Social Media: Monitor, But With a Regard for Privacy
When working on one set of challenges, don’t create new ones.
Wise words to follow, and especially true for advisers when it comes to ensuring that employees are not using Facebook, LinkedIn, Twitter and other social media sites in a way that might violate their firm’s policies and procedures.
Social media sites provide multiple ways in which confidential information can be improperly disseminated or improper transactions can be discussed. In addition, the content on such sites could be construed as advertising of the firm or its advisory services and thus regulated by the Advisers Act. Broadly speaking, if an employee publishes anything misleading about a firm or its products, it could be deemed to be misleading and therefore fraudulent.
Most social media violations are likely to be from employees who either are uninformed about advisory firm policies and procedures, or who unintentionally err and violate them while using social media, such as a tweet about a company acquisition sent to thousands of followers. Some, however, may be intentional communications from individual employees to other parties about transactions or practices that represent conflicts of interest, personal trading, sharing of material nonpublic information, or something else.
Advisers should therefore monitor their employees’ social media use to prevent and put a stop to any such violations or misuse. There are a number of best practices to do this, but advisers should also beware of practices they should not follow (see section below) that can get the firm in trouble.
The SEC issued a January 2012 risk alert on use of social media that provides some general guidelines, and a March 2014 guidance alert regarding social media and testimonials. But it has not promulgated any specific rules that deal with social media’s inherent abilities and steps that advisers should follow. "The agency is agnostic as to the form of your communication with another person or with the public, whether it’s by email, social media or carrier pigeon," said Shearman & Sterling partner Russell Sacks. "From the SEC’s point of view, it’s all communication."
"If someone is trying to get around the system, they will find a way," said Mayer Brown attorney Adam Kanter. But there are things you can do to mitigate the compliance threat.
Consider the following:
Policies and procedures. The best advice to give an adviser is to prohibit employees from discussing anything business/firm/client related on their personal social media sites and require them to acknowledge each year that they will adhere to this policy. If an adviser allows employees to use social media to discuss market-related issues or market their firm, advisers should consider usage guidelines, said Montgomery McCracken of counsel Terrance Reilly. "Define inappropriate usage or messages," he said, as well as where your firm stands on topics such as whether to permit employees to contribute to third-party sites.
Restrict access to social media sites from your work computer. "It’s a little intrusive and a lot of employees won’t like it," but consider electronically blocking sites like Facebook, LinkedIn and Twitter at work, said Kanter. For company social media sites, allow only certain individuals access to them. Be aware, however, that blocking sites on a work computer only gets one so far. "It doesn’t stop employees from accessing the sites via their smart phones or on their personal computers."
Require tweet approval. Tweets can be dangerous, as they disseminate information and views – possibly confidential information – to a wide audience in a matter of seconds. If you allow employees to use Twitter for business purposes, create a tweet review and approval process, said Sacks. Firms may also want to consider monitoring employee tweets, although this can become difficult if a firm has, say, 100 employees, said Kanter. Solution: Perform spot checks and/or random sampling of employee tweets.
Monitor social media use. "It should be monitored by the compliance department, similar to monitoring other communications," said Reilly. Firms should consider performing reviews in certain time frames built to coincide with certain "trigger events," such as the internal use of information that, if released, could result in allegations of insider trading, Kanter said.
Hire a third-party "social media awareness" scanner. These companies will scan employee use of public social media sites, said Sidley Austin partner Edward McNicholas. The downside is that doing so will cost money. Advisers can do such scanning themselves using one of many services available, but should be wary: They may learn more than they want if they monitor personal sites, including private information on employee religious, sexual or financial matters. That information can later bite the employer in a personnel action under privacy law or employment law, he said.
Use the Internet to monitor the Internet. Common search engines, such as Google, can turn up a lot, but they will not reveal messages sent through private channels, said McNicholas.
Train employees not to inadvertently release information. This can occur when information on different social media create a "mosaic" that reveals more than an individual poster intended. McNicholas provided this example: A news report is published saying that a company is for sale, but the company is not named. Many in the securities industry know who would handle that kind of sale, and who the individuals at those firms might be. Shortly after, one of those individuals posts on his Twitter or Facebook account, "Can’t believe it, my big deal just blew up," allowing those with knowledge of the industry to put all three together and get a good idea of what happened. Employees should be trained not to post seemingly innocuous adviser information. In particular, employees should avoid posting their calendars, which might reveal when key individuals are in certain locations that may be where important negotiations or events are occurring, he said.
What not to do
Social media is ever-adapting, with new functionalities and new types of social media appearing, it seems, ever more often. As part of that evolution, the distinction between the business world and the personal world, at least as far as electronic communications are concerned, may seem increasingly blurred. "In a 24/7 global interconnected environment, there is such a mingling of personal and professional lives that it is very difficult not to have a mixing of information," said McNicholas.
Faced with such a social media environment, advisory firms concerned about running afoul of firm policies and procedures and meeting their fiduciary duty to clients might be understandably drawn to overly aggressive monitoring of employee social media use, including requiring them to provide the user names and passwords to their personal social media accounts. That would not be a wise course. Consider the following:
State laws and regulations. There are multiple state laws that preclude employers from requiring employees to divulge user names and passwords, said McNicholas. Even if an employee signs a waiver saying that he or she is willingly providing this information, "that may not be fully effective," he said, and firms considering that course should first check their state laws and regulations to make sure that the use of the waiver form itself is not a violation.
Ethics. This would be "a horrible invasion of privacy," said Kanter, and it may not even be worth it in terms of what you turn up. "You don’t go to people’s houses and check up on them," said Sacks.
Workload. If a firm has fewer than five employees, monitoring personal sites may not take that much time. But monitoring the social media sites of larger numbers of employees can be very time-consuming for a compliance department, taking time from other necessary work, McNicholas said. Larger firms may wish to outsource their monitoring.
The risk of not acting
The trick for advisers today is to stay on top of social media and how employees use it without becoming overly intrusive in their employees’ private lives. That’s a balancing act that will require some attention and skill.
But not acting carries its own dangers. "You run the risk that someone does something wrong that you could have caught," said Kanter. "You run the risk of looking culpable."