By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
VANCOUVER---Risk managers need to stop thinking of social media as some new confounding technological risk that they pass off to the information-technology department.
"That's the worst thing you can do," said Toby Merrill, vice president of ACE Professional Risk, speaking with Risk & Insurance® while the latter was in Vancouver for the annual meeting of the Risk and Insurance Management Society Inc. (RIMS) and he was on the phone in his Philadelphia office.
Instead, risk managers should consider all of the everyday exposures that social media impacts. A biggie is employment practices liability (EPL). But the social media activities of employees can also expose a company to intellectual property risks, privacy and security issues, and even directors' and officers' liability exposure, according to Merrill. Company officers and directors must be very careful how they disclose earnings and other information through social media channels.
"It's too easy today to slip up," Merrill said.
With EPL exposure, Merrill researched quite a bit of litigation in the past couple of years where social media brushed against employment law. It can involve employees posting negative comments on Facebook, for instance, about their bosses. Or bosses being sued for defamation of character for posts about employees. Merrill estimates that a large percentage of organizations investigate job applicants on social media sites during the interview process without disclosing that they do.
The overall problem, it appears, is that social media has taken hold at an astonishing speed on a personal, societal and even business level. Controls are "trailing big time," Merrill said.
And again, often IT is asked or allowed to manage those controls alone.
"That's the biggest mistake," Merrill said.
It's not that IT should be banished from the responsibility altogether. They can bring valuable tools to the table to help control and monitor social media exposure--tools that should be viewed as sprinklers are to fire risk. The problem is that more than IT should be involved here.
To help develop a social media policy and a data breach reaction plan, and to apply technological controls, risk management should also bring such departments as legal and communications to the table.
May 9, 2011
Copyright 2011© LRP Publications