Plugging the Holes in Social Media: Balancing Knowledge Management and Privacy Concerns

LESLIE BENDER, CIPP/US, IFCCE, CCCO VP, GOV’T AFFAIRS & GENERAL COUNSEL ARS NATIONAL SERVICES INC.

© 2016. LESLIE BENDER AND LITMOS.COM/HEALTHCARE

Post on 08-Feb-2022


Legal Disclaimer

Any content included in this presentation or discussed during this session (“Content”) is presented for educational and general reference purposes only. Litmos Healthcare/ARS National Services Inc., either directly or through provides the Content as a courtesy to be used for informational purposes only.

The Contents are not intended to serve as legal or other advice.

Nobody represents or warrants that the Content is accurate, complete or current for any specific or particular purpose or application. This information is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel. The Speaker and Litmos Healthcare are the sole owners of the Content and all the associated copyrights. By using the Content in any way, whether or not authorized, the user assumes all risk and hereby releases the Speaker, ARS National and Litmos Healthcare from any liability associated with the Content.

The views and opinions of the speaker expressed herein are solely those of the presenter and not anybody else.

Learning Objectives for Seminar

The learning objective for this seminar is as follows:

To introduce a compliance perspective for social media and social networking – at work.

Resources

NIST Publication 800-124, Revision 1, Updated June, 2013, http://csrc.nist.gov/publications/PubsSPs.html#800-124

Section 2: Balancing Social Media and Workplace Privacy/Security

Agenda

◦ Social networking pros and cons
◦ Legal issues social media raises about privacy and security
◦ Striking a Balance: formulating (and updating) company policies

Definition of SOCIAL MEDIA

◦ forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content (as videos)
◦ http://www.merriam-webster.com/dictionary/social%20media

Social Media – Described

Four “C’s” of Social Media

Customers – getting people to know you, like you, trust you – and then for you to keep them.

Content – providing valuable information that meets your customer’s needs, may be sharing valuable information of others.

Context – liking brands – must share information that people expect, they do not want to be marketed to (white papers and marketing demos do NOT work well in social media).

Channel – situating yourself in social media where you belong; know who your customer is, figure out where they spend their time, decide what content is most helpful to them (measured from their perspective) and understand what context they need to receive it in before you head into social media.

Result: Fifth “C” – Connection or Community – SUCCESS!

Social Networking

Why? Why have social networking sites attracted so many people?

Friends. Connections. Community.

Remarkable Statistics

Twitter users are 33% more likely to be Democrats

Only 33% of Americans have ever followed a brand in social media

56% of Americans have a profile on a social networking site

55% of Americans 45-54 have a profile on a social networking site

22% of Americans use social networking sites several times per day

47% of Americans say Facebook has the greatest impact on purchase behavior

Source: Convince & Convert, Social Media Research, www.convinceandconvert.com

Estimated Numbers of Users …

Twitter, 974 million, but nearly half are “robots” and 44% have never tweeted. 270 million active users.

Zynga, 320 million users playing “social” games using Zynga applications (FarmVille, Mafia Wars…), but since Candy Crush “active” users down to 200 million.

Facebook, 1.39 billion users

Linked In, 277 million users (as compared to 161 million users in 2012, 66 million a year ago).

• Ahead of its competitors Viadeo (35 million) and XING (10 million)

• Membership grows by approximately 2 new members a second

My Space, 200 million users in 2014, but only 50.6 million in 2015.

Current Users

Internet users: try this counter for exact figure http://www.internetlivestats.com/internet-users/

Facebook: 12 years old in February, 2016
◦ Used by 57% of all American adults
◦ Used by 73% of 12-17 year old Americans
◦ Percentage of users who check it at least daily: 64%
◦ http://www.pewresearch.org/fact-tank/2014/02/03/6-new-facts-about-facebook/

(C) 2015ACA INTERNATIONAL. ALL RIGHTS RESERVED

Facebook Users

Now there are even services to track your social life online…

….”Take social media a step further

We don't just listen to social media, we help you make better decisions. Whether it is making a list of complaints or managing an optimized marketing campaign, we can help you do it! Learn more!”

…”Measure your online pulse

Read what thousands of customers say about your business through social media, blogs, online reviews and more.”

Social Media vs. Newspapers…

“Facebook gained 100 million unique visitors per month over the same time last year and now stands at 590 million unique visitors per month.”

“Twitter is the runner-up at 97 million unique visitors.”

“To put Facebook's Internet presence in perspective, the combined daily circulation of the Wall Street Journal, USAToday, New York Times, Los Angeles Times, The Washington Post, the New York Daily News, and the New York Post equals only 36% of the average daily unique visitors (19 million) of Facebook.”

Source: http://socialmediatoday.com/paulkiser/

Facebook Stats

60% of Facebook’s users are women

Seventy-two percent of users are between 25-54 years old

50% of our active users log on to Facebook in any given day

Average user has 338 friends, half have 200+ friends

People spend over 700 billion minutes per month on Facebook

Linked In Stats

Most folks do not realize that LinkedIn (launched 2003) predates Twitter (July, 2006), Facebook (February 2004) and MySpace (August, 2003)

Reputation is as a social media tool for businesses

Experts feel LinkedIn lacks a higher level of interaction due to users who have an agenda (selling themselves) which studies show is annoying to most Social Media users

Why do people use social media?

National Science Foundation grant to University of California Riverside yielded a study released January, 2012.
◦ http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1989586

As people remain “always on” the Internet, the use of and variety of social media continue to “personalize” the Internet and continue to create interactions that “connect” people
◦ You Tube: 35 hours of video uploaded every minute
◦ Facebook visits: 25% of internet page views and 10% of all Internet visits in the US

Social Media and Business.

From a 2012 USA Today Report:

“After a slow start, Big Business is embracing social media in a big way. Forrester Research says the sales of software to run corporate social networks will grow 61% a year and be a $6.4 billion business by 2016.

“Two-thirds of big companies surveyed now use Web 2.0 tools such as social networks or blogs, with use of internal social networks up 50% since 2008, according to a survey by McKinsey & Co. Nearly 90% said they have reaped at least one measurable business benefit, though most say the improvements have been modest.

“Heavy use of social tools has a statistically significant correlation to profitability, said Michael Chui, senior fellow at the McKinsey Global Institute. But it's early: Only about 3% of respondents used social business tools for all three major uses — reaching customers, connecting employees and coordinating with suppliers, McKinsey said.”

http://www.usatoday.com/money/economy/story/2012-05-14/social-media-economy-companies/55029088/1

Patients want social media for healthcare

PwC Study commissioned by the American Medical Association in April, 2012, shows patients want social media to be something that helps them coordinate care and navigate the health system
◦ 72% patients want to use social media to schedule appointments
◦ 71% patients want social media to remind them about appointments
◦ 70% patients want to be able to get referrals using social media
◦ 33-1/3% patients willing to have monitored social media conversations if it would help them identify ways to improve their health and coordinate better care

How is social media being used in healthcare?

Mercy, a multi-hospital system, created a social media site at www.mercypulse.org to allow its patients to “share” their physician’s profile with Facebook friends, among other things (blogs, You Tube, tweets…).

Over two years ago the Cleveland Clinic established its social media presence through a host of popular social media channels to encourage its patients to connect with others throughout the world.
◦ Chats
◦ Online learning center
◦ Patient portal to access EHR, apply for assistance, pay bills
◦ Symptom checker, e.g., interactive diabetes tracker tool
◦ Wellness

What does this mean for your organization?

Social Media and reputation management

Use of Google AdWords and other tools to monitor and preserve your online corporate reputation.

Job Seekers: More than 17 million Americans use sites like Glassdoor to read about reviews of employees to decide whether or not to apply for a job with you. What do your reviews say?

Balancing: Privacy/Security vs. Social Media?

Concerns:
◦ Data security safeguards
◦ Your consumers’ privacy
◦ Your employees’ privacy?

Test: Which Statement is False?

Statement #1: As the use of social applications increased, so did the use of other communications tools like instant messaging and webmail.

Statement #2: Most employees keep Facebook or Twitter open in the background while they’re at work, like email.

Statement #3: Employees that use social applications are less productive than employees that do not.

Test: Which Statement is False?

Statement #1: As the use of social applications increased, so did the use of other communications tools like instant messaging and webmail.
◦ True: overall growth in all types of online communication tools

Statement #2: Most employees keep Facebook or Twitter open in the background while they’re at work, like email.
◦ True: more widespread access to better tools leads to more time being spent interactive online.

Statement #3: Employees that use social applications are less productive than employees that do not.
◦ False: research shows employees are always connected and that they take shorter work breaks than before (on average 35 minutes less/day). Moreover, employees can check work related email 24/7 and actually work regularly in “off hours” by checking their smartphones.

Do Employers “Like” Social Media at Work?

2 in 5 Gen Y workers rate social media access above receiving a higher salary.

Over 50% of workers 55 and older use social media at work every day.

Source: PayScale.com, 6.2012

Companies like social media for brand promotion but worry about employee use.

42% of companies ban Facebook, Twitter at work, according to study by PayScale.

53% have a formal policy on the use of social media.

Recommendations

Smart workplace policy on social applications will support employees’ natural inclination to connect using social media while protecting your company from security risks.

Know the law (NLRA, FTC and state laws).

Need to keep the lines of communication open, but secure, within your own four walls and relative to your vendors and other contractors, service providers and clients in your business network.

Create balance, revisit it often as new social media opportunities for interaction evolve.

Recommendations, cont.

Train your workforce and update your training on your social media policies.

Do not assume that all of your employees, vendors, contractors or even clients have evolved social media policies, procedures, etc. or are aware of all of the risks.

Have a look at the excellent twenty minute “on demand” interactive tutorial video on the Federal Trade Commission’s website offering some guidance to businesses on privacy.

http://business.ftc.gov/multimedia/videos/protecting-personal-information

Productivity Concerns: Are They Real?

Employee productivity drops 1.5% at companies that allow full social networking use at work, see study by Nucleus Research.

Survey also showed that 77% of employees use Facebook while at work.

1 in 33 workers report that they only use Facebook while at work and
◦ Of those 87% admitted that they had no business reason to do so.

Workplace Privacy – A Legal Perspective

Most Common and Costly eRisks

Workplace Lawsuits

Sexual Harassment Claims

Trademark and Patent Infringement Suits

Sabotage and Internal Security Breaches

External Cracker and Hacker Attacks

Public Embarrassment

Lost Productivity

Wasted Computer Resources

eViruses

Lengthy Business Interruption

Six-Figure Fines and Jail Time for Software Piracy

Million Dollar Legal Fees and Settlements

Media Scrutiny

• One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns,
• Is subject to liability to the other for invasion of his privacy,
• If the intrusion would be highly offensive to a reasonable person. (Emphasis supplied)

Offensive to Reasonable Person

Moving standard

Balancing needs for productivity, privacy, data security with quickly evolving technology

Developing Case law

Key facts in recent cases:
◦ Use of workplace internet/computing resources to email with personal attorney
◦ Ability of an employer to insist upon access to a user ID to enter a private “group” of its employees in a social networking site
◦ Digital video/camera within wireless phone in worksite

Drafting Tactics: Reviewing Some Sample Policies, Procedures

Acceptable Use Policy – Sample

The following activities are strictly prohibited, with no exceptions:

Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by <Company Name>.

Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <Company Name> or the end user does not have an active license is strictly prohibited.

Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

Using a <Company Name> computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

eMail and Communications Prohibited - Sample

Email and Communications Prohibited Activities

Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).

Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.

Unauthorized use, or forging, of email header information.

Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.

Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.

Use of unsolicited email originating from within <Company Name>'s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by <Company Name> or connected via <Company Name>'s network.

Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

Blogging - Sample Blogging

Blogging by employees, whether using <Company Name>’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy.

Limited and occasional use of <Company Name>’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate <Company Name>’s policy, is not detrimental to <Company Name>’s best interests, and does not interfere with an employee's regular work duties. Blogging from <Company Name>’s systems is also subject to monitoring.

<Company Name>’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any <Company> confidential or proprietary information, trade secrets or any other material covered by <Company>’s Confidential Information policy when engaged in blogging.

Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of <Company Name> and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by <Company Name>’s Non-Discrimination and Anti-Harassment policy.

Employees may also not attribute personal statements, opinions or beliefs to <Company Name> when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of <Company Name>. Employees assume any and all risk associated with blogging.

Workplace Relationships – Sample – Too Far?

Dating and romantic relationships between employees can cause problems for the employees involved in the relationship, as well as their co-workers and managers. For this reason, dating and romantic relationships with other employees are discouraged. Employees who do engage in such relationships should give due consideration to the complications that such relationships can cause and take care not to let the relationship interfere with their work or judgment or cause discomfort to co-workers. Any relationships between employees must be mutually consensual.

Dating and romantic relationships may present a conflict of interest where one individual is in a position to make or influence employment-related decisions regarding the other. Thus, there may be no such relationships between employees with solid-line and dotted-line reporting relationships or anyone in the line of authority from the solid-line or dotted-line supervisor. (For example: an employee may not date his supervisor, or his/her supervisor's manager.) This prohibition also includes anyone who may be in a position to enforce Company rules or influence employment decisions regarding that employee, such as members of the Human Resources Department, certain members of the Legal Department, certain members of the Environmental, Health & Safety Department, top executives etc. Additionally, this prohibition includes anyone who may be in a position to approve work, expenses, compensation or contractual obligations of the other individual.

Employees must disclose any relationship that may present a conflict of interest (as described in the previous paragraph) within 30 days after the relationship begins so that measures may be taken to eliminate the conflict of interest. In some instances, this may involve removing any influence for decisions regarding the employee involved. (For example: if the relationship involves a member of Human Resources, then the Human Resources responsibility for the employee with whom he or she is involved may be transferred to another Human Resources member, if feasible.) However, in situations where the employees are in a direct or indirect reporting relationship, it will usually be impossible to shift such responsibility, so one of the individuals involved must leave their current position, either by obtaining another position within the Company or finding other employment.

Violation of this policy will result in corrective action, up to and including termination.

Reactions to sample policies? In your mind do any strike a proper balance between social networking and workplace decorum?

For the latest in social networking shorthand, try http://www.acronymfinder.com/ or http://www.netlingo.com/acronyms.php

Sources of sample policies:
◦ http://www.sophos.com/sophos/docs/eng/dst/sophos-example-data-security-policy.pdf
◦ http://www.sans.org/security-resources/policies/

Compliance Strategy – Do’s

Documented policies and procedures establish a baseline of expectations for workplace conduct.

Training/awareness conveys content of policies/procedures to employees.

Periodic auditing confirms behavior is conforming to policies/procedures.

Performance reviews reinforce results of audits and the intent (and importance) of policies/procedures.

Compliance Strategies – Don’ts

Do not use social networking sites to seek information about job candidates that is otherwise protected (e.g., age, race, marital status, religious affiliation, political views).

Do not violate your employees’ privacy.

Do not punish your employees for lawful activities (e.g., consuming alcoholic beverages).

If subject to NLRB regulations, do not infringe upon them (e.g., by prohibiting employees from exercising rights to self-organize or to complain about the terms and conditions of the job or a worker’s performance).

Pros and Cons of Social Networking, at Work

PROS:
• Would you preclude your employees from receiving a call from a spouse or child during the workday?
• If you expect your employees to work long hours, how much do you benefit if they have no balance in their lives between work and personal life?

CONS:
• Time management: how much time can you afford to have your employees Facebooking or Tweeting?
• Security risk: to what extent might photos, information, etc. be vulnerable if employees have social networking sites up and running throughout workday?

Practical Guidance

Digital Natives vs. Digital Immigrants

Workplace Privacy vs. Individual Privacy

As the workforce becomes more and more populated with “digital natives,” how far can a “you have no privacy expectation at work” policy actually go?

Where are the boundaries and what should the filters be?

Training and Mindset of New Hires

As technology advances, this topic will need to be regularly revisited.

Summary/Recap

1. Evaluate the pros and cons of social media in your workplace, being aware that even if you limit access via your internet resources, your employees and visitors can readily access social media via smartphones and other portable devices.

2. Develop “technology neutral” approaches to social media – assuring that key privacy and data security principles are carried forward in your social media policies.

3. Be aware of activities such as blogging, chatting, and other means by which your employees, clients and visitors may be commenting in social media about you or your business.

Thank you! Visit: www.litmos.com/healthcare
