Managing compliance and legal risk in internal social networks


While the matter was largely overlooked when enterprise social network projects were in their infancy, compliance is becoming a major concern for many businesses.

What is it? Ensuring that the use of a social network complies with regulations, whether these are national, international or merely internal policies.

Examples: how to make sure employees won't share highly confidential information in the enterprise social network (e.g. a future product still under development)? How to make sure no group will be created with a forbidden focus? How to know whether the social network is used to organise, or even conduct, activities that may be subject to prosecution?

The list is long, and concerns range from over-protection (businesses try to prevent things that have no consequence) to simply respecting the law. For instance, the banking industry is subject to regulations that forbid practices that may look normal anywhere else.

Compliance: the minefield of the social intranet

One last point before going further. The matter is not peculiar to enterprise social networks but encompasses any collaboration or communication tool available in the workplace. The implementation of a social network is sometimes the occasion to realize how careless businesses have been in the past or, on the contrary, to calm things down in the face of exaggerated and counterproductive concerns.

The point can be seen from two perspectives: preventing bad uses a priori or fixing things a posteriori.

As for prevention, there are two well-known, simple mechanisms. The first one is technological and consists of approving any content before it's published. Let's be clear: it will never work in the context of a social network or any application used for actual work. So there's only one left: making employees aware of the risk and establishing guidelines. In any case, establishing guidelines and policies is a must-do in such projects, whether one is paranoid or not. Just a matter of common sense.

More important is the matter of fixing things a posteriori. Even in the best of all worlds, guidelines and common sense are not always followed. First because mistakes exist, even in good faith; second because people with bad intentions won't care about guidelines. Please calm down: I have no example or story of any kind of hostile use of an enterprise social network but, anyway, a business that would not have taken precautions may be held responsible in the very unlikely case the risk becomes reality. That's not a matter of trust but a matter of respecting the law. Period.

So stop inveighing against the legal department that may look like the party pooper. For them this field is a minefield, and any negligence comes with a huge price.

So there are three possible attitudes facing this matter.

• Do nothing

This solution has been prevailing for a long time and is still popular among many organisations, even if more and more begin to understand what's at stake. It was the typical attitude when today's leaders started, years ago, when this matter was far from the top of the list. But enterprise social networks have reached a critical mass and position over time, and they know they'll have to deal with the issue one day or another.

This is a very "2.0" attitude, based on trust towards users and the will to respect a "non-control" philosophy. That's a philosophical stand that can be praised but is way too risky.

Let things go, human compliance or technology-based compliance

• Implement human compliance

The idea is to identify forbidden matters. One or many people, often the community managers, are granted rights so they can see everything on the platform, whether spaces are secret, private or public, in order to make sure no one uses the platform to plan terrorist actions, share clients' credit card numbers or talk about the DXB489 project, a future product supposed to save the company.

This approach has one big advantage: it's simple to implement and does not require a big investment (except the day the social network is so widely used that an army of watchers is needed). On the other hand it raises a major concern about trust: to what extent will users trust the social network if they know that one or many people can have a look at what's happening in their private spaces? Risks of policing, arbitrary judgement... the risk of nipping the social network in the bud is high.

That said, there's nothing new here. At the IT department, software administrators can already access the content of spaces, and emails and instant messaging logs are stored. But end users are often unaware of it and, moreover, what's new here is that such permissions are now granted to non-IT people. This brings the question to the ethics level and raises the issue of how much oversight community managers themselves are subject to.

• Implement technology-based compliance

The problem with human compliance is not the access to data: everyone knows that businesses log, store and control it... and that's sometimes even made compulsory by law. What raises a concern is the human nature of the system: people can fail, there's a risk of arbitrary decisions, people have opinions, people can leak information they've read.

So the problem can be solved by technology. Nothing new here: e-discovery solutions have been around for a while and have already been monitoring emails and instant messages for years. What's new is to use them for social networks, which used to be a poorly controlled haven of peace. How they work is easy to understand: the software scrutinizes every log and action, tries to detect the use of certain words or a certain kind of content (e.g. a number that looks like a credit card number...) and alerts the administrator. The latter only sees the text in question, not the whole community or conversation. He can decide that the content is compliant, ask the author for explanations before making a decision, or remove it.
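To make the mechanism concrete, here is an added example (not code from the original post or from any e-discovery vendor) of a minimal scanner of the kind just described: it runs over activity-log entries, flags a forbidden project name and Luhn-valid card-number-like strings, and produces alerts that carry only a redacted excerpt around the hit, never the whole conversation, so the reviewer sees no more than the paragraph says. The watch list, the people and the sample messages are constructed for illustration; the Luhn check is there to avoid alerting on order or ticket numbers that merely look like card numbers.

```python
"""Added example, not code from the original post or from any e-discovery vendor:
a minimal technology-based compliance scanner. It scans activity-log entries for
a forbidden project name and for card-number-like strings, and emits alerts that
carry only a redacted excerpt around the hit (never the whole conversation).
All names, messages and the watch list are constructed for illustration."""
import re
from dataclasses import dataclass, replace

# Constructed watch list; "DXB489" is the hypothetical project name used in the post.
FORBIDDEN_TERMS = ("DXB489",)

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# The three outcomes the paragraph describes for the reviewer.
REVIEW_DECISIONS = ("compliant", "ask-author", "removed")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop order/ticket numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Alert:
    entry_id: str
    author: str
    rule: str
    excerpt: str          # redacted text around the hit: the only content a reviewer sees
    status: str = "pending"


def _excerpt(text: str, start: int, end: int, replacement: str, margin: int = 20) -> str:
    """Return a short window around [start, end) with the hit replaced by `replacement`."""
    s, e = max(0, start - margin), min(len(text), end + margin)
    return text[s:start] + replacement + text[end:e]


def scan_entry(entry: dict) -> list:
    """Scan one log entry ({'id', 'author', 'space', 'text'}) and return its alerts."""
    text, alerts = entry["text"], []
    for term in FORBIDDEN_TERMS:
        for m in re.finditer(re.escape(term), text, flags=re.IGNORECASE):
            alerts.append(Alert(entry["id"], entry["author"], f"forbidden-term:{term}",
                                _excerpt(text, m.start(), m.end(), m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]  # keep the last four digits only
            alerts.append(Alert(entry["id"], entry["author"], "card-number",
                                _excerpt(text, m.start(), m.end(), masked)))
    return alerts


def scan_log(entries: list) -> list:
    """Scan a whole activity log; secret, private and public spaces are treated alike."""
    return [a for entry in entries for a in scan_entry(entry)]


def review(alert: Alert, decision: str) -> Alert:
    """Record the reviewer's decision: compliant, ask the author, or remove the content."""
    if decision not in REVIEW_DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    return replace(alert, status=decision)


# Constructed sample log entries; 4111 1111 1111 1111 is a well-known Luhn-valid dummy number.
SAMPLE_LOG = [
    {"id": "e1", "author": "alice", "space": "private:sales",
     "text": "Client paid with card 4111 1111 1111 1111, please file it."},
    {"id": "e2", "author": "bob", "space": "secret:rnd",
     "text": "Draft deck for dxb489 is ready for review."},
    {"id": "e3", "author": "carol", "space": "public",
     "text": "Order 1234 5678 9012 3456 shipped on 2013-01-28."},
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample log, the first entry raises a card-number alert whose excerpt shows only the last four digits, the second raises a forbidden-term alert despite the lower-case spelling, and the third raises nothing because its 16-digit order number fails the Luhn check. Each alert starts as "pending" and the reviewer's decision is recorded on the alert, which is the audit trail a compliance team would keep.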

Technology-based compliance: the only solution that scales

First, please note that in some industries such mechanisms are made mandatory by law. Businesses need to be able to prove that a given piece of information has been shared (or not), who read it, and even whether the information was removed a couple of minutes later.

I once attended a session on compliance at IBM Connect 2013. As enterprise social network initiatives become bigger and more visible, I found that the demoed solution (Actiance's, in this case) echoed many concerns organizations are trying to deal with, as well as the legal constraints international businesses must face, having to deal with specific regulations depending on the country.

– e-discovery mechanisms as described above.

– the ability to hide content based on local law requirements. For example (I can see this case happening), a community on oenology and some tags on personal profiles that are acceptable in France may be forbidden in some Middle-East countries. Or, in the case of a merger, some content from one company should not be visible to the other until the process is completed.

– having a single compliance platform for all the tools: instant messaging, social network...

– the ability to deal with external social networks (Facebook, etc.)
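The "hide content based on local law" and merger-isolation items above are both visibility rules evaluated at read time, and the earlier requirement to prove who could see what means every decision has to be logged. The following added example (my own illustration, not code from the original post or from the product demoed at the session) shows one way a single compliance layer could evaluate such rules and keep an audit trail. The company names, the placeholder country code "XX", the tag policy and the merger date are all constructed.

```python
"""Added example, not code from the original post or from the demoed product:
a small visibility-policy evaluator for the "local law" and "merger isolation"
rules, with an audit log of every decision. Country codes, company names,
the tag policy and the merger date are constructed placeholders."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Viewer:
    user: str
    country: str   # where the viewer is located; constructed codes "FR" and "XX"
    company: str


@dataclass(frozen=True)
class Content:
    content_id: str
    owner_company: str
    tags: frozenset


# Constructed policy: the "wine" tag (an oenology community) is hidden from viewers
# located in the placeholder country "XX"; nothing is hidden for viewers in "FR".
HIDDEN_TAGS_BY_COUNTRY = {"XX": frozenset({"wine"})}

# Constructed merger: until it completes, content of one party stays invisible to the other.
MERGER_PARTIES = frozenset({"AcmeCo", "BetaCorp"})
MERGER_COMPLETES = date(2013, 6, 30)  # placeholder date

AUDIT_LOG = []  # one record per access decision, allowed or denied


def decide(viewer: Viewer, content: Content, today: date) -> tuple:
    """Return (allowed, reason). The reason is kept even when access is allowed."""
    hidden = HIDDEN_TAGS_BY_COUNTRY.get(viewer.country, frozenset())
    blocked = content.tags & hidden
    if blocked:
        return False, f"tags {sorted(blocked)} hidden in {viewer.country}"
    parties = {viewer.company, content.owner_company}
    if today < MERGER_COMPLETES and len(parties) == 2 and parties <= MERGER_PARTIES:
        return False, f"merger isolation between {viewer.company} and {content.owner_company}"
    return True, "no rule matched"


def view(viewer: Viewer, content: Content, today: date) -> bool:
    """Evaluate the policy and write the outcome to the audit log before answering."""
    allowed, reason = decide(viewer, content, today)
    AUDIT_LOG.append({"user": viewer.user, "content": content.content_id,
                      "date": today.isoformat(), "allowed": allowed, "reason": reason})
    return allowed


# Constructed sample data.
WINE_CLUB = Content("c-wine", "AcmeCo", frozenset({"community", "wine"}))
FORECAST = Content("c-forecast", "AcmeCo", frozenset({"finance"}))
ALICE = Viewer("alice", "FR", "AcmeCo")
BOB = Viewer("bob", "XX", "AcmeCo")
CAROL = Viewer("carol", "FR", "BetaCorp")
DAVE = Viewer("dave", "FR", "GammaInc")

if __name__ == "__main__":
    for v, c, d in [(ALICE, WINE_CLUB, date(2013, 3, 1)), (BOB, WINE_CLUB, date(2013, 3, 1)),
                    (CAROL, FORECAST, date(2013, 3, 1)), (CAROL, FORECAST, date(2013, 7, 1))]:
        print(v.user, c.content_id, view(v, c, d))
    for record in AUDIT_LOG:
        print(record)
```

Because the rules are evaluated at read time rather than baked into the content, a viewer who travels to a restricted country, or a merger that completes, changes the outcome without anyone editing or deleting anything, and the audit log still shows what each person could see on a given date. A third party to the merger (GammaInc here) is unaffected by the isolation rule.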

The implementation of such a solution is more expensive, but it is scalable and fixes the trust-related issues.

If no response is perfect, one thing is sure: hiding the problem and being in denial is the worst one. There's something between doing nothing and removing communication tools, as is happening at JP Morgan.

Last point: whatever one decides, it will not remove the need to establish the right procedures and to respond to human risk with human responses.