How To Manage A Company’s Social Media Presence

Having a social media presence has become a necessity of both private and professional life in the 21st century, and managing it effectively is more important than ever. A social media presence can manifest itself in a variety of ways - from commenting on websites and live chat systems to more formalized social media platforms such as Twitter, LinkedIn, Facebook and beyond - but in all instances, it projects the company's brand to untold numbers of people.1 Many of the most popular social media outlets - such as Facebook, which surpassed one billion users in 2012 - are blurring the lines between professional and personal social media.2 As a result, use of social media by companies has exploded, quickly overtaking previous methods of corporate outreach. For example, in 2012, 73 percent of Fortune 500 companies reported using a corporate Twitter account (an 11 percent increase over the previous year), and 66 percent had a Facebook page.3 By comparison, only 28 percent of these companies had a corporate blog (still, a significant increase over previous years).

As discussed in further detail below, these activities create compliance obligations for regulated entities - such as financial institutions and financial advisors - that are in the process of being addressed and clarified by regulators. But even for non-regulated entities, social media activities can be the focus of potential litigation and discovery obligations. Therefore, in addition to addressing best-practices of social media management (using recent regulator guidance as a reference), this article will briefly discuss a party's obligations once in litigation.

The Importance, and Best Practices, of Social Media Management

As the use of social media by companies has become nearly ubiquitous companies have begun to grapple with the implications of social media use by both the company and its employees. As summarized below, certain regulated industries are at various stages of implementation of social media policies based on guidance issued by government and industry regulators. Likewise, many professional organizations, such as the American Medical Association, and various legal associations and bar organizations, have issued social media guidance to their members.4 However, even for companies in unregulated industries it is important to have a well thought out, and implemented, social media policy. Certain lessons can be drawn from the guidance issued by the Federal Financial Institutions Examination Council (FFIEC), the Securities and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA) regarding the core principles of such a social media policy. This article will examine the regulatory guidance issued or proposed for financial institutions with an eye to articulating those lessons for companies in other, unregulated industries.

Social Media Obligations of Regulated Financial Institutions

Recently, the FFIEC - a body that is empowered to "prescribe uniform principles, standards, and report forms for the federal examination of financial institutions" and to "make recommendations to promote uniformity in the supervision" of those financial institutions - promulgated a proposed "Social Media: Consumer Compliance Risk Management Guidance" (the FFEIC Guidance) to its members.5 Although the proposed guidance is still in the 60-day comment period as of this writing, it is designed to address "the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media" by financial institutions.6

These institutions would be expected to "use the guidance in their efforts to ensure that their risk management practices adequately address the consumer compliance and legal risks, as well as related risks, such as reputation and operational risks, raised by activities conducted via social media." The FFIEC recognizes that this form of customer interaction "tends to be informal and occurs in a less secure environment" and therefore presents "unique challenges" to these institutions. According to the FFIEC, one of the principal ways risk can increase is from "poor due diligence, oversight, or control" of the social media activities by the financial institution.7 Therefore, the guidance is designed to "ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program." Specifically, the guidance provides that:

A financial institution should have "a risk management program that allows it to identify, measure, monitor, and control the risks related to social media", and the "size and complexity" of the program should be "commensurate with the breadth" of its social media activities. The risk management program should be "designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing." As part of that process, it should have an "[a]udit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance." This program should include a "governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution" and "establishes controls and ongoing assessment of risks in social media activities." This would include parameters "for providing appropriate reporting to the financial institution's board of directors or senior management." The institution should have policies and procedures "regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance." These policies and procedures "should incorporate methodologies to address risks from online postings, edits, replies, and retention." The institution should have "[a]n employee training program that incorporates the...