Social Media Risk

Future of Work Interview: Robert Brownstone, Technology, eDiscovery and Computer Forensics, Fenwick and West LLP

This interview was written up while drinking a Soy Latte at the Swank Bar in San Francisco’s Pacific Heights neighborhood.

A “Make Your Own Major” Type of Job

For the last 18 months, I have become interested in the emerging fields of Digital Risk, Crisis Management and Cyber Security. So, I decided to reach out to Robert Brownstone (@ediscoveryguru) from Fenwick and West, LLP. I know Robert from when I sought his advice on the Internet and the Law. Normally, we share stories and exchange ideas while eating Chinese food on Castro Street in downtown Mountain View. Our meetings remind me of George Costanza and Jerry Seinfeld, engaged in intense conversations at Monk’s Cafe. Today, however, I telephoned him from the Human 1.0 office in Cambridge, MA, where there is only one restaurant (Italian, not Chinese) within walking distance.

Brownstone started his career on Wall Street as a white-collar crime litigator in fraud cases. He then became a law school professor and program director while working as a part-time lawyer. For the last thirteen years, Brownstone has been working out of Fenwick’s Silicon Valley office, where he has his finger on the pulse of legal and technical issues impacting some of the most innovative companies in America.

Bill Fenwick, the firm’s founder, originally hired Brownstone as his “experiment” and gave him the title Knowledge Manager. He wanted to take a law teacher and litigator, and as Brownstone describes it, “pump my head with as much computer knowledge as possible in hopes that I would continue to spark some new developments and opportunities for the firm.” Fenwick asked Brownstone to focus on electronic discovery, IT, Data Security, and Legal issues with the intention of sharing these learnings in two ways: “in house” with Fenwick attorneys and “out-house” (really called “outsiders”) with Fenwick clients.

Brownstone characterizes his role at Fenwick as a “make your own major type of job,” where he often finds himself immersed in issues such as intellectual property, the protection of trade secrets, data security strategies, and employer-employee disputes over data. To make all this new information useful, he says, “the secret sauce is understanding (our) clients’ business and how their internal information systems work.”

Digital Law: Riding the River

In representing many high-tech and life science companies, Brownstone has found that his main challenge is in the area of Digital Law, which is in flux right now with the Courts wrestling with some major issues, such as:

  • How to protect data secrets and information and what to do when their use is in dispute
  • How to handle electronic information over a lifetime – from creation to usage to destruction
  • How to handle electronic information issues when a company gets sued or when there’s an electronic discovery (e-discovery) request 

Clog That Drain: Prevent Data Leakage and Cut Your Losses 

According to Brownstone, there are essentially three ways information can leak from a company:

  1. An employee or some other insider is intentionally trying to harm the company and puts information in front of the public (sometimes via the Internet). The most highly publicized examples would be from the Wikileaks site. Basically, someone is trying to harm an organization through disclosure or an accusation.
  2. An intentional disclosure becomes unintentionally harmful. An employee, executive, or other insider posts something (e.g. a photo or a tweet) but he or she does not know the FTC prohibits specific kinds of disclosures under certain circumstances. [Having managed online communities and social networks since my AOL days in the mid-1990s, I would say this happens at least once or twice a year for many companies.]
  3. An unintentional disclosure. Confidential Information gets out via a smart phone, laptop, device, or paper when the item is stolen, hacked or lost. There is no malice or intent on the part of the employee or client, but the information still gets leaked.

Even if the law does not require it, companies can reduce their risk and exposure when it comes to data leakage. Two ways to reduce a company’s risk exposure are:

  1. Role-Based Access Control, or what IT folks call RBAC, which essentially means that not everything within the virtual or physical world is open to everyone in the company. For example, different permissions are granted to folks who need to access databases, etc. Brownstone calls this approach “narrowing the risk of leakage.”
  2. Encryption, particularly for company-issued devices (laptops, phones, etc.), to the extent the data can be encrypted. Two purposes are served. One: companies can prevent someone who steals or finds a lost laptop “from sucking out, bit by bit, the data on that drive and booting it up in another machine.” This measure is important. First, companies want to protect their employees and their data. Second, companies will not have to take a hit financially or in the court of public opinion by having to announce a data breach. (Note: some states handle this differently, and for customer-relations reasons many companies choose to voluntarily disclose breaches to their users.)

The Mobile Horse Has Already Left the Barn

The ubiquitous usage of mobile devices makes controlling a company’s data even more complicated and gives Information Technology (IT) leaders multiple headaches. Brownstone advises companies to consider issuing a second phone and to officially notify, educate, and remind employees that “Anything which involves your company device” is the company’s property.

Brownstone states, “this is the cleanest way under the law to handle data on a mobile device – it is a clean way to deal with a complex issue.” He points out, however, “It gets tricky because most organizations, especially hi-tech companies, are in the mode of not wanting to stifle employees from being able to hook as much as possible into the network at any time wirelessly or otherwise” and from their devices of choice.

Leaving employees to (literally) their own (mobile) devices exposes the company to multiple security issues. If a company decides to follow this route, it can be difficult to change how employees operate. Brownstone points out, though, “If the horse is already out of the barn in a data security situation, then it is a lot trickier in advance to establish good practices.” In most cases, employees are already using their own phones for work, so it’s a challenge for a company to regain control.

Warning: You Have The Whole World In Your Hands

Other significant mobile-related considerations involve location services:

  1. Due to GPS technology, employers can potentially track where their staff is and has been at all times.
  2. The frictionless sharing of Facebook, for example, means that when employees download an app and opt in to sharing, or when they log in to a site that uses Facebook credentials, their personal information gets shared.
  3. The Fourth Amendment has not prevented courts from allowing law enforcement to seize an individual’s mobile device.  In some instances, officers practice computer forensics and carry a tool that can do bit-by-bit capture of certain types of data off of a mobile device, e.g. employee data, and by logical extension, employer data. This significant information becomes not just mobile, but able to be seized by law enforcement.
  4. Remember: Not everything stored on a mobile device is encrypted!

Potential Disasters and Detours

I ask Brownstone about some of the more organizational challenges his clients face. He mentions:

  1. Sales people negotiate and close business deals by sending instant messages. If there were ever a dispute about a contract, one General Counsel feared she might not have an actual copy of the final terms of the contract. She asked Brownstone to write her a new policy, forbidding negotiations over IM.
  2. General Counsel and the CIOs/CTOs are not always on the same page (or even in the same meeting). Brownstone illustrates this concern with a story about how he witnessed an IT leader telling his executive team that he had thought he was following Legal Department orders when he had captured, stored, and logged all employees’ instant messages for the prior three years. The General Counsel turned red in the face, fearing that all of the information would be available if the company were ever subpoenaed and had to collect, process and review all the information. The discovery process alone could cost more than any lawsuit.
  3. Brownstone cites an article that says “Lawyers are from Mars and ITs are from Venus, so you need a translator.” Both groups are infamous for their acronyms and jargon. Getting them to work together during discovery can mean interplanetary mayhem. (You can find the article here as well as some material Brownstone co-authored on that theme.)
  4. Anticipate all the potential data leaks and make a prioritized list. Brownstone recommends working through them over time. Don’t try and conquer the law in one day.

Your Employees’ Own Personal Pages 

Since I am conducting a social media-training program for a Fortune 500 company, I ask about employee-owned Facebook and LinkedIn pages. Brownstone states that it’s more challenging to establish rules for company-sponsored pages than address what employees might be doing with their own pages on their own time:

“The law is really unsettled…and there are some issues that cut across both arenas of company-sponsored and individual pages. For a company of a substantial size, if someone anonymously posts praise or an endorsement of (that) product, the FTC calls it a testimonial, and if they don’t disclose that they work at the company or are a spouse of someone that works at the company that actually runs afoul of the long-standing FTC guidelines for online product endorsements.” [Disclosure: I worked with the FTC on this in an advisory capacity while serving on the board of the Word of Mouth Marketing Association in 2008.]

Brownstone points out that even in the age of disclosure and transparency, publicly traded companies need to be alert: “It is very dangerous for someone to post anonymously even if they are praising the company. In some instances this is called ‘sock puppeting.’” (Read the Wall Street Journal’s article about a famous example of this involving the CEO of Whole Foods.)

Brownstone recommends that companies focus on “narrowing the risk” by:

  1. Providing training for employees
  2. Implementing a Role-Based Access Control approach
  3. Using encryption as much as possible (and don’t just depend on the Cloud)
  4. Communicating with your legal advisors as soon as possible so they can advise and reroute rather than react or put out a fire
  5. Cleaning all devices before and after international travel
  6. Having a clearly identified owner for company branded social media pages. 

Note: the law is more stringent overseas, e.g. a company cannot just say they can confiscate an employee’s device because it is presumed that personal information exists on it.

For More Information

Brownstone speaks at conferences often, offers webinars, and publishes quite a bit. He is also an avid online reader of law and technology items, especially of what lawyers used to call “Advance Sheets.” His favorites include Law Technology News, the New York Times (especially the Business and Technology sections), Compliance Week and beSpacific. He also relies on his mentors including:

  • Bill Fenwick, whom we discussed above
  • Matt Kesner, Fenwick’s CTO
  • Browning Marean of DLA Piper, a large international business firm
  • Kevin Moore, Fenwick’s IT Director
  • Patrick Premo, a Fenwick litigation partner championing efficiency and alternative fees
  • Delos Putz, Professor Emeritus of USF School of Law

(Brownstone provided a bibliography below about eDiscovery, Computer Forensics and Technology).

Brownstone loves eDiscovery and all things “e”. As he explains, “My wife and friends of mine say it puts them to sleep when I start talking about eDiscovery.” But I have to say, as a technologist, I have seen his passion firsthand. Our one-hour scheduled Chinese food lunch hours often turn into a two-and-a-half-hour discussion. Fortunately, he doesn’t bill me by the hour for these talks but freely exchanges ideas as he does in his many presentations around the hemisphere.

Thank you for visiting.


Don’t learn social media on the fly

Employees can handle the truth, but management can’t

A recent Human 1.0 research study showed that only half of employees feel as if they receive the proper training to successfully participate in social networks. Contrary to what Jack Nicholson says in A Few Good Men, employees can handle the truth and senior management should as well. After all, how can you address your customers’ needs if you don’t give them a chance to speak, even if it’s online?

Social Media Training: available at Human 1.0 or Wildervoices.com

After working with some of the largest companies in the country, it’s clear that most employees desperately want to learn how to properly conduct themselves online as well as to reach out to unhappy customers. They want to blog well, tweet responsibly, and not break any Facebook laws so they can turn their “detractors” into Net Promoters, where they will change from stating negative comments about the company to recommending it to their peers and friends. This should not be surprising considering 40% of companies hesitate to let their staff engage with customers online for fear that someone might say something negative about their organization. Amazing, considering a survey just released of 870 employers and employees from recruitment company Hays found 19.7 per cent would reject a job offer if they did not have reasonable access to social media sites such as Facebook. (source: Herald Sun Australia)

Most companies want employees to learn social media on the fly

This highlights the need to provide the proper guidelines, guardrails, and guidance to help workers engage more effectively on Twitter, LinkedIn and other networks. The problem, however, is that employees usually have to learn social media on the fly and learn how to properly engage with customers through trial and error. This is not the way to run a business. Social Media Training can help you and your coworkers engage in more constructive conversations online.

Why Is Training Important?

  • The Broken Window Theory: I was first introduced to this theory in 1990 when William Bratton cleaned up the streets of New York City by significantly reducing crime rates. He believed that without law enforcement, people would damage things, and if they knew they could commit these crimes without any repercussions, they would continue to break the law (and not just windows). The same is true for un-moderated communities and social networks. So, it’s important to have well-trained moderators working in your online communities and reading your blog comments. After all, it’s human nature to test authority figures.
  • You’ve Got the Whole World in your Hands: While everyone knows that mobile devices are increasing in popularity, people often forget that these are, what ProPublica reporter Peter Maass calls, “potentially a gold mine of data-mining information for companies.”
  • The Internet Never Forgets: All you have to do is go to Waybackmachine.org and look up your company’s home page from the 1990s. If you work at a Fortune 1000 company, it’s probably there; or you can start looking at your Facebook Timeline and see some pictures of yourself.

Those are just three reasons why it’s imperative for companies to develop well-thought-out social media policies and training programs.

Line Between Work and Pleasure is Fuzzy

The line between online work and personal life and the content (text, photos, video) is increasingly becoming fuzzy. There are also important legal implications concerning the fact that your staff often spends time on social media platforms at work. This has raised a number of legal issues, for example, about who owns a company-branded social media account. Before explaining how to handle online engagement (the subject of my next post), it’s important to focus on clearly defining who owns a company’s Facebook page or Twitter account and how employees should handle themselves on these sorts of networks. Companies need to be “old-schoolish” about setting up their branded social media channels and about establishing clear online policies. Rarely do these agreements explicitly address the following:

  • Policy and process for what happens to a social media account after its administrator leaves the company.
  • How much personal information should be on a social media page; even though it’s good to list out your company moderators on a Twitter page, it might not make sense to include the employee’s name in the sub-branding, such as WilderWidgets, brought to you by Stan Smith.
  • Who has access to edit and change an account (I also recommend having more than one administrative owner of a page). Employees’ online behavior during and after their tenure at a company is becoming a major topic of corporate law.
  • The company’s right to access confidential information on their own social networks; nearly 20% of companies report that they have investigated the posting of confidential, sensitive, or private information to a social network. (source: Proofpoint)
  • The company’s right to terminate an employee who violates company policy; approximately 8% of companies have terminated employees for organizational violations using social media. (source: Proofpoint)

When to Re-Tweet at a Moment’s Notice

Even though most employees want to do the right thing and post responsibly online, they are sometimes a bit too Twitter trigger-happy and re-tweet without thinking through the original source of the info or who was the original poster. Often we don’t realize that a re-tweet by an individual can be interpreted as their company’s endorsement of the original site’s policy. Therefore, it’s important to provide a link to the content-owner’s site. Without this, a re-tweet could potentially violate copyright law; the link also gives the content owner (the publisher) the rightful opportunity to pay their bills by generating another unique visitor to their site, serving up a banner ad, and/or getting a chance to sign up a new registered user.

Develop your Crap Detector

While some of this might seem like common sense, every day we find well-educated and street-smart, savvy people making mistakes with their online posts, videos, or audio recordings. Howard Rheingold, in his excellent new book, Net Smart, recommends that we use good crap detectors to help us find information we need to know and determine if it is true or not. This is something Ernest Hemingway talked about in the 1950s: “Every man should have a built-in automatic crap detector operating inside him.”

Be Digital Ready

What does it mean to Be Digital Ready? (TM) Based on my years in social, ecommerce and online communities, very few companies really think through all the Digital Risks they might encounter with their web offerings, be it on their own sites, within their own borders (behind the firewalls), on a social network (Facebook) or somewhere else, like the iPhone. Most marketers tend to wing it. I know that many of you will not agree with that last sentence, but I have a few grey hairs from not sitting down with legal, the tech group, the privacy group, etc. before launching a new product or service. Fortunately, when I was at Intuit, my manager encouraged me to work with the great legal team there before launching Intuit’s Small Business Community. And to be honest, without them, I wouldn’t have been ‘Digital Ready.’

Are you Digital Ready? (TM)

I would be interested to hear how you work with the other divisions/groups in your company to prepare for a program. I know some companies have Social Media Task Forces, or SMTF for short. But even those only have limited cross-functional group collaboration. Thoughts?