Update on enterprise social media risks

Social Media Risks to Enterprises

Constantine Karbaliotis
Data Protection & Privacy Lead

Session Description
• Social media and software are of increasing interest to both
private and public sector organizations. While these
technologies offer exciting new opportunities to share
information and to interact with customers, they also represent
a new area of risk for the exposure of confidential and personal
information. Get an update on the changes being brought about
by social media in response to regulators’ and consumers’
concerns, and learn the latest strategies for minimizing risks to
organizational security and reducing liability.

Social Media Risks to Enterprises - Constantine Karbaliotis 2

Agenda
1 Introduction

2 Enterprise Uses of Social Media

3 Enterprise Risks from Social Media

4 Strategies and Tactics

5 Case Study

6 Conclusion/Q&A
3
Social Media Risks to Enterprises - Constantine Karbaliotis

Introduction


What is Social Media?
• “Social media” includes:

– social networking (Facebook, MySpace)
– blogging (WordPress, Blogger, TypePad, etc.)
– wikis (Wikipedia, Wikia, etc.)
– microblogging (Twitter)
– business or technical networking (LinkedIn, Spoke)

• in short, anything that can be considered user-generated
content


Generation Y/Millenials
“Who uses e-mail anymore? – that’s old school!”

• Demand …
– 42% of office workers between the ages of 18 and 29 discuss work-related
issues on blogs and social networking sites (YouGov)
– 50% of surveyed organizations indicate that at least 30% of their network
bandwidth is being consumed by social networking traffic (Forrester)
• And supply …
– It is estimated that nearly half of all web developers are already using AJAX
– 66% of surveyed organizations indicate that Web 2.0 is essential to
maintaining their company’s market position (McKinsey)


Social Networking in the News…
• Canada takes lead role in Facebook privacy issues
– Discussions between Facebook Inc. and the Office of the Privacy Commissioner of
Canada (OPC) over the social networking site's compliance with Canadian federal
privacy law are moving along smoothly, according to spokespersons from both
sides. .. Privacy Commissioner Jennifer Stoddart found Facebook in violation of
the Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada is now recognized as the first country in the world to issue legally binding
recommendations to the social networking site. (NetworkWorld, August 21,
2009)
• Is Internet privacy dead? No, just more complicated: researchers
– The numbers tell one story: With 10 billion Tweets sent and 400 million Facebook
users signed, people clearly want to be heard and seen and able to hear and see
others on social networks. But Internet users also care about privacy, according
to experts. Particularly when they feel like they’ve lost control of their personal
information. That is when trust is broken. (Washington Post, March 15, 2010)
• Privacy watchdog takes issue with Google Buzz
– Canada's top privacy watchdog is taking aim at another international tech
titan.Less than a year after its investigation spurred sweeping privacy changes at
Facebook, the Office of the Privacy Commissioner of Canada is now looking into
complaints that Google Inc.'s new social networking tool, Google Buzz, might run
afoul of Canadian privacy standards. (Vancouver Sun, February 17, 2010)

Privacy’s role in selling the message in the
organization….
• The goal is not to stop innovation or creativity

• The goal is:
– To understand the risks associated with an activity;
– To address them by minimizing them to the extent reasonably possible;
and
– for a responsible person in the enterprise to accept the residual risk.

• My mantra:
– Conscious acceptance of risk
– No sleepwalking


Enterprise Uses of Social Media


Social Media and Privacy Risks
• Most privacy risks not exclusive to social media sites and
technology

• Simply blocking these sites will not mitigate the hazards of
increasingly interactive consumer Web applications

• There are corporate advantages to use of social media, the most
compelling of which are innovative marketing, attracting
employees and providing a progressive work environment

• Social media is just one part of our overall concerns about doing
privacy ‘right’


Organizational Uses of Social Media

• Internal Uses:
– Employee social networking

• External Uses:

– Employee social networking
– Technical and customer support
– Marketing and customer data collection


Content Creation
• Social media can be operated by:

– The organization

– The organization with content provided by employees and customers

– Others and used officially by the organization

– Others informally

– Others both officially and unofficially


Behavioural Profiling
• The data collected by observing what users do

• Very interesting data, very valuable and at the same time,
attracting a lot of negative attention from privacy regulators

• One of the key reasons to set up social media sites and
technologies – apart from advertising – is the generation of this
behavioral information and thus targeted advertising


Two main areas of risk for Enterprises:
1. Risks to enterprises of its employees using
social media tools that the enterprise provides
or uses (“Enterprise Social Media Risks”); and

2. Risks to enterprises from consumers using
social media tools that the enterprise provides
or uses, (“Consumer Social Media Risks”):


Enterprise Social Media Risks


Employee use of Social Media
• Internal losses: Employees can -
– Violate the privacy of others
– Violate their own privacy

• External losses: Employees can -
– Can disclose confidential company information
– Can create a ‘record’


Unintended Consequences : Security & Compliance
• Facilitating social engineering
• Additional security risk on
computers
• Spamware or spyware
• Compromise not only their own but
organizations’ security
• Even legitimate toolbar tools can
present data export issues


Unintended Consequences: TMI

•By offering TMI, employees can create awkward
situations
•Certain social networking communications may
be seen as creating a hostile work environment
and puts the company and employee(s) in
jeopardy
•Can lead to regulatory or legal actions against
both employee and enterprise


Hosting Issues

•Risks also arise from choice to host internally or
use third parties
•Hosting internally has cost, governance and
management issues associated with doing so
•Third parties raise however a whole other
dimension


Consumer Social Media Risks


Consumer Risks: Enterprises need to understand their
consumers do care about privacy, but …

• Behaviours contradict stated concerns about
privacy
• “Passwords revealed by sweet deal”, BBC News

• The why: People are terrible at assessing risk
• “The Drunkard’s Walk: How Randomness Rules Our
Lives,” Leonard Mlodinow

• Thus the duty of Enterprises as stewards

Unintended Consequences: Intended versus
unintended audience…

•Enterprise social media sites must consider the
personal risks that they may inadvertently
create for their users:

•Enterprises need to consider the forum that
they are creating and how their consumers’
information might be used, or mis-used


Unintended Consequences: The Durability of Data
•Search engines also scan social media content
created by users, including risks associated with
‘deep web’ search engines

•Enterprise risks are considerable in the retention
area of social media if not addressed through
careful design


Strategies and Tactics


Internal Governance: Revisit and Update Privacy
Policies, Privacy Notices, and Code of Conduct
• Ensure your Code of Conduct addresses the risks
associated with social media

• Revisit policies, privacy notices/statements – do they
address the risks of social media?

• Train and Inform

• Update employment contracts and acceptable use
agreements to allow for social media

Privacy Notices: Revisit Notice and Consent
Informed consent is key to obtaining and using
personal information in social media and
elsewhere

Consider use of layered notices

Update and revise the terms and conditions
associated with use


Behavioural Profiling:
FTC Principles on Behavioral Tracking
1. Transparency and consumer control
2. Reasonable security and limited data retention for
consumer data
3. Affirmative express consent for material changes to
existing privacy policies
4. Affirmative express consent to (or prohibition
against) using sensitive data for behavioral
advertising


Design Considerations: Taking the High Road in Social
Media

• Privacy impact or risk assessment

• Notify what activities are tracked

• Allow ‘opt out’ of tracking

• Always link to privacy notices

• Transparency


Design Considerations: Taking the High Road (2)

•Retention clarity

•Anonymization as part of retention

•Data Security

•Manage search engine risks


Design Considerations: Taking the High Road (3)
•Preference management

•Appropriate security for account

•Prominent display of privacy notices and terms
of use

•Effective deletion of accounts and PII


Design Considerations: Purpose & Data Minimization
• Honestly be able to assess the value of the trade being
made by your community:

– Is what they’ve traded for, a fair trade?
– Are they giving too much?
– Do they really know all that is really intended – or
perhaps unintended but likely – in relation to what
they’re trading?
– Are they entrusting it to an enterprise who can
protect that asset properly?


Design Considerations: Social Media Privacy
Considerations

• User names
• Profiles
• Uses
• User account deletion
• Lawful disclosure
• Transfers
• Complaints


Case Study


SymConnect: Technical Networking


Social Media Privacy Policy


Pseudonymity


Ts & Cs


Design Standards & Guidelines
• Developers building social media sites
– Design considerations mentioned previously

• Employees using social media sites given specific direction but
reminded to comply with:
– HR policies
– Privacy policies
– Security policies


Conclusion/Q&A


Enterprises’ Duty as Stewards
•Essential to be the ‘good guys’ in the
management of customers’ data

•Understanding risk in relation to your
stewardship of personal information in the social
media context

•Act as the customer’s IT department


Conclusion
•What is the intent of collecting this information
– no service is really for free, so what is being
‘traded’?
•Be up front about what the trade is
•Have in place the measures to enforce the deal
•And keep in mind that transparency won’t
excuse actions representing unexpected uses of
personal information


Thank you!
Constantine Karbaliotis, J.D., CIPP/C/IT
constantine_karbaliotis@symantec.com
416.402.9873

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Update on enterprise social media risks

More Related Content

What's hot (20)

Similar to Update on enterprise social media risks (20)

More from Constantine Karbaliotis (9)

Recently uploaded (20)

Update on enterprise social media risks