Managing social media risks



FW moderates an online discussion on managing social media risks between Stephen Bonner, a partner at KPMG, James Gatto, a partner at Pillsbury Winthrop Shaw Pittman LLP, and Jeffrey S. Bosley, a partner at Winston & Strawn LLP.

FW: Drawing on current trends, could you provide an overview of the risks to businesses associated with the increasing use of social media?

Bosley: According to a published survey, Americans spent 53.5 billion minutes on Facebook in May 2011. As smart phones, tablets, and other portable media screens continue to proliferate, it is impossible for businesses to stay on the sidelines concerning social media, or ignore the risks created by social media. These risks include regulatory risk, such as compliance with Federal Trade Commission (FTC) guidance regarding product endorsements and evolving Fair Credit Reporting Act requirements regarding data collection and usage; compliance risk, such as unauthorised disclosure of ‘inside’ or confidential information and violation of employment, privacy or other consumer protection laws; reputational risk, including unfair competition claims, and potential claims of defamation or slander; and commercial risk, such as loss of intellectual property, or dilution of copyrights or trademarks.

Bonner: According to our research exploring how businesses are making the most of social media, it is the emerging markets which seem to understand that social networks offer a relatively low cost opportunity to leapfrog the competition in more developed environments. Clearly, this means that the biggest risk is not using social media effectively and allowing your competitors to steal a march on your business. However, non-participation isn’t the only risk. Potentially more damaging is the impact of getting involved without having a defined structure or approval process in place. Think, for example, about the commercial impact of staff inadvertently sharing sensitive information through what they may see as innocuous comments or the damage to your brand if advertising guidelines or financial selling controls are ignored because some mistakenly see social media as an informal ‘selling ground’. There’s also the risk of malicious users purporting to represent your brand and harming (online) reputations or the impact of staff being targeted by fraudsters because of the footprint they leave in social media. The point is that precautions need to be taken to mitigate risks in the shape of content policies, privacy settings and passwords.

Gatto: Many companies are unaware of all the legal issues implicated by various social media implementations. The regulators are also getting up to speed on some of the issues, so as usual the law is lagging behind the market. Many companies think it is okay to do something just because their competitor is doing so. Often this results in enforcement actions against each of them. It is critical to stay ahead of the curve, understand the legal issues and the risks and to make sound business decisions based on that.

FW: How important is it for companies to develop a comprehensive and effective social media strategy? What primary goals should they look to achieve? 

Bonner: Executives may be naive in thinking that banning access to social networks eliminates employee use and mitigates risk. Yet all the evidence suggests that such a move drives employees to using less secure personal devices, so rather than leave things to chance it is far more effective to create a social media strategy. We found that more than 70 percent of companies globally are now active on social networks and see them as viable and effective business tools. Yet they would be unwise to let things follow an organic growth path and, just as they would with other business platforms, it makes sound business sense to have goals, actions and checks and balances in place to mitigate risk. This also means measurement is critical. From our research it is clear that the most quoted benefits include a wider knowledge pool, an increased public profile, increased job satisfaction and the opportunity to cultivate relationships. Essentially this means that strategy should consider risk but focus on meaningful business growth and set targets for that growth.

Gatto: It is critical to develop and publish a comprehensive social media policy to ensure employees know what they can and cannot do, to protect the company’s assets, reputation and goodwill and avoid liability. Companies need to be clear when employees are using social media in a personal capacity and when they are doing so on behalf of the company. It is critical for companies to make sure they are proactive in ensuring they own all of the IP to which they are entitled. There are some pending suits – for example, Phone Dog – where companies have not done so and the companies are in jeopardy of losing valuable IP. Social media policies cannot be overreaching. The NLRB has struck down some big companies’ social media policy as violating employee rights. The list goes on.

Bosley: A comprehensive strategy is essential to managing the risks of social media. A comprehensive strategy not only establishes ground rules for users, it can also provide a helpful defence against unauthorised usage by ‘rogue’ employees or vendors. While not a panacea, in at least one case the existence of a written social media policy was key in closure of an FTC investigation of a social media promotion conducted by a company’s media firm. Because anticipating all situations that may arise concerning social media is difficult, if not impossible, incorporating broader key goals into a company’s strategy is an effective way to create a compliance culture. Common broader goals include: respect for the reputation, views and intellectual property of others; honesty and integrity in communications about the company and its products; adherence to company policies prohibiting discrimination and harassment; transparency in endorsements of products; and consistency in enforcement.

FW: What provisions do companies need to consider and include in their social media policies?

Gatto: Each company needs to create a customised policy depending on corporate philosophy, how they are using social media and other factors. Some of the common issues are: use of social media in hiring and firing employees; employee usage issues; ownership of IP in social media assets such as domains, blogs, twitter handles and followers; prohibition on misuse of confidential information; prohibition on misuse of third party IP in social media posts; ensuring the company, not an employee in an individual capacity, controls social media accounts; prohibiting violation of FTC Endorsement Guidelines; document retention; privacy and data usage issues; securities laws issues; and many more.

Bosley: Social media policies need to clearly set forth who is authorised to speak on behalf of the company concerning business or legal matters, and what conduct is prohibited concerning social media usage. Delineating what conduct is prohibited must be done carefully in the United States, particularly as to off-site or off-duty communications. The National Labor Relations Board, which possesses jurisdiction over many US employers, has recently been very active concerning social media policies. The NLRB’s Acting General Counsel has issued several memoranda describing the agency’s attempts to balance the interests of businesses in protecting confidential information and maintaining production against the rights of employees to engage in collective activity around the modern social media ‘water cooler’. While the NLRB has found narrow proscriptions on protecting competitive information to be lawful, it has found broad confidentiality clauses unlawful. In cases where obligations under a policy may be vague, the NLRB encourages US employers to adopt examples to illustrate what conduct is prohibited under the policy. For those employees who are tasked with speaking on behalf of the company and building its social media presence, care should also be taken to lawfully protect intellectual property created by those persons as property of the company. Such property may include Twitter account names, contact databases, and so on.

Bonner: It’s encouraging to note that 55 percent of the companies we have surveyed in the UK already have policies in place regarding social media use – but it is concerning to see we are behind the curve compared to the US and China, at 60 and 63 percent, respectively. Perhaps this is because there is no defined ownership of social media, as it is an area touched upon by so many departments within a business. But whether it’s a dedicated online team, customer relationship managers or the marketing department, organisations need to build provisions around four key areas. To begin with, consider who can use social media on behalf of the organisation, define the official channels – a decision which should be based on customer behaviour – and also make it clear the extent to which staff who use social media in a personal capacity can talk about their work. There will also be times when customers or third parties using social media refer to the company or brand and there need to be provisions for how to deal with any issues which arise. The trick is not to panic, but to have a number of scenario plans in place – just as organisations would for any form of proactive reputation or crisis management activity.

FW: What issues should companies consider in developing strategies to monitor and respond to online discussions associated with their businesses or brands? 

Bosley: In developing both social media policies and strategies to monitor and respond to online discussions, a multidisciplinary approach is recommended. The issues raised are not restricted to marketing, public relations, legal or human resources, but cross all disciplines. For example, an emerging issue in the US is how and to what extent employers can gather information from social media sites concerning job applicants. While information gleaned from social media sites may be valuable, it can also be a source of unwanted legal liability. Many states are now considering express rules prohibiting employers from asking for passwords to social media sites as part of the hiring process. Risks may even vary by site or medium. While visiting a public LinkedIn page may provide useful information concerning an applicant’s work history or professional commitment, a Facebook page may reveal information that could form the basis for a discrimination charge, such as a medical treatment for an otherwise undisclosed disability, or a messy divorce, followed by missed work due to childcare needs. The Fair Credit Reporting Act and similar state statutes also regulate how certain information is gathered. If outside resources are improperly used or relied on to gather information, this presents additional risk. Navigating these risks requires multidisciplinary coordination, and a deliberate, considered approach to what information is accessed and who accesses the information.

Gatto: First, do no harm. If someone raises a reasonable concern, address it if you can. Be factual and do not incite people further. Sort through legitimate feedback from people who are just looking for attention. Some of these are tough calls, but use reasonable business judgement and sometimes it is best not to engage certain users.

Bonner: A key ingredient for successful social media engagement is taking the time to listen before talking. Due to the speed and ‘always on’ nature of social media it’s tempting to rush a response, but it is often better to take a considered approach, giving the organisation time to understand the tone, conventions and intentions of the community engaged in discussion. It is also worth investing time building an online following. Just as brands have dedicated supporters in, say, the High Street environment, it is increasingly likely that they will have online ‘followers’. Think about the value they bring as it is much easier to respond and handle issues when you have an existing contact base where reputation and trust has been earned as these supporters can be called upon to help get your points across. However, at the same time, it is important to avoid being seen as directing conversations or placing stooges in discussion groups as the tech-savvy consumer is all too aware of this form of guerrilla marketing.

FW: Crisis management is a key aspect of handling any negative fallout from social media. What action should companies take to minimise damage to their reputation following discovery of a social media storm?

Bonner: The common misconception is that it’s all about how organisations are seen to react. Nothing can be further from the truth because the best approach is solid preparation. By identifying potential pitfalls, carrying out scenario planning and testing the implementation of crisis management plans with all the relevant business units within an organisation, businesses will be in a much better position to defend their reputation than struggling to come up with a response, action plan and allocation of responsibilities in the midst of a crisis. By ensuring there is a controlled workflow/approval process for social media updates the risk of causing a storm is reduced. Similarly, having a good records management system will allow you to be certain what was said by whom and when. At the same time it is important to have a ‘rapid detection team’ in place. Effective situational awareness allows for faster response and can help put out fires before they become infernos. Companies should scan their official accounts for malware or offensive content being published so they aren’t blindsided by issues. 

Gatto: Companies need to be prepared to handle these issues before they happen. Each situation is different, but there needs to be a clear plan that includes, where appropriate, an immediate response team to fix whatever the issue is, a corporate communication strategy to address customers and the press, and notification to appropriate government authorities as needed. Companies that have no plan and fumble around for days get hammered.

Bosley: In the highly interactive and real time world of social media, it is essential to be prepared to play offence, as well as defence, when a company’s reputation is challenged. By playing offence, Domino’s Pizza was able to generate a positive social media image, after initial missteps and a delayed response to a viral video damaged its products and reputation. In order to be ready to react quickly, stakeholders should be identified in advance to evaluate first whether, and then how, to respond to social media attacks. In some cases, a response may risk making a situation worse, not better; however when a response is required it must be swift.

FW: What advice would you give to companies on how to deal with an employee in the event of misuse of social media?

Gatto: These are often dealt with like other HR issues. It starts with having a clear written policy so it is clear what is a violation. From there it depends on the severity of the issue. For minor issues, often a warning may suffice. In extreme cases dismissal may be appropriate. This is highly fact specific. 

Bonner: Employees should be governed by a code of conduct that governs all forms of representing the brand. The point is that social media is just another medium and misdemeanours in the online world should be treated exactly as any other employee misuse issue would be dealt with. Don’t overreact – that’s why you have a plan in place – but do make sure you maintain your normal standards and take coherent and consistent action against anyone involved. If you have a clear and fair process against a published policy that has been communicated, with access to tools to do the right thing, then employees know where they stand and can embrace the business benefit without unnecessary risk.

Bosley: In the US, discipline or discharge of an employee for misuse of social media presents many potential legal issues, particularly if the misuse of social media occurs outside the workplace or is arguably protected by a regulation or law, such as the National Labor Relations Act. Many states expressly restrict discipline of employees based on off-duty activities, and others restrict or prohibit discipline for certain types of ‘whistle-blowing’ activity. Clearly, discipline is both possible and appropriate in some cases, and a written policy is the first line of defence. Navigating lawful versus unlawful discipline requires first asking some fundamental questions, including the following. Did the conduct violate a clear and unambiguous policy which was communicated to the employee? Did the conduct create potential commercial or legal liability for the company, such as a loss of material competitive information or potential regulatory fines? Did the employee act in a way that potentially binds the company to the employee’s statements or conduct? Is the discipline proposed commensurate with the conduct at issue, and consistent with how others who have engaged in similar misconduct have been treated? In some cases, there is also risk of a social media backlash from adverse action; however, often discipline or termination of employment is appropriate despite this risk.

FW: What steps can companies take to stay ahead of the changing social media landscape, from both a risk management and legal standpoint?

Bosley: The courts, administrative agencies, and businesses continue to attempt to catch up to the social media explosion. Continued monitoring of specific regulatory guidelines, such as recent guidelines issued by the Federal Trade Commission and other state and federal agencies, including the National Labor Relations Board and the Food and Drug Administration, is essential. However, an even more fundamental approach should not be forgotten. While technology continues to change, certain basic rules of conduct do not. Encouraging decorum, respect, integrity and adherence to fiduciary and confidentiality obligations will always be important, regardless of technological advances.

Gatto: Work with a law firm that stays on top of these issues, be proactive in reviewing and revising policies periodically and have a legal diligence process for new uses or offerings regarding social media. 

Bonner: Social media is a fast moving disruptive technology and companies should pay attention to developing tools, techniques and technologies so they are not left behind. Due to the public nature of failures in this space there is much that can be learned from the mistakes of others. It’s also worth considering that many of the existing controls for engaging with media and the public will work very well to manage social media while also considering how to take advantage of the knowledge and experience of others.


Stephen Bonner is a partner in KPMG’s Information Protection & Business Resilience team. Prior to joining the firm, he spent 12 years working with investment banks, exchanges and retail banks in the UK and globally. Mr Bonner has led a number of global transformational change projects and programmes across a variety of banking functions including IT infrastructure security, where he was responsible for the delivery of comprehensive security controls across all IT infrastructure and data privacy – focusing on the defining of legal and regulatory requirements in over 60 jurisdictions, assessing compliance, and resolving gaps internally and with 3rd parties. He created a social media policy for a global bank to enable business usage and staff participation while managing risks and he has delivered a series of award-winning awareness campaigns. He can be contacted on +44 020 7694 1644 or by email:

Jim Gatto created and is the leader of the firm’s Social Media, Entertainment and Technology team, leader of the Virtual Worlds and Video Games team and co-leader of the Open Source team. He leverages his unique combination of over 25 years of IP experience, business insights and attention to technology trends to help companies develop IP and other legal strategies that are aligned with their business objectives. His practice focuses on all aspects of intellectual property, internet and technology law, including patent, trademark, copyright, trade secret and open source. His areas of technical focus include computer software, social media, video games, social networks, virtual worlds, mirror worlds, augmented reality, user-generated content, location-based services, business methods, internet and e-commerce technology, media, financial services, and wired and wireless telecommunications. He can be contacted on +1 (703) 770 7754 or by email:

Jeffrey S. Bosley is a partner in the San Francisco office of Winston & Strawn LLP who concentrates his practice on labour and employment litigation and counselling matters. Mr Bosley has represented employers in a broad range of industries including distribution, technology, entertainment, hospitality, retail sales, energy, and health care. He has litigated employment disputes before state and federal judges and juries, and state and federal agencies, including the National Labor Relations Board. He also counsels clients on labour and employment matters, including drafting, negotiation, and enforcement of employment agreements and policies, and employment law issues arising in mergers and acquisitions. Mr Bosley briefed and argued as amicus curiae a precedent-setting case concerning use of email in the workplace, The Guard Publishing Company d/b/a The Register Guard, 351 NLRB 1110 (2007), and has written and spoken extensively on technology issues in the workplace. He can be contacted on +1 (415) 591 1412 or by email:

© Financier Worldwide


