As more organizations use social media to grow their online presence, questions of ownership become an increasing concern, says Alan Brill of Kroll, who advises organizations on how to mitigate the risks.
Here's a scenario: An employee is tasked with setting up and growing a company's social media presence. Over time, as the social network grows, it attracts thousands of followers. Once that employee leaves your organization, who owns that network?
"There have been a number of cases where those who have developed a social media site leave the organization and take it with them," says Brill, senior managing director at Kroll, in an interview with Information Security Media Group [transcript below].
"They say it's theirs; they're not giving it back and that they're the registered owner," he says.
These incidents often lead to litigation, where organizations and ex-employees dispute who owns that asset, Brill explains.
"It's very difficult to go in and fight these disputes if there's no agreement," Brill warns.
The best place organizations can begin to mitigate the risk is by taking inventory of all social media relating to their company, and then having contracts and agreements built with the employees who manage them, Brill says.
"This is not magic," he says. "It's a matter of doing it and keeping it up-to-date."
In an interview about social media risk management, Brill discusses:
- Risk to organizations from social media ownership disputes;
- How organizations can mitigate these risks;
- Where to begin.
Brill is senior managing director for Kroll Advisory Solutions. He consults with law firms and corporations on investigative issues relating to computers and digital technology, including the investigation of computer intrusions, Internet fraud, identity theft, misappropriation of intellectual property, internal fraud, data theft, sabotage and computer security projects designed to prevent such events. He has worked extensively on developing methodologies for collecting evidence from corporate information systems. With more than 33 years of consulting experience, he has assisted firms with a wide range of technology security issues.
Protecting Social Media Assets
TOM FIELD: Just to jump right in here, there has been a lot of recent litigation and discussion about protecting corporate social media assets and ownership. My question for you is: Protect them from what?
ALAN BRILL: That's a great question to start with. It's the not understanding that has led to so many of the problems and the litigation that we're seeing now. Essentially, the way that I think you can look at the problems involving the ownership of social media that corporations use is just a form of identity theft. Here's what I mean. The company over time, as they come to use social media more and more, learn to use it more and more effectively. They build up hundreds or thousands or tens of thousands of people who like them on Facebook; thousands of followers on Twitter; huge numbers of links on sites like LinkedIn. The number of social media sites including those that are more specialized to an industry has grown exponentially; we all know that. The companies are really enjoying the use of social media, but the problem comes in when, for example, the employee who set up the site for you or has been running it for you, or the contractor that is doing it, decides to leave or is let go for whatever reason, and suddenly the company discovers that the password to that social media site has changed and they don't know it. They check with the person and they say, "Well, you know, it's interesting. I established the site and it's actually registered in the name, and you don't have any ownership interest and I'll use it for whatever I want to."
Suddenly, they may have what's in a very real sense the equivalent of highly confidential information, like, for example, your customer list, the people that you send this information to and that interact with you. They have the ability to interact with people in a way that you won't even be able to see, so first you have to look at the ownership of the social media sites as an asset. It's a piece of intellectual property, and then you realize that, when somebody takes it over, they can pretend to be you or they can appear to be you. As the use of social media has grown, as we've started to see things like Twitter handles next to news people's online signatures and on the air signatures so they can be followed and contacted, this is a very real phenomenon. If you lose control of it, then you may well have lost an asset that can be turned into a liability and used against you.
Social Media Disputes
FIELD: That's great context. I wonder if you might be able to offer some examples now of organizations, and you don't need to name them, of course, that have been adversely impacted by social media ownership disputes. Make this real for us.
BRILL: To put it in the right context, you have to go back a few years and think of the years when Internet suddenly became real and popular, and the concept of owning an address - whether it was Myname.com or yourname.com or your company.com - suddenly became something of value. You can go back to dispute that MTV had with one of its VJs about the ownership of addresses, and over time people realized that controlling the ownership to an Internet location was important.
The same thing is happening now. There have been a number of cases where those who have developed and paid to develop a social media site leave the organization and take it with them, and say that it's theirs and that they're not giving it back and that they're the registered owner as far as that social media site knows, and if you really want it back you'll have to negotiate a payment or obviously litigate.
There have been a number of cases involving exactly that where an employee says that they're in charge of the social media. There was a major case in California recently. There's a case in Pennsylvania where a company founder was essentially forced out and, on leaving, took her LinkedIn account with her and the question was: Could they gain control back on that account? The litigation is I think usually something you want to do as a last resort, but unfortunately, because organizations haven't really considered this issue, they're often backed into the corner of either paying somebody for something that well may be the company's, or suffering damages, for example, when an employee who runs one of these sites for you, or a contractor who does so, suddenly doesn't like you anymore. You've had a dispute; you've fired them; you've terminated the use of their company if they're a contractor, and now they're going to use that site for their purposes, which are probably not your purposes. If you don't have any contractual or employee relations deals in effect, then litigation may be the only way you have to go, even though it's going to be time-consuming. It's going to be expensive, and ultimately it's going to be draining you of resources in order to get back what you probably could have avoided losing in the first place.
Risks to Organizations
FIELD: It seems like we've covered a lot here in just a short period of time. If I could ask you to sort of back up and summarize: What do you see as some of the very specific risks to organizations if they fail to properly secure ownership and assets?
BRILL: I think you have to step back one more step from that. What are the risks if you fail to recognize that these are assets, that these have value, that the intellectual property that's tied up in them is important? That's not always easy to do because social networks evolve; they change and they operate in different ways. Something that may have been fairly unimportant when it started could suddenly become very, very important. Who could have guessed the effect that Twitter would have had, the speed with which Twitter messages get out there and the extent to which they're repeated and even move into the more mainstream media?
You have to start out by saying, "Do we, as a company, understand our position relative to social media and the value that those accounts have for us?" Once you recognize it, then there are specific risks you have to worry about. What if somebody takes it over? What if somebody changes the password and won't give it back to you? What if somebody opens an account that you never authorized anybody opening? What if an employee in good faith wants to help out and opens an account and suddenly is using it to post valuable non-public information? All of these things have happened in the past and they'll probably continue to happen in the future, but every one of them is a risk and if you don't take steps to mitigate that risk, it's going to be sitting there waiting for you.
How to Mitigate Risks
FIELD: From your experience, how can organizations start to build in the right protection from the very start?
BRILL: It's interesting. I see the scenario playing out very, very much the same as we saw some years ago with the issue of who owns the Internet domain name. Ultimately, a company has to realize that, even though they're dealing with a social networking phenomenon and what's a technological issue - how you access, how you change passwords, how you secure - ultimately it's a legal issue. Those organizations that have gotten counsel - either their in-house counsel or outside counsel - involved up front to build a social media policy, to build in controls relating to the ownership of that social media, building those into appropriate contracts and employee agreements and employee handbooks that employees have to agree to, those who have done that, who keep it up-to-date and are watching, not just from a technical viewpoint, but from a legal viewpoint of the risks and how to manage them, they're doing better because they've taken it into account. They've made sure that employees understand what the rules are and, if an employee violates that agreement, that they have something that they can use both with the social media organization and ultimately with the courts to regain control.
It's very, very difficult to go in and fight these disputes if there's no agreement, if there are no rules. Having the rules, setting them out and making sure the counsel has vetted them - that they're appropriate, that they're in line with the changing face of litigation and decisions that are constantly coming out - is ultimately what you want to do. You may want to have the same corporate people who are handling the ownership of your URLs for the Internet also be the owner of record on your social media sites, for example. I think the good news is there's no magic involved here. This is basic blocking, tackling and controlling an asset, controlling intellectual property, and most organizations do that all the time. It's just that recognition that this is worth doing.
FIELD: You make great points there. I'm thinking about organizations. Many of us we've been into social media for many years now. How do we go back and build in retroactive controls once we've had this recognition that you talked about?
BRILL: The thing that I always tell companies is that there really are two sides to this, maybe three sides. The first is the technical side: understanding what systems you are up on, how they're currently being managed, who currently owns them and what the current rules are. The second is the legal side: getting counsel involved to help set up the appropriate set of rules. The third dimension of it is working with your HR people to build those rules, to build those contracts and to build those agreements into your overall HR platform in terms of employee awareness and employee recognition of the problem and that the appropriate agreements are signed. Then, proactively for the future, make sure these things are built into initial employee agreements and annual security updates, where they acknowledge as employees, vendors or contractors, the employees' ownership of certain intellectual property and resources. [It's] not magic; it's a matter of doing it and keeping it up-to-date.
Mitigating Access, Ownership Issues
FIELD: We're going forward into what clearly is an uncertain legal landscape when it comes to social media. How are you advising organizations now to mitigate the social media access and ownership issues? Anything you can add to what you've already talked back in terms of recognizing the issue and having some policies in place?
BRILL: Once you recognize the issue and you put your policies in place, I think the real keyword to think about as a manger is vigilance. You have to think about whether there are those in your organization who are looking at new media, new social media systems, and saying those could be really good for us to use, and perhaps having a process in place by which somebody who thinks that a given new media site would be useful can bring it to the attention of the company and perhaps be rewarded for that. But you want to have a system by which it's easier to do it the right way and to get permission than to do it the wrong way and have to have a dispute about it later.
Best Place to Start
FIELD: For organizations that are sort of waking up this realization now, where's the best place to start?
BRILL: The best place to start is to inventory the social media relating to your company: what's out there, who's controlling it, who's using it and how are you running it internally today? Do you have the registered ownership of all of these locations? Who's making decisions as to what gets posted and what gets tweeted; what's put on your wall on Facebook? Who makes the decision as to whether to friend people on sites? Are you following your own company's sites so that you can see what's out there and you don't get surprised? It's really very much a matter of recognizing the need to understand the asset and understand the intellectual property, because, until you do that, you're making decisions about risk mitigation without really understanding the risks, and that's always dangerous.