Digital Security Report: Social Networking Sites Expand Risks for Employers
Social networking websites, such as Facebook, LinkedIn, and MySpace, give users a platform to post information about themselves, to stay in touch with friends, and to meet new ones. These sites also create a buffet of legal and IT risks that business organizations must address.
In regard to IT risk, Sophos, an international provider of enterprise cyber-security solutions, released its Security Threat Report. The report noted that criminals have increasingly focused on using social networking sites to attack enterprises. Click here to be linked to Sophos's overview of the Report and here for the full report.
The Report also provides various recommendations and insight for responding to risk created by social networking websites. Despite the risks, Sophos recommends against employers implementing a wholesale ban on these social networking websites. The rationale for this conclusion is that users/employees will likely circumvent the employer’s protective measures and thereby open up another layer of vulnerability to the organization.
In regard to legal risks, these sites hold a goldmine of information for employers that may be useful in qualifying and screening potential hires. In fact, one in five decision-makers uses social networking sites to screen potential applicants. See One in five bosses screen applicants’ Web lives. But the other side of the coin is that an employer may learn information that may later become a cornerstone in a discrimination lawsuit. For example, what if the information revealed that an applicant is in a protected class under federal or state laws, e.g., photos showing a person’s race, information about a person’s religious affiliations, or that an applicant is pregnant? Whether this information was a determining factor in the adverse hiring decision will be answered against the factual backdrop that the employer checked the applicant’s profile and was therefore aware of the particular fact creating the protected class under state or federal law.
Another risk employers must address when it comes to social networking sites is the disclosure of confidential and proprietary information. In a recent and extreme example, the wife of Britain’s new spy chief posted family pictures on her Facebook page and exposed details of where the couple live and take their vacations (or, for those outside of the U.S., holidays) and who their friends and relatives are. The British spy agency was concerned that this information could compromise security and potentially be useful to hostile foreign powers or terrorists. See British Spy Chief’s Cover Blown on Facebook. (No offense to the spy chief’s wife (Lady Shelley Sawers), but I don’t ever recall any Bond Girl exposing Mr. Bond on their Facebook pages.)
While not every business organization employs a top spy or incorporates national security into its business plans, most organizations do have information they consider to be top-secret. Whether it is marketing plans, customers, formulas, etc., inadvertently distributing such information via the social networking world may significantly undercut a business initiative or other strategic plans. I’ve also run into situations where employees exchange information in responding to and asking questions through various Listservs and similar platforms. While the motivation is generally legitimate, the unintended consequence may result in the disclosure of confidential and proprietary information or preclude protection under a particular IP strategy.
There are numerous risks that should be weighed against the benefits of social networking sites (feel free to contact me for more information). But a few take-aways for employers are as follows:
First and foremost, start with determining what the employer’s expectations are when it comes to using company resources to access social networking sites. It may not be worth the trouble and risks, in which case an across-the-board ban will be implemented. Or, it may be allowed with respect to certain departments. Ideally, formulating this expectation will involve working with your IT professionals. For instance, is it feasible to implement a wholesale ban against using social networking applications, or is there a business justification for making exceptions? If so, what security gaps need to be addressed?
Second, make sure your expectations are reflected in your company’s Internet acceptable usage policy and that this policy expressly applies to social networking sites. Also, make sure that the policy clearly spells out the ramifications, including the levels of discipline that may occur for violating the policy.
Third, educate users as to your expectations and be prepared to offer explanations for the policy/ban, e.g., the security risks, the risks of exposing information that provides a competitive edge to the company, etc. I know from experience that it is becoming common for employers to include social networking sections in their training on protecting corporate information. This is not a legal requirement, but speaking from experience, it is easier for an individual to “buy-in” to a policy if there is a rational reason for it.
Finally, and this relates to the first point, work with IT to determine how the policy will be enforced. While the “scout’s honor” system works great for scouts, a better approach is to rely on some sort of analysis of Web logs, which will detail use during business time (if not allowed), or to implement an automated search of websites for corporate information. But that is just the cynic in me speaking.
What if the information revealed on the site puts the applicant in a protected class under federal or state laws? Whether or not the information putting the applicant in the protected class was a determining factor in the adverse hiring decision, the fact that the employer checked the profile and was aware of that fact may give rise to an allegation of discrimination. In addition, the applicant’s conduct could be protected concerted activity under federal labor law. Also, some states prohibit adverse employment actions based on political expression.