Managing Social Media Risks for Municipalities (and More)


Published on

This is a 45 minute presentation I gave at a government liability conference when asked to deal with social media risk management and data breach management.

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • So that’s issue number oneIssue number two is about corporate use of social mediaHere’s a scenario that illustrates a danger of jumping on the corporate communications social media bandwagon without thinking through some important employment-related issuesHow many of you are concerned that Tim has just assigned work?
  • I amHere are the two legal risks flowing from that statement…And I think they are relatively self-explanatory to most of youSo as HR or legal, reach out to your communications prosWork with them, but make sure they understand these risks
  • Managing Social Media Risks for Municipalities (and More)

    1. 1. Managing Social Media Risks for Municipalities (and more)<br />February 9, 2010<br />Dan Michaluk<br />
    2. 2. Outline<br />Harm from off-duty expression<br />So you want to blog eh?<br />Policy model for managing social media risks<br />Current employees as targets<br />Risk and control of corporate information<br />Due diligence and employee malfeasance<br />
    3. 3. Current Employees as Communicators<br />Bob and Sue had a long day. They go to the Dirty Dog Pub after work and, over the course of four hours, take jabs at their supervisor, Phil.<br />
    4. 4. Current Employees as Communicators<br />Jack had a long day. He goes home, cracks open a beer, and boots up his home computer.<br />Using a picture of his supervisor taken from the company intranet and some internet based software, he alters the picture so the manager looks ridiculous.<br />Jack posts it to his Facebook page. He feels good.<br />
    5. 5. Current Employees as Communicators<br />Duty of fidelity applies when employee expression is likely to significantly affect a legitimate employer interest<br />All other activity is “private”<br />The kind of social interaction we engage in today is more likely to conflict with employer interests<br />Duty of fidelity is the basis for conflict of interest and other restrictive policy<br />
    6. 6. Current Employees as Communicators<br />Employee speech can negatively…<br />…affect an employer’s duty to other employees<br />…affect an employee’s ability to do his/her job<br />…affect public perception of employee performance<br />…affect an employer’s reputation<br />
    7. 7. So you want to blog eh?<br />Tim is the CAO at an upper tier municipality who fancies himself a social media guru. He sends and e-mail to all that says, “We ought to be leaders in our field. Accordingly, I encourage all of you to use social media to advance our municipal interests.” <br />
    8. 8. So you want to blog eh?<br />Risks<br />Tim could now be responsible for everything his employees do online<br />The municipality may now be responsible for a large wage and overtime bill for “work” assigned by Tim<br />
    9. 9. Policy Model for Managing Risk<br />Municipalities should consider two policies<br />One that guides all employees<br />One that guides those who are licensed to speak on behalf of the municipality<br />
    10. 10. Policy Model for Managing Risk<br />Policy for all employees – theme<br />You can do it if you want<br />Here’s how you meet our expectations<br />Be careful<br />If you publish to “friends” you’re still accountable<br />Identifying yourself as an employee comes with risks<br />Identify special risks (e.g., relating to care and control of sensitive personal information)<br />
    11. 11. Policy Model for Managing Risk<br />Policy for all employees – content<br />Start with a statement of principle<br />Then rules that address<br />Confidential information, personal information<br />Respect for other employees, clients, citizens<br />Conflict of interest, conflict with job duties<br />Time theft<br />Refer to other policies<br />Offer support<br />
    12. 12. Policy Model for Managing Risk<br />License “deputized communicators” on special terms<br />Establish clear objectives<br />Identify forbidden topics - never<br />Identify safe topics – go for it, no review<br />Create a workable review process<br />Measure time, effort and outcome<br />Pay wages for work, reward performance<br />
    13. 13. Employees as Targets<br />Consider the expression, don’t react to it<br />Show support for the employee<br />If you take steps to facilitate “takedown,” make clear that you’re taking one step at a time<br />Frame your engagement properly from the outset<br />Tell the employee to get independent legal advice (Defamation claims are time-sensitive!)<br />
    14. 14. Risk and Control of Corporate Information<br />Factors reducing control<br />The “cloud”<br />Mobile storage media<br />Mobile devices<br />
    15. 15. Risk and Control of Corporate Information<br />Implication for solicitors<br />The acceptable use policy is not a sufficient administrative control<br />New policies and protocol<br />Internet publication policies<br />Mobile media policy<br />Personal device policy<br />Departing employee protocol<br />
    16. 16. Risk and Control of Corporate Information<br />Implications for litigators<br />The “get it back” engagement<br />Rests on detinue (and breach of confidence)<br />Must make a clear and specific demand for “return”<br />Should reckon with privacy implications of inspecting a “mixed use” device<br />Usually involves retaining a computer forensic specialist<br />
    17. 17. Due Diligence and Employee Malfeasance<br />New Ontario PHIPA order – HO-010<br />Unauthorized access by diagnostic imaging tech.<br />Second similar breach at hospital (see HO-002)<br />Limited role-based access restrictions on health care providers (access to systems and not within systems controlled)<br />All systems not audited<br />
    18. 18. Due Diligence and Employee Malfeasance<br />Findings on duty to manage malfeasance<br />Unreasonable to continue access without a written undertaking to abide by rules (ordered)<br />Hospitals must report to regulatory college (ordered)<br />Complainant has right to know what discipline was imposed<br />Post-breach communiqué to employees called for (ordered)<br />
    19. 19. Due Diligence and Employee Malfeasance<br />Suggestion that identity of wrongdoer and penalty imposed should be published<br />A suggestion at best… not backed by order or reasoning in text of order<br />Not normative in employee and labour relations<br />Seems mean-spirited<br />Raises defamation issues<br />
    20. 20. Managing Social Media Risks for Municipalities (and more)<br />February 9, 2010<br />Dan Michaluk<br />