Social Media and Compliance: Overview for Regulated Organizations

Transcription

1 Social Media and Compliance: Overview for Regulated Organizations Chris Ricciuti - Vice President, Financial Services Archiving & Governance Robert A. Cruz - Sr. Director, Archive & ediscovery threat protection compliance archiving & governance secure communication

2 Contents Introduction...3 Social Media v. The SEC...3 Social Media in Financial Services...5 Social Media in Health Care... 8 Social Media in Other Regulated Industries... 8 Best Practices... 9 How Proofpoint Can Help...10 Glossary / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

3 Introduction The growing use of social media in business today is undeniable. Twitter has over 550 million users sending over 58 million tweets per day, 1 while LinkedIn now boasts over 225 million users, including users from over 200 countries and executives from all Fortune 500 companies. 2 Companies are also using Salesforce Chatter, Microsoft Yammer, and other collaborative tools to promote products and services, conduct market research, build brand awareness, and resolve customer problems. Social media is fast, ubiquitous, and in many cases produces measurable ROI to a business; however, it also poses significant risks that can become public and propagate virally. Consider the following: Action CEO of Netflix posts on his Facebook account that his company streamed 1 billion hours of content in the current month A registered broker tweets about stocks in which her family has a substantial position Broker accused of making more than $500M of fraudelent offers via LinkedIn A doctor working in an ER posted information about a patient, without mentioning the patient s name, to her personal Facebook page Consequence SEC investigation, leading to additional guidance on the use of social media in light of existing SEC regulations (described below) 3 $10K fine, suspended for 1 year by FINRA (FINRA S first social-related sanction) 4 $150K penalty imposed by SEC, license revoked 5 Fired from her position at the hospital, reprimanded by the State medical board and fined $500 In addition to carrying malicious content to deliver targeted attacks and resource consuming spam, the improper use of social media can lead to damaged brands, regulatory fines and other harsh consequences in terms of ediscovery. This paper will discuss social media in light of specific rules and regulations, with emphasis on the financial services and health care industries. It will also offer best practices in holistically managing social media to minimize data security, privacy, and legal discovery risks. Social Media v. The SEC The proliferation of social media business use has recently drawn the attention of the U.S. Security and Exchange Commission (SEC), who has provided guidance to all publicly traded companies on the use of social networking sites in order to avoid issues with federal securities laws including Regulation FD (see glossary). In April 2013, the SEC opened an investigation that attempted to determine if Netflix CEO Reed Hastings had violated Regulation FD when he posted on his personal Facebook page that Netflix had streamed 1 billion hours of content in June The potential violation to Regulation FD was raised due to the facts that 1) Hastings personal Facebook page had not previously been used to make company announcements, 2) shareholders had not been informed that it would be used to disclose company information, and 3) following the Facebook disclosure, Netflix did not post the information on its web site, issue a press release, or file a Form 8-K Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings, Release No (Apr. 2, 2013). 4 SEC Charges Illinois-Based Adviser in Social Media Scam (Press release), December / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

4 Ultimately, the SEC chose not to pursue enforcement action against Netflix, but instead used the matter to provide additional guidance on the use of social networking sites to disclose material, nonpublic information. The guidance focused on the applicability of Regulation FD, as well as the extension of its 2008 guidance focused on the use of company web sites. Applying Regulation FD to Disclosures of Material, Nonpublic Information on Social Networks The SEC guidance indicates that companies may use social networks to disclose material, nonpublic information, but such disclosures must comply with Regulation FD (Fair Disclosure). Regulation FD states that companies must distribute material in a reasonably designed way to get that information out to the general public broadly and non-exclusively. The SEC guidance suggested that companies should analyze whether specific social media postings contain material, non-public information; and if yes, and the company does not file a Form 8-K, whether the information was distributed in a way that provides broad, nonexclusionary access to the information by the public. Applying the SEC s Guidance on the Use of Company Web Sites to Social Networks The SEC s 2008 Guidance on the Use of Company Web Sites 6 explained that, for purposes of complying with Regulation FD, a company makes public disclosure when it distributes material, non-public information through a recognized channel of distribution. Focusing on the use of company websites, the 2008 Guidance indicates that determining what are recognized channels of distribution depends on the steps that the company has taken to alert the market about those channels and its disclosure practices, as well as the use of those channels by investors and the market. With its most recent ruling, the SEC is stating that the 2008 ruling was intended to be interpreted broadly; therefore applying equally to social media and classifying it as a recognized channel. The SEC Bottom Line All publicly traded corporations must notify investors of the social media channels that are intended for use in distributing material, non-public information in order to minimize the scrutiny of selective disclosure under Regulation FD. While this is great news for those seeking to deploy a social platform as a way to communicate with investors who may have been hesitant to do so because of lack of clarity from regulators, there are additional considerations when assessing the use of social media at your organization, including the following: Do not use personal social media accounts of company officers to distribute information. As noted by the SEC, personal employee social media pages are not appropriate channels for material corporate information. Notify the public about the communication channels that you intend to use to disseminate material, non-public information, including the types of information that may be disclosed through social media. Maintain control over material, non-public information to be disseminated. This should include approval processes for posting information, as well enhancement of corporate communication policies to outline acceptable and prohibited uses of social media channels. 6 Commission Guidance on the Use of Company Web Sites, Release No (Aug. 7, 2008) ( 2008 Guidance ). 4 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

5 Provide regular training to key employees on compliance with Regulation FD. Organizations must ensure that all employees who have access to social media accounts understand the associated regulations. Archive social media content. Optimally, an archiving solution also must be able to capture posted social media content for long-term retention and ediscovery, should a regulatory request for information arise. Social Media in Financial Services The Securities industry has seen significant evolution in the acceptance of social media use by broker dealers and their firms. In fact, a recent study conducted by LIMRA found that 9 in 10 financial services companies were using social media in The industry has also been the most advanced in issuing specific social media guidance, building on Rules 17a-3 and 17a-4 of the Securities Exchange Act of 1934 and NASD Rule 3110 requiring broker-dealers to retain business communications. The Financial Industry Regulatory Authority (FINRA) provided its initial social guidance with the issuance of Regulatory Notice 10-06, which was further clarified in 2011 with the release of Regulatory Notice was issued to establish best practices, but clearly states that the posting of any social media content by a member firm is communication under FINRA rules and, accordingly, is subject to applicable FINRA recordkeeping requirements. These guidelines are outlined as follows: 1. Maintaining Records If a social media post constitutes a business communication, then SEC Rule 17a-4(b) requires broker-dealers to preserve certain records for a period of not less than three years, the first two in an easily accessible place. The SEC has stated that the content of an electronic communication determines whether it must be preserved. Implication: For business communications made via social media, even if only distributed internally, records must be kept. Most firms have chosen the safe route and capture all social media communications, similar to what is presently done for Supervision NASD Rule 3010 requires each firm to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable federal securities laws and FINRA rules. This responsibility includes reviewing material intended for a business purpose prior to its posting. Implication: Before approving a social media site for use by registered representatives, firm management must ensure that representatives fully understand and will comply with the applicable social media rules. Firm management should also check sites frequently due to their dynamic nature / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

6 3. Posting 3 rd Party Links and Data Feeds Firms may not establish a link to any third-party links or data feeds that the firm knows contains false or misleading content. Implication: Unsupervised 3rd party content can create unnecessary liability for information that members of your organization did not generate themselves. 4. Application of Suitability Rules When a firm or its personnel recommends a security through a social media site, this triggers the requirements of NASD Rule 2310 regarding suitability. Firms should consult Notice to Members (NTM) (Online Suitability) for additional guidance concerning when an online communication falls within the definition of recommendation under Rule Implication: When determining suitability, be sure to keep in mind the scope of social media distribution to help ensure that recommendations are relevant to the entire audience. But FINRA says Wait, There s More The increased regulatory scrutiny toward social media was illustrated in June 2013 with FINRA s Targeted Exam Letter notice. 8 The FINRA letter calls out Rule 2210(c)(6) that states that each firm s communications are subject to a periodic spot-check procedure that will include the following: An explanation of how the firm is currently using social media in the conduct of its business, including specifics on the business purpose, URLs, and dates that the firm begin using each social media platform; The identity of all individuals who post and/or update content of the sites identified above, including the date(s) the firm began allowing the use of each social media platform and whether such usage continues; The portion of the firm s written supervisory procedures concerning the production, approval and distribution of social media communications in effect during the time period February 4, 2013 through May 4, 2013; An explanation of the measures that the firm has adopted to monitor compliance with the firm s social media policies (e.g., training meetings, annual certification, technology). A tabular list of your firm s top 20 producing registered representatives (based on commissioned sales) who used social media for business purposes to interact with retail investors as defined in FINRA Rule 2210(a)(6) during the time period February 4, 2013 through May 4, The FINRA Bottom Line With social media use growing in financial firms, FINRA is concerned not only about firm policies but also the potential relationship between use of social media and the performance of individual broker-dealers. FINRA will likely expand the use of spot checks and regulations will be further refined to reflect their findings. 8 Targeted Examination Letters Re: Spot-Check of Social Media Communications, June 2013, FINRA. 6 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

7 And More Regulation: Federal Financial Institutions Examination Council (FFIEC) In light of social media proliferation across the industry, the Federal Financial Institutions Examination Council (FFIEC) released a draft in the first half of 2013 with new guidelines for social media that would apply to banks, savings associations, and credit unions, as well as non-bank entities supervised by the Consumer Financial Protection Bureau and state regulators. 9 The proposed regulations would require that organizations have a documented social media policy in place, along with enforcement and employee training. The FFEIC document also outlines other financial regulations that should be considered as part of an analysis of social media, including: Truth in Savings Act/Regulation DD and Part 707 Fair Lending Laws: Equal Credit Opportunity Act/Regulation B3 Fair Housing Act Truth in Lending Act/Regulation Z Real Estate Settlement Procedures Act Fair Debt Collection Practices Act Unfair, Deceptive, or Abusive Acts or Practices Deposit Insurance or Share Insurance Electronic Fund Transfer Act/Regulation E Bank Secrecy Act Community Reinvestment Act Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines CAN-SPAM Act Telephone Consumer Protection Act Children s Online Privacy Protection Act Fair Credit Reporting Act The final version of the FFIEC Social Media Guidance is expected to be published in the 2nd half of The Bottom Line for Financial Services Given the rate of change and innovation in technology, and increased frequency in response from financial regulators, the best bet is to play it safe when employing social media define policy, actively archive, supervise often, and review and revise your social media strategies and policies frequently. If the cases of every other form of communication have taught us anything - it s to be safe, rather than sorry. 9 Social Media: Consumer Compliance Risk Management Guidance, FEDERAL FINANCIAL INSTITUTIONS. 7 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

8 Social Media in Health Care While HIPAA has yet to release specific language concerning social media use, if one reads the HIPAA Privacy Rule, it s easy to see that the current rules apply to social media. In fact, employers that are covered entities under HIPAA face direct liability for the acts of any member of their workforce that are inconsistent with the data privacy and security regulations issued under HIPAA. All such workforce members are prohibited, with limited exceptions, from using or disclosing individually identifiable health information (PHI) without a written authorization from the individual to whom the PHI pertains, and any such authorization must contain very specific language to comply with HIPAA. Social media can be a useful resource channel to connect with patients, but only when done with careful consideration of HIPAA restrictions. Basic precautions that health care providers can undertake include the following: Request a HIPAA Waiver: HIPAA puts the burden of preserving patient privacy squarely on the shoulders of the provider, but an individual patient can always waive those rights. Patients that have a good experience, that are happy to share their stories, can waive their privacy rights. Having a simple waiver form available for patients, releasing the health care provider to share their patient information for marketing purposes, satisfies the necessary documentation. Review Social Media Terms of Service: Social media sites are constantly changing their terms of service in response to changes in data privacy regulations and litigation rulings that can change how information can be accessed and retrieved, so is important to keep up current with the Terms of Service that you intend to enable access to. Create Social Media Policies and Training Programs: Any staff in the health care industry, from hospital administrators to front desk receptionists, needs to understand the limits imposed by HIPAA and how it applies to social media. This includes clearly articulating what are permissible and prohibited communications via social media with specific examples. Ensuring that every staff member understands the policy helps eliminate potential violations. The Bottom Line for Health Care Much like with the Financial Services industry, using social media archive services helps health care providers avoid issues and maintain HIPAA compliance. Monitoring posts allows administrators to spot potentially problematic posts, quickly. Social Media in Other Regulated Industries In June 2011, The Environmental Protection Agency (EPA) released its Representing EPA On-Line Using Social Media 10 guidance, requiring that posts must be preserved and maintained with applicable records schedules as outlined in agency guidelines governing communications with the public. 10 Representing EPA On-Line Using Social Media, issued by the EPA Chief Information Officer, June / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

9 The National Archives and Record Administration (NARA) continues to refine policy regarding the retention of social media communication. In its October 2010 bulletin, NARA stressed that open and transparent government relies on emerging communication tools, and as they are adopted, agencies are responsible for complying with all applicable laws, regulations, and policies. explains that NARA stresses that the principles for analyzing, scheduling, and managing records are based on content and are independent of the medium; where and how an agency creates, uses, or stores information does not affect how agencies identify Federal records. 11 The Food and Drug Administration has been slow to act in the case of social media guidance uncharacteristic for this agency. As a result, many companies have chosen to delay the implementation of social media programs or simply attempted to block their use internally. As of the end of 2012, the FDA issued its first draft guidance for drug makers on interacting with consumers via social applications. The guidelines recommend that companies respond to public social commentary by providing a private and direct communications channel with consumers. Best Practices in Managing Social Media Today, many regulated companies are examining how to manage, secure, and leverage social media for improved marketing and customer service while also adhering to applicable regulatory requirements. Given the rapidly evolving sets of regulation, companies can move proactively by following these best practices in order to leverage social media in light of their specific regulatory requirements: Step 1: Establish a Clear, Unambiguous Social Media Policy Engage a team of Subject Matter Experts (e.g. IT, compliance, legal, marketing) to assess the security risks and business goals for social media usage Treat social media governance as a component of IT governance overall Provide specific examples of acceptable and prohibited uses of social media Step 2: Seek Tools that enable flexibility and quick response to change Consider solutions that integrate with your existing communications infrastructure and can evolve as social media technologies continue to evolve Seek tools that can automate policy enforcement in order to speed response to regulatory inquiry Continue to monitor regulatory and legal precedents in order to inform policy change Step 3: Provide On-going Training and Policy Refinement Train employees on best practices, internal policies and relevant industry regulations Engage users for feedback in order to periodically examine social risks vs. returns Talk to your industry peers to leverage experience 11 NARA Bulletin / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

10 How Proofpoint Can Help Since its founding, Proofpoint has been focused on helping organizations manage critical information. Today, Proofpoint has enabled the world s largest and most complex organizations to address the rigors of legal discovery, regulatory compliance, and advanced threat protection, with a technology infrastructure that was explicitly built for the cloud. Most recently, this capability has been extended with our Archive for Social Platform, which automates the capture and archiving of social media content from specific social channels as required for regulatory and legal discovery purposes. Amongst these capabilities is the Enterprise Archive solution, which has been recognized by industry analyst Gartner, Inc. as a Leader in the 2012 Magic Quadrant for Enterprise Information Archiving. The unique features provided by Enterprise Archive include: Fast Access to Information Guaranteed: Using a unique grid-based storage architecture, Proofpoint delivers information in seconds regardless of how much data is archived, how complex the query, or whether information requested is contained within social content, , IM, or collected files. This provides fast, reliable, and consistent response to regulatory inquiry or legal discovery Unsurpassed Data Control enabled by DoubleBlind TM Key Architecture: Unlike any other cloud archiving solution, Proofpoint ensures that the customer remains in exclusive control over the decision of information access by separating encrypted archived data from the keys to that data, which are possessed by the customer; Robust, yet Flexible Policy Management: Organizations can create and, most importantly, enforce an unlimited number of retention policies, as required by multi-national, and multi-product organizations, as well as those that face evolving regulatory requirements. Information is securely retained in a SSAE-16 audited, tamper-proof repository that address even the most stringent regulatory requirements Additionally, Proofpoint has introduced two new products as part of its Archive for Social Platform that include: Proofpoint Social Platform Archiver for Chatter is a Salesforce.com Chatter archiving and compliance solution. With Archiver for Chatter, your Salesforce.com Chatter content is fully integrated into the archiving solution that you already have in place, thereby eliminating the need to manage multiple e-discovery tools for electronic communication compliance. Proofpoint Social Platform Archiver for Yammer is a Microsoft Yammer archiving and compliance solution. With Archiver for Yammer, your Yammer content is fully integrated into the archiving solution that you already have in place, thereby eliminating the need to manage multiple e-discovery tools for electronic communication compliance. For more information about social media and regulatory compliance, please visit 10 / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13

11 Glossary Summary of Regulations Impacting Management and Control of Social Media Security and Exchange Commission, Regulation FD (all publicly traded corporations) SEC, Release No (Web Sites) (all publicly traded corporations) Financial Industry Regulatory Authority, Regulatory Notices and (U.S. Financial Services) FINRA, Targeted Examination Letter re: Social Media FFIEC Social Media: Consumer Compliance Risk Management Guidance (Draft) IIROC Notice (Canadian financial services) The Health Insurance Portability and Availability Act of 1986 (U.S. Health Care) U.S. Federal Rules of Civil Procedure, Rule 26 U.K. Rules of Civil Procedure, Part 31.4 The Electronic Communications Privacy Act (ECPA) of 1986 The Stored Communications Act (SCA) of 1986 The Securities and Exchange Act of 1934 forms the basis of U.S. financial market regulations. Created in 2000, Regulation FD specifically addresses the selective disclosure of information by publicly traded companies. It provides that when a company discloses material non-public information to certain individuals or entities it must make public disclosure of that information. Issued in 2008, Commission Guidance on the use of Company Web Sites specifies the conditions under which material, nonpublic information can be distributed via recognized channels of distribution, including company web sites and (as denoted in April 2013 Guidance) social media. FINRA is a Self-Regulatory Entity (SRE) with charter to protect investors through oversight of the securities industry. FINRA Rules and Regulations notice issued in January 2010 requires financial services industry firms to monitor and maintain records on social media site usage. FINRA Regulatory Notice states that Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule FINRA issued Regulatory Notice (Social Media Websites and the Use of Personal Devices for Business Communications) in August 2011 that addresses questions raised by firms that are affected by Issued June 2013 and requiring a spot-check procedure for firm s use of social media, and reporting of broker-dealer activities between February 4, 2013 to May 4, Federal Financial Institutions Examination Council (FFIEC) is an interagency body attempting to create consistency across regulation of banks, savings associations, and credit unions, as well as nonbank entities. In January 2013, it released a draft of new guidelines for social media that would require monitoring, supervision, and training around use of social media. The final version is expected to be published in late The Investment Industry Regulatory Organization of Canada (IIROC) is the regulatory authority overseeing the Canadian securities industry. Issued December 2011, IIROC Notice defines supervisory and reporting requirements for firms utilizing social media for business communications. HIPAA requires healthcare organizations (HCOs) to protect patient-specific data over all electronic communications, which now includes social media. The American Recovery and Reinvestment Act of 2009 significantly increased the penalties for HIPAA security violations and gave regulators an added incentive for imposing fines. In addition, ARRA broadened the coverage of HIPAA standards to include all business partners of HCOs. FRCP Rule 26 Duties to Disclose: Provisions for Discovery (a)(ii) requires initial disclosures to include a copy of all ESI that the disclosing party has in its possession, custody or control that may be used to support its claim or defense. The UK Civil Procedure Rules (CPR) defines documents as anything in which information of any description is recorded, CPR Part 31.4, and the Practice Direction includes and other electronic communications. Enacted in 1986, it passed the ECPA to extend government restrictions on wire taps to cover computer transmissions of electronic data. Part of the ECPA (described above), the SCA establishes privacy protection for digital communications stored on the Internet, even if they are stored by third parties like ISPs. The SCA limits the ability of the government to compel an ISP to turn over content information and non-content information. Proofpoint, Inc. 892 Ross Drive, Sunnyvale, CA Tel: / Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. 08/13