10 Steps to Managing Risk and Regulatory Compliance in blogs and wikis

Description

Techrigy - SM2. Sept. 2007. White Paper.
Many organizations are beginning to realize the value of using collaborative tools such as blogs and wikis. When used appropriately, these tools can help organizations gain a competitive edge. However, these tools can often lead to legal liability and regulatory problems.

10 Steps to Managing Risk and Regulatory Compliance in Blogs and Wikis
Techrigy - SM2 White Paper, September 2007
Techrigy, Inc. Web: www.techrigy.com Tel: 1-585-586-0160 Email: info@techrigy.com

Many organizations are beginning to realize the value of using collaborative tools such as blogs and wikis. When used appropriately, these tools can help organizations gain a competitive edge. However, these tools can often lead to legal liability and regulatory problems.

Many companies want to use blogs and wikis but are afraid of what their employees might say on them. Large organizations have a natural tendency to want to maintain control over what is said by the organization, and some organizations think these tools might lead to loss of that control. Moreover, even if an organization thinks it can stop what employees are saying from the workplace, there is little control over employee blogging at home and off hours.

We all believe in the freedom of expression, and any company that tried to restrict that freedom would likely not retain talented employees. However, freedom of expression does not extend to revealing trade secrets, sharing proprietary company intellectual property, sexual harassment, or violating other company or organizational policies. This is exactly what organizations fear. For example, “Mini-Microsoft” is a blog run by a Microsoft employee which often criticizes Microsoft management. Comments include those such as “People need to be fired and moved out of Microsoft today. Where’s the freakin’ accountability?” Another blogger, Heather Armstrong of Dooced.com, made well-documented satirical remarks about her employer.

Inevitably, all organizations will need to manage this type of problem. Even if an organization decides to disallow all social media, compliance policies must still be enforced both inside and outside your network.

The following ten steps should help you reduce many of the risks associated with the use of social media.

1) Create a policy for use of blogs and wikis

Organizations should not leave it to employees to create personal blogging policies. Without a set of organizational guidelines to clearly define when someone steps too far over the line, the result is the Wild West. The vast majority of employees will use common sense when blogging. However, best practices require an organization to not only “trust” but also “verify.” This means organizations should accept that employees are smart, reasonable people, but also realize that if the activity on blogs and wikis is not monitored, employees may be lulled into complacency and say things that are not appropriate. Additionally, blogs are public. When an employee makes a statement on a blog, it can spread through the blogosphere like wildfire.

A blogging policy makes it clear what is acceptable and what is not. The policy should be broad enough to cover the basics of what can and cannot be addressed in a public forum, and should include specifics about when blogging is acceptable (during work hours?), where bloggers may post (may employees have blogs at work, may an employee access a personal blog from work, etc.), and how they should blog (are avatars or pseudonyms acceptable?). As well, a blogging policy should require employees to disclose any personal blogs to the employer. This should not restrict what the person can or cannot say on their blog, but by sharing the fact that a personal blog exists with the employer, an employee is more likely to understand that they are accountable for what they say.

2) Know who is saying what and what they are saying

It’s not likely that an organization will be able to effectively manage this risk if it hasn’t properly inventoried all sources of social media.

Communications such as email are relatively easy to monitor because email is typically channeled through a small number of email servers operated by the organization. However, social media is architecturally very different. Social media can be hosted in disparate places ranging from a user’s local PC to a web server running in an individual department to a remote provider such as Google’s BlogSpot or WordPress.com. Creating a complete and accurate social media inventory can be very challenging.

As an organization attempts to inventory where employees are using blogs and wikis, it is best to break the task into two separate pieces: internal and external. Start by attempting to generate a list of blogs and wikis running inside your organization’s network perimeter. Inventorying these applications requires a TCP/IP discovery tool such as nmap (www.nmap.org). Begin this discovery process by gathering the IP ranges on your organization’s network and looking for HTTP web servers running on common ports such as 80 (HTTP) or 443 (HTTPS). Before you run any discovery scans, check with the IT department to ensure that this process is allowed and will not be disruptive. Once the running web servers have been identified, examine each one to determine whether it is running a blog, such as WordPress or Movable Type, or a wiki, such as MediaWiki or TWiki.

Employee blogs or wikis outside the network perimeter must also be checked. Certainly, some employees could be blogging anonymously and never reveal their place of employment. In that case, it will be very difficult to determine that a blog author is an employee. However, if the organization is not mentioned in the blog, there will be very little risk to the organization, since that blog is not associated with it.
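As an added illustration of the internal-inventory step above (not Techrigy's code), this Python script reads nmap's grepable output for open web ports and fingerprints each server's front page as WordPress, Movable Type, MediaWiki or TWiki. The nmap output, host addresses and front pages are constructed samples, and the signature list is an assumption to extend for the platforms in your own environment.

```python
import re
import urllib.request

# Fingerprints for the platforms named in step 2: generator meta tags and well-known paths.
SIGNATURES = {
    "WordPress": [r'<meta name="generator" content="WordPress', r"/wp-content/"],
    "Movable Type": [r'<meta name="generator" content="Movable Type', r"/mt-static/"],
    "MediaWiki": [r'<meta name="generator" content="MediaWiki', r'class="mediawiki'],
    "TWiki": [r"/twiki/bin/view/", r"Powered by TWiki"],
}
# nmap -oG (grepable) lines: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>//<version>/, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)/")

def web_servers_from_nmap(grepable):
    """Return [(ip, port, scheme)] for open ports that look like web servers."""
    found = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports = m.group(1), m.group(3)
        for port, service in PORT_RE.findall(ports):
            port = int(port)
            if port in (80, 443) or service.startswith("http"):
                scheme = "https" if port == 443 or service == "https" else "http"
                found.append((ip, port, scheme))
    return found

def identify_platform(html):
    """Name the blog/wiki platform a front page belongs to, or None if unrecognised."""
    for name, patterns in SIGNATURES.items():
        if any(re.search(p, html, re.I) for p in patterns):
            return name
    return None

def fetch_front_page(ip, port, scheme, timeout=5):
    """Fetch one front page. Run only against ranges IT has approved for discovery."""
    with urllib.request.urlopen(f"{scheme}://{ip}:{port}/", timeout=timeout) as resp:
        return resp.read(200_000).decode("utf-8", "replace")

def inventory(grepable, fetch=fetch_front_page):
    """Map (ip, port) -> platform name, 'unknown web server', or an 'unreachable: ...' note."""
    results = {}
    for ip, port, scheme in web_servers_from_nmap(grepable):
        try:
            html = fetch(ip, port, scheme)
        except Exception as exc:  # connection refused, TLS error, timeout, ...
            results[(ip, port)] = f"unreachable: {exc}"
            continue
        results[(ip, port)] = identify_platform(html) or "unknown web server"
    return results

# Constructed nmap output and front pages so the example runs offline (no real hosts).
SAMPLE_NMAP = """# Nmap grepable output (constructed sample)
Host: 10.0.0.5 (blog.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)
Host: 10.0.0.9 (wiki.corp.example)\tPorts: 443/open/tcp//https//Apache httpd/
Host: 10.0.0.12 ()\tPorts: 25/open/tcp//smtp//Postfix/
Host: 10.0.0.20 ()\tPorts: 8080/open/tcp//http-proxy//Squid/
"""
SAMPLE_PAGES = {
    ("10.0.0.5", 80): '<html><head><meta name="generator" content="WordPress 2.2" /></head><body>Hello</body></html>',
    ("10.0.0.9", 443): '<html><head><title>Main Page</title></head><body class="mediawiki ltr ns-0">Wiki</body></html>',
}

def fake_fetch(ip, port, scheme):
    """Stand-in for fetch_front_page that serves the constructed pages (KeyError = unreachable)."""
    return SAMPLE_PAGES[(ip, port)]

if __name__ == "__main__":
    for host, platform in sorted(inventory(SAMPLE_NMAP, fake_fetch).items()):
        print(host, platform)
```

Replace `fake_fetch` with the default `fetch_front_page` to run it against a real, approved scan; hosts that answer but match no signature are reported as unknown web servers and still deserve a manual look.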
However, if an employee does make any reference to the workplace, partners, customers, confidential information, or fellow employees, the risk becomes real and the blog will need to be monitored. What can an organization do when an anonymous blogger reveals they work at the organization? If real damage is occurring to your organization, there are steps to shut down the blogger, including the possibility of subpoenaing the internet service provider or blog host. Less severe measures include sending a gentle reminder to the blogger that references to the workplace should not be included in an anonymous blog. This is often enough to stop any damage: once employees realize they are not as inconspicuous as they may have believed, they will often clean up their act. However, this is the Internet and anonymity is an aspect of it, so an organization may not always be able to prevent, detect, or stop every blogger. Even if you cannot stop a blogger, documenting the problem and monitoring the issue is your next best option.

3) Monitor for offensive or inappropriate language or behavior

Any form of harassment has become a major risk in the corporate environment. Courts have created a world in which a hostile work environment is no longer acceptable. The slightest inappropriate comment or joke can lead to distracting lawsuits which divert a company from running efficiently and can lead to large monetary settlements or judgments.

Using the inventory of your blogs and wikis, one can monitor new content being posted on them. Checking for recent additions or updates can typically be done by polling the RSS or Atom feed for the blog or wiki. Each new update should be checked for policy violations such as:

- Making any lewd, degrading, threatening, or derogatory statements
- Using slurs, strong offensive language, or inappropriate jokes
- Discussing fellow employees in a negative way

At one end of the spectrum, the list above includes items that are clearly inappropriate. There are also many shades of grey for which an employee may feel a topic is appropriate but the employer may not. For instance:

- Heated discussions involving religion or politics
- Bad-mouthing the company in an unproductive fashion

In these cases, the employer will need to make a reasoned decision on whether the topic is acceptable or not. Monitoring for these inappropriate behaviors can be done manually by reading each blog, but this method does not scale well. A more robust strategy is to set up a series of keywords and regular expressions designed to home in on these inappropriate behaviors and notify the employer when a match is detected.

4) Monitor for PII or PHI being leaked

Protecting Personally Identifiable Information (PII) or Personal Health Information (PHI) is becoming a major organizational concern. In the past, an organization could get away with simply hiding or staying tight-lipped about security breaches. The cost of the theft of PII/PHI was borne solely by the individuals who were the unwitting victims of identity theft or credit card fraud. More recently, legislation such as California Senate Bill 1386 imposes the possibility of jail time for management at organizations that do not notify victims of theft of their PII. Because of the public nature of blogs and wikis, any intentional or accidental exposure of PII or PHI on one of these platforms can lead to significant legal liability. A discussion on a blog about a patient may inadvertently reveal too many details, leading to damage for the patient.

Wikis are great for storing information for collaboration, but inadvertently uploading a document containing social security numbers or credit card numbers may go unnoticed until it’s too late. The social media in your inventory should be checked for any content that resembles PII/PHI. This can be done by having an employee read each blog and look for PII and PHI. Again, this type of solution does not scale well at all, even on a very small scale. A better solution is to scan the social media programmatically for content with the characteristics of PII/PHI. For instance, an employer may scan using regular expressions to detect social security numbers or credit card numbers. These methods introduce the challenge of managing false positives: content that is flagged as a match but is not truly a match. For example, any 16-digit number may appear to be a credit card number but may instead simply be a large number. Any programmatic system would need to handle false positives and learn to exclude them.

5) Monitor for confidential information or trade secrets being leaked

Certain sensitive information simply does not belong on a public forum such as a blog or wiki. While a user new to wikis or blogs may feel that the information is inconspicuous because of the vastness and anonymity of the internet, sensitive information should seldom be discussed on a blog. In order to monitor for these types of events, an organization or compliance manager will need to come up with a list of confidential projects. Other types of sensitive data to monitor for include:

- salary or compensation information
- usernames and passwords
- non-public financial results or reports
- patents or secret formulas

It may be acceptable in some environments for these types of content to exist on a blog or wiki if appropriate access controls and authentication are being used.
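Steps 3 to 5 all come down to scanning each new post against rule sets, so here is one added Python example (not Techrigy's product) that reads an RSS/Atom feed, matches policy keywords and regular expressions, detects SSNs and card numbers while filtering the false positives step 4 warns about (Luhn check, never-issued SSN ranges, a list of matches a reviewer has cleared), and looks for confidential project names. The feed, rule lists and project names are constructed samples, not real data.

```python
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
# Step 3: keywords and regular expressions for language the policy forbids (constructed list).
POLICY_RULES = {
    "threat": re.compile(r"\b(kill|hurt|beat up)\s+(him|her|them|you)\b", re.I),
    "slur or insult": re.compile(r"\b(idiot|moron|loser)s?\b", re.I),
}
# Step 5: confidential project names supplied by the compliance manager (constructed).
CONFIDENTIAL_TERMS = ["Project Bluebird", "Q3 forecast"]
# Step 4: matches a reviewer has already cleared, so the scanner learns to skip them.
CLEARED_FALSE_POSITIVES = {"4111111111111111"}  # a published test card number
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional spaces or dashes

def luhn_ok(digits):
    """Luhn checksum: rejects most 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject SSN-shaped numbers that are never issued: area 000, 666 or 900+, zero group or serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_pii(text):
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in CLEARED_FALSE_POSITIVES:
            hits.append(("card", m.group(0)))
    return hits

def scan_text(text):
    """Return (category, detail) findings for one post."""
    findings = [("policy", name) for name, rx in POLICY_RULES.items() if rx.search(text)]
    findings += find_pii(text)
    findings += [("confidential", t) for t in CONFIDENTIAL_TERMS if t.lower() in text.lower()]
    return findings

def feed_entries(xml_text):
    """Yield (id, title, body) from Atom <entry> or RSS <item> elements."""
    root = ET.fromstring(xml_text)
    for e in root.iter(ATOM + "entry"):
        yield e.findtext(ATOM + "id"), e.findtext(ATOM + "title") or "", e.findtext(ATOM + "content") or ""
    for i in root.iter("item"):
        yield i.findtext("guid") or i.findtext("link"), i.findtext("title") or "", i.findtext("description") or ""

def scan_feed(xml_text, seen):
    """Scan entries not yet in `seen`; persist `seen` between polls so each post is reviewed once."""
    alerts = {}
    for entry_id, title, body in feed_entries(xml_text):
        if entry_id in seen:
            continue
        seen.add(entry_id)
        findings = scan_text(title + "\n" + body)
        if findings:
            alerts[entry_id] = findings
    return alerts

# Constructed Atom feed standing in for a polled blog; none of these are real posts.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
<entry><id>urn:demo:1</id><title>QA notes</title><content type="text">Use test card 4111 1111 1111 1111 in the sandbox.</content></entry>
<entry><id>urn:demo:2</id><title>Venting</title><content type="text">My manager is a moron. Also, the Q3 forecast looks bad.</content></entry>
<entry><id>urn:demo:3</id><title>Customer record</title><content type="text">Project Bluebird client: SSN 123-45-6789,
card 4532 0151 1283 0366, order number 1234567812345678, ticket 000-12-3456.</content></entry>
</feed>"""

if __name__ == "__main__":
    for entry_id, findings in scan_feed(SAMPLE_FEED, set()).items():
        print(entry_id, findings)
```

The 16-digit order number is not reported because it fails the Luhn check, and the cleared test card is skipped, which is the false-positive handling step 4 asks for; genuine hits still need a human reviewer before any action.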
However, make sure that information is not being inadvertently exposed by incorrectly configured wikis. By default, wikis are publicly accessible. These technologies by design make their content as open as possible, and configuring wikis to make them private is not a straightforward process. Organizations must take steps to ensure that confidential information is not inadvertently exposed due to an innocent mistake.

6) Use of disclaimers

Blogs and wikis can be hotbeds of sensitive topics. Because of their nature, it’s recommended that you ask employees who blog to label their blogs with disclaimers and perhaps even privacy policies. Just as a TV station or movie producer labels any politically charged show as “not necessarily reflecting the view of the station,” you should consider the same type of disclaimer for your employees who choose to blog. This type of policy allows your employees to express their own personal views without worrying about those views coming across as the company’s. A company may simply not want to have a view on topics that are not relevant to its business. Whether or not the company decides to make a public statement about an issue, it should not be perceived as adopting the view of an employee who is blogging.

7) Don’t allow anonymous posts or comments

Anonymity can often lead to trouble. When people believe they cannot be associated with what they say, they also believe they cannot be held accountable. Allowing employees the capability to remain anonymous will lead to individuals voicing opinions that are far more offensive and can lead to legal liability. Anyone who has visited an anonymous chat room, bulletin board, or forum will know how fast an argument can degrade, likely because these people are not accountable for what they say. Of course, there are situations in which anonymous posts or comments may make sense. For instance, if you want honesty, allowing anonymous opinions may be the best method to get the truth. In general, anonymity should be the exception, not the rule.

There are a number of types of anonymity for which you want to monitor. First, attempt to locate bloggers or wikis that belong to anonymous employees. This is not simple, but there are techniques that can be used. Searching the blogosphere for phrases such as “I work for CompanyX” or “my job at CompanyY” can uncover employees blogging anonymously. In addition, there may be other hints that can uncover an anonymous blog, such as situational details. You certainly aren’t going to be able to uncover every anonymous blogger, but these techniques should provide some insight.

You should also look for anonymous comments being allowed on a blog. Anonymous comments allow flame wars and derogatory statements to go unchecked. One blogger, Kathy Sierra, received multiple death threats in the comments on her blog, the majority of these threats from anonymous commenters. These threats led to Sierra temporarily shutting down her blog and cancelling public speaking engagements. Blogs should be configured to disallow anonymous comments, record IP addresses, and require registration of users wanting to post comments. Again, freedom of expression is a tenet we all respect, but we should each be accountable for what we say.

8) Archive social media content

Legal discovery of electronic records has recently been codified in the Federal Rules of Civil Procedure. In the past few years courts have been deciding discovery of electronically stored information based on ad hoc rulings. With the new rules, which went into effect in December 2006, electronically stored information consists of records that must be maintained for legal discovery purposes.

In a situation in which a defamatory or damaging post is made on a blog, the offender can easily delete the post, leaving the offended party with questionable evidence. If an employer attempts to fire an employee for something posted in a blog, the blogger can easily make the blog disappear, leading to some tricky questions. Situations like this make it imperative that you properly archive all social media using a method that allows the integrity of the content to be verified. For instance, archiving an entry with a timestamp and a signature makes the evidence that much stronger.

By not recording blog entries, you open yourself up to possible legal fines. We have already seen many fines based around “lost” electronically stored information in the form of email. As blogs move into the mainstream, more and more lawsuits will revolve around what is said or posted in a blog or wiki. Because what is said in social media is public, it will be even more likely that lawsuits will involve what’s said in them. Professional golfer Fuzzy Zoeller recently filed a lawsuit against a firm whose employee made false statements on Wikipedia alleging that Zoeller beat his wife, was an alcoholic, and was addicted to prescription drugs. This is just one example of the liability associated with using these social media.

Archiving all records also provides security against content being lost. This may not correspond to legal risk, but loss of valuable content can be quite painful.

9) Ensure social media applications are secure

Another area of concern is the security of the applications. Not properly locking down these applications leads to a few risks. One obvious risk is that these systems will be destroyed or the content of the system stolen by an attacker.

The risk of content being stolen is likely not at the top of the list of problems, since this content is open and shared among anyone who can view the application. There are some social media applications that will need access controls and authentication; in those cases the risk of theft is important, but this is the exception rather than the rule.

Manipulation of content or of the underlying application is a significant threat. An attacker who gains control of a blog or wiki can add content that leads to legal liability. Worse than that, it may lead to loss of credibility in the marketplace. Allowing a system to be hacked, no matter which system it is, leads to loss of consumer confidence and will cause some percentage of your customers to move to a competitor. Vandalism of a malicious nature can result in your name being smeared or associated with a defaced public image. This is not something you want your company to be known for, and it can result in backlash from top management against any form of social media.

The other issue is destruction of content. An attacker with access to a system can destroy thousands of hours of collaboration by simply deleting the records from the system, or by corrupting the content in a way that makes it unusable. Locking out valid users, adding a back door to the system, and even taking down the system can cause serious problems for an organization. Archiving the contents of the system can mitigate some of this risk by providing a way to restore destroyed or manipulated content. It is therefore equally important that an organization have a working archive system in place. Backup of the underlying software is not as critical; those pieces can simply be reinstalled. What’s most important is to have a complete archive of the content in the application, including blog entries, comments, wiki pages, and the wiki page histories, because recreating that content from scratch is an expensive task.
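The verifiable archive recommended in step 8, which step 9 relies on for restoring manipulated content, can be built from a capture timestamp and a keyed signature over each record; the Python below is an added example, not Techrigy's product, and assumes the HMAC key is held by the compliance team separately from the archive and from the blog or wiki administrators.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def canonical(record):
    """Stable byte encoding of every field the signature covers (all but the signature)."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign(key, record):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def archive_entry(key, source, entry_id, content, captured_at=None):
    """Capture one post or page revision with a UTC timestamp (ISO 8601 string) and an HMAC-SHA256 signature."""
    record = {
        "source": source,
        "entry_id": entry_id,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "content": content,
        "content_sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
    }
    record["signature"] = sign(key, record)
    return record

def verify_record(key, record):
    """True only if no signed field (content, timestamp, id, source) changed since capture."""
    expected = sign(key, record)
    return hmac.compare_digest(expected, record.get("signature", ""))

def verify_archive(key, records):
    """Return the entry_ids of records that fail verification (edited, or signed with another key)."""
    return [r["entry_id"] for r in records if not verify_record(key, r)]

def restore_content(key, records, entry_id):
    """Return the archived content for entry_id, but only from a record that still verifies,
    so a manipulated archive copy is never restored over the live system (step 9)."""
    for r in records:
        if r["entry_id"] == entry_id and verify_record(key, r):
            return r["content"]
    return None

if __name__ == "__main__":
    # Constructed demo key and post; a real key belongs in a secrets store, not in code.
    key = b"demo-archive-key"
    rec = archive_entry(key, "blog.corp.example", "post-17", "Original post text")
    tampered = dict(rec, content="Original post text (edited after the fact)")
    print(verify_record(key, rec), verify_record(key, tampered))  # True False
    print(verify_archive(key, [rec, tampered]))  # ['post-17']
```

An HMAC can be recomputed by anyone who holds the key, so where the archive must also stand up against the key holder, use an asymmetric signature or an external timestamping service in place of `sign`.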
Attackers have many methods to breach a system. For instance, an attacker can subvert the underlying operating system, impersonate a user or administrator, or find a security hole in the application itself. In order to reduce the risk of being hacked, security procedures should be instituted to protect these applications.

The first step in a security policy is to ensure a recurring patching process is in place. Social media applications and the underlying operating system should be checked on a monthly or quarterly basis to ensure the latest patches and versions are installed. The more often the better, but practically speaking the environment dictates how often patches should be installed. On an internet-facing blog or wiki, security patches may need to be applied very quickly after a serious security hole is discovered. When tools to exploit a security hole are released on the internet, patching becomes top priority. When the blog or wiki is on the intranet, it can be patched on a lower-priority schedule. To keep informed of security vulnerabilities in blogs and wikis, you can subscribe to mailing lists such as SecurityFocus (http://www.securityfocus.com). You’ll need to filter the list to just the blogs and wikis you are interested in, since this is a generic list.

Another basic security measure is the use of strong, hard-to-guess passwords. Attackers will use brute-forcing tools to attempt to force their way into an application. For instance, a Perl script combined with a dictionary can be used to guess a password by trying to log in using every word in the dictionary as the password. An attacker will likely focus on hacking an administrative account such as WikiSysop for MediaWiki or TWikiAdmin for TWiki. As well, an attacker will attempt simple hacks such as trying default usernames and passwords. For instance, Movable Type is installed with a default username of Nelson and a password of Melody. On occasion, the administrator may forget to remove the default accounts, allowing the attacker easy access to the system.

10) Educate employees

Many of these potential problems can be mitigated by simply educating employees about the dangers of using social media. Employees unaware of legal and regulatory risks are much more likely to create and ignore risks simply because they are unaware of the potential consequences. Educating employees and encouraging them to help eliminate misuse of social media can lead to an army of employees helping each other avoid risks and liabilities. When employees realize the potential consequences of their actions, they are much more likely to avoid these mistakes.

Organizations can educate employees by taking a few steps. Creating a blog and wiki usage policy and explaining the reasons behind each policy can provide an easily accessible reference for employees unsure of how to operate a blog or wiki. Creating a blog or wiki that discusses compliance issues related to social media use can also help open the door for discussion with employees, ultimately helping employees and management feel more comfortable with social media. Additionally, a wiki listing the company’s social media usage policy is a great central resource for employees to learn about the usage policies, as well as a place for employees to recommend and discuss changes to the policy.

Ultimately, employees and management must work together when implementing social media. Employees angry about their inability to communicate through social media at work can lead to damaging situations. Employees who are satisfied with their ability to use social media can become your organization’s best evangelists.

Conclusion

These ten steps cannot eliminate all risk. It’s just not possible to create an ideal world. However, by implementing these steps, one can create an environment in which the likelihood of damages, a regulatory fine, or a lawsuit is minimized and your liability is certainly reduced. These steps outline a plan to help ensure your social media are in compliance. In the worst-case scenario, a lawsuit or regulatory issue, a judge, jury, or regulatory agency will surely recognize and reward you for your earnest efforts in implementing such a plan. By properly managing the risk and legal liabilities, you can help make collaborative tools such as blogs and wikis safe to use. Once large enterprises realize they can protect themselves from the fears they may have about social media, we will see the adoption of such technologies accelerate.

About Techrigy

Techrigy helps organizations utilize social media by providing a full range of compliance and risk management solutions for social media. Techrigy’s products allow organizations to discover and consolidate social media from both inside and outside the network and analyze this content to identify and address risks. Our enterprise products enable organizations to ensure that social media are complying with corporate policies and are not creating legal liabilities.
