paper
Chapter 13
Information Governance for Social Media
Isaac T. Gbenle PhD
Information
Information is the lifeblood of every organization, and an increasing volume of information today is created and exchanged through the use of social networks and Web 2.0 tools like blogs, microblogs, and wikis.
Corporations use public social media technology to create a visible brand, strengthen relations with current customers while attracting new connections and clients, highlight their products and services, and gather intelligence that can be used in decision making.
Governments use public social media technologies to consult with and engage citizens, provide services, and keep pace with fast-moving events (e.g., natural disasters).
Both types of enterprises also benefit from the use of internal social media solutions that facilitate communication and collaboration, improve employee engagement, and boost productivity and efficiency.
Information Contd
Content created through or posted to these new social media platforms must be managed, monitored, and, quite often, archived. Content that meets the organization's definition of a record (i.e., documents business activities) must be retained in accordance with the organization's records retention and disposition policy.
Too often, social media content is not managed by information governance (IG) policies or monitored with controls that ensure protection of the brand and critical information assets and preservation of business records.
According to the U.S. National Archives and Records Administration: Social media platforms can be grouped into the categories below. Some specific platforms may fit into more than one category depending on how the platform is used.
Web Publishing. Platforms used to create, publish, and reuse content.
Microblogging (Twitter, Plurk)
Blogs (WordPress, Blogger)
Wikis (Wikispaces, PBWiki)
Mashups (Google Maps, popurls)
Social networking. Platforms used to provide interactions and collaboration among users.
Social networking tools (Facebook, LinkedIn)
Social bookmarks (Delicious, Digg)
Virtual worlds (Second Life, OpenSim)
Crowdsourcing/Social voting (IdeaScale, Chaordix)
File sharing/storage. Platforms used to share files and host content storage.
Photo libraries (Flickr, Picasa)
Video sharing (YouTube, Vimeo)
Storage (Google Drive, Dropbox)
Social Media in the Enterprise
Implementing security is more manageable and practical with enterprise social networking software.
Public-facing social media integrates Internet-based applications, technology, social interaction, and content creation to enable communication, collaboration, and content sharing within and across subnetworks of millions of public users. Implementing tight security on these types of mass networks would likely slow response time and inhibit the user experience, and it may not provide a sufficient level of security to warrant the investment on the part of the social media provider.
Enterprise social networking is being adopted by business and public-sector entities at a rapid rate. With the entry of Generation Gmail into the workforce, many of these initiatives took on an experimental, "cool" image. However, it is crucial to establish social media business objectives, to define time-limited metrics, and to measure progress. There does need to be some leeway, as calculating return on investment (ROI) for enterprise social networks is very new, and all the benefits (and pitfalls) have not yet been discovered or defined. Certainly the network load and required bandwidth for e-mail and attachments will decrease; instead of sending a 25MB PowerPoint file back and forth among 10 coworkers, the file can sit in a common workspace for collaboration.
Social media differs greatly from e-mail use. E-mail is mature and stable. Social media is not. These distinctions have important ramifications for IG policy development.
Biggest Risks of Social Media
Social media is the Wild West of collaboration and communication. Vulnerabilities still are being exposed, and rules still are being established. Users often are unsure of exactly who can see what they have posted. They may believe that they have posted a comment only for the eyes of a friend or colleague, not realizing it may have been posted publicly. "One of the biggest risks that social networking poses to organizations is that employees may be exposing information that's not meant for public consumption, especially in highly regulated environments like banking and healthcare, in industries that rely heavily on proprietary research and development, or even in the military"
Lack of a social media policy. Many organizations are just now discovering the extent to which social media has popped up in various pockets of their organization. They may believe that their e-mail and communications policy will pretty much cover social media use and that it is not worth the time and expense to update IG policies to include social media.
Employees—the accidental and intentional insider threat. This may be in part due to lack of social media policy or due to lack of monitoring and enforcement. Sometimes an employee harms an organization intentionally. Remember Private Bradley Manning's release of hundreds of thousands of classified government documents to WikiLeaks?[
But most times employees do not realize the negative impact of their behavior in posting to social media sites. People might use social media to vent about a bad day at work, but the underlying message can damage the company's reputation and alienate coworkers and clients. Other times a post that is seemingly unrelated to work can backfire and take a toll on business. We're all human and sometimes emotion gets the better of us, before we have rationally thought out the consequences. And that is especially true in the new world of social media, where it may be unclear exactly who can see a comment.
Legal Risks of Social Media Posts
Two of the biggest threats of social media use for organizations come from the lack of a social media policy and threats presented by employee use.
With no IG policy, guidelines, monitoring, or governance, legal risks of using social media increase significantly. This is an avoidable risk.
Just when compliance and records managers thought they had nailed down IG for e-mail, IM, and electronic records, social media came on the scene creating new, dynamic challenges!
IG Considerations for Social Media
An IG framework for social media should incorporate social media policy, controls, and operational guidelines as well as spell out consequences for violations. Best practices for social media still are being established, and those that have been established are evolving. In addition to establishing policies to govern the use of social media across the organization, best practices should include industry-specific, vertical market considerations. A cross-section of functional groups within the enterprise should provide input into the policy-making process.
At the very minimum, internal audit, marketing, finance, information technology (IT), legal, human resources, and RM must be consulted, and all business units should be represented. Clear roles and responsibilities must be spelled out, and controls must be established to govern acceptable use—essentially what is allowed and what is not. Even writing style, logo format, branding, and other marketing considerations should be weighed. The enterprise's image and brand are at risk, and prudent steps must be taken to protect this valuable, intangible asset. And most important, all legal and regulatory considerations must be folded into the new IG policy governing the use of social media.
Key Social Media Policy Guidelines An IG framework for social media should incorporate social media policy, controls, and operational guidelines, and spell out consequences for violations.
A prudent and properly crafted social media policy:
Specifies who is authorized to create social media accounts for the organization.
Authorizes specifically who can speak on the organization's behalf and who cannot (by role/responsibility).
Outlines the types of negative impact on the company's brand and reputation that unscreened, poorly considered posts may have.[24]
Draws clear distinctions between business and personal use of social media and specifies whether personal access is allowed during work hours.
Underscores the fact that employees should not have any expectation of privacy when using social media for corporate purposes, just as in using other forms of communications such as e-mail, IM, and voicemail, which may be monitored.
Clearly states what is proper and allowed on the organization's behalf and what is forbidden in social media posts or using organization resources.
Instructs employees to always avoid engaging in company-confidential or even controversial discussions.
Encourages/requires employees to include a standard disclaimer when publishing content that makes clear the views shared are representative of the employee and not the organization.
Strictly forbids the use of profanity and uses a professional business tone, albeit more informal than in other corporate communications.
Strictly forbids any statements that could be construed as defamatory, discriminative, or inflammatory.
Outlines clear punishments and negative actions that will occur to enforce social media policy.
Draws clear rules on the use of the company name and logo
Electronic records management (ERM).
Marking an electronic document as a read-only electronic record
Protecting the record against modification or tampering
Filing a record against an organizational file plan or taxonomy for categorization
Marking records as vital records
Assigning disposal (archival or destruction rules) to records
Freezing and unfreezing disposal rules
Applying access and security controls (Security rules may differ from the source electronic document in an electronic document management system or enterprise content management [ECM] software.)
Executing disposal processing (usually an administrative function)
Maintaining organizational/historical metadata that preserves the business context of the record in the case of organizational change
Providing a history/audit trail
Records Retention Guidelines Some basic records retention guidelines:
Make records threshold determinations. Examine the content to see if it in fact constitutes a record by your own organization's definition of a record, which should be contained in your IG policies. This records determination process likely also will require consultation with your legal counsel. If the social media site has not been kept operating, or it was used for a specific project that has been completed (and all pertinent records for that project have been retained), then its content may not require retention of records.
Use existing retention schedules if they apply. If your organization already has retention policies for, say, e-mail, then any e-mail sent by social media should adhere to that same scheduling guideline, unless there is some legal reason to change it.
Apply basic content management principles. Focus on capturing all related content for social media posts, including conversation threads, and associated metadata that may be required in legal discovery to provide context and maintain the completeness, authenticity, and integrity of the records.
Risk avoidance in content creation. Instruct and reinforce the message to employees participating in corporate social media that content on the Web stays there indefinitely and that it carries potential legal risks. In addition, once something is posted on the Web, completely erasing and destroying the content at the end of its retention period is nearly impossible.
Emerging Best Practices for Managing Social Media Records
Identify records during the social media planning stage. Both a social media policy and the records and information policy should refer to a form to be completed by the person or unit proposing a new social media initiative. The person completing the form should indicate if records will be created and, if so, how they will be managed.
Promote cross-functional communications. A social media team of representatives from various departments, such as IT, social media, legal, compliance, records management, and other stakeholders, is formed, and communication and collaboration is encouraged and supported.
Require consultation in policy development. Extending beyond the social media team, input and advice from multiple stakeholder groups is essential for creating IG policies that cover social media records management.
Establish clear roles and responsibilities. The cross-functional social media team must lay out clear expectations and responsibilities and draw lines of accountability so that stakeholders understand what is expected of them.
Utilize content management principles. Management of social media content should fall under an ECM software implementation, which can capture and track content, including associated metadata and external content, and manage that social media content through its life cycle.
Implement RM functionality. Management by an ERM system that offers features that enable records retention and disposition, implementation of legal holds, and lifting of legal holds is essential.
Control the content. Clear guidelines and monitoring mechanisms must be in place to control and manage content before it gets published on the Web, when possible (e.g., static content on blogs and profiles in social networks) if there is any potential legal risk at all.
Capture content in real time. By implementing a real-time content capture solution for content posted directly to social media (e.g., comments on blogs and posting of someone else's content or retweets), organizations will begin their control and management of the content at soonest point and can more easily prove it is authentic and reliable from a legal perspective
Champion search capabilities. After capture and preservation of records and associated metadata, search capabilities are the single most important feature that the technology must provide.
Train, train, train. Social media is a new and emerging technology that changes rapidly. Users must be trained, and that training must be updated and reinforced on a regular basis so that employees have clear guidelines, understand the technology, and understand the business objectives for its use.
Organizations are increasingly using social media and Web 2.0 platforms to connect people to companies and government.
Social media use presents unique challenges because of key differences with other electronic communications systems, such as e-mail and IM.
Two of the biggest risks that social networking poses to organizations are (1) not having a social media policy; and (2) employees may be—intentionally or not—exposing information that is not meant for public consumption.
Enterprise social networking software has many of the features of consumer social applications such as Facebook, but with more oversight and control, and they come with analytics features to measure adoption and use.
Various software tools have become available in recent years for archiving social media posts and followers for RM purposes.
An IG framework provides the overarching policies, guidelines, and boundaries for social media initiatives, so that they may be controlled, monitored, and archived.
Social media posts are more than the post itself; they include metadata and also include hyperlinks to external content—and that external content must be preserved in its native format to meet legal standards.
Robust search capabilities are the most crucial component of a social media ERM or archiving solution.
Social media policy will be unique to each particular organization.
Best practices for managing social media business records are still evolving but include forming cross-functional social media teams with clear responsibilities, encouraging communication, and capturing complete content in real time.