Social media and its associated risks Sponsored by Grant Thornton LLP


Contents

Executive summary
Research methodology
Interviewee profiles
The corporate value of social media
Social media risks
Social media policies
Conclusion
Appendix I: Respondent demographics
Appendix II: Sample social media policy
About the authors

Authors

Thomas Thompson Jr.
Senior Associate, Research
Financial Executives Research Foundation

Jan Hertzberg, CISA, CISSP, PCI QSA
Managing Director, Business Advisory Services – IT
Grant Thornton LLP

Mark Sullivan, CFE, CFI, CPP
Principal and Practice Leader, Forensic and Litigation Services
Grant Thornton LLP

Local contact
David Florio, CA, CA.IT, PCI QSA
Partner, Business Risk Services – Governance, Risk & Compliance
Grant Thornton LLP
T +1 416 369 6415
E [email protected]


Executive summary

How many tweets have you sent in the last month and how many friends or likes do you have? These are questions you would not expect most senior financial executives to concern themselves with. However, with the increasing prevalence of social media in business and the rapid, fluid nature of these “sexy” new technologies, perhaps executives should be concerned.

In an article titled “Users of the World, Unite! The challenges and opportunities of social media,”¹ Andreas Kaplan and Michael Haenlein define social media as “a group of Internet-based applications that build on the ideological and technological information of Web 2.0 . . . and . . . allow the creation and exchange of user-generated content.” For many companies, social media is the proverbial double-edged sword. It offers both opportunities and risks. Social media cuts across many areas of a company (including HR, marketing, communications and legal, among others); therefore, any policy surrounding it should be the result of a multidisciplinary approach.

Financial Executives Research Foundation, Inc. (FERF), working in partnership with Grant Thornton LLP, developed a 23-question online survey and conducted in-depth interviews to produce this report, Social media and its associated risks. The survey was conducted during August and September 2011 and was completed by 141 executives from public and private companies. The interviews involved eight open-ended questions and were conducted during September 2011. This report is based on the findings of both the online survey and the in-depth interviews.

Some of the key survey findings include the following:
• Almost half (48%) of the senior financial executives who responded to the survey feel that social media will be an important component of corporate marketing efforts going forward.
• More than half (53%) of respondents see corporate use of social media increasing significantly over the next 12 months.
• More than three-quarters (76%) of respondent companies do not have a clearly defined social media policy.
• More than half (61%) of respondents indicated their organizations do not have an incident management plan to help them deal with instances of fraud and/or privacy breaches.

Key interview findings include:
• The speed with which social media has grown in the last five years caught many executives by surprise.
• Executives are allocating more funds to IT security overall, though not necessarily to address specific risks associated with social media.
• While many companies do have e-mail communication and technology usage policies, very few companies have policies that specifically address social media governance and risks.


1 Kaplan, Andreas M., and Haenlein, Michael. “Users of the world, unite! The challenges and opportunities of social media,” Business Horizons, pp. 59–68, Volume 53, Issue 1, 2010.


Research methodology

The Social media and its associated risks report is based on a 23-question online survey. In-depth follow-up interviews were conducted with senior financial executives from both public and private companies, and others. The online survey was conducted during August and September 2011 and questioned participants about the following areas:

• opinions regarding social media
• use of social media
• concerns about the risks surrounding social media
• social media policies
• concerns about identity theft, and data security

The survey generated a total of 141 complete responses from a variety of senior executives, the majority of whom came from small to midsized companies, although nearly all revenue ranges were represented. Almost all of the respondent companies were located in the United States (the remainder were headquartered in Europe). Excluding the “other” category (which included responses from companies in the aerospace/defense, business services, construction, consulting, consumer marketing and products, consulting, and private equity industries among others), financial services (15%), manufacturing (14%), and professional, scientific, or technical services (10%) were the best-represented industries.

A total of 12 in-depth interviews were conducted during September 2011 and consisted of eight open-ended questions. The interviews were meant as a follow-up to the survey to uncover deeper insights into the corporate use of social media. Interviewees came from a variety of industries, including manufacturing, wholesale/retail, advertising, health care/life sciences, academia and financial services. Further, one of the interviewees was an attorney and certified information privacy professional and another was an independent, international marketing consultant. All interviewees were given the opportunity to review the notes from their interviews and could opt to be quoted directly or remain anonymous. To minimize bias, the interviews were randomly arranged.

The research is not intended to cover a statistically significant sample of the corporate population. However the qualitative findings from both the survey and the interviews provide a valuable look at current social media opinions and trends. These findings offer indispensable insights into both the benefits and the risks associated with the rapidly growing use of social media. To review the graphs related to the survey demographics, please refer to Appendix I.


Interviewee profiles

The in-depth, follow-up interviews provided a much better feel for where companies currently are in their adoption of social media as a legitimate business tool. They also provided real-world examples of how executives can benefit from the use of social media and how they should plan to mitigate the risks associated with these new technologies. The following individuals were interviewed:

Mark Ferguson, CFO, Bench Tree Group LLC
Mark Ferguson has more than 20 years of finance and accounting experience. He worked at companies such as Texas Instruments, Honeywell and various venture capital-backed startups before becoming the CFO at Bench Tree Group, a manufacturer of equipment for the oil and gas drilling industry.

Melissa Krasnow, corporate partner and certified information privacy professional, Dorsey & Whitney LLP
Melissa Krasnow is a partner in the corporate group in the Minneapolis office of Dorsey & Whitney LLP. Krasnow is a corporate, governance, compliance and M&A partner with a privacy and social media practice. She is also a certified information privacy professional and serves on the publications advisory board of the International Association of Privacy Professionals. She is a frequent speaker on privacy and social media, often quoted in national media.

Morris McInnes, professor and associate dean for academic affairs, Suffolk University’s Sawyer Business School
Dr. Morris McInnes is a professor of accounting and the associate dean for academic affairs at Suffolk University’s Sawyer Business School, where he has taught for the past 25 years. In addition, Dr. McInnes has taught at the MIT Sloan School of Management, the University of Maastricht in the Netherlands, the Harvard Business School, the Manchester Business School in the UK and has been a lecturer for the Greater Boston Executive Program. His expertise is in corporate financial strategy and control.

Mark Scovera, president, Access Florida Finance Corporation
Mark Scovera is the president of Access Florida Finance Corporation. In addition, he serves on the board of the Florida Asset Building Coalition. Previously, he was the senior vice president/CFO of the Florida Black Business Investment Board, Inc., a public-private partner with the state. Scovera has 20 years of experience in accounting and finance. He began his career at Arthur Andersen LLP in the audit division and has served as the controller and CFO for various companies in the Detroit area. He is licensed as a CPA and is a member of the AICPA.

In addition to the aforementioned interviewees, eight other executives from the retail, advertising, life sciences, manufacturing, recycling, financial services and consulting industries were interviewed. For privacy reasons these individuals did not wish to be quoted directly and requested to remain anonymous. Their roles included CFO, COO, CRO, EVP, VP of finance, controller and consultant.


The corporate value of social media

Tweeting, blogging and friending are common terms used in the world of social media, and they are becoming a part of business vocabulary as well. Still, these terms are barely the tip of the social media iceberg. Companies like Facebook, Twitter, LinkedIn and YouTube are helping to rewrite the rules for how companies are doing business in the 21st century. Social media is changing our working lives, giving employees — and employers — more flexibility and the ability to respond more quickly and, in some instances, in real time. But is all this social media technology good for business? Many companies are just now starting to take a serious look at the benefits of social media in business, and they are looking even more closely at the risks involved, such as fraud, theft, defamation, cyber-bullying and invasion of privacy among others.

Almost half (48%) of the senior financial executives who responded to the survey feel social media will be an important component of corporate marketing efforts going forward and only a small percentage (5%) think social media is a complete waste of time or has little to no value in the corporate world. The chart below illustrates the opinions of executives regarding the corporate value of social media.

Chart: Corporate value of social media
• Will be critical for all corporate marketing efforts going forward: 20%
• Will be an important component of corporate marketing efforts going forward: 48%
• May have some value but will most likely only have a peripheral value to corporate marketing efforts: 28%
• Fine for personal use, but little to no value in the corporate world: 4%
• Complete waste of time: 1%
Responses do not total 100% due to rounding.

While many senior financial executives see at least some value in social media, they were also asked for their opinion on how corporate usage of social media would develop over the next 12 months. The chart below reveals that 87% expect corporate use of social media to slightly or significantly increase next year.

Chart: How will corporate use of social media develop over the next 12 months?
• Increase significantly: 53%
• Increase slightly: 34%
• Remain fairly constant: 11%
• Decrease slightly: 2%


Across the board, senior financial executives think the speed with which social media has grown over the last five years has caught many of them by surprise. An anonymous international marketing consultant wasn’t surprised by the lag because, “social media hasn’t been the No. 1 priority for companies and it emerged at a time of great economic turmoil.” The CFO of a life sciences company pointed out, “For most of us the explosion in growth outpaced our ability to comprehend the new technology and adjust our strategies.” Mark Scovera, president of Access Florida Finance Corporation, echoed that sentiment: “It’s still a relatively new phenomenon especially for business. Business needs to figure out what [social media] can be and what we want to do with it.” Dr. Morris McInnes, professor and associate dean of academic affairs at Suffolk University’s Sawyer Business School, expanded on the theme, saying, “It’s still so new that people who make policy don’t fully understand social media. There are generational issues.” A controller from a wholesale company commented, “I think the idea of social media is growing but there was resistance at first because it was the ‘new thing.’ Some people questioned whether it was a fad.” For the interviewees, corporate use of social media ran the full gamut. Mark Ferguson, CFO of Bench Tree Group LLC, said, “Some of us do use LinkedIn but the company is not specifically pushing social media.” A vice president of finance at a manufacturer said, “I use it professionally; I’m on LinkedIn. Our company uses social media in two areas: HR and customer service/product support.”

A CFO and COO from a manufacturing company commented, “We are not using social media at this time, although it is under consideration.” A vice president of finance for a recycling company said, “We are not using it at the moment, although we are looking to use social media [to] manage information and get the message [out] about our quality of service. We’d also like to monitor our corporate image.” Meanwhile, some companies have already launched their social media efforts. The CFO of an advertising agency declared, “We use it as part of our industry. It’s part of our DNA.” McInnes commented on social media as part of the communication process. “We are using it to get our values out there — the education we stand for and the idea of transparency. Social media gives us another avenue of communication.” And Scovera said, “We use Facebook, Twitter and YouTube. We use Facebook for detailed article analysis, Twitter for quick ‘what’s happening’ alerts and updates, and YouTube for video commercials.”


Social media risks

The majority of senior financial executives surveyed believe there are potential risks involved in the use of social media; however, many respondents think that the risks can be mitigated or are outweighed by the benefits. The chart below illustrates the varying levels of concern.

Chart: How concerned is the company about potential risks of social media?
• We are very concerned: 11%
• We are concerned but believe risks can be mitigated or avoided: 38%
• We are aware of the risks but believe benefits far outweigh them: 25%
• We don’t believe there are appreciable risks: 22%
• Other: 4%

There are a number of risks to be considered when using social media. However, respondents were asked to prioritize only five of them: negative comments about the company, out-of-date information, disclosure of proprietary information, exposure of personally identifiable information (PII), and fraud. The chart below depicts their risk priorities, with 1 representing the most important risk and 5 the least important.

Chart: What is the most important social media risk? Risks shown, each ranked 1st through 5th:
• Disclosure of proprietary information
• Negative comments about the company
• Exposure of personally identifiable information (PII)
• Fraud
• Out-of-date information
Responses may not total 100% due to rounding.

While most executives have acknowledged the risks associated with data security and social media, many have yet to translate that acknowledgement into spending on security protections related to social media. This observation has been made in several previous documents, including the FERF report CFO Quarterly Outlook Report: August 2011. The report was created in the wake of several high-profile security breaches at major multinational companies. It noted that 61% of U.S. CFOs allocated more funds to data security, or at least are considering doing so. An executive vice president and chief risk officer at a financial services company pointed out, “We have not allocated anything more for the specifically defined purpose of social media security.”


The CFO of a life sciences company commented, “We have allocated more funds but that has not been driven by social media. It was driven more . . . by the proliferation of hacking and third-party data breaches. Intellectual property (IP) is one of the most important assets we have. We’re looking at buying a separate insurance policy for ‘cyber’ risks.” Regarding cyber insurance, Melissa Krasnow, corporate partner and certified information privacy professional at Dorsey & Whitney LLP, said, “In considering cyber insurance, a company should comprehensively review the insurance coverage, company policies and information security practices that the company has and consider the risks and regulations it faces as well as understand the different types of cyber insurance available to make sure that cyber insurance would cover the exposures sought.” Krasnow also observed, “Breaches and incidents are [occurring] frequently and people are receiving breach or incident notifications. The media is covering these, and [they] are being made public through the Internet. Breaches are occurring through social media and the Internet is publicizing . . . social media incidents. Breaches and data security … are [also] the subject of existing regulation, enforcement actions, litigation and legislative proposals. In addition, cyber attacks are happening frequently. As a result, there is more awareness of the need for data security. Policies, practices and technology can be used to help prevent or lessen the impact of breaches and incidents.”


As the use of social media continues to grow, so too does the risk of fraud involving social media. Most of our survey respondents had not directly experienced social media fraud. However, for those that had, it can be a costly and time-consuming process to undo the damage. The following three charts illustrate the percentages of respondents that had experienced social media fraud, the nature of the fraud and the estimated costs (including legal and investigative fees, and public relations costs, among others). Of the 43% who experienced a fraud other than identity theft or a scam, only one respondent specified the nature of the fraud — an HR issue.

Chart: Has company experienced fraud involving social media?
• No: 79%
• Don’t know: 18%
• Yes: 3%

Chart: Nature of fraud
• Identity theft: 29%
• Scam: 29%
• Other: 43%
Responses do not total 100% due to rounding.

Chart: Estimated cost of fraud
• Under $50,000: 75%
• $50,000–$100,000: 25%


None of the companies interviewed had experienced an incident of fraud involving social media. Here again, Krasnow’s experience provided great food for thought. “Social media exposures are new and varied. One risk in social media exposures is that there is a loss of control — one person’s or company’s information is transmitted to a social media website of another (i.e., third-party) company. The confidentiality or privacy of that information could be breached, even unintentionally, by submitting it to or posting it on a third-party social media website.” She continued, “While no company can [foresee] every risk, they need to anticipate and address significant known risks. For example, how do you go about shutting down an impostor account at a third-party social media website? This is something companies need to plan for and be prepared to do should the need arise. Time will be of the essence once an impostor account is disseminating false information. Be ready, and be prepared.”

Many interviewees said they had not directly experienced any confirmed data breaches, though a few have had to deal with hacking attempts. Scovera observed, “We did have an email hacking incident back in the spring. While no PII was lost, it did lead to some pharmaceutical advertisement e-blasts being sent.” A CFO from a life sciences company stated, “We’ve not had any breaches that we are aware of. I did hear that a major university hospital just had 20,000 names and [other] information posted to a website through a third-party vendor. Every time I hear things like this I shudder and go to speak with our vice president of IT to make sure we are covered.”


A timely response to any fraud or breach is essential, but prevention and early detection are perhaps even more critical. The survey asked executives whether their companies regularly review social media content to isolate potentially fraudulent activities and who is responsible for identifying these activities. The pie charts below illustrate their responses to these two questions.

Chart: Does the company regularly review social media content?
• Don’t know: 44%
• No: 29%
• Yes: 27%

Chart: Who is responsible for identifying and addressing fraud?
• IT: 24%
• Office of general counsel: 24%
• Corporate security: 7%
• Human resources: 7%
• Other: 37%
Responses do not total 100% due to rounding.

As social media continues to grow, so too will the need for adequate anti-fraud training. It is critical for management and employees to learn how to use social media appropriately, how to identify and respond to fraudulent activities, and how to address the legal issues surrounding social media. The chart below demonstrates that many companies have yet to provide anti-fraud training that is pertinent to social media.

Chart: Does the company train employees to identify and report fraudulent activity?
• No: 58%
• Yes: 21%
• Don’t know: 21%


The vice president and chief risk officer of a financial services company noted, “We have employee training around security and recently did a company-wide phishing test. Unfortunately, the results were not stellar. More of the upper management failed the test compared to lower level employees.” The executive added, “I’ve asked that social media be put on the agenda for our next risk committee meeting. I want to bring social media and its risks to management’s attention.”

Having a plan in place for dealing with instances of fraud and/or privacy breaches related to social media is crucial should the company ever find itself a victim of either. Sadly, more than half (61%) of respondent companies do not have such a plan. For those that do, we asked who within the company is responsible for managing the fraud or breach event. The charts below show their responses.

Chart: Does the company have a fraud management plan?
• No: 61%
• Yes: 22%
• I don’t know/Unsure: 18%
Responses do not total 100% due to rounding.

Chart: What department is responsible for managing fraud/privacy breaches?
• Office of general counsel: 24%
• Corporate security: 19%
• Human resources: 14%
• IT: 14%
• Other: 30%
Responses do not total 100% due to rounding.


So how confident are senior executives that sensitive, confidential information is adequately protected in their social media platform? The verdict seems to be split: Based on the survey results, 51% of respondents are confident or extremely confident, while 49% are either unsure or not confident. The chart below depicts these findings. With many risks to be considered, several of the interviewees expressed some concern that the use of social media on the job may negatively impact productivity. As in the early days of the adoption of the Internet, many companies wrestle with the tradeoff between the added benefit of social media and the potential for lost productivity due to abuse by employees.

Chart: How confident are you that sensitive or confidential information is adequately protected on social media platforms?
• Extremely confident: 9%
• Confident: 41%
• Not confident: 23%
• Don’t know: 26%
Responses do not total 100% due to rounding.

The controller of a wholesale company noted, “The main [concern] is internal productivity. We are looking to flesh this out now in our strategy moving forward. We operate very lean so it is important for everyone on our team to be clicking on all cylinders.” “We do worry from a productivity point of view; similar to [the] Internet and email, there is always concern about abuse,” said the vice president of finance for a manufacturer. Ferguson agrees that social media can be a drain on productivity: “The expectation is that people will only use social media at work if it’s business-related. As a general rule, I’ve found that if people are using Facebook at work they are goofing off; if they are using LinkedIn it’s more work-related.”


Social media policies

So how should employers approach social media and social networking tools in the workplace? A good place to start is with a social media policy. However, as was discovered through the survey and follow-up interviews, many companies simply do not have a social media policy in place, even though the use of social media has grown considerably over the last few years. The survey asked executives whether they had clearly defined policies regarding social media at their companies. The chart below shows that only 23% of companies had social media policies.

Chart: Does your company have a social media policy?
• No, and no plan to develop one: 41%
• No, but one is being developed: 35%
• Yes: 23%
Responses do not total 100% due to rounding.

While many companies do have policies regarding e-mail communication and technology use, very few companies have policies that specifically address social media governance and risks. Krasnow pointed out, “Many companies’ e-mail or electronic communications policies do not specifically cover social media.” She went on to say, “Increasingly, companies are adopting or at least considering social media policies. A company might not need a social media policy where another policy covers aspects of social media and that policy could be amended and updated instead of preparing a stand-alone social media policy. For example, many companies have an electronic communications policy to address appropriate uses of the company’s computer system and to reduce employee expectations of privacy and a company’s risk. Often, an electronic communications policy is amended to address the use of social media. Regardless of which approach is taken, a policy covering social media should be drafted to be consistent and integrated with other company policies (e.g., electronic communications policy, employee handbook, insider trading policy and disclosure policy) . . . . If there is any inconsistency between the policy covering social media and another company policy, the one that will govern should be noted.”


Given the rapid growth of social media, we inquired why so many companies do not have social media policies. Two key points were repeated by nearly all interviewees: the innovation and speed of social media growth, and a generational gap. For those companies surveyed that do have a social media policy, we asked who monitors compliance. The chart below shows the responses. Responsibility for monitoring compliance against policy within the organization appears generally diffuse and distributed. Forty-two percent of the respondents stated that their organizations had not identified anyone for this role. Seventeen percent identified “other,” and only 8% stated that the compliance department was responsible. There has not yet emerged a coherent governance strategy in most organizations around social media compliance and risk management. Without a specific individual or group taking responsibility for risk management, it is unclear how effective compliance monitoring efforts can be. So which department has overall responsibility for driving social media strategy and implementation in the organization? More than one-half (54%) of survey respondents cited the marketing/public relations department, as shown in the chart below.

Chart: Who monitors compliance with social media policy?
• No one: 42%
• Marketing/Public relations: 21%
• Compliance department: 8%
• IT: 7%
• Chief risk officer: 3%
• Business development/Sales: 1%
• Other: 17%
Responses do not total 100% due to rounding.

Many organizations are unclear on how they should measure the effectiveness of their social media strategy and efforts. The controller with a wholesale company said, “We are still in the infancy stage at this point with . . . social media usage in our business. We monitor Facebook joins and likes. We also run promos through our Facebook page. I think there needs to be a cross-pollination of our e-mail files with our Facebook and Twitter followers in order to gauge the productivity of [our relationship with] those followers.” Scovera mentioned, “The most important measure for us now is friends and followers. We want to start engaging them in a two-way conversation although we don’t really have any metrics for this yet.” Another respondent noted that, “friends and followers were a crude measure.” He went on to say that the key performance indicators depend on what industry the company is in and how the company plans to use social media. “I know of companies that use LinkedIn to qualify candidates and Facebook to disqualify candidates.”

Chart: Responsibility for social media
• Marketing/Public relations: 54%
• Company does not use social media: 19%
• No specific group takes the lead: 11%
• Business development/Sales: 7%
• Other: 9%


Conclusion

In addition to the key survey and interview findings that were presented above, noticeable themes emerged from the research. First, social media is a growing market and will continue to grow for the foreseeable future. While some companies have already established a strong social media presence, the reality of social media is that the next Facebook or Twitter is likely in the development stage right now, and further change in this space is inevitable.

Second, research showed that governance regarding social media remains very fragmented. Each company has its own opinions about social media and its potential uses, risk management strategies, etc. As social media use continues to grow in the business world, we may see a more uniform and standard approach. Finally, the awareness of the risks around social media is fairly low. Many executives do acknowledge there is risk involved in social media; yet this risk has not been well-defined for them. Governance structures to monitor compliance and manage risk are still very nascent. As the risks associated with social media begin to receive more public attention, organizations may respond more forcefully to perceived risks.


Appendix I: Respondent demographics

The 23-question online survey generated a total of 141 complete responses from a variety of senior financial executives, the majority (46%) of whom were CFOs. Ninety-seven percent of respondents’ companies were headquartered in the United States (those not located in the United States were headquartered in Europe). Below are the graphs depicting the respondents’ current title and company headquarters location.

While the majority (86%) of responses came from companies with less than $1 billion in annual revenue, nearly all revenue ranges were represented in the survey responses. Additionally, the majority of respondents were from private companies. Company annual revenue and company type are shown in the charts below.

Title

• Chief financial officer: 46%
• Vice president of finance: 12%
• Corporate controller: 11%
• Business owner, principal or partner: 7%
• Director: 6%
• Management consultant: 3%
• Managing director: 2%
• Other: 14%

Responses do not total 100% due to rounding.

Company headquarters

• United States: 97%
• Other: 3%

Annual revenue

• Less than $25M: 27%
• $25M–$99M: 30%
• $100M–$499M: 20%
• $500M–$999M: 9%
• $1B–$4B: 6%
• $5B–$9B: 4%
• $10B–$24B: 2%
• More than $25B: 2%

Company type

• Private: 67%
• Public: 22%
• Not-for-profit: 10%
• Government: 1%


Excluding the “other” category (which included responses from companies in the aerospace/defense, business services, construction, consulting, consumer marketing and products, and private equity industries), financial services (15%), manufacturing (14%), and professional, scientific, or technical services (10%) were the most represented industries. The chart below shows all the industries represented in the survey responses.

Industry

• Financial services: 15%
• Manufacturing: 14%
• Professional, scientific or technical: 10%
• Insurance: 6%
• Health care: 5%
• Wholesale distribution: 5%
• Higher education: 4%
• Retail: 4%
• Telecommunications: 4%
• Energy: 3%
• Software: 3%
• Transportation: 3%
• Life sciences: 2%
• Agriculture, mining and construction: 1%
• Government: 1%
• IT services: 1%
• Media: 1%
• Utilities: 1%
• Other: 17%


Remember: Protect the brand, protect yourself.


Appendix II: Sample social media policy2

Be smart. Be respectful. Be human.

Guidelines for functioning in an electronic world are the same as the values, ethics and confidentiality policies employees are expected to live every day, whether you’re Twittering, talking with customers or chatting over the neighbor’s fence.

What you should do

Disclose your affiliation: If you talk about work-related matters that are within your area of job responsibility, you must disclose your affiliation with the company.

State that it’s YOUR opinion when commenting on the business. Unless authorized to speak on behalf of the company, you must state that the views expressed are your own. Hourly employees should not speak on behalf of the company when they are off the clock.

Protect yourself: Be careful about what personal information you share online.

Act responsibly and ethically: When participating in online communities, do not misrepresent yourself. If you are not a vice president, don’t say you are.

Honor our differences: Live the values. The company will not tolerate discrimination (including age, sex, race, color, creed, religion, ethnicity, sexual orientation, gender identity, national origin, citizenship, disability, or marital status or any other legally recognized protected basis under federal, state, or local laws, regulations or ordinances).

Offers and contests: Follow the normal legal review process. If you are in the store, offers must be approved through the retail marketing toolkit.

What you should never disclose

The numbers: Non-public financial or operational information. This includes strategies, forecasts and most anything with a dollar figure attached to it. If it’s not already public information, it’s not your job to make it so.

Promotions: Internal communication regarding drive times, promotional activities or inventory allocations, including: advance ads, drive time playbooks, holiday strategies and Retail Insider editions.

Personal information: Never share personal information regarding other employees or customers. See the Customer Information Policies for more information.

Legal information: Anything to do with a legal issue, legal case or attorneys.

Anything that belongs to someone else: Let them post their own stuff; you stick to posting your own creations. This includes illegal music sharing, copyrighted publications, and all logos or other images that are trademarked by the company.

Confidential information: Do not publish, post or release information that is considered confidential or top secret.

Basically, if you find yourself wondering if you can talk about something you learned at work — don’t. Follow the company’s policies and live the company’s values and philosophies. They’re there for a reason.

Just in case you are forgetful or ignore the guidelines below, here’s what could happen. You could:
• be fired (and it’s embarrassing to lose your job for something that’s so easily avoided);
• get the company in legal trouble with customers or investors; or
• cost the company the ability to get and keep customers.

2 This social media policy has been adapted, with permission, from Best Buy Co., Inc.


About the authors

Thomas Thompson Jr.

Thomas Thompson Jr. is a senior associate, research, at Financial Executives Research Foundation and the author of more than 20 published research reports. Thompson received a BA in economics from Rutgers University and a BA in psychology from Montclair State University. Prior to joining FERF, Thompson held positions in business operations and client relations at NCG Energy Solutions, AXA-Equitable and Morgan Stanley Dean Witter.

Thompson can be reached at [email protected] or 973.765.1007.

Jan Hertzberg

Jan Hertzberg, CISA, CISSP, PCI QSA, leads Grant Thornton’s Business Advisory Services IT Audit, Security and Privacy practice located in the Chicago office. He has more than 25 years of experience and has held leadership positions with Fortune 100 companies, including IBM, Abbott and Ernst & Young. As an audit and security consulting practice leader in the United States and Latin America, he has managed teams that provided guidance and support to clients that are integrating IT controls into advanced technology solutions. Hertzberg has led numerous information security and privacy risk assessments, external and internal vulnerability scans, social engineering and war-dialing engagements, and HIPAA/GLBA privacy reviews. Hertzberg is a frequent speaker and moderator on information security and privacy topics and has written and lectured extensively on information security assessments, IT, staff development, and convergence between information and physical security. He received his MS in computer science and his MA in history from Northern Illinois University.

Hertzberg can be reached at [email protected] or 312.602.8312.

Mark Sullivan

Mark Sullivan, CFE, CFI, CPP, leads Grant Thornton’s Forensic Accounting, Investigations and Litigation Support Services for the Midwest Region. He is also the firm’s National Service Line Leader for Investigations. Sullivan specializes in corporate investigations, fraud prevention and detection, and litigation support. For more than 25 years, he has worked with companies and their counsel worldwide to investigate frauds, develop and implement anti-fraud programs, and identify organizational vulnerabilities. His advanced interviewing skills and his experienced team of forensic accountants and e-discovery and computer forensics professionals provide an unparalleled response to data breaches, complex investigations and litigation matters.

Sullivan can be reached at [email protected] or 312.602.8110.


About Grant Thornton LLP

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

About Financial Executives Research Foundation, Inc.

Financial Executives Research Foundation (FERF) is the non-profit 501(c)(3) research affiliate of Financial Executives International (FEI). FERF researchers identify key financial issues and develop impartial, timely research reports for FEI members and nonmembers alike, in a variety of publication formats. FERF relies primarily on voluntary tax-deductible contributions from corporations and individuals, and publications can be ordered by logging onto www.ferf.org.


Acknowledgements

Platinum Major Gift | $50,000 +
Exxon Mobil Corporation; Microsoft Corporation

Gold President’s Circle | $10,000 – $14,999
Abbott Laboratories, Inc.; Cisco Systems, Inc.; Dow Chemical Company; General Electric Company; The Boeing Company

Silver President’s Circle | $5,000 – $9,999
Apple, Inc.; Comcast Corporation; Corning Incorporated; Credit Suisse; Cummins Inc.; Dell Inc.; Duke Energy Corporation; E. I. du Pont de Nemours & Company; El Paso Corporation; Eli Lilly and Company; GM Foundation; Halliburton Company; Hewlett-Packard Company; IBM Corporation; Johnson & Johnson; Lockheed Martin Corporation; Maple Leaf Foods, Inc; Medtronic, Inc.; Motorola Solutions, Inc.; Pfizer Inc.; Procter & Gamble Co.; Safeway Inc.; Sony Corporation of America; Tenneco; The Hershey Company; Tyco International Management Co.; Wells Fargo & Company


© 2011 Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

© 2011 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher.

The views set forth in this publication are those of the authors and do not necessarily represent those of the FERF Board as a whole, individual trustees, employees or the members of the Advisory Committee. FERF shall be held harmless against any claims, demands, suits, damages, injuries, costs or expenses of any kind or nature whatsoever except such liabilities as may result solely from misconduct or improper performance by FERF or any of its representatives.

International Standard Book Number 978-1-61509-080-8

Authorization to photocopy items for internal or personal use, or for the internal or personal use of specific clients, is granted by FERF provided that an appropriate fee is paid to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information please visit the Copyright Clearance Center online at www.copyright.com.