After a relatively calm summer, it’s been a very busy couple of weeks in the world of social media mishaps. Sure, there is always a steady stream of FINRA and other financial services regulatory activity involving the misuse of social or text messaging that my colleague Marianna regularly blogs on. However, the last few days have seen a few non-standard examples that should cause others to re-examine the social activities of their organizations – as well as the risks that firms need to consider because of the practices of the social media providers themselves. For example:
- On September 25, Facebook disclosed a massive data breach that exposed account information from 50 million users. The breach was caused by a bug that allows hackers to access and potentially control user accounts, and comes at a time when Congress is already stirring on the topic of legislation that could govern how social media providers protect the security and privacy of user data in the future. Aside from the potential cost and impact of new regulation, Facebook faces an immediate likelihood of penalties on the order of $1.6B from the EU alone under provisions of GDPR.
- On September 28, Bloomberg BusinessWeek chronicled an insider trading charge from the SEC against a former Morgan Stanley broker and current NFL player Mychal Kendricks, where Kendricks pleaded guilty to charges of turning $80,000 into $1.2M in a span of 5 months. The scheme, which carries a potential sentence of 25 years in prison, was uncovered by the SEC with the help of a series of text messages and Instagram posts.
To cap it off, we hear the news over this past weekend of Elon Musk and his $40M tweet. The news stemmed from Musk’s August 7 tweet proclaiming, “Am considering taking Tesla private at $420. Funding secured.” The tweet, which initially sent the stock price soaring, was later corrected by the company, causing gyrations in the stock and leading almost immediately to a handful of lawsuits – including action from the SEC for market manipulation and violation of Regulation Fair Disclosure (FD) (similar to what was pursued against Netflix CEO Reed Hastings several years ago). Finally, on Sunday, the SEC announced a settlement where Musk agrees to pay a $20M fine and relinquish his role as Chairman of the company. Noteworthy in the settlement are the requirement that Tesla implement an approach to monitor Musk’s activity on social media, in addition to paying a $20M fine of its own, and the commentary from the co-Director of the SEC’s Enforcement Division. “The total package of remedies and relief announced today are specifically designed to address the misconduct at issue by strengthening Tesla’s corporate governance and oversight in order to protect investors,” said Stephanie Avakian.
Ironically, news of the settlement caused Tesla’s stock price to rise, as investors welcomed the reduced risk, expense, and disruption of prolonged litigation with the SEC. However, while the long-term impact of removing Musk from a key position at Tesla is unclear, the message from the SEC emphasizing its expectation of an increased emphasis by Tesla on governance and oversight is telling. Here’s what organizations should take away:
- The risks from social media misuse apply to all organizations. All publicly traded corporations need to consider how they are monitoring for potential disclosure of non-public information through all communications channels, not just those approved or typically utilized for investor communications.
- Social media and text messaging need to be built into ongoing content inspection and supervisory processes. As we are seeing all too frequently, content containing risk or value can live anywhere, and processes need to catch up with today’s communications and collaborative tools.
- Pre-review of social content can pay huge dividends. Specifically, tools that allow content to be inspected and approved prior to delivery or posting can generate an enormous ROI – especially when compared to a $20M fine.
- Risk is not just about “regulated users.” Executive staff, legal teams and other key stakeholder groups can be using social media or internal collaborative tools inappropriately today. Compliance teams need to broaden their supervisory lens to encompass these additional high-risk/high-value groups and the information with which they interact.
- Policies need to be adaptable. Defining how corporate communications policies can be adjusted to address new communications formats – as well as new data privacy and security mandates – is fundamental. The examples we’ve seen over the past few weeks provide ample illustration of why the time has come to dust off those records classification and retention schedules.
Source: Smarsh Author: Robert Cruz.
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.