Discover Performance: HP Software's community for IT leaders // November 2012
Creating a model solution for social media governance
Social media and data retention are a tough mix. Learn how to protect your organization against legal and compliance risk in a social media world.
For regulated entities, data retention is a constant concern. Rapid technological change only increases the burden. When email first entered the enterprise, regulators needed to decide whether it would be subject to retention requirements. Today, it’s the wide range of social media that creates uncertainty in data governance.
As social media evolves and becomes more pervasive, businesses need to develop a governance model that’s mindful of the unique risks and the legal/regulatory challenges. A recent Autonomy white paper thoroughly surveys the landscape and includes four best practices through which organizations can establish a strong governance model with the flexibility to change as technology, regulations, and legal precedent evolve.
Danger: Private information ahead
U.S. federal law prohibits the interception of electronic communication without prior authorization. Organizations have addressed this issue by incorporating the right to monitor or capture communication in their employee contracts and handbooks. However, these rights usually extend only to interactions that arise on corporate networks or occur on corporate-controlled devices.
Social media communication takes place on a third-party site, often conducted through an individual’s private account. Thus, organizations attempting to monitor or capture interactions risk violating privacy laws. Many of the best practices for social media governance attempt to automate procedures to protect the organization against such violations.
Best practice #1: Wherever possible, create separate business identities for social media to minimize capture of personal or private information.
Inherently personal or private content is rarely valuable to an organization, but it does create new risks and obligations. For example, if an employee shares personal health data with his social network, this could create an affirmative obligation for the organization to protect this data through encryption. Further, exactly where posting or transmitting information moves from “personal” to “public” has not been settled. Thus, a business identity that is separate from purely personal interactions is best for its employees and the firm itself.
Best practice #2: Prepare to deploy solutions that can govern the three types of interactions: inside, moderated, and outside.
- Inside-based interactions—This is social media activity that is initiated from within a corporate network or on a corporate-controlled device.
- Moderated interactions—These are interactions that occur on a corporately maintained social media account. The organization owns the account and the associated interactions. This gives the organization, rather than employees directly, the right to establish governance mechanisms.
- Outside-based interactions—For interactions occurring off an organization-controlled device or network, governance solutions should let individuals opt in or register a particular social media account. Registering the account grants the governance application the authority and credentials to see and capture content.
Best practice #3: Employ solutions that have the ability to capture additional approval on a site-by-site basis, to verify assent for capturing and monitoring.
There may be cases where it makes sense to capture/monitor data from an employee’s personal social media account with his or her explicit consent, such as when employees tweet exclusively about business-related news and trends. Organizations need to protect themselves against workers later claiming the data capture was unauthorized.
The capture of employee assent must be automated. Moreover, each site monitored represents a different set of relationships and entities, so each account/site combination must be managed individually.
However, capturing social media content simply for the sake of collecting it is of limited value. Today, lawyers and regulators focus less on the form a piece of information takes and far more on what it actually means.
Best practice #4: Focus on solutions that can establish what something means, and understand how it relates to potential risk for an organization.
Given the sheer volume of potential interactions, and also the fact that interactions may be very short (like a tweet) or much more complex (like audio), solutions must possess the ability to find relevant patterns or relationships in the information. This intelligence will give you solid footing for compliance obligations and litigation protection, without wasting effort on content identification.
For more details on the implications of social media on information governance, download the Autonomy white paper, “Social Media and Information Compliance” (.pdf).