
Michael Salvarezza & Virginia MacSuibhne SCCE Conference, Washington D.C.

October 2013

Records and Information Management for the Next Generation:

Emerging Risks and Effective Management

SESSION HANDOUT

Policy Considerations

• Consider covering: social media, BYOD, mobile computing, cloud computing

• No policy can address all instances, so focus on principles and extend trust

• Focus on what is critical to the business to keep

• Frame policies to address responsibility, not productivity

• Understand the benefits, and the risks of using social media, and include them in Records Management policy, procedures, and guidelines

• Understand the regulations that govern your company’s use of social media
  – FINRA, SEC, NLRB and other government agencies have regulations which may apply
  – Privacy considerations

• Maintain any business records under your corporate records policies and procedures


FINRA Guidance for Online Communications

• FINRA (the Financial Industry Regulatory Authority) guidelines state that firms must keep records of all social media communications:
  – “Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications.”

• FINRA’s guidance states that firms must also supervise their employees’ communications on social media sites:
  – “Firms must supervise these interactive electronic communications under NASD Rule 3010.”

• FINRA does not specifically define what constitutes “social media,” but it is safe to assume that Twitter, Facebook, LinkedIn, blog posts, and blog comments are included.


FINRA Social Media Considerations

• Social networking activity (status updates, tweets, etc.) falls under the guidelines of an advertisement and/or sales literature.

• Sending an email using the social networks (Facebook Mail, LinkedIn Mail) or an instant message (Facebook Chat) can also be considered correspondence.

• Social networks can be updated at any time from any location. Firms must educate and provide the tools to capture and retain content that falls under the advertisement, sales literature or correspondence guidelines.


SEC Electronic Communication Requirements

• Social network content is electronic communication and should be captured, indexed and preserved according to Rules 17a-3 and 17a-4.

• Archived social networking content should be readily accessible.

• Content should be easily searchable by specific fields and efficiently exportable.

• Maintaining a full audit trail of all archival and supervision actions of social networking activity is necessary.


Web Content for Government Agencies

US Government agencies are required by federal law to maintain archives of their web content. In 2009 the Executive Office of the President (EOP) solicited for bids on capturing and archiving the White House’s entire public internet presence, i.e., Facebook, Flickr, Twitter, etc., in order to comply with the Presidential Records Act (Executive Office of the President Solicitation Number WHO-S-09-0003 – Web Archive).

Technology is required to “capture, store, extract to approved formats, and transfer content published by EOP on publicly-accessible web sites, along with information posted by non-EOP persons on publicly-accessible web sites where the EOP offices under Presidential Records Act maintains a presence.”


National Labor Relations Board (NLRB) and Social Media

• The NLRB has become increasingly active in addressing social media policies in relation to the employee bill of rights in Section 7 of the National Labor Relations Act (NLRA).
  – Section 7 gives employees the right to engage in “concerted activities” for mutual aid and protection; essentially protecting rights of employees to discuss working conditions and wages.
  – Applies whether employers are union or non-union
  – See sample NLRB policy: http://www.shrm.org/templatestools/samples/policies/pages/socialmediapolicy.aspx

Social Media Policies: Elements

• State objectives and purpose

• Include definitions and examples

• Define what is proprietary or confidential and prohibit its use on these sites (e.g., customer information, financial data, legal matters)

• Identify what is expressly prohibited (e.g., libelous comments, illegal activity, obscenity)

• Specify who may speak on behalf of the company

• Specify who will own work products created on sites

• Include legal and regulatory issues that apply

• Refer to specific security concerns

• Include discipline and ramifications


Social Media Sample Guidelines

When on a social media site:
◦ Listen first, talk later; pause and reflect before actually posting
◦ Identify yourself/affiliation; avoid anonymity
◦ Respond to ideas…not people
◦ Be respectful; always seek to add value
◦ If you are not authorized to speak for the company, specify that opinions are your own
◦ Know the facts and cite sources; do not guess
◦ Do not go “off the record”
◦ If you respond to a problem, you must follow up


Mobile Computing/BYOD Policy Considerations: General Principles

• Make sure the policy is enforceable.

• Do not rely on device specificity; make sure the policy is broad and general (devices become obsolete).

• Orient the policy from the business value perspective.

• Provide training on appropriate use of devices, proper management and security of information, segregation of personal and business data and IT information management controls.


Sample Social Media Policy Resources

• http://blog.hubspot.com/blog/tabid/6307/bid/29441/5-Noteworthy-Examples-of-Corporate-Social-Media-Policies.aspx

• http://www.inc.com/guides/2010/05/writing-a-social-media-policy.html

• http://www.forbes.com/sites/jeannemeister/2013/02/07/to-do-update-companys-social-media-policy-asap/

• http://www.shrm.org/templatestools/samples/policies/pages/socialmediapolicy.aspx

Sample BYOD Policy Resources

• http://www.techrepublic.com/blog/it-consultant/learn-byod-policy-best-practices-from-templates/

• http://www.whitehouse.gov/digitalgov/bring-your-own-device

• http://www.itmanagerdaily.com/byod-policy-template/

Sample Mobile Policy Resources

• http://www.csoonline.com/article/687124/mobile-device-security-5-questions-to-ask-when-creating-policy-includes-video-?page=1

• http://www.ohioemployerlawblog.com/2012/02/10-thoughts-for-your-mobile-device.html

• http://www.wisegateit.com/resources/downloads/wisegate-sample-byod-policy.pdf

Cloud Computing Resources

• http://www.educause.edu/wiki/cloud-computing-contracts

• http://www.healthlawyers.org/Members/PracticeGroups/HIT/Toolkits/Documents/Cloud%20Computing%20Resource%20Toolkit/2_ArticlesAndPapers/Trappler-If_It's_in_the_Cloud_Get_it_on_Paper-Contract_Issues.pdf

• http://www.forbes.com/sites/joemckendrick/2013/01/14/9-questions-to-ask-before-signing-a-cloud-computing-contract/

eDiscovery Resources

• http://www.dummies.com/how-to/content/ediscovery-federal-rules-of-civil-procedure-and-fe.html

• http://www.insidecounsel.com/2013/01/01/e-discovery-new-sedona-conference-developments-con

Legal Hold Questions

– Is there pending or reasonably anticipated litigation?

– Are there potentially relevant records/information to the litigation?

– Are the records/information in the company’s possession, custody, or control?

– How can the company preserve the records and information?

– How can the company collect and produce the records and information?

Contact Information for Presenters

Michael Salvarezza

Leader, LRN

Michael.salvarezza@lrn.com

917-838-9323

Virginia MacSuibhne

Sr. Director, Legal, Ethics & Compliance, Roche Molecular Systems

Virginia.macsuibhne@roche.com

925.730.8141
