• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Managing Social Media Risks for Municipalities (and More)
 

Managing Social Media Risks for Municipalities (and More)

on

  • 1,015 views

This is a 45 minute presentation I gave at a government liability conference when asked to deal with social media risk management and data breach management.

This is a 45 minute presentation I gave at a government liability conference when asked to deal with social media risk management and data breach management.

Statistics

Views

Total Views
1,015
Views on SlideShare
1,015
Embed Views
0

Actions

Likes
1
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • So that’s issue number oneIssue number two is about corporate use of social mediaHere’s a scenario that illustrates a danger of jumping on the corporate communications social media bandwagon without thinking through some important employment-related issuesHow many of you are concerned that Tim has just assigned work?
  • I amHere are the two legal risks flowing from that statement…And I think they are relatively self-explanatory to most of youSo as HR or legal, reach out to your communications prosWork with them, but make sure they understand these risks

Managing Social Media Risks for Municipalities (and More) Managing Social Media Risks for Municipalities (and More) Presentation Transcript

  • Managing Social Media Risks for Municipalities (and more)
    February 9, 2010
    Dan Michaluk
  • Outline
    Harm from off-duty expression
    So you want to blog eh?
    Policy model for managing social media risks
    Current employees as targets
    Risk and control of corporate information
    Due diligence and employee malfeasance
  • Current Employees as Communicators
    Bob and Sue had a long day. They go to the Dirty Dog Pub after work and, over the course of four hours, take jabs at their supervisor, Phil.
  • Current Employees as Communicators
    Jack had a long day. He goes home, cracks open a beer, and boots up his home computer.
    Using a picture of his supervisor taken from the company intranet and some internet based software, he alters the picture so the manager looks ridiculous.
    Jack posts it to his Facebook page. He feels good.
  • Current Employees as Communicators
    Duty of fidelity applies when employee expression is likely to significantly affect a legitimate employer interest
    All other activity is “private”
    The kind of social interaction we engage in today is more likely to conflict with employer interests
    Duty of fidelity is the basis for conflict of interest and other restrictive policy
  • Current Employees as Communicators
    Employee speech can negatively…
    …affect an employer’s duty to other employees
    …affect an employee’s ability to do his/her job
    …affect public perception of employee performance
    …affect an employer’s reputation
  • So you want to blog eh?
    Tim is the CAO at an upper tier municipality who fancies himself a social media guru. He sends and e-mail to all that says, “We ought to be leaders in our field. Accordingly, I encourage all of you to use social media to advance our municipal interests.”
  • So you want to blog eh?
    Risks
    Tim could now be responsible for everything his employees do online
    The municipality may now be responsible for a large wage and overtime bill for “work” assigned by Tim
  • Policy Model for Managing Risk
    Municipalities should consider two policies
    One that guides all employees
    One that guides those who are licensed to speak on behalf of the municipality
  • Policy Model for Managing Risk
    Policy for all employees – theme
    You can do it if you want
    Here’s how you meet our expectations
    Be careful
    If you publish to “friends” you’re still accountable
    Identifying yourself as an employee comes with risks
    Identify special risks (e.g., relating to care and control of sensitive personal information)
  • Policy Model for Managing Risk
    Policy for all employees – content
    Start with a statement of principle
    Then rules that address
    Confidential information, personal information
    Respect for other employees, clients, citizens
    Conflict of interest, conflict with job duties
    Time theft
    Refer to other policies
    Offer support
  • Policy Model for Managing Risk
    License “deputized communicators” on special terms
    Establish clear objectives
    Identify forbidden topics - never
    Identify safe topics – go for it, no review
    Create a workable review process
    Measure time, effort and outcome
    Pay wages for work, reward performance
  • Employees as Targets
    Consider the expression, don’t react to it
    Show support for the employee
    If you take steps to facilitate “takedown,” make clear that you’re taking one step at a time
    Frame your engagement properly from the outset
    Tell the employee to get independent legal advice (Defamation claims are time-sensitive!)
  • Risk and Control of Corporate Information
    Factors reducing control
    The “cloud”
    Mobile storage media
    Mobile devices
  • Risk and Control of Corporate Information
    Implication for solicitors
    The acceptable use policy is not a sufficient administrative control
    New policies and protocol
    Internet publication policies
    Mobile media policy
    Personal device policy
    Departing employee protocol
  • Risk and Control of Corporate Information
    Implications for litigators
    The “get it back” engagement
    Rests on detinue (and breach of confidence)
    Must make a clear and specific demand for “return”
    Should reckon with privacy implications of inspecting a “mixed use” device
    Usually involves retaining a computer forensic specialist
  • Due Diligence and Employee Malfeasance
    New Ontario PHIPA order – HO-010
    Unauthorized access by diagnostic imaging tech.
    Second similar breach at hospital (see HO-002)
    Limited role-based access restrictions on health care providers (access to systems and not within systems controlled)
    All systems not audited
  • Due Diligence and Employee Malfeasance
    Findings on duty to manage malfeasance
    Unreasonable to continue access without a written undertaking to abide by rules (ordered)
    Hospitals must report to regulatory college (ordered)
    Complainant has right to know what discipline was imposed
    Post-breach communiqué to employees called for (ordered)
  • Due Diligence and Employee Malfeasance
    Suggestion that identity of wrongdoer and penalty imposed should be published
    A suggestion at best… not backed by order or reasoning in text of order
    Not normative in employee and labour relations
    Seems mean-spirited
    Raises defamation issues
  • Managing Social Media Risks for Municipalities (and more)
    February 9, 2010
    Dan Michaluk