The explosive popularity of social media has left corporations in the dust. Blogs, Facebook and Twitter--online forums that let like-minded people connect--attract not only employees surfing the Internet rather than doing their work, but salespeople looking for new customers, marketing executives seeking a cheap way to promote their products, and human resources staffers trying to fill jobs. Such technologies can leave companies exposed to a variety of risks. But experts say, not only have few companies taken steps to formulate policies on how to deal with those risks, many may not even recognize the danger.
Allen Nelson, general counsel, chief administrative officer and executive vice president at $1.1 billion claims administrator Crawford & Co. in Atlanta, Ga., started taking a look at social media because he was concerned that the company could be the subject of disparaging comments on the Internet. Once he began looking around, Nelson was surprised to find Facebook pages with the company name on them, set up by employees who were using them to communicate.
"That's a perfectly good thing to do, candidly, we just weren't aware from a senior management point of view," Nelson says. "That was one of the things that was kind of eye-opening."
Social media sites can act like immense bullhorns that amplify offhand comments, whether that's a complaint from an unhappy customer or an inappropriate remark by a company employee. Negative conversations about a company are nothing new, says Erin Byrne, chief digital strategist at public relations firm Burson-Marsteller, but such remarks used to be made to one's acquaintances or church group. "Now they happen online, so they're much more scalable and can be much more powerful."
"When you're on Twitter or Facebook, it could be hundreds of thousands of people who follow what you're saying," says Ken Goldstein, worldwide media liability manager for Chubb Specialty Insurance. Companies don't seem to realize that, Goldstein says, noting that organizations that use social media are not vetting the content they post in the same way they check other content they make public.
In fact, a survey earlier this year, sponsored by Cisco and conducted by the Rochester Institute of Technology and two European business schools, suggests companies are missing in action when it comes to taking control of the risks involved in social media.
Researchers interviewed executives at 100 companies worldwide that were judged ahead of the curve in their use of social media, and found just one in seven had put in place formal processes for using social media. "We are looking at the best of the best, and they are struggling with these issues," says Neil Hair, one of the lead researchers on the study and an assistant professor at the Rochester Institute of Technology.
The study also found that just one in five companies had policies in place regarding the use of social media. On that point, Hair notes a split between big and small companies, "with some of the nimble smaller organizations saying, 'we don't need a policy, other than one that encourages people to get involved with this.' Larger organizations are saying, 'we need a policy, this can't be left to chance.'"
The Cisco study shows that the use of social networking tools seems to be largely separate from companies' information technology organizations: just one in 10 of the companies said IT was directly involved in social media. And it suggests that the use of social media involves so many different groups within companies that it may be contributing to the difficulty in defining who's in charge.
At Crawford, Nelson has put together a cross-functional group to develop a comprehensive policy on the use of social media that includes corporate communications, marketing, IT, legal and human resources.
Nelson sees ways in which social media can benefit the company, like providing an opportunity to demonstrate thought leadership by having employees post information that would be useful to clients. "I think there's a tremendous opportunity to increase the touch with your clients." And he notes that clients have asked Crawford about using social networking sites to investigate suspect claims for work-related injuries by checking what the claimant is posting on line. "People who have embraced Facebook sometimes have put themselves on their Facebook page doing all kinds of things an injured person might not be able to do," he says.
But Nelson also sees the risks that such technologies pose for his employer, like the possibility that "purely personal" postings by employees on Facebook or YouTube could reflect poorly on the company, or that someone "uses the company name without authority to speak for the company." And he notes that he has found remarks about the company on the Internet "that date back six or seven or eight years. It's ancient history but the remarks are still there. You don't think of those things having a long shelf life, but once it's out there, it's out there for a really long time."
Richard Sarnie, chief operating officer of ALS-UIC, a risk management consultancy in Upper Saddle River, N.J., sees other potential hazards. "Let's say the HR department uses LinkedIn to screen applications--that's a problem," Sarnie says. "Who's verifying that the information you're using is accurate and appropriate to be used?" There could be potential employment practices liability insurance claims, he adds.
He also cites the possibility a disgruntled former employee could post inside information or erroneous information about a company on the Internet, hurting its share price. "Now you're getting sued by shareholders," Sarnie says.
In fact, so far, litigation arising from the use of social media has involved individuals rather than corporations. But United Airlines' YouTube exposure is a sobering anecdote about the power such technologies can bestow on unhappy consumers. A musician who claimed United had damaged his valuable guitar and who had gotten no satisfaction from the airline last year posted on YouTube a video of a song he wrote and performed, entitled "United Breaks Guitars." To date, the video has been viewed more than 8 million times.
The United story shows the damage that can occur to a company's reputation, Sarnie says. "Three years ago, you never would have heard about anyone who had a problem with an airline, and the airline's getting a black eye."
What should companies be doing? For starters, experts say, they should pay attention to what's being said about them online, and to assess that, they should cast their net widely.
"From a risk management perspective, what's very interesting is that very often we hear folks in those roles say, 'We monitor the five or 10 most powerful blogs in our industry,'" says Burson-Marsteller's Byrne. "This is all highly searchable content, so you need to search both from branded perspective--the company name, executive names--but also a contextual perspective--the type of business you're in, the type of services you provide--to understand the full dialogue." There are a number of companies that provide such social media monitoring services.
Should a company spot negative information about itself on the Web, she argues that action works better than inaction. "If there is a negative comment, and the company does not respond, the chatter is likely to be worse," Byrne says. "And it sends a message about the company: The company is out of touch with the way stakeholders want to communicate."
As an example of how to respond, she cites Southwest Airlines' actions a couple of years ago after it had to take some planes out of service. "They not only monitored and responded to chatter, they let their employees publish their point of view about being committed to passenger safety on their blog, Nuts About Southwest," Byrne says. "They really turned the fact that they participated into a positive interaction."
Nelson says that, "historically the corporate view was ignore it, it will go away." But Crawford has decided to become more active in responding. "If they say something that's not very nice, that's fine," he says. "If they put out information that's just false, we have in fact developed a protocol that goes to the decision-making process surrounding when you respond and how you respond." The company has not yet had an occasion to use the protocol, "but it is in place, and we've got a very clear understanding of how we'll react," he says.
Companies also need to make it clear to employees what the rules are for using social media, whether they're using it on behalf of the company or on their own outside of work hours.
Peter Foster, senior vice president for network security and privacy, media, tech professional and intellectual property at insurance brokerage Willis North America, says companies should train employees who are going to use social media, even if they're blogging on third-party sites.
"Just as there are employee policies today that talk about respect in the workplace and respect to customers, there has to be a policy in place that goes to the social media aspects of that," Foster says. "If I'm an employee who is blogging on a third-party site and I could potentially do something that disparages another corporation, the corporation needs to have a policy."
To the extent a company posts blogs on its own site and allows comments, "the company needs another disclaimer regarding things said on that blog," Foster says, adding that companies should have a policy that sets out exactly what content is permitted on a blog.
Nelson says he thinks companies should have at least three things: a policy on social media, an understanding among employees about that policy, and a technology solution that ensures that the use of social media doesn't lead to the dissemination of sensitive company data.
Such data loss prevention software can search outgoing electronic data for certain types of information. "A company could set their data loss prevention software to pick up on any variety of things--financial information, customer names, Social Security numbers--and then use that as a tool," he says.
Chubb's Goldstein says companies should maintain their standards for the material put out via social media, and should also be prepared to pull material quickly if they spot problems. "If you have something on your platform that's either offensive or a copyright infringement, act fast, take it down," he says.
Goldstein also warns about limiting access to social media accounts. "To the extent you have these corporate Twitter or Facebook accounts, make sure you're safeguarding them," he says. "So someone who's a rogue employee doesn't take the opportunity to share content in a way that seriously damages your business reputation."
Some of the risks posed by social media are covered by insurance policies, and some are not. Media liability insurance, whether it comes as part of a company's cyber coverage or as a standalone policy, covers such traditional publishing liabilities as defamation, copyright infringement, trademark infringement and invasion of privacy.
Foster warns that companies should be careful that their media liability insurance "is not just covering the development of content on your own Web site, but content you're providing to a third-party platform."
While insurance can play a role in managing social media risks, "ultimately it goes back to education of your employees," Sarnie says. "If you type it, it's there forever, is what they need to understand."