nearly every instance, interactions including phone calls, emails, text messages, and other forms were central to building a case against the relevant parties.9 It demonstrated that even diverse channels of interactions were easily memorialized and available for use by investigators.

This dynamic extends beyond broad-reaching criminal and civil investigations by regulatory authorities. Increasingly, potentially relevant information in traditional private party litigation is found in new interactive channels. Two examples include a traditional intellectual property infringement and contract claim10 where parties to the suit sought relevant information from MySpace, Facebook, and Media Temple, and an administrative claim brought by the National Labor Relations Board11 regarding company policies that violate individual workers' rights as well as freedom of expression protections.

Changing Legal Landscape


As is often the case, technology moves faster than legislators can draft new laws, or regulators can develop clear and effective rules. Courts and regulatory authorities are usually left to interpret law developed for predecessor technologies, in the context of more recent capabilities. The facts are no different with social media. Social media, however, introduces greater complexity for organizations attempting to address legal and regulatory requirements than previous technologies. And while legislatures, courts, and regulators all wrestle with social media, organizations must forge ahead in developing a strategy to deal with a new reality. Although legal and compliance obligations will evolve, there are points of clarity and likely areas of conflict, which organizations can use to develop their strategy. These fall into three general areas: (1) Scope of discovery in social media, (2) potential privacy and freedom of expression issues, and (3) specific regulatory requirements. As the discussion below lays out, social media issues are not clear-cut, and will require solutions that are flexible and can address sometimes contradictory requirements.

7. Semiconductor Industry Association, Annual Report 2005. http://www.sia-online.org/downloads/SIA_AR_2005.pdf
8. Fund Chief Snared by Taps, Turncoats. The Wall Street Journal, December 30, 2009.
9. Insider Inquiry Steps Up Its Focus on Hedge Funds. The New York Times-Deal Book, February 8, 2001. http://dealbook.nytimes.com/2011/02/08/3-hedge-fund-managers-face-insider-trading-charges/?partner=rss&emc=rss
10. Crispin v. Audigier (C.D. Cal.) (May 26, 2010)
11. NLRB v. American Medical Response (February 7, 2011). http://www.natlawreview.com/article/federal-scrutiny-social-media-policies-facebook-posting-subject-nlrb-settlement-employer


Scope of Discovery in Social Media


The Role of Pre-Trial Discovery Obligations and Federal Rules of Civil Procedure
As organizations attempt to develop policies and solutions to address regulatory and compliance obligations associated with social media, it seems reasonable to first look at implications of discovery on electronic information. After all, the scope and power granted to courts and parties in discovery can serve as a proxy for those granted by a regulator, since any dispute to regulatory action would end up in litigation anyway.12

In 2006, the Federal Rules of Civil Procedure (FRCP) were amended, to codify and more specifically detail requirements for the preservation and discovery of electronically stored information (ESI). The scope of the FRCP requires each party to provide a copy (or description) of all ESI that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses.13 By most accounts, this is a fairly broad duty on a disclosing party, and has been used by several courts to require discovery by parties in litigation.14

However, the reality of an organization's possession, custody, or control of relevant information provides a level of complexity that must be incorporated into the analysis. Social media often differs in an important respect to other enterprise content; it may be created and stored on a third-party system outside of an organization's control. It may also be associated with an account over which an organization has no legal right to access. As the scope of this paper is focused on legal and compliance obligations for organizations (as opposed to individuals), this is a critical point of analysis.

The most common social media sites (Facebook, Twitter, and LinkedIn) and their peers allow individuals and/or organizations to establish an identity, and to engage in various forms of interaction with approved friends or connections, or potentially with the public at large. The key attribute here is that the relationship exists between an account holder and the third-party site.

Since many social media interactions occur based on a relationship that does not include the employer, the scope of their duties and authority differ from what applies to enterprise content. Except where an organization is the account holder15, they are probably not in possession, custody, or control of the content posted by an employee on a third-party site.16 As such, an organization's duties under the FRCP are more uncertain for such content, and would rely heavily on the actions of its employees to carry out its obligations, if any.

More importantly, the Federal Rules of Civil Procedure do not grant authority for an organization to directly access such content without approval from the account holder or site owner. Getting the latter may prove quite difficult. Many sites are taking the position that they will not cooperate in third-party requests for information. In fact, Facebook has taken the position that even with a subpoena they may fight a discovery request, and have done so successfully.17

Statutory Restriction on Access to Social Media Content in Discovery


As organizations and individuals began to use computers more broadly, Congress realized that new risks to privacy would likely follow. In response, Congress passed the Stored Communications Act (SCA) in 1986. The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address.18 Unfortunately, the SCA has not been amended in the intervening 25 years, even as technology has advanced at an extraordinary rate during this time. As such, Courts are left to interpret evolving social media issues in the context of inexact statutory language.19 Regardless, to the extent social media issues are subject to review under Federal Law, the SCA is a critical statute that governs rights and restrictions of potential parties involved in litigation, or more generally in regulatory compliance.

The most important aspect of the SCA is that it extends rights beyond Fourth Amendment protections. The statute itself is complex, and a precise definition of the services a provider renders alters the mechanisms and prohibitions for disclosure.20 In general, it prohibits covered providers from voluntarily disclosing information held by a service provider without court order or subpoena issued by a court or grand jury of competent jurisdiction. Increasingly, Courts are holding that this also includes third-party subpoenas.

The Ninth and Sixth Circuits have held that text messaging service providers and online providers of email services represent Electronic Communications Service (ECS) providers under the SCA.21 In essence, they are forms of electronic communication, communicated and stored (as backup) by the provider, for its benefit or the benefit of the user. Extending this rationale, social media seems to fall into this framework.

The District Court in Crispin v. Audigier, relying on precedent in the Ninth Circuit, held that strictly private messages on social media sites were not subject to discovery per a third-party subpoena, since they are materially the same as text messages or emails.22 The Court in Crispin also held that to the extent Facebook wall postings or similar were displayed only to a specific list of approved friends, such interactions were also protected under the SCA, drawing an analogy to electronic bulletin boards.23 This is important, since trying to determine when something became public, if less than generally available, would create significant uncertainty. The court noted this also protects both individuals and potentially organizations with hundreds or thousands of employees. Only if these posts were available to the general public would these interactions fall under an exception to the protections afforded by the SCA.

There is no question that additional cases will be tested under the SCA, potentially with conflicting results. However, two Federal Circuits appear to have solid precedent that the SCA is relevant to many forms of electronic communication, and access to content cannot be assured in discovery or a regulatory compliance setting. At the very least, organizations will need to develop policies and solutions that allow them to fulfill potential discovery and regulatory compliance obligations, with the potential restrictions of the SCA.

12. The assumption here is that the regulator would bring civil enforcement action, where the FRCPs would apply, and is a far more likely event for organizations than criminal cases. Any criminal cases brought by law enforcement agencies would fall under the Federal Rules of Criminal Procedure, which are generally more restrictive than Civil Procedures.
13. Rule 26 (a)(1)(A)(ii)
14. See e.g. EEOC v. Simply Storage Mgmt., LLC, No. 1:09-cv-1223-WTL-DML (S.D. Ind. May 11, 2010), where the court applied general discovery requirements to social media sites. See also Romano v. Steelcase Inc., 2010 WL 3703242 (N.Y. Sup. Ct. Sept. 21, 2010).
15. For example, a corporate Facebook page, or organization maintained Twitter account.
16. An exception, discussed further below, would be where an organization was capturing social media interactions across its network, or through some other means, and storing a copy within its control.
17. Facebook GC Tells Lawyers He's Looking for a Fight. Law.com, February 2, 2010. See http://www.law.com/jsp/article.jsp?id=1202441887703&slreturn=1&hbxlogin=1
18. Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Circ. 2008) (citing Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 GEO. WASH. L. REV. 1208, 1209-13 (2004))

Potential Privacy and Freedom of Expression Issues in Social Media


Statutory and Constitutional Protections
For many organizations, attempting to adhere to specific regulatory requirements often necessitates a difficult balance with privacy concerns. Many companies make clear through policy and employee handbooks that information created, stored, or communicated across enterprise information systems may be monitored or controlled. While few debate that organizations have such authority on their corporate networks (in the US anyway), social media sites accessed outside corporate networks, in particular, raise significant new complexities. Given the highly distributed and mobile nature of the workforce, and blurring of lines between at work and at home, this presents a significant issue to organizations.
19. The SCA itself does not address private party rights in litigation to electronic information. Rather, it was focused on the duties of covered providers, and the rights and mechanisms for access by governmental authorities. However, it is generally agreed that private parties cannot be assumed to have greater rights to access information than was afforded to the government under the SCA.
20. The SCA distinguishes between a Remote Computer Service (RCS) and an Electronic Communications Service (ECS). For an analysis and application of the distinction, see Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)
21. See Quon at note 18. See also Theofel v. Farey-Jones, 359 F.3d 1066, 1070 (9th Cir. 2004), and Warshak v. United States, 532 F.3d 521, 523 (6th Cir. 2008)
22. Ibid at note 20.
23. Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)


It has been well established that the Fourth Amendment to the United States Constitution provides for individuals to have their privacy protected from unwarranted government intrusion. Going back to Katz v. United States, 389 U.S. 347 (1967), Fourth Amendment analysis has been the question whether a person has a constitutionally protected reasonable expectation of privacy.24 The Amendment does not protect all subjective expectations of privacy, but only those "expectation[s] that society is prepared to recognize as reasonable."25

The issue with attempting to frame private employers' intrusions into the privacy of their employees in the context of the reasonable expectation of privacy test is that Fourth Amendment protections are limits on how the government may act and do not apply to private employers. More generally, in the context of electronic information, greater protections are often afforded under the SCA, as noted previously, in addition to state constitutions and statutes, and under common law remedies for invasion of privacy.

Capturing Private Information Creates Different Forms of Risk


As organizations begin evaluating different mechanisms to capture and monitor social media, some may either be tempted to capture personal interactions in combination with business interactions, or deploy models that have the same effect. Doing so will present organizations with new forms of risk, which for many will likely yield little value regardless. Enterprises today are already struggling under the weight of the sheer volume of information, much of which loses its intrinsic value very quickly. There seems to be little reason to add all types of non-business related interactions, unless the organization could do something with such information. Some employers are interested in determining if employees are denigrating their firm, products, or fellow employees. Others may find value in activities or conduct in personal interactions that may indicate a violation of codes of conduct. There are two primary reasons that capturing private interactions may present unnecessary risk to an organization: (1) Statutory or state constitutional protections that make such conduct illegal and risk of inappropriate actions taken as a result of private information, or (2) assuming responsibility for other forms of protected content (e.g. personal health information).

Statutory or State Constitutional Protections Governing Employer Conduct


The Constitutions of 10 US states contain specific provisions about privacy.26 In some of these states, the privacy provisions are broader than the Federal Constitution. One example is the Constitution of the State of California, which guarantees that an individual has the right to privacy and has been interpreted to apply equally to governmental and private entities. Article 1, Section 1 of the Constitution of the State of California reads: "All people are by nature free and independent, and have certain inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy."

In addition to constitutional protections, California, New York, North Dakota, and to a lesser extent Colorado, all have enacted off-duty conduct statutes.27 These statutes prohibit an employer from disciplining, or, in the case of Colorado, terminating an employee for engaging in lawful conduct, while not at work. Other states including Connecticut, the District of Columbia, Louisiana, South Carolina, and Washington also have similar laws that protect employees against disciplinary actions for their off-duty political activity.

In addition, employees, including those not in a union, may find protections under the National Labor Relations Act (NLRA)28 for some activities conducted on social media sites. In this case, the National Labor Relations Board brought a suit against American Medical Response of Connecticut after they terminated one of their employees. The termination occurred after the employer discovered that the employee had criticized her supervisor on Facebook. In the NLRB's unfair employment practice claim, they contended that such a posting on Facebook, as well as follow-on comments from coworkers, constituted concerted action under the NLRA. The NLRA specifically prohibits an employer from interfering in an employee's right to discuss the terms and conditions of their employment, which include their wages, hours, and working conditions with their coworkers.

This case ultimately settled in February 2011, with the employer agreeing to revise their policies and discontinue disciplining employees for what is protected action. While ultimately this case didn't result in a court decision, it does illustrate that the NLRB considers concerted action that occurs on Facebook to be no different from what occurs in a more private setting and they intend to aggressively go after employers who attempt to punish their employees for such actions.

24. Ibid at 360.
25. Ibid at 361.
26. This includes the states of Alaska, California, Florida, Hawaii, Illinois, Louisiana, Montana, New York, South Carolina, and Washington.
27. CA Labor Code 96(k); N.Y. Labor Code 201-d (2004); N.D. Cent. Code 14-02/4-03 (2003); Colo. Rev. Stat. 24-34-402.5 (2004)
28. 29 U.S.C. 151-169

Risk Associated with Storing, Accessing, or Disclosing Personal Information


Perhaps the most compelling reasons for organizations to carefully consider methods for capturing interactions are the duties it assumes once in possession. At the very least, organizations that are intentionally capturing interactions, or are likely to include interactions that could contain personal or private information, will be required to appropriately protect that information according to a variety of obligations. In addition, consider the implications if disciplinary action or workplace misconduct occurs as a result of disclosure of the following:

- Personal interactions that deal with health-related discussions
- Discussion of personal, political, or religious views
- Interactions associated with sexual orientation or identity
- Participation in certain associations or organizations unrelated to the business
- Financial information or issues

Employees today are likely using corporate messaging environments for personal purposes (even if contrary to corporate policy). However, corporations should balance the potential to identify activity that creates real risk to the organization (e.g. disclosure of trade secrets), with the likelihood that misconduct occurs based on protecting personal information or conduct. For many organizations, the risk calculation will lean heavily towards a focus on true business content.

A Model Solution for Social Media Governance


Social media as a technology and as a platform for various types of interactions will continue to evolve rapidly and likely outpace whatever a legislature or regulator can put in place. In addition, as is already the case, there will be an ongoing tension between an organization's obligation to govern interactions while adhering to privacy rights, and limiting new risk associated with capturing personal information. The right social media governance solution will provide flexible tools to capture and govern interactions, which mitigates associated risk.

Content and Social Media


A decade ago, email and instant messages were the primary form of electronic communication. These forms were largely limited to a small number of individuals in direct communication with each other. Online forums and message boards represented a means for people to communicate or share information more broadly, but usually still limited to some subset of people.

Social media encompasses a combination of methods for interacting with others. Many social media sites have messaging methods consistent with email, chat capabilities, in addition to status updates and walls that are similar to forums and message boards of the past. In the future, there will no doubt be methods to communicate via audio or video, and likely in ways we have not yet contemplated.

While many forms of interaction exist today, and more will evolve, most common forms can be broken into two major categories: (1) private email or messaging services (including instant message/chat), and (2) methods to post content, links, or comments for others to see. In each instance, the assumption is that these interactions are in some way limited to a group of specified or approved individuals, versus available openly to the general public.


Third-Party Email, Messaging Services and Chat


Email and messaging services generally take the form of a note, drafted by a sender, which is addressed to one or more recipients. Most often, a user must log into an account via some form of authentication (e.g. an ID and password), which restricts access to others. Given the restricted access, and a defined sender and list of specific recipients, Courts seem quite clear that accessing such information without approval is prohibited.29 Although chat is somewhat different, as it is often an online, real-time discussion versus asynchronous delivery, it also requires that a user log in to an account and communicate with a specific individual (or individuals) that he/she selects.

Courts have relied not just on the SCA as discussed above, but also on federal and state laws governing interception of electronic communication. Federal law prohibits unauthorized individuals from accessing or intercepting any wire or electronic communication.30 Most states have similar laws, making it illegal to access or intercept such content without approval.

Historically organizations have addressed this issue by incorporating the right to monitor or capture communication in their employee handbooks and employee agreements. However, these rights usually extend only to interactions that arise on corporate networks, or occur on corporate controlled devices. Interactions with social media may not always occur on a corporate network or controlled device, and more importantly the content itself is likely to be stored with a third-party. As such, current corporate policies may not extend to social media. This dynamic presents the first recommended best practice:

Best Practice #1: Employ solutions that have the ability to capture additional approval on a site-by-site basis, to verify assent for capturing and monitoring.

Since individuals may interact with social media outside corporate networks, and each site represents a different set of relationships and entities that probably does not include the supervising corporation, assent for each account or site captured/monitored is appropriate. This practice minimizes the risk that employees later claim that a particular site was outside the scope of any agreement, or potential claims from third-parties that may have had content captured without authorization from at least one party.31

Social Media Walls and Forums


Like the message boards of the past, many social media sites allow individuals to post messages, links, or other content on a wall for others to see. Depending on the settings, wall posts may be visible to the general public, or to a subset of approved friends or connections. Although courts have differed, there is a growing consensus that an attempt to limit visibility to some defined group of individuals (a few hundred) would still be viewed as private communications. Courts are reticent to determine a specific number of friends or connections that define what is private or public. For regulatory and legal purposes, it seems reasonable to assume that something less than open and public content may be subject to privacy obligations as well. Organizations struggle with the implications associated with walls and forums, since it can represent a combination of non-business related content not subject to governance obligations, as well as content that is associated with the business. Some firms are tempted to capture both non-business content and business content, either for simplicity or for investigation purposes. However, enterprises should be extremely cautious in purposely gathering non-business related content, as capturing private and personal information may impose new obligations and create new risks to the firm. Best Practice #2: Wherever possible, create separate business identities for social media to minimize capture of personal or private information. Capturing content that is inherently personal or private in nature rarely provides value to an organization. In fact, for most businesses, it would likely create new risks or obligations. As noted above, when firms consider discussions of medial issues, use of alcohol, sexual orientation or conduct, political or religious affiliations, or even constitutional protected speech about a business or industry; capturing this information has the following implications:

29 Ibid at note 21.
30 18 USC 2511(1)(a). Interception and disclosure of wire, oral, or electronic communications prohibited.
31 At this point there is limited guidance on whether third parties must assent to monitoring or capture of social media, either the site owner itself or third parties posting to that site. This will be an area of law that will likely remain unsettled.


It may create an affirmative obligation to secure private information, and the firm may become responsible if protected information is otherwise disclosed or lost (e.g. health related information).

Risk that individuals within the firm may make inappropriate comments regarding an individual's political or religious views, or their sexual orientation or conduct.

Risk that hiring, firing, or promotion decisions are made based on unrelated private conduct, which is protected in at least some states.

Increases the noise and irrelevant information that has to be captured, stored, and analyzed, increasing costs and complexity.

In general, when viewed in the context of what organizations are compelled to govern in social media, most firms will find that a business identity that is separate from purely personal interactions is best for its employees and the firm itself. Some will argue that employees can subvert organizational policies by using non-authorized accounts for business interactions; that is true. However, it is no different than it is today with personal email accounts over which organizations rarely have controls, and if employees are intent on undermining governance mechanisms they will be creating unregistered identities regardless.

Where to Capture Social Media


Capturing social media interactions is not as simple as ingesting content from some file share, or simply journaling content from a corporate email server. As noted previously, the content itself is likely stored outside of the corporate infrastructure, and capture mechanisms for social media will likely need to move closer to the point of the interaction itself. There are three primary categories where these interactions may arise, and firms should consider the need to eventually incorporate all three into their governance models.

Best Practice #3: Prepare to deploy solutions that can govern the three primary categories of interactions.

Most regulated organizations are taking a measured approach to social media and starting with a limited number of employees and approved social media sites. In the near-term, this means that organizations may appropriately focus on certain categories of models or capture methods. In the long-term, firms should become familiar with the different ways employees may interact with social media, and options to govern the full breadth.

Inside-Based Interactions: These are interactions with social media sites that arise from within a corporate network, or on a corporate-controlled device. This gives an organization options to capture or control interactions on the device itself, or at the network layer. It also allows for the potential to capture social media interactions without assent or approval of employees, assuming policies already exist that cover monitoring or collecting information stored or transmitted on corporate devices and networks. Inside-Based Interactions may also include internal collaboration systems, which some firms are now exploring and adopting for knowledge workers in particular.

Moderated Interactions: These are interactions that occur on corporate-maintained social media sites such as a corporate Facebook or Twitter account. In this instance, the organization itself is in essence the owner of the page and associated interactions. Specific individuals may exercise control on behalf of the firm, and these employees are presumably doing so with full knowledge of the organization. This category grants to the organization, as opposed to employees directly, the right to establish governance mechanisms.

Outside-Based Interactions: These are interactions that occur off an organization-controlled device or network. Firms maintaining a policy that permits employees to engage in business conduct have two options in how these interactions can be governed and monitored:

First, solutions support the ability to allow individuals to Opt-In or register a particular social media account. Although each site differs slightly in capture methods supported, registering the account grants the governance application the authority and credentials to see and capture content. This approval is often done on a site-by-site basis for the reasons stated above. This method works well because the governance application is talking directly to the social media site, so interactions from any device will be captured.


Second, firms should consider using solutions that can monitor aggregated feeds of publicly available information, such as Twitter feeds, public LinkedIn and Facebook sites, blogs, forums, third-party websites, and news sites. This allows firms to see if individuals are discussing their firm, their people, or their products. This can provide another layer of surveillance and monitoring to see what other types of interactions or conversations may be occurring outside of authorized channels.

What Does it All Mean?


At the end of the day, capturing social media is a discrete technical challenge that even niche solution providers may address, even if incompletely or for just certain categories of content. But capturing social media simply for the sake of collecting it is of limited value. Shortly after email became required from a regulatory perspective, most organizations just worried about storing it somewhere to meet their obligation. However, coming out of the credit crisis, insider-trading cases, and some of the legal cases noted earlier, it has become clear that lawyers and regulators are focused less on the form a piece of information takes and care far more about what it actually means.

Best Practice #4: Focus on solutions that can establish what something means, and understand how it relates to potential risk for an organization.

There are few, if any, organizations today looking for more content to govern. Simply capturing new types of interactions alone likely provides limited value. Organizations derive value by mitigating risk, or identifying insights in the interactions that improve their ability to service customers or promote their products. Given the sheer volume of potential interactions, and also the fact that interactions may be very short (like a Tweet) or much more complex (like audio), solutions must possess the ability to find relevant patterns and relationships in the information. Understanding what social media interactions mean is far more important than simply capturing whatever someone can create.

Conclusion
Social media presents unique opportunities for even the most tightly regulated or highly litigated organizations. As social media evolves, it will only become more pervasive and create changing methods for interacting with employees, clients, counter-parties, and the public at large. At the same time, social media interactions present unique risk to organizations. As organizations develop their social media governance models, they should be mindful of the legal and regulatory environment that creates certain obligations, but also prohibits or limits some types of conduct. More importantly, they should look beyond merely the ability to capture social media interactions, and instead focus on what it all means.

Authors
George Tziahanas is Autonomy's Global Head for Legal and Compliance Solutions. Responsibilities include solution design and oversight for Autonomy's Regulatory Archiving, Supervision and Surveillance, Investigation, eDiscovery, and Information Governance solutions. His duties also include leading Marketing for the Protect business at Autonomy. On an individual basis, Mr. Tziahanas works closely with regulated entities on their compliance obligations, in particular financial services organizations. He also writes and speaks broadly on the implications of emerging technologies on corporate information environments. Prior to joining Autonomy, Mr. Tziahanas held leadership positions with Orchestria, Iron Mountain, and Intel Corporation. Mr. Tziahanas holds an MS in Molecular Systematics and Biological Sciences, and a JD from DePaul University. He is admitted to the Bar in the State of Illinois and the Federal District for the Northern District of Illinois.

Eric T. Crespolini is Vice President of eDiscovery Technologies and part of the Protect subject matter expert team for Autonomy. Mr. Crespolini brings over a decade of experience building and overseeing teams in delivering eDiscovery expertise to leading enterprises, information technology management and consulting, implementing enterprise-wide financial and project control systems, data warehousing, electronic collection, disaster planning, and operational process development. Prior to joining Autonomy, Mr. Crespolini held senior management positions at Clearwell Systems, Xerox, and Innovative System Design. Mr. Crespolini earned his JD from Rutgers University, a BS in Actuarial Science from St. John's University, and holds an MBA in Corporate Finance.


The information contained in this document represents the current opinion as of the date of publication of Autonomy Systems Ltd. regarding the issues discussed. Autonomy's opinion is based upon our review of competitor product information publicly available as of the date of this document. Because Autonomy must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Autonomy, and Autonomy cannot attest to the accuracy of any information presented after the date of publication. This document is for informational purposes only. Autonomy is not making warranties, express or implied, in this document.

Autonomy Inc. and Autonomy Systems Limited are both subsidiaries of Autonomy Corporation plc.
20110802_RL_WP_Social_Media_Compliance
