A clear, well-worded company policy backed by adequate employee training can help avoid many of the potential problems caused by the use of social media.

“Unless you have a very strong social media policy, you don't necessarily know what your employees are saying about your company or about your competitors, and so it just creates all kinds of risks,” said Scott L. Vernick, a partner with law firm Fox Rothschild L.L.P. in Philadelphia.

In developing a policy, risk managers must “find out how your company is using (social media), both in the (human resources) sense and in the operational sense, dealing with customers, dealing with vendors, dealing with employees,” said Alan E. Brill, Secaucus, N.J.-based senior managing director of secure information services at Kroll Ontrack Inc.

“Look at it and apply your expertise, not the expertise of a computer person, not the expertise of a teenager, but how does this change the risks of your company? Are people doing things that are inadvertently creating risks that you really would rather not have to face? While you cannot restrict workers' personal activities, you can have rules about what they can release about the company,” Mr. Brill said.

Joseph P. Cutler, counsel with law firm Perkins Coie L.L.P. in Seattle, said, “The best advice is to embrace social media” and monitor its use by your employees, as well as the interactions they have with the public through social media.

“Do not be afraid to set thoughtful social media policies that establish some boundaries and expectations for use,'' Mr. Cutler said. “I don't think that employers that ban the use of social media in the workplace are going to be ultimately successful, and they're missing an opportunity to use it for the powerful thing that it is.”

Aaron K. Tantleff, senior counsel with Foley & Lardner L.L.P. in Chicago, said a social media policy often emerges from a firm's human resources department, while the “bring-your-own-device” policy comes from the information technology department. The two policies should be coordinated, he said.

%%BREAK%%

“A social media policy needs to go hand-in-hand” with a company's information technology policy or a loophole could result, Mr. Tantleff said.

Mr. Brill said the human resources, risk management and legal departments should work together to “come up with a simple series of guidelines. It should probably fit on one side of one piece of paper, and not in microscopically small letters,” he said.

“But it should be something that people could read and understand, and you should really consider making the policies so that you have guidelines, and you have a standard against which to measure activities and hold (employees) responsible for their actions,” Mr. Brill said.

A social media policy should clearly establish the type of information that is prohibited from being disseminated, including proprietary information and “anything that's subject to some type of regulation,” Mr. Tantleff said. It also should establish rules against publishing discriminatory or harassing comments on social media, he said.

The policy also should establish that individuals disclose their relationship with the company “as well as make clear that their views are their own and not those of the employer,” Mr. Tantleff said.

The social media policy should “very carefully spell out” what must be approved in advance, Mr. Vernick said.

Rebecca L. Stuart, an associate with Wilson, Sonsini, Goodrich & Rosati P.C. in Palo Alto, Calif., suggested employers have social media polices in place addressing when workers leave the company. “How can we be sure they haven't offloaded things to their personal computer?” she asked.

“Companies need to be more aware of what's going on in the post-employment context,” she said. Taking a “tough stance on proprietary information is really essential.”

%%BREAK%%

Workers should be educated so they “really appreciate the danger” of exposing company data, said Phil Mayes, London-based senior vice president in the global technology and privacy practice of Lockton Cos. L.L.C.

“There's a multiplicity of security solutions that are available, but what people too often miss is the softer side” around education and training, he said.

Once a social media policy is in place, workers “should get some good media liability training so they understand what the rules of the road are” and employment contracts should be modified “to clearly stipulate who's responsible for what data,” and who has jurisdiction over it, Mr. Mayes said.

Companies should be alert to any mention of their company's name on social media and pick up on themes that emerge involving the company and address those immediately. “This is something where you don't wait until next week because it'll be too late,” Mr. Mayes said.

Insurance also should be considered, experts say. Firms' general liability policy may not cover claims related to social media, Mr. Tantleff said.

The right privacy and network security policies “will extend to online or offline exposures,” said Matt Donovan, assistant vice president-technology and privacy underwriting leader at Hiscox USA in Atlanta.

Companies should “analyze their exposures and see if risk transfer and purchasing the right insurance is right for them,” he said.

Nothing is totally safe, said Bob Parisi, network security and privacy practice leader at Marsh Inc. in New York. “There's always a residual element of risk, and that's where insurance comes in,” he said.