The Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) recently conducted a survey on Social Media and Compliance (available to download after registering).  The purpose?  To look at how businesses manage increased use of social media by employees.  The results are in and are not surprising… while businesses are taking some steps to protect against employee misuse of social media, they are still largely reacting to problems after-the-fact, rather than actively managing social media use to avoid risk.

According to the respondents of the survey:

  • Only 31% reported that their employer had adopted specific policies addressing the use of social media outside of work;
  • 45% said their company had no policy at all; and
  • 21% reported their company had only a general policy. 

This means that 66% did not have a social-media specific policy.  Do you think these businesses are adequately protected?  We do not.

So what about access to Facebook or Twitter during the workday?  Interestingly, of the companies that had site-specific policies, the results were almost even between companies that completely blocked access to Facebook or Twitter (35% for both sites) and companies that allowed completely open access those sites (32% and 31% respectively).  Companies allowed much greater access to LinkedIn (47% allowed open access).  To me, these results indicate that other than LinkedIn, there still is very little consensus on whether employees should be able to access social media sites like Facebook and Twitter while at work.

The survey did demonstrate some consensus – there is no question employees are increasingly being disciplined based on their behavior on social media sites.  In 2009, only 24% of respondents reported that their company had disciplined an employee for social media conduct.  In 2011, that percentage jumped to 42%.  So, did those companies that disciplined employees because of social media conduct also have social media-specific policies, only general policies, or no policies at all?  The survey did not include this information – but it would be interesting to know.  These numbers do show that employers should be more proactive about training employees on appropriate online behavior to try to avoid some of the conduct leading to discipline.  What is that cliché about “an ounce of prevention …”?

Finally, the survey reported that “despite the growth in usage of social media, the availability of monitoring solutions and the increase in policies restricting use,” 48% of respondents (up from 32% in 2009) were engaged only in “passive” monitoring – that is, they only monitored when apprised of an issue.  This “lack of rigor” as the survey authors put it, is more evidence that many companies are being reactive rather than proactive about employee misuse of social media.

Now, we can debate whether a proactive approach is always the answer, or whether in some cases (depending on the business’s size, the resources available to it, etc.) a more reactive stance is acceptable.  Whether proactive or reactive, however, an organization’s approach to employee misuse of social media should always be purposeful and the result of a careful risk assessment.  Unfortunately, it seems that in too many cases, companies fall within the reaction camp simply because they have not taken the time to sit down and truly evaluate what steps they need to take to protect themselves.  They may not even know what social media sites their employees or owners are using.

Do you know how your organization’s employees use social media?  Are you prepared to take proactive steps or merely react?  Your thoughts?