Legal Considerations for Your Organization’s Social Media Policy

Why Have a Social Media Policy?

It's important to have an online presence in today's market. But if not properly managed, social networking can create potential liability. A social media policy is your company's internal control for protecting the organization's existence online. It guides employees on what is acceptable when interacting in the virtual world and maintains clear messaging for the business. With clear expectations for employees set out in a written policy, social media can be more useful.

Some Strategic Considerations for a Social Media Policy

When considering a unified social media policy, a good place to start is with the big picture. Think strategically about how social media will play a part in the organization's business plan. Once you've identified your goals for social media use, you can develop a policy to help encourage these goals and provide guidance during implementation. You can also consider how to avoid problems.

Here are some general considerations for your strategy discussion:

  1. Will you restrict personal social networking while at work? 
    Some companies want to limit how much time their employees spend on social networking sites while on the clock. The policy can address this aspect of social media use, and also whether the company will monitor use on company equipment.
  2. What do you consider proper online conduct?
    The policy should explain the do's and don'ts of social media use, both for official company accounts and for employees' personal accounts. Explain how a violation of the policy can result in discipline, up to termination. While there are limits to what the organization can control with regard to individual employee accounts, you can set boundaries during work time and can limit what employees say when acting on behalf of the business. Be clear about accountability for online participation.
  3. Are there guidelines for what can or cannot be shared? 
    You can consider confidential or proprietary information restrictions or prohibit posting personal information about clients. Consider legal compliance as explained below.
  4. Who will have authority to post on behalf of the organization? 
    Be clear who has the authority to speak on behalf of the organization and who is responsible for content on the business's official social media accounts. For other employees, consider explaining how employees can differentiate their own opinions from those of the company, such as through a disclaimer.
  5. Who controls the account?
    What will you do if a retraction is needed, or an employee posts something inappropriate? What if the account is compromised? A tip here is to make sure that the organization itself owns the account and that any MFA credentials required to access the account are within the organization's control. Employees should not control accounts with their personal emails and individual cell phones. (This is true for all organizational accounts, not just social media.)

When You Don't Have Social Media Policies

If an organization either doesn't have or doesn't implement its social media policy, there can be significant risks.

  1. Reputational damage and loss of trust
    If content isn't carefully monitored, a post can tarnish the company's image. The worst-case scenario can be a public relations nightmare. Even in less serious situations, conflicting messaging can erode consumer trust and loyalty.
  2. Legal issues
    Inappropriate posts can create legal challenges—everything from intellectual property infringement to breach of confidentiality or even defamation. 
  3. Appropriate productivity
    Everyone knows employees need their breaks—but spending extensive work time playing on social media is one of the most common disruptors to productivity.

Minimize Risks of Being on Social Media

  1. Guard your access
    The social media policy should implement security measures around password management, multi-factor authentication, and response plans for suspicious activity. It should control who can log in and how they have to do it.
  2. Defend against threats
    While all employees should be educated on scams and cyber threats, those in outward communications should be extra well-equipped to identify phishing, scams, and fraudulent activities. Keep current on good training, such as Upfort.
  3. Train on privacy and confidential information
    People who can post on the organization's social media sites should be well trained to identify confidential information and understand how to preserve the privacy of individuals and the trade secrets of the organization. Oversharing can put the organization at risk.
  4. Consider legal issues
    Legal considerations include privacy laws, defamation laws, and intellectual property laws. The social media policy will need to address possible legal violations.
  5. Credit sourcing
    The policy can address credit sourcing. If an article or individual is quoted, how will that be attributed? Back links and acknowledgment of the author/owner of creative works are not only legally and morally appropriate, but can strengthen the social media presence.
  6. Industry-specific regulations
    The policy should consider any industry-specific limitations in place. For example, for law firms, ethics rules require that anything posted that could be considered "advertising" must be approved by an attorney.
  7. Control the accounts
    Make sure the organization itself controls all its own accounts, from website ownership to every single social media account. Many times, an organization has found itself held hostage by a disgruntled employee.

Security and Privacy Guidelines for a Social Media Policy

  1. Protect confidential information and privacy
    The policy should direct employees not to share proprietary or sensitive business information. This includes trade secrets, information from client lists, financial data of the organization, and confidential internal communications. For organizations that work with confidential data (law firms, counselors, medical providers, etc.), there will be overarching ethical and legal guidelines in addition to the basic ones.
  2. Define appropriate content
    The policy should prohibit publishing defamatory, derogatory, or inflammatory remarks. The policy should prohibit posts or images that suggest any involvement in illegal conduct. This will protect both the organization and employee integrity.
  3. Define who can post
    Probably not every employee should be allowed to post on behalf of the organization, and the policy should define both who is allowed to post, and how posts will be approved.
  4. Password and authentication
    The policy should require strong, secure passwords and two-factor authentication for all organizational accounts.
  5. Software and device security
    This may not be part of the social media policy, but generally, the organization needs to require software and digital device security. This includes regular patches and security updates.
  6. Incident response protocol
    What happens if a post is inappropriate, or there is a security breach? The policy should include a protocol on how and to whom to report, and who is responsible for the response.

Other Guidelines for an Organizational Social Media Policy

Here are some general points to consider for the policy.

  1. Purpose of the policy
    Stating the purpose of the policy is important because it helps employees understand how it aligns with the organization's values and what it is trying to accomplish—such as supporting the organization's brand.
  2. Scope of the policy
    It helps to clarify both that the policy applies to everyone in the organization, and if necessary, how it applies. This will help with uniformity in social media activities.
  3. Require good judgment
    Encourage employees to use good judgment and act prudently on social media, because no policy can possibly address every issue involving social media use.
  4. Reference other policies
    A social media policy should affirm that the company's other policies—regarding discrimination, harassment, confidentiality, security, etc.—apply to employee social media use.
  5. Consider third parties
    If the organization works with third parties that post about it—such as recruiters or influencers—how does it monitor what is posted? There may need to be a tailored version of the policy for such partners.
  6. Employee creative work
    Employees may create amazing blogs, videos, or images. Collaboration and sharing can be encouraged. The key is to have an approval and posting process for employee work that is to be shared on social media platforms.

Public Relations and Crisis Management

  1. Monitoring and enforcement
    Who will be responsible for monitoring the social media accounts and enforcing policy? Who will monitor the organization's online presence and any criticism? If a serious situation arises, what are the channels for discussing and addressing issues internally? This likely involves both someone whose job includes the monitoring, and a process for interacting with the crisis management team.
  2. Handling negative comments
    What is the policy for handling negative (or positive) comments from the public? It can be helpful both to have pre-crafted responses and to have a process in place where appropriate team members are prepared to respond well.
  3. Crisis management
    The social media policy should interact with the crisis management plan. Responding on social media can help to manage public relations events. But to do so, the communications team must understand how to work with the crisis management team (including legal ramifications).

Support Brand Identity

Most organizations use social media to set brand identity. The policy should consider how this is done, to ensure consistent brand image and voice.

  1. Unified messaging
    Whether in a small way or across a large team, the social media policy should ensure that every post aligns with the brand. This builds trust among those viewing the posts. Those posting should be trained so they avoid inconsistent messaging.
  2. Brand recognition
    Social media posts should use consistent images, logos, and messaging to support the brand. Posts should be considered in light of how well they will support the brand. The brand should also be presented consistently across every platform where the organization is engaged.
  3. Train employees in communication
    Employees can be trained in brand representation, etiquette of communication, and keeping appropriate confidentiality. If they understand how social media is to support the brand, they are less likely to make mistakes.

Private Social Media Use and Legal Limitations

You may want a separate policy, or a portion of the social media policy, to address private social media use. Not addressing this area can also create risks for the organization.

  1. Private social media versus organizational use
    Individuals may post on their own social media. If they endorse or criticize the organization (or competitors), they should identify that although they are organizational employees, they are only speaking for themselves. If they are using the channel for business purposes (such as a missionary raising support or to promote their own role), they must comply with the organization's policy. 

    The organization can require professionalism and that the employees not violate workplace codes of conduct. If the organization is a religious organization, it can require behavior consistent with its religious beliefs.

  2. Employee advocacy
    Social media is an important tool for employee advocacy. While this is not necessarily a favorite of management, employees have legal rights to advocacy. The National Labor Relations Board takes the position that employees can address work-related issues and share information about pay, benefits, and working conditions. Statements must have some relationship to group action.

    Also, statements are not protected if they are "egregiously offensive" or "knowingly and deliberately false." And statements are not protected when an employee publicly disparages the organization's products or services in a way that is not related to a labor controversy. (See National Labor Relations Board Social Media Guidelines.)

    The policy can define "offensive" language as that violating the organization's values or other policies such as discrimination and harassment, but clarify that it is not intended to limit discussion about pay, benefits, and working conditions. It can also state that employees are not to make statements that are knowingly and deliberately false.

    In defining confidential information that cannot be shared, information about pay, policies, or procedures should not be included, because that can violate state or federal law. 

  3. Train employees on how to advocate
    For employees to be able to advocate effectively for themselves, without creating unnecessary damage, training and resources can be effective. Training can explain that employees can discuss conditions of work but should avoid using offensive or personally derogatory language in doing so.

  4. Create guidelines for personal accounts
    Employees should be informed that their online behavior can reflect on the organization. They should be encouraged to fact-check before posting, to respect legal boundaries, including law about intellectual property, and generally to avoid negative comments about the company or competitors (with appropriate exceptions about work conditions). For some organizations, such as religious groups or those where personal ethics are important, employees should be aware that their online behavior affects their professional reputation.

Conclusion

Social media can be a really important aspect of an organization's public reputation. However, there are risks and pitfalls. Having a really good policy, with training to back it up, can help an organization maximize the usefulness of social media and avoid trouble.

_________________________________________

Featured Image by Rebecca Sidebotham.

Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations.