4 Areas of Social Media Risk

With so many risks involved with social media and your organization, you may be tempted to say to yourself, “Let’s make it easy. Let’s have our social media policy be… No social media!”

There are two significant problems with this approach:

  1. Such policies are impossible to enforce. Most employees can access social media at work through their own mobile phones, which employers cannot control.
  2. Employees can easily use social media outside of work. Even in one of the most highly regulated industries, the financial industry, more than half of financial services professionals use LinkedIn or Facebook for work or personal reasons.

To be clear, banishment is not a policy. It’s a fantasy.

When designed holistically and communicated correctly, policies help to influence all major actions and activities that take place within the boundaries set by them and can help eliminate or at least mitigate risk in one of the four major risk areas:

1. Regulatory Requirements

Restrictions, licenses, and/or laws applicable to a product or business, imposed by the government.


  • Social media policies created by the Gramm-Leach-Bliley Act (GLBA). Under GLBA, financial services firms are obligated to protect the privacy of consumers and their non-public personal financial information. Intentional or even accidental disclosure of such information, possibly via your organization’s social media platforms, could put you at severe regulatory risk.
  • SEC Regulation Fair Disclosure (FD). Regulation FD is designed to prevent an issuer of stock from selectively disclosing material non-public information.

The ubiquity of social media and its “S2 Twins,” Speed and Scope, make for powerful downside risks if employees are not fully aware of the expectations on their behavior 24 x 7. So ask yourself, “Do our employees know what they can and cannot share publicly? With whom? And when?” If you said “yes,” how do you know this? Can you point to specific documentation that indicates your organization both has clearly written policies and has communicated these policies to all relevant employees?

2. Legal Requirements

Those areas associated with the communication of unlawful content – either intentionally or accidentally.

The first legal area we’ll discuss is that of Vicarious Liability. This is the legal term that is used when an organization is held legally (and financially) responsible for the unlawful, offensive, or otherwise inappropriate action of its employees. Vicarious Liability applies regardless of whether the offending employee’s violation was accidental or intentional.

As it relates to social media platforms, it also may apply regardless of whether the employee commits the offense at the office using company-issued computer resources OR at home using personal devices and private accounts, sites, tools, and technologies.

Put very plainly, thanks to Vicarious Liability, an employer might be held legally responsible for the obscene, harassing, discriminatory, or otherwise illegal or objectionable blog posts, tweets, Facebook comments, or YouTube videos of its employees, regardless of where, when, or how the offending content was created, posted, or published. Not something to be taken lightly given the enormous potential for both financial and reputational loss.

3. Security

The presence of social media in the workplace greatly increases the risk of potentially devastating security breaches and/or data leaks.

While many organizations spend millions of dollars on sophisticated IT infrastructure and complicated access protocols to protect confidential information, social media in the workplace can expose that information. It is therefore critical that employers clearly communicate their policy regarding the safeguarding of confidential data.

They should also make it clear that in the United States, employees have “no reasonable expectation” of privacy when using the company’s computer systems, sites, accounts, or devices.

The Federal Electronic Communications Privacy Act (ECPA) makes it clear that the company’s computer system is the property of the employer. Note that laws do differ from state to state on whether the employer must notify employees that their computer use is being monitored.

4. Culture

How you want your social media policies to impact your organizational culture: loose or tight?

The fourth area that impacts the development of your SM policies is probably the one that is the most flexible but also the one that can have significant organizational ramifications.


  • Do you want “loose” policies that put the behavioral responsibility squarely on the shoulders of the employee? “Don’t put anything on the internet or in an electronic communication that you wouldn’t want your grandmother to see.”
  • Do you want “tighter” policies that go into great detail around what is and is not acceptable behavior?

It’s very important to note that while there are no “right” or “wrong” cultures, organizations that are lax in promoting strict compliance with regulatory, legal, and security requirements may find themselves inadvertently directing their cultural norms in ways that they had not intended.

And while no specific “right” or “wrong” policy approach exists, what does exist is the ability of poorly administered policies to either directly or indirectly cause employees to exhibit inappropriate and even illegal behaviors. Behaviors which could have been far different and caused far fewer headaches if only more time had been spent on both the thoughtful development and communication of well-thought-through policies.