Social networking - harmless fun or a threat to business security?

01 April 2008

Carolyn Burbridge, Chris Waugh

Introduction

Social networking websites are perhaps the best-known brands in the so-called ‘Web 2.0 revolution’, which has put heavy emphasis on user-generated content on the internet. Probably the two most recognised sites are MySpace, which was launched in August 2003 and currently has more than 200 million accounts worldwide, and Facebook, which is adding over 250,000 users each day, and has more than 58 million active accounts. This massive growth in social networking has inevitably had a considerable impact on the behaviour of employees in the workplace because of the prevalence and accessibility of computers in the working lives of a large proportion of the UK workforce.

This chapter first seeks to establish the principal areas of risk for employers in relation to use of social networking and related technologies, principally by employees, but also non- (or former) employees. It then goes on to explore some of the ways in which organisations may actually seek to benefit from the social networking phenomenon. Finally, the chapter sets out some of the ways in which employers may seek to manage the risks associated with social networking by employees, for example through the implementation and enforcement of internet use policies.

Negative impacts on employers

Use of social networks can impact negatively on employers in a number of ways, as set out below.

Damage to business reputation resulting from individuals’ comments
An employer’s business reputation may be damaged by negative comments posted by individuals on their own social networking pages, or, more problematically because of the issue of anonymity, on those of specifically-formed networking groups. Such groups are easy to set up and so may seem attractive, for example, to current and/or former employees with perceived grievances to air in relation to a particular employer or its customers. In either case, such groups may quickly gain notoriety and therefore attract increasing levels of interest – with little, if any, control by the employer over the content, its dissemination or the development of the relevant group.

Damage to business reputation resulting from activity of host website
Commercial organisations are increasingly willing to seek to exploit the current rapid increase in the use of social networking websites through the use of advertising. However, it is prudent for organisations to bear in mind that they may inadvertently be associated with ‘unsavoury’ entities which may cause reputational damage by association. A recent example of this occurred when a number of companies removed their advertising from Facebook after it appeared on the profile homepage for the British National Party.

Compromise of IT systems caused by malware from external websites
The use of social networking sites in the workplace has inevitably led to concerns for employers in relation to the risk of security attacks. Malware (software designed to infiltrate a user’s computer system without his or her informed consent) has been reported on even the biggest and most well-known sites, and a recent US survey revealed that one in every 600 networking pages hosts malware. One recent attack forced a social networking website to shut down hundreds of user profile pages when legitimate links were altered to lead users to a phishing site which attempted to extract user names and passwords.

The problem is exacerbated by the rush to accumulate and interact with ‘friends’, which typifies much user behaviour on social networking sites. As a result, users are responding to unsolicited messages and downloading unknown files from other users’ profile pages which could also contain malware. When such behaviour occurs in the workplace, there is an obvious risk to the employer that its IT systems may be compromised as a result.

Damage to productivity of employees
Social networking in the workplace can also damage the productivity of an organisation, both by distracting employees from their work (potentially for lengthy periods) and by wasting IT system resources (especially through browsing photos or watching videos, both of which are easily accessible through applications embedded in social networking sites).

One recent study of 3,500 UK companies suggested that Facebook's British members spend an average of 143 minutes a month logged in, and that overall up to 233 million hours may be lost every month as a result of employees spending time on social networks, costing firms over £130m a day.

Personal fraud leading to potential loss of business data
There is a risk that, where employees identify themselves online as working for a particular employer, it may aid potential fraudsters in gathering information to use against a company.

This has been the case for some considerable time, and is obviously not related solely to social networking. For example, it is widely recognised that the potential for a fraudster to discover information such as computer passwords, simply by asking employees questions, is high. However, social networking arguably heightens the risk of loss of data further, because users perceive the environment as being inherently social, and therefore unthreatening, despite the fact that data may be disclosed by them to many hundreds or thousands of people who are completely unknown to them.

Damage to personal reputation of employees
A recent initiative by the Information Commissioner’s Office (an independent UK authority which promotes access to official information and the protection of personal data) highlighted that many people, caught up in the current vogue for social networking, are posting information online with little thought as to how this data may be used in the future. Taken together with the blurring between private and professional identities caused by the use of social networking sites in the workplace, it is easy to see how both existing and potential employees may damage their reputations. Functions of social networking sites such as ‘tagging’ (which allows users to post pictures on their social network pages and ‘tag’ particular individuals in those pictures – thereby flagging them to numerous other users) create particular concerns in this regard.

Where potential employers are using social networking sites for the purposes of vetting potential candidates, an individual may damage his or her chances of being offered a job if material is discovered which casts doubt on his or her suitability for the role in question. Potential employers should, however, be aware that personal data obtained from social networking websites must be used carefully when making employment-related decisions, and that such use must still comply with the law. For example, information cannot be used to refuse an individual employment on the grounds of race, sexuality or gender, simply because it was voluntarily posted on social networking sites, as this would still infringe anti-discrimination legislation. Additionally, if an employer stores such information without the consent of the relevant individual, this may amount to unlawful processing of that data, in contravention of data protection legislation.

Once individuals become aware of the potential risks, however, they may well seek to change their behaviour and reduce their exposure to such negative effects. For example, the survey carried out by the Information Commissioner’s Office as part of its recent initiative found that up to four and a half million young people in the UK would not want a college, university or potential employer to conduct an internet search on them unless they could first remove personal data from social networking sites.

Benefits of social networking and related technologies

Professional networking and recruitment
There are now a number of websites specifically set up to allow individuals to build up professional networks. Typically, such websites are structured to allow each user to establish a network of contacts with other individuals, and then permit him or her to view the list of contacts of each individual in his or her network. The underlying concept is that large networks of contacts may quickly be developed, but the networks are built on trust between individuals who are either already acquainted with each other, or are recommended to each other by mutual acquaintances.

Professional networking sites may therefore also be of considerable use to employers, who can, for example, pay for access to particular user groups in order to advertise jobs. This allows an employer to target particular types of individual with particular experience and skills more effectively than, for example, posting a job advertisement on its own website or that of a recruitment agency, and therefore increases the chances of the employer finding a suitable candidate.

Use of Wikis to encourage collaborative working
The nature of social networking, where individuals are encouraged to contribute material in collective forums, whether on a friend’s profile ‘wall’ or in a specific social networking group, may be transferred to the workplace and encourage productive working patterns from which employers may benefit. Web 2.0 technologies which are closely related to social networking such as wikis (pieces of software which allow users to create and edit documents in collaborative fashion) offer potentially powerful methods for bringing employees together to work on specific tasks within an organisation.

The collaborative approach required to develop documents through the use of wikis may encourage employees to contribute their know-how in a group environment where before they may have been too concerned with respecting office hierarchies to contribute fully. Examples of areas which might benefit from the wiki approach include:

  • producing training materials;

  • developing meeting agendas; and

  • compiling information feeds on current topics,

all of which tasks may take considerably longer in the absence of wiki technology, where it is necessary to follow a hierarchical chain in order to compile such information.

Employers who have already adopted such working practices have found that they are able to access a large pool of information of direct relevance to their businesses which has previously been under-exploited.

Employers may consider that, internally, wikis may be largely self-policing, on the grounds that any content which is inappropriate or simply irrelevant will quickly be flagged and removed by users (provided employee participation is high enough). However, where any materials are to be ‘outward-facing’ and accessible to customers, employers may wish to moderate them, both to ensure that any inappropriate comments are removed, and to ensure that the materials are presented in a uniform style to maximise the benefit to the employer’s brand.

Managing the impact of social networking in the workplace

Strategy in relation to employees

Employee access
One response to the risks posed by use of social networking sites in the workplace is simply for the employer to block access to that category of website. However, as we have highlighted, although there may be risks associated with the use of social networks by employees, such sites may have benefits for employers.

In addition, a total prohibition may be perceived by employees as overly draconian and therefore prove unpopular and detrimental to morale, especially in workplaces where employees spend the majority of their day behind a desk. Indeed, employers may find that the adverse effect on employee motivation caused by a total ban may outweigh the perceived gains in productivity from preventing access to social networks. In this regard, managers may wish to consider permitting controlled social networking access during work hours. This may be a more balanced approach since UK workers have some of the longest working hours in the developed world. It may therefore be reasonable for employees to be able to use work computers within sensible parameters for personal matters.

Network security
Traditional filtering security may be unable to keep track of the sort of constantly-changing user-generated content seen on social networking sites. For security to be effective it may be necessary to use a solution that scans websites as they are requested, as opposed to comparing them to a potentially outdated list of websites. Since this may not be a realistic solution for many employers, the education of employees as to the correct use of social networking sites becomes even more important.

An example of such successful education is the reduction in the victims of so-called ‘phishing’ attacks, where individuals were asked by email to confirm elements of their personal data, such as bank account details. When such attacks first began a number of years ago, they were perceived to be a major threat, but are now less successful because internet users have come to recognise the risk and avoid replying to such emails.

Usage policies and training
Employers should not simply assume that their employees are all technology-literate, despite the now almost all-pervasive reach of the internet into the professional and personal lives of most people. If employers assist employees with training in relation to IT security and identity theft in general, those employees are likely to be better able to minimise security risks to themselves and their employer through social networking. Accordingly, it may be advisable to educate employees as to:

  • the risk that employees’ online activity may damage both their reputation and that of their employer, and that information posted online may be accessible for a significant period of time owing to ‘caching’ of information by websites;

  • the scope and functionality of social network privacy settings so that, from the start, they avoid publishing information too widely (for example, where a user chooses to become a member of a Facebook group and relies on the default security settings, the information posted on his or her profile page may then be accessible by many thousands of individuals who are members of the same group; some fairly straightforward instruction in relation to the relevant security settings clearly helps to reduce this risk);

  • limits on the level of social networking that is deemed appropriate during office hours; and

  • the risk that putting personal data online may make employees more likely to fall victim to identity fraud, and may also pose an indirect risk to their employer if a potential fraudster is able to gain access to information related to their business through the employee.

In addition to the elements of internet use policy in the workplace, employers may usefully draw employees’ attention to guidelines issued by the Information Commissioner’s Office. The guidelines are of relevance to employees in their personal lives but may also be of assistance in protecting employers from ill-considered use of social networking sites:

  • A blog is for life. If you don't think you'll want it to exist somewhere in ten years’ time, don't post it.

  • Privacy is precious – choose sites that give you plenty of control over who can find your profile and how much information they can see. Read privacy policies and understand how sites will use your details.

  • Don't allow people to work out your 'real life' location such as your place and hours of work. Your personal safety off-line could be affected by what you tell people online.

  • Change your passwords regularly, don't use obvious words like your pet's name and don't use the same passwords on social networking sites as you do for things like internet banking.

  • Be address aware – use a separate email address for social networking and one that doesn't give your year of birth or, ideally, your full name.

  • Reputation is everything – what seems funny to you and your friends now might not be to your teachers, university admissions tutor or prospective employer – or to you in years to come.

A well-defined internet use policy including the elements set out above will assist an employer in controlling online dissemination of information (including comments on that employer) by individuals who are existing employees and are in the workplace.

Strategy in relation to non-employees

Legal strategies
In comparison with the activities of employees, the online behaviour of other individuals is likely to be more difficult to control, as it will not be possible to rely on any contractual relationship between the organisation and the individuals to enforce any internet use policies.

In the event that damaging comments are posted online, employers may wish to approach the social networking sites on which the comments appear. Such sites generally publish access policies to which members must sign up, and which entitle the sites to remove both the relevant comments and if necessary all membership rights in the event that the policies are infringed. However, where takedown by means of a website implementing its access policy proves difficult to obtain, there are a number of other legal avenues that may be open to an organisation which is the subject of comments on a social networking site, as set out below (although some may be more effective than others):

  • Trademark
    It may be possible to restrain the use of a trademark belonging to an organisation. However, use of such a trademark by an individual or group is susceptible to being restrained only if it is use in the course of trade. Accordingly, mere descriptive use of the trademark on a social networking site is unlikely to fall foul of trademark law.

  • Copyright
    Copyright law may be used to restrain use of an organisation’s logo, but mere use of the organisation’s name, as distinct from a specific logo, is unlikely to be amenable to restraint on the grounds of copyright infringement.

  • Defamation
    Postings which are defamatory may be the subject of actions for damages and injunctive relief to force takedown from the relevant site. For example, in 2002 a former teacher sued a former pupil in relation to libellous comments on the Friends Reunited website. More recently, a member of the UK Independence Party successfully brought a claim in relation to libellous comments posted on an internet discussion board. In addition, employers should be aware that not only the originators of defamatory comments but also online service providers (OSPs), including websites and internet service providers, may be liable for defamatory comments, to the extent that they become aware of such comments and fail to take action to remove them. While defences such as ‘innocent dissemination’ may be available to OSPs against such claims, such potential liabilities may be used by employers as a bargaining tool to increase OSP cooperation when employers are seeking takedown of particular comments.

Conclusion

In conclusion, the online social networking phenomenon appears likely to continue to grow in popularity, and exert an increasing influence on the ways in which individuals interact, in both the private and professional spheres. It is therefore advisable for employers to understand the risks and opportunities posed by employees accessing social networking websites in the workplace, and to implement policies accordingly.

The most extreme method for employers to protect themselves from the risks associated with social networking by employees is to set up their IT systems so as to block access to such sites. However, as discussed above, this will prevent the employer from enjoying any of the benefits associated with social networking (which are likely to increase in proportion with user participation) and may also cause resentment among employees which could outweigh the benefits in productivity resulting from an outright ban.

While a well-implemented policy can mitigate the risks posed by social networking, it may not be possible to prevent all damage. Where such damage does occur, it is advisable for employers to be fully informed as to the options available to remove adverse posts by means of enforcing website access policies, or through stricter legal channels. The more employers are able to prepare in advance, the quicker they will be able to mitigate any damage.

Sources of further information

Facebook at work: David Woollcott examines the issues social networking sites pose for employers. (Audio)
http://www.workplacelaw.net/audio/index/audio_id/11092

This article was first published in Workplace Law's Facilities Management Legal Update 2008, Special Report.