Revisiting enterprise social media risks; managing risks from an enterprise perspective, when companies and their employees venture into social media and networking. Delivered at the IAPP Global Privacy Summit (Washington DC) on April 20 and 21, 2010.
Update on enterprise social media risks
1. Social Media Risks to Enterprises
Constantine Karbaliotis
Data Protection & Privacy Lead
2. Session Description
• Social media and software are of increasing interest to both
private and public sector organizations. While these
technologies offer exciting new opportunities to share
information and to interact with customers, they also represent
a new area of risk for the exposure of confidential and personal
information. Get an update on the changes being brought about
by social media in response to regulators’ and consumers’
concerns, and learn the latest strategies for minimizing risks to
organizational security and reducing liability.
Social Media Risks to Enterprises - Constantine Karbaliotis 2
3. Agenda
1 Introduction
2 Enterprise Uses of Social Media
3 Enterprise Risks from Social Media
4 Strategies and Tactics
5 Case Study
6 Conclusion/Q&A
5. What is Social Media?
• “Social media” includes:
– social networking (Facebook, MySpace)
– blogging (WordPress, Blogger, TypePad, etc.)
– wikis (Wikipedia, Wikia, etc.)
– microblogging (Twitter)
– business or technical networking (LinkedIn, Spoke)
• in short, anything that can be considered user-generated
content
6. Generation Y/Millennials
“Who uses e-mail anymore? – that’s old school!”
• Demand …
– 42% of office workers between the ages of 18 and 29 discuss work-related
issues on blogs and social networking sites (YouGov)
– 50% of surveyed organizations indicate that at least 30% of their network
bandwidth is being consumed by social networking traffic (Forrester)
• And supply …
– It is estimated that nearly half of all web developers are already using AJAX
– 66% of surveyed organizations indicate that Web 2.0 is essential to
maintaining their company’s market position (McKinsey)
7. Social Networking in the News…
• Canada takes lead role in Facebook privacy issues
– Discussions between Facebook Inc. and the Office of the Privacy Commissioner of
Canada (OPC) over the social networking site's compliance with Canadian federal
privacy law are moving along smoothly, according to spokespersons from both
sides. .. Privacy Commissioner Jennifer Stoddart found Facebook in violation of
the Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada is now recognized as the first country in the world to issue legally binding
recommendations to the social networking site. (NetworkWorld, August 21,
2009)
• Is Internet privacy dead? No, just more complicated: researchers
– The numbers tell one story: With 10 billion Tweets sent and 400 million Facebook
users signed, people clearly want to be heard and seen and able to hear and see
others on social networks. But Internet users also care about privacy, according
to experts. Particularly when they feel like they’ve lost control of their personal
information. That is when trust is broken. (Washington Post, March 15, 2010)
• Privacy watchdog takes issue with Google Buzz
– Canada's top privacy watchdog is taking aim at another international tech
titan. Less than a year after its investigation spurred sweeping privacy changes at
Facebook, the Office of the Privacy Commissioner of Canada is now looking into
complaints that Google Inc.'s new social networking tool, Google Buzz, might run
afoul of Canadian privacy standards. (Vancouver Sun, February 17, 2010)
8. Privacy’s role in selling the message in the
organization….
• The goal is not to stop innovation or creativity
• The goal is:
– To understand the risks associated with an activity;
– To address them by minimizing them to the extent reasonably possible;
and
– for a responsible person in the enterprise to accept the residual risk.
• My mantra:
– Conscious acceptance of risk
– No sleepwalking
9. Enterprise Uses of Social Media
10. Social Media and Privacy Risks
• Most privacy risks not exclusive to social media sites and
technology
• Simply blocking these sites will not mitigate the hazards of
increasingly interactive consumer Web applications
• There are corporate advantages to use of social media, the most
compelling of which are innovative marketing, attracting
employees and providing a progressive work environment
• Social media is just one part of our overall concerns about doing
privacy ‘right’
11. Organizational Uses of Social Media
• Internal Uses:
– Employee social networking
• External Uses:
– Employee social networking
– Technical and customer support
– Marketing and customer data collection
12. Content Creation
• Social media can be operated by:
– The organization
– The organization with content provided by employees and customers
– Others and used officially by the organization
– Others informally
– Others both officially and unofficially
13. Behavioural Profiling
• The data collected by observing what users do
• Very interesting data, very valuable and at the same time,
attracting a lot of negative attention from privacy regulators
• One of the key reasons to set up social media sites and
technologies – apart from advertising – is the generation of this
behavioral information and thus targeted advertising
14. Two main areas of risk for Enterprises:
1. Risks to an enterprise from its employees using
social media tools that the enterprise provides
or uses (“Enterprise Social Media Risks”); and
2. Risks to an enterprise from consumers using
social media tools that the enterprise provides
or uses (“Consumer Social Media Risks”).
15. Enterprise Social Media Risks
16. Employee use of Social Media
• Internal losses: Employees can
– Violate the privacy of others
– Violate their own privacy
• External losses: Employees can
– Disclose confidential company information
– Create a ‘record’
17. Unintended Consequences: Security & Compliance
• Facilitating social engineering
• Additional security risk on
computers
• Spamware or spyware
• Compromise not only their own but
organizations’ security
• Even legitimate toolbar tools can
present data export issues
18. Unintended Consequences: TMI
• By offering TMI, employees can create awkward
situations
• Certain social networking communications may
be seen as creating a hostile work environment
and put the company and employee(s) in
jeopardy
• Can lead to regulatory or legal actions against
both employee and enterprise
19. Hosting Issues
• Risks also arise from the choice to host internally or
use third parties
• Hosting internally has associated cost, governance and
management issues
• Third parties, however, raise a whole other
dimension
20. Consumer Social Media Risks
21. Consumer Risks: Enterprises need to understand their
consumers do care about privacy, but …
• Behaviours contradict stated concerns about
privacy
• “Passwords revealed by sweet deal”, BBC News
• The why: People are terrible at assessing risk
• “The Drunkard’s Walk: How Randomness Rules Our
Lives,” Leonard Mlodinow
• Thus the duty of Enterprises as stewards
22. Unintended Consequences: Intended versus
unintended audience…
• Enterprise social media sites must consider the
personal risks that they may inadvertently
create for their users:
• Enterprises need to consider the forum that
they are creating and how their consumers’
information might be used, or misused
23. Unintended Consequences: The Durability of Data
• Search engines also scan social media content
created by users, including risks associated with
‘deep web’ search engines
• Enterprise risks are considerable in the retention
area of social media if not addressed through
careful design
25. Internal Governance: Revisit and Update Privacy
Policies, Privacy Notices, and Code of Conduct
• Ensure your Code of Conduct addresses the risks
associated with social media
• Revisit policies, privacy notices/statements – do they
address the risks of social media?
• Train and Inform
• Update employment contracts and acceptable use
agreements to allow for social media
26. Privacy Notices: Revisit Notice and Consent
• Informed consent is key to obtaining and using
personal information in social media and
elsewhere
• Consider use of layered notices
• Update and revise the terms and conditions
associated with use
27. Behavioural Profiling:
FTC Principles on Behavioral Tracking
1. Transparency and consumer control
2. Reasonable security and limited data retention for
consumer data
3. Affirmative express consent for material changes to
existing privacy policies
4. Affirmative express consent to (or prohibition
against) using sensitive data for behavioral
advertising
28. Design Considerations: Taking the High Road in Social
Media
• Privacy impact or risk assessment
• Notify what activities are tracked
• Allow ‘opt out’ of tracking
• Always link to privacy notices
• Transparency
29. Design Considerations: Taking the High Road (2)
• Retention clarity
• Anonymization as part of retention
• Data Security
• Manage search engine risks
30. Design Considerations: Taking the High Road (3)
• Preference management
• Appropriate security for account
• Prominent display of privacy notices and terms
of use
• Effective deletion of accounts and PII
31. Design Considerations: Purpose & Data Minimization
• Honestly be able to assess the value of the trade being
made by your community:
– Is what they’ve traded for, a fair trade?
– Are they giving too much?
– Do they really know all that is really intended – or
perhaps unintended but likely – in relation to what
they’re trading?
– Are they entrusting it to an enterprise who can
protect that asset properly?
32. Design Considerations: Social Media Privacy
Considerations
• User names
• Profiles
• Uses
• User account deletion
• Lawful disclosure
• Transfers
• Complaints
37. Ts & Cs
38. Design Standards & Guidelines
• Developers building social media sites
– Design considerations mentioned previously
• Employees using social media sites given specific direction but
reminded to comply with:
– HR policies
– Privacy policies
– Security policies
40. Enterprises’ Duty as Stewards
• Essential to be the ‘good guys’ in the
management of customers’ data
• Understanding risk in relation to your
stewardship of personal information in the social
media context
• Act as the customer’s IT department
41. Conclusion
• What is the intent of collecting this information
– no service is really for free, so what is being
‘traded’?
• Be up front about what the trade is
• Have in place the measures to enforce the deal
• And keep in mind that transparency won’t
excuse actions representing unexpected uses of
personal information