Introduction: What Is Regulatory Compliance?
Regulatory compliance is often defined as the goal that organizations aspire to achieve in an effort to ensure that they are aware of and ready to abide by relevant laws, policies, regulations and standards. Recent research shows that there are now more than 14,000 different regulations in the United States alone. In order to navigate the strict (and often confusing) regulatory landscape with more ease, organizations adopt harmonized and consolidated compliance controls and policies, including specialized technological solutions that facilitate the management of a company’s digital information.
Albeit traditional and defensive, compliance remains the top reason for archiving enterprise information.
Given that we are living in the age of Big Data, where a huge portion of company information is stored in digital form, compliance has become inseparable from electronically stored information (ESI). Compliance data is another term used to refer to the information that belongs to an enterprise and can be used for compliance purposes.
Ever since the infamous Enron case in 2001, significant regulations have been enacted to enforce stricter compliance, particularly for publicly listed companies. Roughly at the same time, office workers and entire companies started to get hooked on email. These days, people send 130 billion business-related emails a day, and this immense growth seems to have happened overnight.
As email communication became ubiquitous in the workplace, many laws and regulations needed to be updated to include this new, near-instant, yet tricky form of doing business. Every day, important business decisions are communicated by email. Sensitive, business-critical information and confidential financial documents are sent via email as well. This is why companies are required to preserve email correspondence in accordance with specific laws and mandated retention periods. Non-compliance can have serious consequences, including legal penalties such as fines or even imprisonment.
According to the Radicati Group, the number of business emails sent by an average office worker is expected to grow from 128 to 140 in 2018.
This sparked the need for implementing a technological solution that could automatically capture, index and retain all corporate email. Email archiving solutions soon turned out to be the best and most comprehensive option, as they were able to both provide quick access to messages and allow users to search, export or print email. These functionalities made them not only suitable for retention and compliance requirements, but also for legal discovery purposes.
The technology was quite expensive, so the practice caught on slowly and the fines were plentiful. However, 15 years later, a large number of enterprises understand the importance and benefits of email archiving and an estimated 70% of them are diligent archivers of email, especially in regulated industries.
If this sounds like a happy ending, that’s only because there has been no mention of the new challenges that arose in the meantime ‒ the fresh, convenient and addictive communication tools that quickly became entwined with email and essential for business: social media.
How Social Media Changed Compliance Forever
It wasn’t long after private users embraced social media that companies saw its enormous potential, both in terms of internal and external communication. In 2018, we see organizations openly allowing their employees and even third parties to represent them and their brand online, create online content, engage in discussions with their audience and even resolve customer issues. Some of the famous public and government entities on social media are NASA (with 30.5 million Instagram followers), the Library of Congress, the State Department and the Federal Bureau of Investigation (with 2.16 million followers on Twitter).
There are more than 9,000 social media accounts owned by US Government agencies, but only half of them ever get archived.
Social media and their integrated direct messaging functionalities have become our go-to places when we need to quickly exchange info, ask questions, get up-to-date information, share business updates, etc. In a business environment, social media allows us to communicate with our coworkers or followers instantly and less formally than we would in an email. Almost 50% of companies in the United States use social media to stay in touch on a daily basis.
As digital communications started with email, many companies have already found compliant solutions for archiving this type of information. However, given the rapid and inevitable advent of social media for business, an archiving and monitoring strategy that begins and ends with just email no longer matches up with the reality of day-to-day operations for the majority of businesses. Many regulations have been amended in recent years to include the archiving of all social media activity, including comments, posts, and direct messages in a compliant format for a specific period of time.
The Business Risks of Social Media
Despite the many benefits that social media can bring to an organization, some companies are still wary when it comes to using these channels for business purposes. And rightfully so. If corporate social media is not regulated and directed by strict and clear policies, it can present both a legal and a reputational risk.
The lack of an appropriate social media policy can lead an employee to unintentionally make an offensive or inappropriate comment on the company’s social media account or divulge information before regulations or laws allow it. Moreover, the absence of oversight and policies for social media channels leaves room for employee misconduct, primarily instances of sexual harassment, discrimination or libel. Social media content, including direct messages, can now be used as evidence in legal proceedings, and the legal costs of defending such claims can often amount to half a million dollars. There is also a possibility of losing intellectual property if an employee inadvertently shares internal communications or trade secrets.
92% of Government agencies use social media but lack standards for record management.
Regardless of the risks mentioned above, ignoring the benefits for fear of negative consequences can no longer be considered a sound and justifiable business practice in times when social media has become a necessary business tool. The key lies in the proper retention and archival of social media communication, something that only a handful of companies seem to be aware of. A recent survey shows that while 96% of organizations know that they should retain email, only 15-20% archive social media.
Does My Organization Need to Preserve Social Media Content?
Although social media retention laws vary based on an organization’s location and industry, compliance should always be at the top of your list of priorities. Even if your organization does not belong to the highly regulated sectors, remember that social media posts on official channels are considered business records, which need to be preserved for various reasons if not for compliance purposes.
“Businesses understand that they have an obligation to preserve potentially relevant evidence. Social media evidence is no different and should be preserved in the same way as paper documents and emails.” Margaret DiBianca, Discovery and Preservation of Social Media Evidence
Here’s a list of some of the regulatory bodies and laws that govern proper social media use in the workplace.
SOX (Sarbanes-Oxley Act), especially section 409, mandates that publicly traded companies which use social media need to monitor information to ensure compliance with SOX and pay special attention to how they communicate financial statements on social networking sites.
FOIA (Freedom of Information Act) is the federal law that ensures public access to government records. Every US state has an additional public records law based on FOIA.
SEC Rule 17a-4(b) mandates that all employee business communication on social media must be archived for at least 3 years.
FINRA’s regulatory notices 10-06 and 11-39 deal with corporate use of social media sites, record-keeping and content requirements for such communications.
HIPAA prohibits the use of information that can be used to identify patients and their medical records. Protected Health Information (PHI) is outlined in HIPAA’s Privacy and Security Rules.
What Social Media Archiving Means for Compliance
Managing risk is one of the most important ongoing needs for businesses. While plenty of companies have teams or entire departments dedicated to managing various forms of compliance, regulatory requirements and legal matters, this approach to risk management hasn’t been adopted in a widespread fashion when it comes to social media.
The first step towards social media compliance is the creation of a social media policy. It should govern the acceptable use of social media, define the platforms that can and cannot be used for business purposes and specify the individuals in charge of monitoring and archiving of social media communications. Your social media policy should be regularly updated in order to stay up-to-date with new laws, regulations, best practices and social media tools.
The media giant Netflix was investigated by the SEC in 2013 after its CEO posted financial information on his personal Twitter.
After developing a corporate social media policy and ensuring that all employees are informed about the appropriate way to use the company’s social media accounts, companies can go on to implement an archiving solution. A social media monitoring and archiving solution will keep you in compliance, allow you to have complete insight into your corporate social media landscape and prevent the sharing of sensitive company information or posts that can negatively affect your brand. It will help you to identify the employees who ignore best practices and who can expose your organization to security threats, data breaches and scams.
Why You Need Special Social Media Archiving Technology
1. Social networks do not offer any archiving options of their own
Organizations that are active on social media typically use more than one channel to connect with their audience. None of these many channels has built-in archiving options, which means that you cannot rely on Facebook, Instagram or Twitter for any kind of long-term record keeping. The content on your social media pages is completely out of your control, and even if you do your best to protect your own posts, your audience is still free to edit and delete comments.
2. Alternative ways of preserving social media content simply don’t work
Pressed by regulations but unfamiliar with better archiving options, many organizations attempt to preserve social media records by printing or taking screenshots of posts and conversations. Taking manual records requires effort, it is time-consuming and ultimately ineffective, as it fails to capture the underlying details (e.g. metadata) and both physical documents and screenshots can be edited or forged. As a result, such evidence would never hold up in court nor would it be valid in a regulatory context. Another obvious setback is that screenshots are not searchable, which could easily turn an eDiscovery request into a nightmare for your data protection officers.
3. Oversight and business intelligence
If you are already using an email archiving solution, you probably know how much valuable insight you can get from your archived data. The same goes for social media. An archiving solution will give you oversight of what is being communicated and in what manner. Your compliance officers will have supervision and control of time-sensitive data or words and expressions that require further review. This will reduce the possibility of employee misconduct and lawsuits that could follow. Extracting business intelligence from your archive will give you precious insight into your organization and offer possibilities for improvement. Which employees are most likely to expose your company to a cyber attack? Who spends too much time on social media? How are complaints handled? Is the tone your employees are using on social media appropriate?
When they first appeared at the beginning of the 2000s, archiving solutions were considered a major investment. Today, on-premise archivers are compact, sleek and powerful and there is also the option of cloud or hybrid deployment. Although archiving appliances remain large budget items, a growing number of organizations understand their importance and benefits, especially when it comes to the long-term sustainability of business, its efficiency, legal preparedness and reputation.
If your organization implements an email and social media archiving solution, your employees’ inbound, outbound and internal communication will remain archived in a safe repository even if they delete potentially incriminating posts or messages. The advanced search options that archivers possess will let you locate a specific conversation in millions of archived social media exchanges. Your IT team will no longer have to waste time on finding and restoring messages. Perhaps most importantly, an archiving solution will ensure that your organization is completely prepared for audits and legal requests. An often-quoted high-profile case of social media non-compliance involves a school which had to pay $2,000,000 for improper use of corporate social media channels. Compared to that, an archiving solution sounds like an affordable and worthwhile investment.
How to Choose the Right Social Media Archiving Solution for Your Business
Social media is captured and archived in roughly the same way as email. The majority of social media archiving providers offer solutions which have a separate system, their own dashboard and require users to master the interface from scratch. If your organization already archives email, it would be wise to opt for a vendor that can integrate the social media archiving functionality into its existing email archiving software. This will save the time needed for implementation and help you avoid explaining the new technology to your staff.
There is a thin line between social media being an asset and being a liability. Your choice of an archiving solution can mean the difference between the two.
A SaaS-based social media archiving platform that is integrated into the email archiving solution and can potentially be extended to include instant and text messages would allow your organization to adequately respond to both present and future information archiving challenges.
Options such as message indexing, advanced search, message flagging, keyword selection with alerts, and comprehensive export options should definitely be on your list of priorities.
In recent years, corporate social media usage has grown immensely, and organizations’ social media channels are buzzing with activity. Keeping track of this activity can be difficult, especially for companies which have not adopted a social media archiving solution. In order to be able to maintain business continuity in the strict regulatory climate, organizations need to adopt a social media strategy with archiving as its vital component. A good archiving solution will give you the peace of mind that your social media content is preserved in compliance with all relevant regulations, provide effective analytics and offer a fresh look at your social media data.
To learn how Jatheon can help you implement an email archiving solution, book a personal demo or contact us.