Compliance implications of social media

Credit unions looking to take advantage of social media now, and to be prepared for future compliance, must consider the regulations already in place that govern other forms of electronic communications. Additionally, as major financial regulatory bodies around the globe, such as FINRA and the FSA, begin to issue additional guidelines that specifically include social media, it is clear that it is only a matter of time before the NCUA clarifies its position.

Transcript of "Compliance implications of social media"

  1. WHITE PAPER: Compliance Implications of Social Media. A Guide for NCUA Credit Unions
  2. WHITE PAPER – Compliance Implications of Social Media. Table of Contents

Overview (page 3)
  Lack of specific guidelines (page 3)
  Maintaining compliance (page 3)
CUs in Social Media (page 4)
  Appropriate Use of Social Media (page 4)
  Compliance Curtails Entry into Social Media (page 5)
CU Compliance Concerns (page 6)
  Data Leakage (page 6)
  Advertising (page 6)
  Retention of Records (page 6)
Wider Regulatory Concerns (page 7)
  Gramm-Leach-Bliley Act (GLBA) (page 7)
  Red Flag Rules (page 7)
  Privacy of Consumer Financial Information (page 7)
  Payment Card Industry Data Security Standard (PCI DSS) (page 7)
  Federal Rules of Civil Procedure (FRCP) (page 8)
When Social Media Goes Bad (page 9)
  Hackers Taking Control (page 9)
  Blogging Gone Bad (page 9)
  Good Intentions, Bad Tweets (page 9)
  Inappropriate Comments Equal Lost Business (page 9)
  Employee Tweets Create Negative Working Environment (page 9)
  Consequences of Violating Regulations (page 9)
Key Tenets of CU Social Media Policies (page 10)
Mitigating the Risk of Social Media and Web 2.0 (page 11)
  Enforcement of Policy (page 11)
  Monitor Content (page 11)
  Prevent Data Leakage (page 11)
  Block Threats (page 12)
  Log All Content (page 12)
  Archive (page 12)
Summary (page 13)
About Actiance, Inc. (page 14)

This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc. © 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.

Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA, (650) 631-6300 phone, info@actiance.com
EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK, +44 (0) 118 963 7469 phone, emea@actiance.com
©2001-2011 Actiance, Inc. A-WP-008-SM-CREDIT-UNIONS-0111
  3. Overview

It took the humble telephone eighty-nine years to reach the 150 million users that Facebook achieved in just five. The impact of social media can be seen everywhere: in the workplace, at home, even on billboards and TV. For credit unions looking to connect with their members and grow their business, social media is a must. But what are the dangers, who is at risk, and how can credit unions ensure that embracing Facebook, LinkedIn, and Twitter doesn’t result in a social scandal?

Lack of specific guidelines

Although the National Credit Union Administration (NCUA) has not yet issued additional rules or guidelines on the use of social media, when regulations already in existence are considered, it’s easy to see that they currently cover this new form of electronic communication. From advertising and the retention of records to the possibility of leaking social security numbers, account numbers, credit card data and other PII (Personally Identifiable Information), the regulations may not mention social media specifically, but it’s clearly a medium that potentially enables all of these negative and potentially dire circumstances to occur.

Social media applications were developed with consumers in mind. Therefore, there are no enterprise controls available natively. With the majority of credit unions not in a position to control the content of messages posted to Facebook by employees, let alone archive the messages with any meaningful context, many have wisely decided to postpone their social media strategy.

However, the compelling evidence of the benefits of embracing social media has meant that others have leapt in with both feet, potentially placing them ahead of their competitors and making it harder for the rest to justify staying away from social media. The danger for credit unions is that without the right security, management, and compliance controls in place, any benefit of its use can evaporate quicker than saying “Federally Insured”.

Maintaining compliance

Following FINRA’s footsteps in the US, the FSA in the UK has recently taken steps to ensure that members recognize that new media such as social networking, blogs, and forums are automatically included in current regulations. It is highly likely that the NCUA, along with other financial regulatory bodies, will follow suit and clarify that, like every other form of electronic communication, care must be taken to ensure that social media usage complies with current regulations.

This whitepaper considers the threats that social media poses and the regulations they may infringe upon, and suggests how credit unions can overcome them, remain compliant, and embrace the new Internet.
  4. CUs in Social Media

When President Roosevelt first signed the Federal Credit Union Act in 1934, television was in its infancy. Who could have predicted that nearly seventy-five years later Larissa Walkiw’s Young and Free Alberta video for the Common Wealth Credit Union (now Servus) would be one of the most popular credit union videos on YouTube?

Social media is taking credit unions by storm. From marketing to member services, it offers several benefits over traditional forms of communications, including cost. But perhaps the biggest reason for its success is one that fits in very comfortably with the credit union ethos: the personal touch and dedication to superior member service. Social media experts have always advocated the use of “real people” and genuine photos of employees accessing Facebook, LinkedIn, and Twitter, and the strategy pays off. One may not know all of one’s followers or buddies, but the interaction and conversation with a face you can put a name to has a major impact in cultivating relationships.

Smaller credit unions have been quick to take advantage of social media and Web 2.0, with a great deal of success in attracting new business and growing investment opportunities with existing ones. Their success has not gone unnoticed by the larger credit unions, which until recently have shied away from social media. However, with more than 500 million users on Facebook, 75 million on LinkedIn, and 70 million on Twitter, credit unions can’t afford to not include social media in their business strategy.

A recent survey of 11,000 credit union members conducted by Callahan Internet Strategy Consortium, a group of credit unions that cooperatively conduct research, discovered that:

• More than 82% of credit union members aged 18-60+ use Facebook.
• Members using Twitter expect their credit union to provide information, such as fraud alerts (71%), special offers (60%), financial tips (58%), and rate specials (57%).
• About half of all members surveyed said they would read a credit union’s Facebook page periodically.

(Source: thefinancialbrand.com)

Appropriate Use of Social Media

When credit unions include social media in their marketing plan, they need to understand from the outset that while it is a social interaction, it’s also a very public and professional one. Every credit union wants to show the “human” side of their operations, yet they must be careful not to become too casual in their replies to posts and Tweets, or they risk coming across as unprofessional and careless. Content on their social media sites is also important – all photos and links must be professional as well. “Think before you post” must be kept top-of-mind at all times. Credit unions must remind their employees to consider how it would look if their post hit the front page of a leading publication. This advice applies whether that “leading publication” is a newspaper, website, or blog site.

Without a doubt, credit union employees can be great ambassadors. If given every reason to promote the credit union brand and no motivation to complain, they can spread the word about the credit union advantage far and wide – and at virtually no cost. Social media proponents argue that appropriate use of social media can help create a positive corporate culture, which in turn leads to happier and more productive employees. Some social media advocates even go so far as to contend that the optimal use of social media can actually increase productivity, e.g., by taking a few minutes off to play a Facebook game or watch a couple of funny YouTube videos, the employee comes back relaxed, refreshed, and ready to work!
  5. Compliance Curtails Entry into Social Media

One of the reasons for the delay by many credit unions in taking the social media plunge has been well-founded concerns over compliance issues. Whether this is due to a greater awareness of the potential pitfalls or waiting for guidance from regulators, such as the NCUA, is not clear, but it is worth noting that some of the biggest credit unions, such as BECU and Golden 1, can now be found on Twitter.

Social media is just an extension of how credit unions converse with their members. Whether it’s assistance on using a service, letting people know about the latest offers, or even introducing new business contacts, Facebook, LinkedIn, and Twitter simply offer another point of contact, like walking into a local branch or talking on the telephone.

However, like every other form of communication, care must be taken that anything that could be considered an advertisement or advice complies with current regulations. For the majority of communications, that means securing, filtering content, monitoring, and archiving each and every post. Not an easy task when there are so many different social media and Web 2.0 tools and applications.
  6. CU Compliance Concerns

As social media use within credit unions grows, so does the risk of non-compliance. Whether a credit union is using social media to communicate with members, announce new products, or promote community events, it’s not just the outspoken views of rogue employees that they need to control. Social media can suddenly allow a vast number of specific credit union guidelines and regulations, and other associated regulations such as the Gramm-Leach-Bliley Act (GLBA), to be broken, often unintentionally.

Data Leakage

Although not specifically covered in either NCUA or National Association of State Credit Union Supervisors (NASCUS) regulations, the use of modern communication tools is still governed by current rules. For instance, NCUA guideline 792.67, Security of systems of records, states credit unions “…shall establish administrative and physical controls to ensure the protection of a system of records from unauthorized access or disclosure and from physical damage or destruction…Procedures shall also be adopted to prevent accidental access to or dissemination of records.”

In Actiance’s Fifth Annual Collaborative Internet Survey, 14% of organizations questioned had experienced data leakage through social networks and a further 18% took disciplinary action as a result of incidents. Whether it’s an instant message to the wrong person, a tweet that should have been a direct message, or a misjudged post to Facebook, the route for accidental leakage has never been easier, nor has it had such a potentially wide audience.

Advertising

Advertising regulation is also a potential compliance failing point. From Regulation Z – Truth in Lending to the Fair Housing Act (FHA), the rules around advertising are being tightened all the time. Under the Fair Housing Act, “Advertisements must not contain any words, symbols, models or other forms of communication that suggest a discriminatory preference or policy of exclusion.”

NCUA rule 707.2 defines advertisement as “a commercial message, appearing in any medium that promotes directly or indirectly…” terms, yields, and bonus. In the case of rule 707, these “trigger” words demand that a notice must be given as to where investors can view additional information on the offer, such as a webpage. For credit unions using Twitter, this ruling can sometimes be a challenge, but the use of shortened URLs can help to keep posts to 140 characters and still comply. Consideration should also be given to chats over IM, as the rulings around advertising still apply and disclaimers should be given.

Retention of Records

The Truth in Savings Act demands that “A credit union shall retain evidence of compliance with this regulation for a minimum of two years after the date disclosures are required to be made or action is required to be taken.” However, for credit unions using social media, this ruling may prove difficult to comply with. Facebook, for instance, currently offers no archiving facility of members’ posts, making it impossible for credit unions to keep a reliable record of messages posted.

Appendix A to part 749 of the NCUA regulations states that although there is no specific format in how records are retained, they must be easily accessible and accurate. In addition, “The credit union should also ensure that the reproduction is acceptable for submission as evidence in a legal proceeding.” Compliance with eDiscovery requires a tamper-proof archive, and best practice demands that records include the context of the message, not just the message posted.
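The Retention of Records section above asks for two properties an archive of social media posts must have: it must be tamper-proof enough to be submitted as evidence, and each record must carry the context of the message, not just the message. The following Python is an added example of one way to get both; it is not Actiance's code and not a format prescribed by the NCUA. It chains every stored record to the previous one with SHA-256 and keeps the platform message id and parent id so a whole thread can be reproduced. The channel names, the @ExampleCU account, the example.invalid URL and all posts are constructed for this example.

```python
"""Tamper-evident archive for social media records with message context.

Added example: not Actiance's code or any NCUA-prescribed format.
Records are chained with SHA-256 so that an edit, insertion or deletion of a
stored post is detectable when the chain is verified; the head hash is meant
to be stored separately (e.g. in WORM storage) so that the newest record
cannot be silently replaced either. All posts below are constructed samples.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class Record:
    seq: int
    channel: str               # "twitter", "facebook", "im", ...
    account: str               # credit union account the message was posted to/from
    author: str                # employee responsible, or "member" for inbound text
    timestamp: str             # ISO 8601 capture time
    message_id: str            # platform message id
    parent_id: Optional[str]   # platform id of the message replied to (context)
    message: str
    prev_hash: str
    record_hash: str = ""


def compute_hash(rec: Record) -> str:
    """SHA-256 over a canonical JSON form of every field except record_hash."""
    fields = asdict(rec)
    fields.pop("record_hash")
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Archive:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, **fields) -> Record:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = Record(seq=len(self.records), prev_hash=prev, **fields)
        rec = replace(rec, record_hash=compute_hash(rec))
        self.records.append(rec)
        return rec

    def head_hash(self) -> str:
        return self.records[-1].record_hash if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if intact, otherwise the seq of the first record that fails."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or compute_hash(rec) != rec.record_hash:
                return i
            prev = rec.record_hash
        if expected_head is not None and prev != expected_head:
            return max(len(self.records) - 1, 0)  # newest record replaced or chain truncated
        return None

    def context(self, message_id: str) -> List[str]:
        """Messages from the root of the thread down to message_id, for eDiscovery."""
        by_id = {r.message_id: r for r in self.records}
        chain, cur = [], by_id.get(message_id)
        while cur is not None:
            chain.append(cur.message)
            cur = by_id.get(cur.parent_id) if cur.parent_id else None
        return chain[::-1]


def build_sample_archive() -> Archive:
    """Constructed exchange: a member asks about a rate and a loan officer replies."""
    a = Archive()
    a.append(channel="twitter", account="@ExampleCU", author="member",
             timestamp="2011-01-10T14:02:00Z", message_id="t1", parent_id=None,
             message="@ExampleCU what is your current used-car loan rate?")
    a.append(channel="twitter", account="@ExampleCU", author="loan.officer",
             timestamp="2011-01-10T14:10:00Z", message_id="t2", parent_id="t1",
             message="Used-car loans from 4.49% APR, full terms: http://example.invalid/terms")
    a.append(channel="twitter", account="@ExampleCU", author="member",
             timestamp="2011-01-10T14:12:00Z", message_id="t3", parent_id="t2",
             message="Thanks, I will stop by the branch.")
    return a


def tamper(archive: Archive, seq: int, new_message: str, rehash: bool) -> Archive:
    """Simulate an after-the-fact edit of one stored record. rehash=True mimics
    an editor who also recomputes that record's own hash."""
    edited = Archive()
    edited.records = list(archive.records)
    rec = replace(edited.records[seq], message=new_message)
    if rehash:
        rec = replace(rec, record_hash=compute_hash(rec))
    edited.records[seq] = rec
    return edited


if __name__ == "__main__":
    archive = build_sample_archive()
    head = archive.head_hash()
    print("intact:", archive.verify(expected_head=head))
    print("context of t3:", archive.context("t3"))
    print("edit detected at:", tamper(archive, 1, "edited", rehash=True).verify())
    print("edit of newest detected via stored head:",
          tamper(archive, 2, "edited", rehash=True).verify(expected_head=head))
```

The chain alone only detects edits to records that have a successor; an edit to the newest record that also recomputes its hash passes `verify()` unless the head hash was written somewhere the editor cannot reach, which is why `verify()` accepts an `expected_head` and why the head should be stored outside the archive.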
  7. Wider Regulatory Concerns

Gramm-Leach-Bliley Act (GLBA)

Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) outlines standards for safeguarding confidential member information, including names, addresses, phone numbers, account numbers, and Social Security numbers. The GLBA requires that the content of communications should be scanned for such information, that the data should not be sent in clear text, and that it should never be sent via public communications channels.

In a survey by Actiance, over a third of the respondents that can access IM services at work admitted to sending an instant message to the wrong person. Accidental data leakage is one of the biggest concerns for any organization. Many financial institutions take care to move conversations that require sensitive information exchange to more secure channels, but all it takes is a simple mistake for a regulation to be violated.

Red Flag Rules

The Red Flag rules require credit unions to protect information against identity theft and to implement a program that would detect warning signs or raise a “red flag” to possible suspicious activity. The rapid growth in social media and Web 2.0 usage has made them a magnet for hackers and malware writers looking to steal confidential information that enables them to directly steal identities or to build up a profile that may lead to identity theft.

One of the problems with social media is that users place too much trust in their network of followers or friends, enabling social engineering techniques that persuade users to give up passwords or click on malicious links to work with a surprising success rate.

Privacy of Consumer Financial Information

The consumer privacy rule generally encompasses a privacy notice that details how non-public information may be used by the credit union and an opt-out clause for the consumer. Similar to the GLBA, credit unions must ensure that non-public information, including name and address, transaction history, consumer credit reports, and court records, is protected against malicious and accidental data leakage.

In addition, guidance issued by the NCUA states, “The fact that an individual is a customer of a credit union equates to personally identifiable financial information about that consumer,” which is something to keep in mind when devising social media strategies to encourage new followers and fans.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS requires that organizations that process payment account information should ensure that they build and maintain a secure network, encrypt cardholder data sent over public networks, and that unique IDs are assigned to individuals that have access to cardholder information.

When using social media, credit unions need to ensure not only against data leakage, but also be able to identify those employees that have access to both cardholder information and applications such as instant messaging or sites such as Facebook, which frequently involve the use of different user names.
  8. Federal Rules of Civil Procedure (FRCP)

The FRCP defines the procedures for managing civil suits in district courts, including legal discovery. Rule 34 allows the requesting party to designate the form in which the electronically stored information should be produced. If this format is unavailable, the producer must deliver it in a form which is reasonably usable.

Social media sites such as Facebook, LinkedIn, or Twitter have neither archiving facilities nor a guarantee to keep messages for the last week, let alone the six or seven years that some legislation requires. Being able to accurately reproduce data for a court of law is challenging in the best of times; social media just made it harder.
  9. When Social Media Goes Bad

Here are some examples of how unchecked social media activities can cause damage to a credit union:

Hackers Taking Control

In February 2010, Omni Credit Union and Advanced Savings both lost control of their Twitter accounts by disclosing their password in a social engineering attack. The hackers then used the accounts to send out spam porn, including malicious links. Although no harm was done, besides a few surprised members being offered more than a great APR, the incident potentially damaged the reputation of the credit unions.

Blogging Gone Bad

Last year, a receptionist from a credit union in Utah blogged about her pet peeves at work, including the name of her credit union. Fortunately, someone quickly pointed out the error of her ways and the blog was promptly taken down and an apology issued, but it is amazing how often a lack of forethought is behind most social media faux pas.

Good Intentions, Bad Tweets

A loan officer at a credit union in Wisconsin was simply looking to get the word out about the credit union’s great loan rates. After all, it is his job to build the credit union’s much-needed loan portfolio. Looking to generate new business, he tweeted about their excellent new and used car rates – albeit without all of the required legal disclosures. Simply not enough room in 140 characters!

Inappropriate Comments Equal Lost Business

A teller at a Kansas-based credit union had a negative experience with a member who was having a bad day. Before social media, such an occurrence would be confined to the back office and perhaps a post-work conversation at the employee’s dinner table. However, when the teller posted her thoughts on the member’s rude behavior on her Facebook page, it did not take long for it to circulate back to the member. Later that week, the member closed his account with the credit union, and it just happened to be a quite profitable account.

Employee Tweets Create Negative Working Environment

A group of employees were killing time on a slow day by tweeting back and forth at a small credit union in Texas – fairly harmless chit chat at first. But, when the tweets migrated into sexually oriented matters, one employee was offended. Fortunately, it did not lead to a sexual harassment lawsuit, but it did create tension and a negative working environment at the credit union’s headquarters.

Consequences of Violating Regulations

Below are just some of the dire consequences associated with violating NCUA regulations:

GLBA: Substantial fines, imprisonment for up to five years and loss of reputation
PCI: Substantial fines and loss of reputation
Red Flag Rules: Penalties of up to $3,500 per violation
PCI-DSS: Fines of up to $500,000, possible refusal of future transactions, and loss of reputation
Regulation Z (Truth in Lending): Fines of up to $5000, imprisonment for up to one year
Regulation E (Electronic Fund Transfers Act): Substantial fines, imprisonment for up to one year
  10. Key Tenets of CU Social Media Policies

Many observers believe that there is anarchy in the absence of social media policy and training. Perhaps the first step is to emphasize the credit union’s core values: the mission statement and member service guidelines must carry over online. In other words, the credit union’s General Code of Ethics should provide guidance on the positive behavior expected from all employees, regardless of channel.

Credit unions should invest in adequate training programs to remind their staff of their responsibilities and outline clearly what is acceptable and appropriate. They should send frequent messages to employees on the misuse of social media and draw upon case studies to convey the consequences of bad behavior or reputational damage to the credit union. Credit unions must establish clear rules of engagement – these rules need to spell out employee expectations in terms of tone, language to be used, as well as situations that demand an employee response, e.g., correcting misguided information related to interest rates or loans.

Other items that credit unions should consider adding to their policies include:

• Don’t let personal use of Twitter or other social networking sites interfere with work.
• Employees must be approved to use Twitter or other social networking sites to conduct business.
• Any use of the credit union’s name, trademarks, logos, or other intellectual property must be approved.
• If employees make personal comments about any aspect of the credit union’s business, their profiles must carry a disclaimer that the views expressed are their own and not the organization’s views.
• Tweets and other posts may not disclose confidential, proprietary, rate, or loan information.
  11. 11. WHITE PAPER – Compliance Implications of Social Media 11Mitigating the Risk of Social Media and Web 2.0Traditional security measures are no match for today’s modern communication tools. Many legitimate applicationsuse evasive techniques, such as port hopping, protocol tunneling, and encryption. In addition, some use peer-to-peerconnections. Skype, for instance, uses a peer-to-peer connection and is encrypted end-to-end, often even tunnelingthrough HTTP/port 80 if that is the only port/protocol that it finds open on the firewall, negating the use of an URLfiltering solution to control it.Aside from the obvious hazard of malware using this unauthorized channel to surreptitiously enter the network,enabling social media and Web 2.0 applications without the means to enforce other communication channels frombeing used adds the danger that organizations are not monitoring everything that leaves their network.Below are the key areas that credit unions must consider when enabling social media and Web 2.0 to be used inthe workplace. Control of social media is not as difficult as it first seems; credit unions just need to follow the bestpractice guidelines of control, including logging and archiving all pertinent content. What they must recognize is thattheir current security measures are no match for Web 2.0 applications.Enforcement of PolicySocial media and Web 2.0 applications offer huge productivity benefits, but that doesn’t mean to say that employeesshould be given free rein. Consideration should still be given to whether an employee really needs access to specificapplications or be able to transfer certain files types.In Actiance’s Fifth Annual Survey, The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact(originally published as “FaceTime’s Fifth Annual Survey”), file sharing tools (websites or P2P applications) werefound to be present in 74% of enterprises, with only 32% of IT professionals estimating that they were in use. 
Web-based chat was also found in 95% of enterprises, while only 31% of IT professionals estimated that it was in use.

Credit unions need to ensure that only authorized websites and applications are used by employees and that access is limited to their job requirements. Whether that means being able to post to LinkedIn but not to give recommendations, or to view Twitter but not to post, the decision must weigh not only the reputational risk but also the regulations that could be violated.

Monitor Content

Just as the majority of organizations have implemented technology to monitor email content, the same must be done for social media. Whether a credit union decides only to block posts that contain trigger words such as "APR" or "yield," or to send every post to a compliance officer for review, will depend on its circumstances. Without some form of monitoring in place, however, it will be impossible for a credit union to demonstrate compliance with many advertising regulations.

Prevent Data Leakage

As credit unions turn to social media to collaborate with colleagues and members, the risk of accidental data leakage has increased significantly. A small lapse in judgment can have serious consequences. Controlling how social media is used in the workplace is not just about stopping an inappropriate comment; it is also about preventing users from sharing business-critical information in what is essentially a public forum.

In Actiance's Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or information leaks due to the use of Internet applications.
Viruses were most common at 55%, followed by spyware infiltrations at 45%; in new statistics gathered for the first time this year, 14% had seen data leakage through social networks.
Prevention of data leakage features prominently in virtually every regulation that a credit union must comply with. For example, a quick tweet of "@(member name) thanks for stopping by the branch today" could break a confidentiality clause if the member has not publicly indicated the visit themselves.

Block Threats

It is no secret that Web 2.0 applications, public IM, peer-to-peer file sharing, and social media introduce risk to the credit union. The productivity advantages of collaboration are quickly lost when malware infections send the IT staff into the equivalent of search-and-rescue mode to clear malware from endpoints and protect the credit union from sensitive data loss.

Unsurprisingly, social engineering tactics are used extensively by malware writers, who hijack IM buddy lists to trick users into thinking a link arriving in their IM window comes from a trusted contact. Once introduced to the network, multi-protocol malware can quickly jump from the public IM system to internal systems. Credit unions need to ensure that all entry points for malware are blocked, not just email and the basic Internet gateway ports.

Log All Content

To comply with industry regulations and eDiscovery requirements, credit unions need to be able to log each and every interaction posted to social media and other Web 2.0 applications. Although sites like Twitter and Facebook have not yet been specifically mentioned in guidelines such as those issued by the NCUA, the current regulations make it perfectly clear that records pertaining to transactions, advertising, and other credit union activities should be archived.
Aside from non-compliance, the consequence of not logging content is that it potentially leaves the credit union at the mercy of the other party in a legal dispute.

Currently, the majority of social media sites do not offer any means to log and store content, nor do they give any guarantee that the information there today will be available tomorrow. Going further, it is not a given that today's social media darling will still be around in two years' time to retrieve content and conversations from. To ensure compliance, credit unions need to consider how to log content posted to social media, including the context of the whole "conversation".

Archive

The process of archiving, storing, and making social media conversations easily retrievable for regulatory compliance and legal discovery is made far more complex by the multidimensional nature of these conversations. For example, a chat on a Facebook wall can include numerous participants joining at different times, which creates a requirement to understand the context surrounding each participant's understanding of the conversation.

To simplify retrieval, credit unions need to ensure that the content and context of posts and messages can be exported, along with corporate identity credentials, to an email archive or WORM storage, giving a single location for discovery.
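The outbound-post policy check that the Monitor Content, Prevent Data Leakage and Log All Content sections describe, written out as an added example in Python. This is not code from the paper or from Actiance's Socialite product. The rule set (the paper's "APR" and "yield" trigger words plus an assumed "dividend rate"), the member roster, the corporate identity mapping (@JohnJones on Twitter, JohnHJones on LinkedIn and Facebook) and the sample posts and thread context are all constructed for illustration; the three outcomes (allow, hold for a compliance officer, block) and the JSON archive record are one way to implement the policy, not the paper's prescribed design.

```python
"""
Added example, not from the white paper: a minimal outbound-post policy check
of the kind the Monitor Content / Prevent Data Leakage / Log All Content
sections describe. Rules, roster, identities and sample posts are assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List

# Constructed rule set (assumption): advertising terms that trigger disclosure
# rules, and handles of members whose branch visits must not be named publicly.
TRIGGER_TERMS = ("apr", "yield", "dividend rate")
MEMBER_HANDLES = {"@janedoe", "@bob_smith"}

_TRIGGER_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in TRIGGER_TERMS) + r")\b", re.IGNORECASE
)
_HANDLE_RE = re.compile(r"@\w+")


@dataclass
class Post:
    platform: str
    corporate_id: str                    # one corporate identity tracked across networks
    handle: str                          # handle used on this particular platform
    text: str
    thread: List[str] = field(default_factory=list)   # earlier messages, for context


@dataclass
class Decision:
    action: str                          # "allow", "hold" or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate(post: Post, review_all: bool = False) -> Decision:
    """Apply the policy: advertising trigger terms are blocked outright, a post
    naming a member is held for a compliance officer, and review_all (the
    'send every post to compliance' option) holds everything else too."""
    reasons: List[str] = []
    action = "allow"

    hits = sorted({m.group(0).lower() for m in _TRIGGER_RE.finditer(post.text)})
    if hits:
        reasons.append("advertising trigger term(s): " + ", ".join(hits))
        action = "block"

    handles = {h.lower() for h in _HANDLE_RE.findall(post.text)}
    mentioned = sorted(handles & {m.lower() for m in MEMBER_HANDLES})
    if mentioned:
        reasons.append("names member(s): " + ", ".join(mentioned))
        if action == "allow":
            action = "hold"

    if review_all and action == "allow":
        reasons.append("all posts routed to compliance review")
        action = "hold"

    return Decision(action, reasons)


def archive_record(post: Post, decision: Decision, timestamp: str) -> str:
    """One JSON line per interaction, carrying the conversation context and the
    corporate identity, in a shape that can be exported to an email archive or
    WORM store. The timestamp is passed in so records are reproducible."""
    record = {
        "ts": timestamp,
        "platform": post.platform,
        "corporate_id": post.corporate_id,
        "handle": post.handle,
        "text": post.text,
        "context": post.thread,
        "action": decision.action,
        "reasons": decision.reasons,
    }
    return json.dumps(record, sort_keys=True)


# Constructed sample posts (not real traffic); the first mirrors the paper's
# "@(member name) thanks for stopping by the branch today" example.
SAMPLES = [
    Post("twitter", "jjones", "@JohnJones",
         "@JaneDoe thanks for stopping by the branch today!",
         thread=["@JaneDoe: Is the Main St branch open on Saturdays?"]),
    Post("facebook", "jjones", "JohnHJones",
         "New share certificates now paying a higher yield."),
    Post("linkedin", "jjones", "JohnHJones",
         "Our Main St branch is open Saturdays 9-1."),
]


def run_samples(review_all: bool = False) -> List[str]:
    """Evaluate every sample post and return the decided actions in order."""
    return [evaluate(p, review_all).action for p in SAMPLES]


if __name__ == "__main__":
    for p in SAMPLES:
        print(archive_record(p, evaluate(p), "2011-06-01T12:00:00Z"))
```

The point of the record format is that every decision, including blocked and held posts, is written out with the whole thread and the corporate identity behind the platform handle, so that a discovery request can be answered from one place regardless of which network the post went to or whether that network still exists.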
Summary

Some analysts believe that usage of social media will follow a trajectory similar to that of email and instant messaging: discouraged or even blocked by organizations at first, then approved for use by a few individuals, and eventually opened up to the majority of employees. The trajectory often changes as the organization identifies ways the new tool can make it more competitive or more efficient in conducting its business.

Credit unions looking to take advantage of social media now, and to be prepared for future compliance, must consider the regulations already in place that govern other forms of electronic communication. Additionally, as major financial regulatory bodies around the globe, such as FINRA and the FSA, begin to issue additional guidelines that specifically include social media, it is only a matter of time before the NCUA clarifies its position.

For the majority of communications, that means securing, filtering, monitoring, and archiving each and every post; not always an easy task given that there are so many different social media and Web 2.0 applications with no native enterprise controls. However, so long as credit unions apply the same controls they do to other electronic communication, such as email, and partner with the right vendors to put such controls in place, it need not be too onerous.
About Actiance, Inc.

Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance's award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM, and Cisco.

Socialite

Socialite is Actiance's security, management, and compliance solution for social networks, providing granular control of Facebook, LinkedIn, and Twitter.

Socialite not only controls access to 150 different features across social networks, but can also moderate, manage, and archive any social media traffic routed through the solution, which can be either on-premise or hosted.

Socialite includes a number of key features for securely enabling the use of social networks, including:

• Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently
• Identity management: establishing a single corporate identity and tracking users across multiple social media platforms (e.g., @JohnJones on Twitter is the same person as JohnHJones on LinkedIn)
• Activity control: managing access to features, such as who can read, like, comment upon, or access specific features
• Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter where content is required to be reviewed by a corporate communications officer or other third party
• Granular application control: enabling access to Facebook but not to Facebook Chat or to downloading/installing any of the applications in the gaming category
• Conversation and content logging: capturing all posts, messages, and commentary in context, including export to an archiving platform of your choice for eDiscovery purposes

Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA, (650) 631-6300 phone, info@actiance.com
EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK, +44 (0) 118 963 7469 phone, emea@actiance.com
©2001-2011 Actiance, Inc.
