Social Networking Policies: Best Practices For Companies

Tuesday, January 5, 2010 - 01:00
Steven C. Bennett

Steven C. Bennett

Rudimentary forms of social networking have existed for more than a decade, but the past few years have witnessed an incredible increase in the use of social networking tools (sometimes called "Web 2.0"). Time spent on social networks now exceeds time spent on email, signaling a social, business and technology paradigm shift. Continued development and expansion of social networking services and use seems inevitable.

For companies, the social networking phenomenon presents a new set of challenges. Social networking may offer a host of advantages, improving efficiency and spreading marketing messages at very low cost. But social networking also presents significant risks, and the trade-offs between efficiencies and risk may be difficult to weigh. Worse, even when companies try to ban or regulate social networking, ingenious employees may find ways to evade the company's directions.

This Article outlines some of the factors that companies should consider in formulating and implementing policies regarding social networking. Significantly, although the Article stresses that there is no "one size fits all" policy in this area, there are certain basic principles that should apply in most companies.

What Is Social Networking?

Social networking web-sites allow registered users to upload profiles, post comments, join "networks" and add "friends." They give registered users the opportunity to form "links" between each other based on friendships, hobbies, personal interests, and business sector or academic affiliations. Social networking sites can be used both personally, to contact friends and find old classmates, and professionally, to look for employment or find someone with whom to collaborate. Most social networking systems are available to all users. Some are available by invitation (or special qualification) only. Most began with a personal focus on linking "friends," but many now focus on both business and personal networking.

What Are The Benefits Of Social Networking For Companies?

Many companies have embraced social networking as yet another tool for effective research and communication. Employers now often search social networking sites before hiring employees. Advertisers, moreover, increasingly seek ways to exploit social networking systems to entice users into commercial relationships. Some companies offer internal social networking tools to aid collaboration within the business. Workers in general have come to use social networking systems in ways that tend to blend work life and social life.

What Are The Risks Of Social Networking For Companies?

In some regards, the use of social networks can be as harmful as (or more than) conventional email and other communications. Employers often have legitimate concerns about the degree of employee time-wasting associated with social networking. Social networking sites, moreover, may be misused by company employees in ways that can do significant harm to a company's reputation. Social networking may (inadvertently or intentionally) reveal confidential or proprietary information.

Companies may find themselves subject to complaints of harassment or discrimination, as employees (including managers and supervisors) may post offensive language or pictures on social networking sites that can be viewed by co-workers and clients. Network users, moreover, often comment upon information or pictures on social networking sites. Such comments can include direct (and quite unwelcome) communication between co-workers about personal social networking pages and information and pictures presented there. Social networking information thus can become explosive evidence in litigation.

Why Not Just Ban All Social Networking?

Some companies have sought to block all employee access to social networking sites. Tools for restricting access to specific sites, or types of sites, or to restrict total time spent on the Internet, are commonly used. Yet, that approach may be unrealistic and unproductive. Employees may simply continue their practices but through techniques that are subject to little or no regulation by the company. Time spent on these "back door" approaches to social networking, moreover, is additional time wasted at work. Similar problems have arisen where companies have attempted to ban other technologies, such as instant messaging.

Are There Any Clear "Best Practices" That Companies Should Follow?

The rapidity of change in this area of law could create confusion, indecision and mistakes for many companies. But there is no "head in the sand" solution to the problem. Companies must make sure that they at least think carefully about how they are regulating (or not regulating) the use of social networking tools.

Companies should incorporate Web 2.0 technologies into their existing information and document management policies. A team approach to policy formation, including representatives of all affected constituencies (legal, records, risk management, IT, business units and others) is essential. Start with some form of survey or assessment of current social networking practices within the organization and the needs of the organization going forward. A policy that does not fit the actual circumstances of the company may be ignored, and thus do more harm than good.

What If The Company Permits Social Networking?

If a company does not entirely ban social networking, it must provide reasonable "rules of the road" for the use of such technology. Key components of such a policy statement may include:

Notice : Make sure that any policies the company adopts are easily accessible to employees. Include them in orientation materials and employee manuals. Consider including reference to them on start-up screens for company-issued computers. Consider whether acknowledgments (through "click wrap" or "browse wrap" agreements) may strengthen compliance with company policies.

Competence : Inform employees that they should not use any social media tool unless they really understand how it works. Offer frequent training regarding these technologies and the company's approach to social networking. Insist that employees think before they click, tweet or post. Companies should encourage personal responsibility and treat employees like adults, while also explaining the risks for the company and the consequences of wrongful social networking behavior.

Purpose : Remind employees that company communications and computer technology are designed and intended for work, not for personal use. Make sure that employees know that social networking must not interfere with their work obligations. Further, remind them that information exchanged on social networking sites can be accessed by vendors, suppliers, business partners and competitors. Suggest that employees ask themselves, whenever using company systems: "how does this help the company perform better?"

Respect : Inform employees that they must not use social networking accounts to harass, threaten, libel, malign, defame, disparage or discriminate against co-workers, managers, customers, or anyone else. Consider prohibiting supervisors, managers and administrators from "friending" subordinates. Consider a prohibition on employees writing about, posting pictures of, or otherwise referring to any other employees without their permission.

Employment Decisions : Consult with counsel to determine what steps the company may legally take to obtain information from social networking sites as part of hiring, promotion and other employment decisions. Some states place restrictions on reference to behavior outside the workplace as the basis for an employment decision. Further, access to information about a candidate's background may expose the company to claims of discrimination.

Integrity :Remind employees that the company expects ethical and honest behavior from all its employees, at all times. Thus, any information exchanged on-line must be absolutely accurate. Insist that in blogs, wikis or other forms of online participation that relate to the company employees use their accurate identities.

Appropriate Content : Remind employees that any electronic communications and social networking activities for work-related purposes must maintain and reflect the company's standards for professionalism, including proper tone and subject matter. Thus, for example, profanity and vulgar or demeaning jokes are inappropriate. Employees should also avoid discussions of conduct that is prohibited by company policies, such as alcohol and drug use on the company's premises.

Confidential Information : State unequivocally that employees must comply with all company policies covering confidential information and trade secrets. Prohibit employees from posting confidential, copyrighted, or otherwise legally protected information or materials on their social networking accounts. Consider prohibiting employees from posting photographs taken at the company's premises or events, without explicit permission.

Disclaimers :Remind employees (and officers, especially) to state in any social media environs that what they write is their own opinion and not that of the company. Prohibit use of the company's logos, marks and other intellectual property without prior written consent.

No Right To Privacy : State, in clear terms, that employees have no right to privacy with respect to any information sent, received, created, accessed, obtained, viewed, stored, or otherwise found at any time on the company's systems. Remind employees that the hardware, software, and all communications, files and records transmitted through and residing on those systems remain, at all times, company property and may be monitored or viewed by the company at its sole discretion, at any time, without consent from or notice to employees.

Prepare For Litigation : Think about the procedures and methodologies that may be required to capture and preserve fluid Web 2.0 data in the event of litigation. "Litigation hold" procedures may include notification to third parties of the need to secure data, where applicable.

Penalties/Discipline :Explain that any violations of the policy will be subject to discipline, up to and including termination. Enforce the policy uniformly. Ensure that sufficient resources are dedicated to the enforcement process. Periodically audit compliance with the policy.

Modifications :Reserve the right to modify, discontinue, or replace the policy or any terms of the policy. Regularly review the policy to ensure that it remains effective for its intended purposes. Endeavor to give, but do not promise, notice of changes in the policy.

What About Social Networking Outside Work?

Companies cannot prevent the social networking that will often occur outside the workplace, with employees using their home computers and communications devices. Companies may, however, provide guidance regarding social networking that could be associated with the company, its employees, or its customers. Components of such a policy statement may include many of the points outlined above, as well as the following:

Identification: Inform employees that, if they choose to identify themselves as company employees in their personal social networking accounts, they must state explicitly and prominently that any views expressed are their own and not those of the employer or any person or entity affiliated with the employer.

Links: Admonish employees not to provide links to the company's external or internal websites from their personal social networking accounts.

Endorsements : Inform employees that posting statements about the company's goods and services may be considered advertising and should be cleared with company officials. Remind them that recommendations of former employees or other persons as representatives of the company may indicate that the company endorses the individual. Prohibit the posting of recommendations on social networking sites without explicit permission.

Where Can The Company Find A Sample Policy?

Sample social networking policies abound on the Internet. For example, the Association for Information and Image Management ("AIIM") and the American Records Management Association ("ARMA"), among many others, offer useful guides on communications and records management policies. Significantly, all sample policies, from whatever source, should be viewed as starting points only. A company must adapt any social networking policy (and, in general, any computer and communications usage policy) to the specific needs of the organization.

Steven C. Bennett is a Partner Jones Day in New York City and Chair of the firm's E-discovery Committee. The views expressed are solely those of the author and should not be attributed to the author's firm or its clients. For a bibliography of additional works by this author, please visit our website at

Please email the author at with questions about this article.