When it comes to social media, it’s easy to put your foot in your mouth. A poorly considered, hastily written Twitter message can reach millions of people in seconds. A thoughtless remark posted on Facebook will be read by all your friends and family.
That’s as true for organizations as it is for individuals. More and more businesses are finding social media is a space that can’t be ignored. But with their online presence comes online pitfalls.
Take the case of shoe and clothing designer Kenneth Cole. During the height of the revolution in Egypt, the company sent out a tweet that was less than sensitive to the protestors in the streets risking their lives after years of oppression.
“Millions are in uproar in #Cairo,” the company said via Twitter. “Rumor is they heard our new spring collection is now available online.”
Cole personally acknowledged that the post was in bad taste. “I apologize to everyone who was offended by my insensitive tweet about the situation in Egypt. I’ve dedicated my life to raising awareness about serious social issues, and in hindsight my attempt at humor regarding a nation liberating themselves against oppression was poorly timed and absolutely inappropriate,” he tweeted.
Organizations need to tread carefully in the electronic age to avoid a potentially embarrassing—or worse, potentially litigious—situation. “The risks that businesses are facing with the explosion of social media aren’t anything new,” says Kevin Shook, an attorney with Frost Brown Todd. “Companies have always advertised, and companies have always allowed employees to speak on their behalf. It’s just that the social media that is now out there heightens the risk and puts companies in situations where the damage can be greater and invite litigation.”
It’s a risk that companies need to be mindful of, he says. “If you’re a business that allows your employees to engage in social media at work, or maybe you have a blog for your business where you allow your employees to make comments on behalf of your business, you have to be aware that civil lawsuits can be brought against you for things like defamation.”
By the Book
In spite of the risks, many businesses are willing—even eager—to have their employees post business news to Twitter or product launches on Facebook. Before they do that, however, they should establish a social media policy, says Ted Motheral, an attorney with Benesch, Friedlander, Coplan & Aronoff.
The policy should be comprehensive, addressing both what employees can say while they’re on the clock and what the company expects from them as they conduct their personal lives online, he says. “The first thing you need to do is gather the right team internally,” Motheral says. “You need someone from HR, someone from IT and someone from legal.”
The policy should be clear and straightforward, he says. “Don’t reinvent the wheel, and keep it simple. You don’t need to put in a lot of legal jargon.” Give employees a place to turn if they have questions. “Always have a follow-up. If you have additional questions, please contact a particular person,” Motheral advises.
A social media policy should address both internal situations (when an employee is using official business channels or speaking for the company) and external situations (when an employee is posting to his or her own page off the clock).
When it comes to internal situations, companies can be as restrictive as they like. The internal policy should list exactly what employees can and can’t do, Shook says. “Maybe there is a specific blog they are allowed to engage in. Or maybe it’s all forms of social media.”
He says it’s a good idea to require employees to have written permission before posting items to social media on the company’s behalf. They also should go through training that includes education on customer privacy, advertising laws, copyright infringement, proper security precautions and appropriate interactions with customers. “You generally want to prohibit employees from making statements that could be considered harassment or derogatory—that could invite lawsuits,” Shook says.
More complex is how the policy applies to an employee’s home life. What can employees say on their own time, using personal social media accounts?
Motheral says employers should include a statement in their social media policies that all employees act as “brand ambassadors”—whether they are posting to a company site or a personal site. If an employee does something so offensive that it damages the company’s brand, he or she could be held responsible. Such a policy is not a magic bullet, however. Most people consider what they do on their own time to be none of their employer’s business, and there could be backlash from employees—and the courts.
“Is it foolproof? No. In the law, everything is on a case-by-case basis,” Motheral says. “This is new and fresh, and the law is trying to catch up.”
A social media policy covers employees, but what about potential employees? Shook says organizations can look up a prospect on Facebook and Twitter before making a job offer, but he advises caution: Sometimes a little knowledge is a dangerous thing. A social media site, by definition, contains a lot of personal information—possibly including race, gender, religion, age and other characteristics that shouldn’t be considered when hiring an employee.
“If that [information] would come into play in decision making or hiring, someone could bring a discrimination case,” Shook says. In order to minimize risk, he recommends someone other than the decision maker do the research. This third party could see what’s on the site, but only report information that can be used when making a hiring decision. This insulates the hiring manager from claims that discriminatory information taken from the page resulted in the candidate being turned down for the job.
When researching job applicants on social media, Shook says companies should also make sure that they are doing so in an open matter. Don’t pretend to be someone you aren’t or engage in other deceptive practices to get access to a candidate’s profile or page.
The “Ex” Business
Social media risk doesn’t just come from employees. External sources may pose a big threat to companies, in large part because of the ease with which someone can post things online.
A company may invest millions of dollars in an online advertising campaign, for example, only to have it undermined by hostile bloggers or social media posters who may not even identify themselves. “There is this big risk when some anonymous person gets on and starts making claims,” says Whitney Gibson, an attorney with Vorys, Sater, Seymour and Pease. “That can hurt all the investment that they’ve made.”
Compounding the problem is the fact that consumers put a tremendous amount of faith in online recommendations. According to social media research firm Socialnomics, 70 percent of online consumers trust recommendations from unknown users, while only 14 percent trust advertising.
If consumers take an anonymous poster seriously, the post may be repeated endlessly on blogs, Facebook, Twitter or other social media channels. “The further it spreads, the harder it is to shut down,” Gibson says.
Many social media attacks stem from ex-employees or ex-spouses, says Chris Anderson, co-founder of Cyber Investigation Services, a firm focused on online and Internet security. The Florida-based business works with clients around the country.
Another typical source of online attacks is rival companies. “There are an awful lot of attacks that we deal with [from competitors] rising to the top by cheating—and that means destroying the competition,” Anderson says.
In one case, he says his company was able to track down a single person working in the carpet industry who had attacked all six of his closest competitors online. “What most people assume is that a lot of these reviews that are out there are from unhappy legitimate clients,” Anderson says. “And that couldn’t be further from the truth.”
Cyber Investigation Services receives about 400 requests for help a month, Anderson says, and about 99 percent are reactive rather than proactive. “The interesting thing, too, is that a lot of time it’s reactive and late,” he says.
To explain why so many companies are late in reacting, Anderson describes a typical scenario. The CEO of a company under attack goes to his or her general counsel and describes what’s going on. The general counsel does research and concludes that the person is either hidden from identification or protected by First Amendment free speech rights. The CEO and general counsel decide to stand back and hope the issue goes away. “It almost never does,” Anderson says. “Then it gets to a serious pain point. And about that time, we get the phone call saying, ‘Help.’ ”
The notion that no one can discover the identities of anonymous social media posters is a common, but largely false, idea. Anderson says his company is “highly successful” at identifying libelous posters. About 10 percent of the time, they can be identified simply by digging through screen names to find information that leads back to their true identity.
There also are a number of ways to identify what Anderson calls “the ultimate digital fingerprint”—a user’s Internet Protocol, or IP, address. Once this is identified, a post can be traced back to one specific Internet connection. In certain situations, getting the IP address is harder and requires a subpoena. In those cases, Anderson takes the case to the client to decide whether to pursue further action.
Monitoring every social media channel for negative posts is a huge job, which is why the work is often farmed out to specialists. R&A Marketing, a full-service agency in Columbus, recently launched “Just Be Sociable with R&A Marketing,” an offering that includes a reputation-monitoring tool to track what the online world is saying about a business.
The agency uses software that monitors a client’s news mentions, public relations campaigns, employees and competition. The service also includes access to a social media specialist who can “help manage every type of social media that you can imagine,” says Kevin Doran, co-owner and vice president at R&A Marketing.
Clients receive hourly, daily, weekly or monthly notifications. “It will have everything that’s ever been said about that client in the social media space,” Doran says.
Comprehensive social media monitoring is something few companies do on their own. “They just don’t have the time, and they don’t know how to track all the social media outlets that are out there,” he says.
R&A Marketing also gives clients advice on how to respond. Doran suggests doing so as quickly as possible, just as they would with a customer service complaint. If someone tweets about receiving a T-shirt with a hole in it from an online retailer, for example, the company can tweet back and offer to correct the problem. “Just like you would return a call 10 years ago, now it’s about responding on Facebook or Twitter,” he says.
Protecting the Business
With all the risks that social media can bring, it’s no surprise that “cyber liability” insurance is growing in popularity. These policies can cover a number of problems that companies face online, says William Kientz, principal and owner of Kientz Risk Management.
What a specific policy may protect against varies greatly. Most policies focus on losses from data breaches, but may include coverage related to social media losses, such as revenue lost as a result of publishing confidential information, copyright infringement, online defamation and more.
Kientz says he’s seen the steady evolution of such policies over the last few years. “Seven or eight years ago, that product was like a simple Corvair car,” he says. “Today, in 2012, that cyber policy is like a very sophisticated Mercedes-Benz.”
Lawsuits and social media missteps are reshaping and strengthening these insurance policies, he says. “Five or six years from now, it will have even more bells and whistles on it.”
Time has also increased businesses’ sophistication in dealing with all types of social media risk. Gibson says one positive change he’s seen in the last few years is that companies aren’t being caught off-guard by social media as much as they once were. “We are seeing an increase in clients asking us to be proactive about this,” he says.
That’s a good thing, Gibson says, because the stakes couldn’t be much higher. He says he knows of a multimillion-dollar company that went bankrupt after false information about it went out online. “The amount of harm that it can do a company is truly amazing.”
Lawrence Houck is a freelance writer.
Reprinted from the October 2012 issue of Columbus C.E.O. Copyright © Columbus C.E.O.