Defending The Digital Workplace

An publication

Adding to your Business Toolbox: A Roundup of Resources for Business Organizations

A number of resources are available at that are relevant to starting or improving your business operations. In addition to those resources, the following links also provide information worth checking out:

  1. Entrepreneur: How to Protect Remote Employees’ PCs from Security Threats
  2. Federal Trade Commission: Revised Endorsement Guides for businesses & bloggers (regulations applicable to testimonials and endorsements)
  3. Entrepreneur: Google Apps for Your Business: The Good, the Bad and the Ugly
  4. Hennessey Capital, by Joe Romeo: Business Plan Basics
  5. Mashable – Business: 5 Small Biz Web Design Trends to Watch
  6. Entrepreneur: Big Marketing Stunts, Small-Business Style
  7. Business Model Alchemist a/k/a Alexander Osterwalder a/k/a genius (ok, this might be more personal commentary than fact. Although, based on Mr. Osterwalder’s work, genius status should not be ruled out): Combining Business Model Prototyping, Customer Development, and Social Entrepreneurship
  8. Mashable – Business: 4 Lessons Small Businesses Can Learn from Apple’s Antennagate

How to Increase the Likelihood Employees will Follow Your Social Media Policy

A lot has been written about social media, its impact on business, and risks for employers. See my prior posts here (Digital Security Report: Social Networking Expand Risks for Employers) and here (Another Reason for Employers to be Wary of Social Media – Unfair and Deceptive Acts). And to mitigate these risks the conventional wisdom says to put a policy in place that applies to employees’ use of social media. But it is also important to implement a policy that is actually effective and will be followed by employees.

Before discussing such a policy, a little foundational information is needed. In their book “Switch: How to Change Things when Change is Hard,” Chip and Dan Heath explain that any change must consider what is described as the “Rider” and the “Elephant.” This analogy is, in turn, taken from Dr. Jonathan Haidt’s book “The Happiness Hypothesis,” which describes the emotional side of our brain as an elephant and the rational side as its rider. This analogy creates a vivid image of a person sitting atop an elephant holding the reins, seemingly in control. Or at least until the elephant and rider disagree about which direction to go, at which point the rider will ultimately lose the battle. (This analogy also vividly explains why, despite wanting to lose 10 lbs, I can’t put down these delicious cookies. Damn you elephant, Damn you!).

This is a very cursory and simplified explanation of a great book.* But with this explanation, let’s insert the Rider/Elephant into the social media policy implementation equation.

Direct the Rider: The Heath Brothers note that resistance is often due to a lack of clarity. In this regard, social media policies are simultaneously too specific and too broad. This leaves the Rider with information overload and too much ambiguity to process, which undercuts the Rider’s ability to control the elephant. This is because the Rider experiences decision paralysis, i.e., too many choices consume the Rider’s cognitive resources, making it that much easier to give in to the immediate emotional needs of the elephant.

For example, a proposed social media policy was forwarded to me by an attorney (a non-client. The attorney wanted to know my thoughts – i.e., free legal advice). This policy was more of a manual, which came in at just over 14 pages. Now imagine you are John Doe, disgruntled employee blowing off steam on Facebook about a dispute he had with Jane Doe manager. Or that you are Jane Doe manager twittering about your company’s upcoming product release. In these examples, John Doe would need to review Section III, paragraph A(1) to evaluate what his company considers to be appropriate on-line discussions of co-workers. Jane Doe, however, would need to consult with Section V, paragraph B(1) to evaluate how company information should be treated, and would probably want to consult with Section VII, which deals with marketing and communications with the public. Any bets that this policy will be followed?

So let’s replace the preceding 14+ page manual with a set of rules that script the critical points your organization wants an employee to consider before publishing something on any social media outlet. I call this the “Think Before you Publish” Social Media Policy (I know, I’m very creative):

  • Rule No. 1 – Assume anything you blog about, tweet, update on Facebook, or otherwise publish will appear on the cover of the Wall Street Journal;
  • Rule No. 2 – Assume you will have to explain to your mother, father, children, or any loved one why you published any of the preceding and what you were thinking at the time; and
  • Rule No. 3 – If your social media publication involves your employer, any of its managers, employees, products, or services, assume you will also have to explain why and what you were thinking when you made such post to any of these constituents.

These rules, taken together, provide a working framework for an employee to consider, where the focus is on “specific behavior,” i.e., think about what you are about to publish before making it public. These rules also do not tax the Rider’s cognitive processes by requiring the Rider to evaluate the content of a “tweet,” a blog posting, or a Facebook update against sections from a 14+ page manual.

I fully concede that it will be important to supplement these three rules with explanations, especially when it comes to work-related publications that may not seem facially inappropriate. Examples may include releasing non-public information about an upcoming product release, endorsing a product or service without considering the Federal Trade Commission’s recent expansion into this subject, or if your product or service is in a heavily regulated industry with specific issues to address. But at the very least, these three rules are intended to provide a moment to reflect before hitting that “share” button.

Motivate the Elephant: Motivating the elephant means appealing to a person’s emotional side. This is because simply speaking to the rational rider will not carry the day (I know if I want to lose weight, I need to exercise and eat fewer calories, like from cookies. Yet here I am enjoying one two cookies). Similarly, employees are often given a policy manual to read and review and a form acknowledging the employee has done both. Applying this approach to social media does little to appeal to the “Elephant.” But how do you appeal to an employee’s self-interests to obtain actual buy-in when it comes to following your social media policy?

There are innumerable examples of what happens when social media goes wrong. For example, recently a female middle school teacher was discharged after photographs of her engaged in a simulated act of fellatio with a male mannequin appeared on an internet website (Land v. L’anse Creuse Pub. Schs. Bd. of Educ.). These pictures were taken at a combined bachelor/bachelorette party. The discharge was later reversed by the Michigan Teacher Tenure Commission and affirmed by the Michigan Court of Appeals. While this case had a happy ending for the teacher in that she got her job back, it came after a prolonged litigation process that was witnessed, at a minimum, by school employees, students, and parents.

Another great example occurred last year when a consultant/VP tweeted about being in Memphis: “… i’m in one of those towns where I scratch my head and say ‘I would die if I had to live here!’” Unfortunately for the consultant, he was in Memphis because he was presenting to a major client headquartered in Memphis (a little company called FedEx). Worse, employees at FedEx ran across the tweet. And even worse, FedEx responded. Click here for the full write-up and the response.

There is even a website called that allows one to look through posts on Facebook users’ walls, including the potentially embarrassing and career-ending kind. In perusing through this site, I was amazed how many people have a boss who is an idiot!

Using these examples – and many, many others – to illustrate why an employee should follow the company’s social media policy appeals to the elephant, i.e., “follow these rules so you don’t end up like the last jack-ass that called me an idiot.” Again, the intention is that before an employee hits the share button, he or she will reflect on what might happen to the individual if the publication became public knowledge.


Social media is widely considered a “must” for business organizations. That might be true. Even if it is not, however, it is a must to have a social media policy. To increase the effectiveness of that policy, keep in mind your Riders and Elephants. In other words, first make the policy succinct and readily translatable into expected concrete behavior. Second, when presenting the policy to your employees, don’t forget to appeal to their elephant by addressing their emotional interests, i.e., show why the policy is intended to help the individual.

Feel free to forward me any outrageous or noteworthy social media policies with a brief explanation of why the policy is either. Also, contact me with any questions about this topic.

* I don’t know the authors Chip and Dan Heath. I’ve never spoken with either individual. In fact, other than seeing their pictures on the inside of the book jacket, I couldn’t pick Chip or Dan out of a line-up. I bring this point up because Switch and their earlier book, Made to Stick, are both fantastic reads, worth picking up and this recommendation is based solely on the merit of those books and no personal connection or personal interest on my part (I’m deliberately not including a link to either book to remove any suspicion that I’m even getting compensated for referrals to the books). Although, in full disclosure, if the Heaths would like to give me a cut from the increased book sales my post is certain to generate, I’m willing to negotiate (and please read the preceding disclosure with heavy sarcasm).

Written by Jason Shinn

July 5, 2010 at 10:01 pm

Internet Privacy to be Examined by Commerce Department

U.S. Commerce Secretary Gary Locke announced the launch of an initiative designed to gather public input and review the nexus between privacy policy and innovation with respect to the Internet. Additionally, Mr. Locke announced the formation of a Department of Commerce-wide Internet Policy Task Force to identify leading public policy and operational issues impacting the U.S. private sector’s ability to realize the potential for economic growth and job creation through the Internet. Click here for the full press release.

Mr. Locke explained that the motivation for this initiative is “[b]ecause of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations.”

Further, the Commerce Department is seeking public comment from all Internet stakeholders through a Notice of Inquiry (NOI) published in the Federal Register. One question the Department seeks to answer is “whether current privacy laws serve consumer interests and fundamental democratic values.”

Please contact me about offering insight on this topic or joining in the submission of a comment pursuant to the NOI. Your suggestions would be greatly appreciated. Thanks.

Social Media Revolution & What it Means for Employers

A number of my blog posts have discussed the importance of having an employee policy applicable to social media – think Facebook, LinkedIn and MySpace. These posts have generally discussed specific risks that employers are exposed to as a result of the increased use of social media by employees. Click here (Another Reason for Employers to be Wary of Social Media – Unfair and Deceptive Acts) and here (Digital Security Report: Social Networking Sites Expand Risks for Employers) for representative posts.

I recently ran across a phenomenal video, Social Media Revolution, that brilliantly puts into perspective the significance of social media (a big thanks to Wizard Media’s Jimena Cortes for sharing this video).

Also, a recent study tries to quantify the impact social media has on employers. The study by the Network Box (article discussing the report is available here) notes that 6.8% of all business internet traffic goes to Facebook. This means that approximately 7 times out of 100, the site visited by an employee at an average business is Facebook.

There is no single best approach for managing social media risks. Similarly, there is no single best approach for leveraging the opportunities presented by social media. It is important, however, to take a broad view so that you can operate in full awareness of the risks and opportunities in determining what role social media will play when it comes to your business and employees. With such an awareness, the risks can be managed to best serve your commercial endeavors.

Click here and sign up for the Client Alerts (right column) and select the HR 2.0 Alert, to receive updates on Social Media and other employment matters, including a free Social Media Employee Policy.

Written by Jason Shinn

April 18, 2010 at 10:02 pm


What your Company Should Know when it comes to Cyber Attacks

Concerns that U.S. business organizations are losing the digital arms race, a/k/a cyber-warfare, are widely reported. Among those raising concerns is Amit Yoran. He was appointed director of the US-CERT and National Cyber Security Division of the Department of Homeland Security, and also acted as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. He is presently the CEO of NetWitness and serves as a commissioner on the CSIS Commission on Cyber Security for the 44th Presidency and numerous other industry advisory bodies. In short, this guy might know a thing or two about the digital challenges U.S. business organizations are facing and what can be done.

And in fact, Mr. Yoran was interviewed by about these subjects and provided insight as to what steps business organizations can take to, at least, minimize the chance of being on the losing side of the cyber-war. Click here to be taken to the video clip. It is short but informative.

Free Pass for Attorneys when it comes to “Monumental” E-Discovery Violations?

The E-Discovery Team (courtesy of Mr. Losey) reported that the Qualcomm Order concerning whether six attorneys would be personally sanctioned for discovery misconduct relating to their defense of their corporate client came down (click here for Mr. Losey’s post). Here is a link to the April 2, 2010 Order. If you’re short on time, read the image that accompanies this post – it reaches the same conclusion.

For those who have not followed or have forgotten about this e-discovery saga, it arose out of an order sanctioning Qualcomm and a number of its outside attorneys for failing to produce tens of thousands of relevant and responsive documents during its patent suit against Broadcom.

These documents also consisted of emails and documents that undercut Qualcomm’s position at trial (I hate it when the facts get in the way). Taking a page from the Watergate playbook, Qualcomm then attempted to cover up these documents after they emerged at a critical point in the trial. But at the end of the day, Qualcomm was ordered to pay Broadcom $8,568,633.24, and the Court found that six attorneys personally contributed to what it described as a “monumental discovery violation.” See Qualcomm Inc. v. Broadcom Corp. 2008 WL 66932, 13 (S.D.Cal. 2008).

Around March 2008, the case was remanded to the Magistrate Judge for additional consideration and, specifically, to provide the sanctioned attorneys an opportunity to defend their actions. With the benefit of this second-go-around, the finding that these attorneys contributed to a “monumental discovery violation” might have been a little harsh. Or in the words of the Court’s Order declining to hold those six attorneys responsible:

There still is no doubt in this Court’s mind that this massive discovery failure resulted from significant mistakes, oversights, and miscommunication on the part of both outside counsel and Qualcomm employees. The new facts and evidence presented to this Court during the remand proceedings revealed ineffective and problematic interactions between Qualcomm employees and most of the Responding Attorneys during the pretrial litigation, including the commission of a number of critical errors. However, it also revealed that the Responding Attorneys made significant efforts to comply with their discovery obligations. After considering all of the new facts, the Court declines to sanction any of the Responding Attorneys.

While the Qualcomm attorneys were eventually exonerated (although this may be a quintessential Pyrrhic victory for the attorneys and law firm involved – see this article), it is likely that this case will continue to be the equivalent of “Keyser Söze” for the legal community, i.e., “a spooky story” told as a reminder of what could happen to an attorney who doesn’t comply with his or her ethical and legal obligations. Right … what could happen ….

In any event, the “major errors” highlighted by the magistrate’s April Order are instructive for both in-house and outside counsel. The first “fundamental problem” was “an incredible breakdown in communication,” which “contributed to all of the other failures.” Other specific failures recognized by the court included a failure to present evidence establishing that any attorney (in-house or outside counsel) explained the legal issues to the appropriate employees or discussed collection procedures; the failure to obtain sufficient information to understand the relevant computer systems; and the failure of any attorney to take on a supervisory responsibility for verifying that the necessary discovery was conducted.

Written by Jason Shinn

April 6, 2010 at 4:47 pm

Cybercrime – FBI Reports Increase in Complaints & Losses for 2009.

As if your organization didn’t have enough to worry about – the FBI reported that cyber-crime is on the rise (click here for a post at InsideCounsel). The full report is available here.

Among the cyber-crime victims coming forward is a law firm that filed suit against the Chinese government (Click here for the full story from Wired’s Threat Level). In fact, the Wired article notes that “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it.” The types of threats that such law firms and other companies face are called Advanced Persistent Threats (APT). APT attacks are distinctive in that they are rarely detected by antivirus and intrusion-detection programs. Further, these attacks are espionage focused. In other words, APT hackers attempt to take business intelligence, e.g., files, e-mails, etc., rather than the financial or customer data that serves as a precursor for identity theft. For an in-depth, yet very readable discussion about APT attacks, click here (also a Dark Reading post).

Just as dangerous as APT hackers or other cyber-criminals is the current or former rogue employee. For example, a federal grand jury recently indicted a former employee of the Transportation Security Administration (TSA) for trying to corrupt a database of terrorism suspects in an inside job that many within the information security industry say is a stark reminder of how important it is to track insider access to sensitive data stores (click here for the full story originally posted at Dark Reading).

The preceding FBI report and stories illustrate that business organizations should assume that an attempt will be made to compromise their IT infrastructure. I’ve talked with various IT security professionals about what the appropriate steps are to prevent APT or other cyber-attacks. Unfortunately, the general and unsatisfying response has been to the effect that if someone wants in badly enough and has the resources, they will get into your network. The sophistication and resources of some of the high-profile cyber-victims (Google, Marathon Oil, ExxonMobil, and ConocoPhillips, to name a few) would seem to confirm this conclusion.

And many remedies available to business organizations are only available after the fact (Click here for a prior post discussing theft of business assets and the Computer Fraud and Abuse Act). But when it comes to discharging employees, low-tech measures and common sense go a long way in preventing near disasters like that allegedly committed by the former TSA employee: Make sure your termination process first removes all access to sensitive information, databases, e-mail, etc., and then terminate the individual – not the other way around. Such steps are especially important when the employee has administrative rights to the IT infrastructure.