Educating Employees

Educating employees about copyright restrictions in social media is a good way to avoid infringement by your Marketing department. Regulations like the HIPAA Security Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/) and PCI DSS standards (https://www.pcisecuritystandards.org/) include an education component. As a security best practice, we always want to have education programs in place. The PCI DSS standards say:

12.6.1.a Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).

HIPAA Standards require

(1) training each member of the workforce no later than the compliance date of the covered entity; (2) training each new member of the workforce within a reasonable period of time after the person joins the workforce; and (3) training each member of the workforce whose job functions or duties are affected by a material change in the HIPAA Privacy Rule policies and procedures within a reasonable time after the material change becomes effective.

Your security dollar is more valuable when invested in education. Just throwing money at a problem with more technology will not give you the right controls. With education and training, you can help employees determine what content is restricted, which data classification schemes require different levels of security, and what data can and can’t be shared.

Social media requires various levels of security over different types of data. The first step is to integrate social media processes, procedures, and tools into your current data classification model. A typical data classification scheme is Secret, Proprietary, Confidential, Non-Public, and Public.

The mediums for social media dissemination are varied. This means you have to change the requirements for the types of data you have to classify. Education has to address the following:

• Audio, video, and photography: What are employees allowed to take pictures of on premises? If you’re in a data center, you probably do not want employees posting pictures of the systems. But if you’re having a promotional activity, you may want to post pictures of the event. This also has to apply to any vendors, customers, or visitors who come to your office. They have to be made aware, notified, or handed a policy of what audio visuals are allowed. Your practices should also cover pictures of other employees, partners, or customers. There should be an “ask first” practice before posting.

• Publicly available guidelines: Explicitly state what your guidelines are on the use of copyrighted assets. Employees, customers, or the general public can inadvertently break your rules if you do not make them obvious.

• Making public assets available: If you make specific resources available to be remixed, then you have more control over your material by creating a channel where you can manage public assets. The public will most likely infringe on your copyrights, so you may as well make certain assets available to better control those assets.

The development of processes and training regimens is the best solution for controlling how content is handled. When images or other materials are included in a blog post, for example, the author of the post should inventory where the image came from and attribute the photograph to the photographer with a link back to the original source, at a minimum, and only when a Creative Commons license exists. If the Creative Commons license cannot be found with the original content, then the author must be contacted for permission, prior to publishing the content. In all cases, it is common courtesy to contact the author. These principles must be explained to employees responsible for the company’s social media, and corresponding reporting or inventorying processes should be put in place.

NOTE

These issues become even more complex when material that is posted to social media platforms is lifted by the company’s Marketing or Advertising team for reuse in advertising. Even when such use is authorized by the original authors of the content, best efforts must be made to contact them for permission and waivers, and it is wiser to err on the safe side.

In certain cases, the fair use doctrine in United States copyright law allows for the limited use of copyrighted material without permission from rights holders and generally applies to news reporting, research, teaching, and scholarship—not for marketing, sales, or any other commercial enterprise. All material that is borrowed from somewhere else should be clearly identified and credited in the post and linked back to the original source. (For more information, see the U.S. Copyright Office, http://www.copyright.gov/fls/fl102.html, or check another country’s regulations.)
