Social Media Policies for Business

It’s a lesson that all employees have to learn: What may be OK around the water cooler is not acceptable when an electronic business tool is used. Len Devanna, director of Web strategy at EMC, remembers once having to phone an employee who had tweeted an inconsequential gripe about an internal tracking tool, thinking the comment was just confined to his dozen followers. Devanna informed him that a public channel like Twitter was not the best place for personal frustrations, and the employee apologized. It was the only time in three years an issue with social media usage had emerged, and no confidential information was involved. 

Social media tools such as blogs, micro-blogs like Twitter, video and others represent an emerging collaborative environment for customers and employee engagement. But they also mean that companies must expand the conversation they have been having with employees about keeping important information private. While an email goes out to a person, a blog comment can go out to the world. As a result, the repercussions can be great, whether the act was intentional or not.

The 2009 Electronic Business Communication Policies & Procedures survey from American Management Association (AMA) and The ePolicy Institute underscores the issues involved. According to the survey of employees at 586 companies, 14% of employees have admitted emailing confidential information. Another 14% said that outsiders have seen “eyes-only” corporate email. Worse, 6% have used e-mail to transmit confidential customer data. Similarly, a 2009 Proofpoint study of 220 email decision-makers at large companies found that 34% reported that a loss of sensitive information had impacted business. The same study found that 13% had investigated troublesome Twitter usage, and 15% had disciplined employees for unauthorized posting of video on YouTube and similar sites.

Usually, the problem is less about nefarious intent than a lack of knowledge about the ramifications of social media usage. For example, the AMA/ePolicy Institute electronic business survey indicated that 24% don’t know if their organization has a written policy concerning instant messaging, 27% don’t know if the organization has a policy concerning personal tweets during business hours and 30% don’t know if they adhere to regulatory requirements concerning email.

Violations, intentional or not, can lead to legal problems or damaged reputations. The best solution, argues Nancy Flynn, executive director of the ePolicy Institute, is a clearly written, firmly communicated policy concerning all electronic communications. Such policies should ideally be developed with the input of IT, HR and legal personnel. “You can’t expect an uneducated employee to be a compliant employee,” she says. Such education should consist of training, distribution of policy copies and a signed acknowledgement of receipt by employees. Compliance can be enforced through such technologies as URL blocks, monitoring tools or review by authorized employees.

But, for the time being, some companies are opting for the velvet glove rather than the steel fist. Blogs and tweets are part of daily life at EMC, and an intrinsic element of customer communications. “We prefer to call them social media guidelines, not policies,” Devanna says. “Policy sounds a bit legalistic, and we want to encourage etiquette based on integrity, responsibility and civility. My fear is that if you stipulate every detail, you’ll stifle the benefits of interaction.”

The guidelines were mainly developed via employee crowdsourcing, and employees learn the rules of the road on the EMC intranet before going outside. “Our communities are self-policing, and employees help others understand what is acceptable and what isn’t,” he says.

At Xerox, social media guidelines developed by a cross-functional team were unveiled last fall via a company Webcast. The guidelines are part of a “social media hub” that includes information on registration for Twitter handles, Facebook pages and external video. On the registration form, the employee outlines the business purpose, acknowledges understanding of the guidelines and confirms managerial support. After review, the employee gets a confirmation email with a reminder of best practices. The hub also has links to Xerox’s social media channels, including Twitter, YouTube and a “Blog Talk Radio Station.”

“Our goal is to enable social media usage, not restrict it. During registration, we work to to spot any red flags. We use personal consultations and coaching to make sure employees have a proper understanding of the social media tool,” says Celeste Simmons, social program marketing manager at Xerox.

David Ryan, director of human resources at Mel-O-Cream Donuts in Springfield, Ill., points out that social media partly represents a new face on an old problem: “25 years ago, we worried about Suzie talking to friends all day.” Officially, the Mel-O-Cream does not have an electronic business policy. “We let everyone know what’s acceptable through our handbook, orientation, meetings and corporate newsletter,” he says. “We subscribe to the view that all of our employees are responsible and want to do what’s best for the company.” If there is an issue, the employee’s manager will “gently” address it.

But that policy may change. “It’s uncharted territory,” says Ryan. “At this point I don’t need a policy, but in the future who knows?”