Social media incidents cost a typical company $4 million over the past 12 months, according to the results of a Symantec survey published today.
There have been a number of legal actions about social media in recent years, including a Financial Industry Regulation Authority (FINRA) regulatory notice, the Romano vs Steelcase Inc and Bass vs Ms. Porter’s School cases (where both plaintiffs were granted discovery of the defendant’s Facebook Profile), and the sexual harassment case EEOC vs Simple Storage Management LLC (where a US District Court held that social networking sites — or SNS for short — were discoverable). This means that what your employees do on their personal time on SNSs can open your company to embarrassment and litigation. The survey, then, sought to find out how big this problem is in the enterprise. Symantec hired Applied Research to interview IT professionals from 1200+ enterprises with 1000+ employees.
45% of respondents use SNSs for personal use, and 42% use them for company use. IT folks are worried about employees sharing too much information (46%), the loss or exposure of confidential information (41%), damage to the brand (40%), exposure to litigation (37%), malware (37%), and violating regulatory rules (36%).
The respondents to the survey listed 9 social media “incidents” in the past 12 months, with 94% of those incidents having consequences, including damage to the brand (28%), loss of data (27%), or lost revenue (25%). The average cost of a social media incident was listed as $4.3M!
Most of the companies are discussing creating a social media policy, training their employees, putting processes in place to capture confidential information, and putting technology in place to stop these things from happening as well. However, what was surprising was that, while almost 90% of respondents felt they needed to have these things in place, only 24% had a social media policy, 22% were training their employees on social media, and about 20% were using technology to control this process.
Folks, it’s happening and it isn’t going away. The very least you can do is to create a social media policy and train your employees on why it is important. Those employees who are allowed to blog about company matters need to be continually reminded that their actions are discoverable. Even if their personal site may not be demonstrated to be official company policy, it surely states the opinion of one of its employees — and those employees make up the company. And if it can be shown that one of its employees was continually doing something damaging on a publicly accessible social site and the company did nothing to stop it, that can be actionable.
Just remember: It’s really easy to be a jerk on the Internet where you’re not facing the person you’re talking to. You might want to dial it down a notch or two. Just a thought.
Update 25 Jul 2011: I was given a briefing about this survey and didn’t read the press release until today. During the briefing, Symantec seemed to be playing down the role that technology had to play in helping to solve this problem. However, in the press release, it seems as if they’re saying that Enterprise Vault is going to handle this by archiving social media content. First, I have no idea why anyone who is not required to archive any content — be it email or twitter — would do such a thing. If you’re not required to keep something and keeping it adds no value to your business — don’t keep it! Second, even if you did archive it, I’m trying to understand how that would help you in a discovery situation. If someone wants to see your Facebook logs, they’re going to subpoena Facebook. That’s what happened in the cases listed in this article. So if you did archive it, now you’re required to produce it. So why would you do this if you weren’t being forced? And how would doing this help you in a trial?
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.