Types of Monitoring to Ensure Security Practices Are Followed

Most companies face the challenge of employees not using the Internet appropriately. It’s easy for an employee to update a personal blog, send out Twitter messages, or update Facebook during the day. Employees will invariably bend the rules unless they understand there is a credible possibility of being caught. Just as policies without enforcement are like speed limits without tickets, operational monitoring and reporting serves the key purpose of maintaining functional policies and identifying areas where the policy may need adjustment.

In addition to supporting internal policies, operational monitoring plays a key role in ensuring your company adheres to federal, industry, and agency regulatory compliance requirements. In the U.S., regulations including the Federal Trade Commission's Safeguards Rule, the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA) require companies in the affected industries to implement information security processes and systems. HIPAA requires healthcare organizations to ensure that patient information remains confidential. In the financial sector, and for financial reporting in general, GLBA and the National Association of Securities Dealers (NASD) require that written and electronic correspondence with customers be archived, while the Sarbanes-Oxley Act is designed to prevent the destruction of data, including electronic data. For just about every industry, the Payment Card Industry (PCI) standard sets guidelines for protecting consumer information. In these and other industries, legislation mandates keeping records of correspondence and transactions in the event of an audit or legal action. Enforcement of these regulatory acts and legislation includes penalties, litigation, and revocation of licenses.

The financial industry is required to have operations monitoring and reporting in place. Recently, InvestmentNews.com reported that the Securities and Exchange Commission (SEC) in the United States requested that financial advisers provide records of their social media usage for 2010. In the letter sent out, the SEC required[1]:

[1] "What the SEC Is Requesting from Advisers on Social Media," Investment News (February 16, 2011), http://www.investmentnews.com/article/20110216/FREE/110219945.

1. All documents sufficient to identify [Adviser]’s involvement with or usage of social media websites, including, without limitation:
   a. Facebook;
   b. Twitter, including, without limitation, AdvisorTweets.com;
   c. LinkedIn;
   d. LinkedFa;
   e. YouTube;
   f. Flickr;
   g. MySpace;
   h. Digg;
   i. Reddit; RSS; and
   j. Blogs and micro-blogs;

2. All documents concerning any communications made by or received by [Adviser] on any social media website, including, without limitation, snapshots of documents responsive to Item 1, above;

3. All documents concerning [Adviser]’s policies and procedures related to the use of social media web sites by [Adviser], including, without limitation:
   a. All policies and procedures concerning any communication posted on any social media website by [Adviser];
   b. All policies and procedures concerning any prospective communications to be posted on any social media website by [Adviser]; and
   c. All policies and procedures concerning any ongoing monitoring or review process related to communications posted on any social media website by [Adviser];

4. All documents concerning [Adviser]’s policies and procedures concerning a third party’s use of any social media website maintained by [Adviser], including, without limitation:
   a. All policies and procedures concerning any communication posted by a third party, including, without limitation, actual or prospective clients of [Adviser], on any social media website maintained by [Adviser];
   b. All policies and procedures concerning any approval processes for prospective communications to be posted by a third party, including, without limitation, actual or prospective clients of [Adviser], on any social media website maintained by [Adviser]; and
   c. All policies and procedures concerning any ongoing monitoring or review processes related to communications posted by a third party, including, without limitation, actual or prospective clients of [Adviser], on any social media website maintained by [Adviser];

(and it goes on and on)

The SEC is already anticipating the damage that can be done if financial advisers are not controlled in how they use social media. For financial advisers, any communications or solicitations to clients are highly regulated. This means the right processes have to be in place to monitor and report on any employee interactions on social media that could be used to discuss financial advice.
