Social Media Policy Development

Social media tools such as blogs, microblogs like Twitter, video, and social networking sites such as LinkedIn and Facebook represent an emerging collaborative environment for customer and employee engagement. But organizations that use these tools must begin—or expand—their conversations with employees about keeping confidential information private.

The 2009 Electronic Business Communication Policies & Procedures survey from the American Management Association (AMA) and The ePolicy Institute underscores the issues involved. According to the survey of employees at 586 companies, 14 percent of employees admitted e-mailing confidential information, and another 14 percent said that outsiders have seen “eyes-only” corporate e-mail. Even worse, 6 percent have used e-mail to transmit confidential customer data.

Similarly, a 2009 Proofpoint survey of 220 e-mail decision-makers at large companies found that 34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites.

Usually, the problem is caused by a lack of knowledge about the ramifications of social media usage. For example, the AMA/ePolicy Institute electronic business survey indicated that 24 percent of the respondents don’t know whether their organization has a written policy about instant messaging; 27 percent don’t know whether there’s a policy dealing with personal tweets during business hours; and 30 percent don’t know whether their organization adheres to regulatory requirements concerning e-mail.

Violations, intentional or not, can lead to legal problems or damaged reputations. The best solution, argues Nancy Flynn, executive director of The ePolicy Institute, is a clearly written, firmly communicated policy concerning all electronic communications. Such policies should be developed with the input of IT, HR and legal personnel. “You can’t expect an [uninformed] employee to be a compliant employee,” she says.

This education should consist of training, distribution of copies of the company’s e-policy and a signed acknowledgment of receipt by employees. Compliance can be enforced through URL blocks, monitoring tools or review by authorized employees.

A Velvet Glove Approach

Some companies are opting for the velvet glove rather than the steel fist. At EMC, blogs and tweets are part of daily life and an intrinsic element of communications with customers. “We prefer to call them social media guidelines, not policies,” says Len Devanna, the company’s director of Web strategy. “Policy sounds a bit legalistic, and we want to encourage etiquette based on integrity, responsibility and civility. My fear is that if you stipulate every detail, you’ll stifle the benefits of interaction.”

The guidelines were mainly developed via employee crowdsourcing, and workers learn the rules of the road on the EMC intranet before going outside. “Our communities are self-policing, and employees help others understand what is and isn’t acceptable,” Devanna says.

Last fall, Xerox used a company Webcast to unveil social media guidelines developed by a cross-functional team. The guidelines are part of a “social media hub” that includes information on registration for Twitter handles, Facebook pages and external video.

On the registration form, the worker outlines the business purpose, acknowledges understanding the guidelines and confirms managerial support. After review, the employee gets a confirmation e-mail with a reminder of best practices. The hub also has links to Xerox’s social media channels, including Twitter, YouTube and a “Blog Talk Radio Station.”

“Our goal is to enable social media usage, not restrict it,” says Celeste Simmons, social marketing program manager. “During registration, we work to spot any red flags. We use personal consultations and coaching to make sure employees have a proper understanding of the social media tool.”

Mel-O-Cream, based in Springfield, Ill., does not have an official electronic business policy. “We let everyone know what’s acceptable through our handbook, orientation, meetings and corporate newsletter,” says David Ryan, director of HR. “We subscribe to the view that employees are responsible and want to do what’s best for the company.” If there is an issue, the employee’s manager will “gently” address it.

But that policy may change. “It’s uncharted territory,” says Ryan. “At this point, we don’t need a policy, but in the future, who knows?”

Nick Wreden is a writer and marketing specialist in business and technology.