Update on enterprise social media risks

Social Media Risks to Enterprises Constantine Karbaliotis Data Protection & Privacy Lead

description

Revisiting enterprise social media risks; managing risks from an enterprise perspective, when companies and their employees venture into social media and networking. Delivered at the IAPP Global Privacy Summit (Washington DC) on April 20 and 21, 2010.

Transcript of Update on enterprise social media risks

Page 1: Update on enterprise social media risks

Social Media Risks to Enterprises

Constantine Karbaliotis

Data Protection & Privacy Lead

Page 2: Update on enterprise social media risks

Session Description

• Social media and software are of increasing interest to both private and public sector organizations. While these technologies offer exciting new opportunities to share information and to interact with customers, they also represent a new area of risk for the exposure of confidential and personal information. Get an update on the changes being brought about by social media in response to regulators’ and consumers’ concerns, and learn the latest strategies for minimizing risks to organizational security and reducing liability.

Page 3: Update on enterprise social media risks

Agenda

1. Introduction

2. Enterprise Uses of Social Media

3. Enterprise Risks from Social Media

4. Strategies and Tactics

5. Case Study

6. Conclusion/Q&A

Page 4: Update on enterprise social media risks

Introduction

Page 5: Update on enterprise social media risks

What is Social Media?

• “Social media” includes:

– social networking (Facebook, MySpace)

– blogging (WordPress, Blogger, TypePad, etc.)

– wikis (Wikipedia, Wikia, etc.)

– microblogging (Twitter)

– business or technical networking (LinkedIn, Spoke)

• in short, anything that can be considered user-generated content

Page 6: Update on enterprise social media risks

Generation Y/Millennials

• Demand …

– 42% of office workers between the ages of 18 and 29 discuss work-related issues on blogs and social networking sites (YouGov)

– 50% of surveyed organizations indicate that at least 30% of their network bandwidth is being consumed by social networking traffic (Forrester)

“Who uses e-mail anymore? – that’s old school!”

• And supply …

– It is estimated that nearly half of all web developers are already using AJAX

– 66% of surveyed organizations indicate that Web 2.0 is essential to maintaining their company’s market position (McKinsey)

Page 7: Update on enterprise social media risks

Social Networking in the News…

• Canada takes lead role in Facebook privacy issues

– Discussions between Facebook Inc. and the Office of the Privacy Commissioner of Canada (OPC) over the social networking site's compliance with Canadian federal privacy law are moving along smoothly, according to spokespersons from both sides. ... Privacy Commissioner Jennifer Stoddart found Facebook in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada is now recognized as the first country in the world to issue legally binding recommendations to the social networking site. (NetworkWorld, August 21, 2009)

• Is Internet privacy dead? No, just more complicated: researchers

– The numbers tell one story: With 10 billion Tweets sent and 400 million Facebook users signed, people clearly want to be heard and seen and able to hear and see others on social networks. But Internet users also care about privacy, according to experts. Particularly when they feel like they’ve lost control of their personal information. That is when trust is broken. (Washington Post, March 15, 2010)

• Privacy watchdog takes issue with Google Buzz

– Canada's top privacy watchdog is taking aim at another international tech titan. Less than a year after its investigation spurred sweeping privacy changes at Facebook, the Office of the Privacy Commissioner of Canada is now looking into complaints that Google Inc.'s new social networking tool, Google Buzz, might run afoul of Canadian privacy standards. (Vancouver Sun, February 17, 2010)

Page 8: Update on enterprise social media risks

Privacy’s role in selling the message in the organization….

• The goal is not to stop innovation or creativity

• The goal is:

– To understand the risks associated with an activity;

– To address them by minimizing them to the extent reasonably possible; and

– For a responsible person in the enterprise to accept the residual risk.

• My mantra:

– Conscious acceptance of risk

– No sleepwalking

Page 9: Update on enterprise social media risks

Enterprise Uses of Social Media

Page 10: Update on enterprise social media risks

Social Media and Privacy Risks

• Most privacy risks not exclusive to social media sites and technology

• Simply blocking these sites will not mitigate the hazards of increasingly interactive consumer Web applications

• There are corporate advantages to use of social media, the most compelling of which are innovative marketing, attracting employees and providing a progressive work environment

• Social media is just one part of our overall concerns about doing privacy ‘right’

Page 11: Update on enterprise social media risks

Organizational Uses of Social Media

• Internal Uses:

– Employee social networking

• External Uses:

– Employee social networking

– Technical and customer support

– Marketing and customer data collection

Page 12: Update on enterprise social media risks

Content Creation

• Social media can be operated by:

– The organization

– The organization with content provided by employees and customers

– Others and used officially by the organization

– Others informally

– Others both officially and unofficially

Page 13: Update on enterprise social media risks

Behavioural Profiling

• The data collected by observing what users do

• Very interesting data, very valuable and at the same time, attracting a lot of negative attention from privacy regulators

• One of the key reasons to set up social media sites and technologies – apart from advertising – is the generation of this behavioral information and thus targeted advertising

Page 14: Update on enterprise social media risks

Two main areas of risk for Enterprises:

1. Risks to enterprises from their employees using social media tools that the enterprise provides or uses (“Enterprise Social Media Risks”); and

2. Risks to enterprises from consumers using social media tools that the enterprise provides or uses (“Consumer Social Media Risks”).

Page 15: Update on enterprise social media risks

Enterprise Social Media Risks

Page 16: Update on enterprise social media risks

Employee use of Social Media

• Internal losses: Employees can -

– Violate the privacy of others

– Violate their own privacy

• External losses: Employees can -

– Disclose confidential company information

– Create a ‘record’

Page 17: Update on enterprise social media risks

Unintended Consequences: Security & Compliance

• Facilitating social engineering

• Additional security risk on computers

• Spamware or spyware

• Compromise not only their own but organizations’ security

• Even legitimate toolbar tools can present data export issues

Page 18: Update on enterprise social media risks

Unintended Consequences: TMI

• By offering TMI, employees can create awkward situations

• Certain social networking communications may be seen as creating a hostile work environment and put the company and employee(s) in jeopardy

• Can lead to regulatory or legal actions against both employee and enterprise

Page 19: Update on enterprise social media risks

Hosting Issues

• Risks also arise from the choice to host internally or use third parties

• Hosting internally has associated cost, governance and management issues

• Third parties, however, raise a whole other dimension

Page 20: Update on enterprise social media risks

Consumer Social Media Risks

Page 21: Update on enterprise social media risks

Consumer Risks: Enterprises need to understand their consumers do care about privacy, but …

• Behaviours contradict stated concerns about privacy

• “Passwords revealed by sweet deal”, BBC News

• The why: People are terrible at assessing risk

• “The Drunkard’s Walk: How Randomness Rules Our Lives,” Leonard Mlodinow

• Thus the duty of Enterprises as stewards

Page 22: Update on enterprise social media risks

Unintended Consequences: Intended versus unintended audience…

• Enterprise social media sites must consider the personal risks that they may inadvertently create for their users:

• Enterprises need to consider the forum that they are creating and how their consumers’ information might be used, or misused

Page 23: Update on enterprise social media risks

Unintended Consequences: The Durability of Data

• Search engines also scan social media content created by users, including risks associated with ‘deep web’ search engines

• Enterprise risks are considerable in the retention area of social media if not addressed through careful design

Page 24: Update on enterprise social media risks

Strategies and Tactics

Page 25: Update on enterprise social media risks

Internal Governance: Revisit and Update Privacy Policies, Privacy Notices, and Code of Conduct

• Ensure your Code of Conduct addresses the risks associated with social media

• Revisit policies, privacy notices/statements – do they address the risks of social media?

• Train and Inform

• Update employment contracts and acceptable use agreements to allow for social media

Page 26: Update on enterprise social media risks

Privacy Notices: Revisit Notice and Consent

• Informed consent is key to obtaining and using personal information in social media and elsewhere

• Consider use of layered notices

• Update and revise the terms and conditions associated with use

Page 27: Update on enterprise social media risks

Behavioural Profiling: FTC Principles on Behavioral Tracking

1. Transparency and consumer control

2. Reasonable security and limited data retention for consumer data

3. Affirmative express consent for material changes to existing privacy policies

4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising

Page 28: Update on enterprise social media risks

Design Considerations: Taking the High Road in Social Media

• Privacy impact or risk assessment

• Notify what activities are tracked

• Allow ‘opt out’ of tracking

• Always link to privacy notices

• Transparency

Page 29: Update on enterprise social media risks

Design Considerations: Taking the High Road (2)

• Retention clarity

• Anonymization as part of retention

• Data Security

• Manage search engine risks

Page 30: Update on enterprise social media risks

Design Considerations: Taking the High Road (3)

• Preference management

• Appropriate security for account

• Prominent display of privacy notices and terms of use

• Effective deletion of accounts and PII

Page 31: Update on enterprise social media risks

Design Considerations: Purpose & Data Minimization

• Honestly be able to assess the value of the trade being made by your community:

– Is what they’ve traded for a fair trade?

– Are they giving too much?

– Do they really know all that is really intended – or perhaps unintended but likely – in relation to what they’re trading?

– Are they entrusting it to an enterprise that can protect that asset properly?

Page 32: Update on enterprise social media risks

Design Considerations: Social Media Privacy Considerations

• User names

• Profiles

• Uses

• User account deletion

• Lawful disclosure

• Transfers

• Complaints

Page 33: Update on enterprise social media risks

Case Study

Page 34: Update on enterprise social media risks

SymConnect: Technical Networking

Page 35: Update on enterprise social media risks

Social Media Privacy Policy

Page 36: Update on enterprise social media risks

Pseudonymity

Page 37: Update on enterprise social media risks

Ts & Cs

Page 38: Update on enterprise social media risks

Design Standards & Guidelines

• Developers building social media sites

– Design considerations mentioned previously

• Employees using social media sites given specific direction but reminded to comply with:

– HR policies

– Privacy policies

– Security policies

Page 39: Update on enterprise social media risks

Conclusion/Q&A

Page 40: Update on enterprise social media risks

Enterprises’ Duty as Stewards

• Essential to be the ‘good guys’ in the management of customers’ data

• Understanding risk in relation to your stewardship of personal information in the social media context

• Act as the customer’s IT department

Page 41: Update on enterprise social media risks

Conclusion

• What is the intent of collecting this information – no service is really for free, so what is being ‘traded’?

• Be up front about what the trade is

• Have in place the measures to enforce the deal

• And keep in mind that transparency won’t excuse actions representing unexpected uses of personal information

Page 42: Update on enterprise social media risks

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Constantine Karbaliotis, J.D., CIPP/C/IT

416.402.9873