By Ben Rothke, Senior Security Consultant, BT Global Services
The action earlier this month from the National Labor Relations Board, in the case of a Connecticut woman who was illegally fired from her job as an emergency medical technician after she posted disparaging remarks about her boss on Facebook, is a big wake-up call, both for the employer and the employee.
An administrative law judge is expected to hear the case in January 2011, but it is unlikely to end there, as the losing party will certainly appeal. It is expected that this case will make its way to the Supreme Court.
From an information security perspective, far too many firms wait for these kinds of wake-up calls before taking action. Leading companies, however, will be proactive to ensure that the appropriate information security policies and guidelines are there from the beginning.
The truth is that the term “wake-up call” may understate the situation. This is a legal issue — and if organizations find themselves at the losing end of such a case, it can turn out to be an expensive proposition — lawyers’ fees, punitive damages, negative PR, regulatory findings, and more. Not being prepared can be an extremely expensive lesson.
The courts seem to be leaning toward the view that comments in a social network setting are constitutionally protected speech, a factor that would allow employees to discuss their jobs and working conditions with co-workers. Those employee rights translate into responsibilities that employers must undertake.
As more employers and employees are using social networking sites, this is a most topical issue.
Social networking in the workplace needs to be dealt with differently for the employer and the employee.
For an employer, the following are a few of the many steps you need to take:
- First off, get in front of the social media wave. Be proactive and assign a dedicated team to deal with the myriad issues around social networks.
- As social networks blur boundaries between roles, policy and strategy are crucial. The border between the company and the outside world is evaporating, so your policy and strategy must reflect that. Two firms that have comprehensive social media guidelines are IBM and Intel.
- Social networking policy is a must. Even if your course of action is to completely prohibit social networking, you still need a clear and established policy.
- Create a rational, sensible program around your employees’ use of social media services. Make sure this includes photography and video, and common sense advice (don’t reference clients, customers, or partners without obtaining their express permission, etc.).
- Human resources must be involved, as social media can open a Pandora’s Box of HR issues. HR needs to create directives for managing personal and professional time and create reasonable guidelines. As part of the HR awareness process, explain how innocent social media postings can be misconstrued, how confidential data can accidentally be shared, and other germane topics.
- Social media security awareness is crucial. Don’t just give employees a generic five-slide PowerPoint. Follow the “three Cs” of information security awareness — make it clear, comprehensive and continuous.
For the employee:
- For those new to Facebook, Twitter and other social media sites, curb your enthusiasm. This is especially true for those with OCD or addictive personalities who often don’t appreciate the addictive nature of social networking. Facebook is viral and indeed addictive — and as a salaried employee, don’t waste your workday on it.
- Realize that Facebook and postings on other social sites can get you fired. When at work, realize that you are being paid to work. Don’t abuse the trust your employer had in hiring you.
- Most jobs in the US are at-will employment. This is a doctrine of American law that defines an employment relationship in which a) either party can break the relationship with no liability, provided there was no express contract for a definite term governing the employment relationship; and b) the employer does not belong to a collective bargaining group (i.e., has not recognized a union). Simply put, you are but one Facebook post away from losing your job.
- Ensure you know about and are compliant with your employer’s social media guidelines. In the event you post something corporate, ensure that it is public information.
- Take extra care if you “friend” your boss on Facebook.
Social media is awesome, but it is undeniable that it has introduced significant information security and privacy risks and issues.
At the organizational level, companies must recognize these risks and take a formal approach to deal with them.
At the individual’s level, employees can’t be naïve about their responsibilities when using social media.

