Social networking boosts legal, regulatory compliance headaches
For companies, the sites are too valuable as sales tools to block
Computerworld – Popular social networking sites, such as Facebook, Twitter and LinkedIn, are causing a stir in the financial services community as well as other highly regulated industries as companies seek ways to control how the sites are used to communicate with potential clients and colleagues.
Social networking sites have proved valuable for sales-lead generation, marketing and general broker-client relations, but regulators have been quick to take notice and to offer the same warnings they did more than a decade ago when e-mail and instant messaging (IM) became common.
However, controlling communications on social networking Web sites is far more complex for corporations, because the sites sit outside their IT systems and are almost continuously changing, or adding to, the applications that can be used to network.
“It is a big issue. In fact, I think it’s a bigger issue [than e-mail and IM],” said Ted Ritter, an analyst with Nemertes Research. “For IM and e-mail, you pretty much use standard port and protocols. You just have to be in the right spot in the network to capture it and monitor it.”
Social networks are more akin to webmail, where there are many different ways to access the sites, which makes it more complicated from a technology standpoint, Ritter said.
“For instance, what do you do about people who have mobile updates to Facebook?” he said. “From an audit standpoint, as auditors become more aware of the issues, they are going to look for controls.”
Ritter said businesses will not only have to monitor social networking communications, but they will have to capture the traffic, audit it and log it.
Issue first cropped up with e-mail, IM
Around the turn of the century, the financial services industry grappled with controlling IM and e-mail traffic. Soon after the electronic messaging media became popular, a pattern emerged in the business community: financial firms would first block all electronic communications external to the company, then adopt proprietary e-mail applications for corporate-wide communications or restrict the ports over which IM traffic could travel in order to monitor and capture the communications.
The same patterns are emerging with social networking, experts say, and seeding a cottage industry of vendors offering software and services to control and capture corporate social networking traffic. Some of those vendors include enterprise instant messaging security vendor FaceTime Communications, firewall provider PaloAlto Networks, IM and mobile text messaging archiving firm DexRex Gear and SaaS middleware provider Socialware.
Today, many businesses are attempting to simply block all access to social networking sites for employees who would fall under regulatory scrutiny, such as broker-dealers and sales and marketing representatives, even though these employees are finding the sites invaluable.
“The first step organizations need to take is they need a reality check,” Ritter said. “They need to take ownership of what’s going on in social networking. Just blocking sites doesn’t work. Employees always find a way around it. And letting everything through is too risky.”
Ritter and other industry experts say social networking sites present a far greater oversight problem than IM or e-mail — even webmail — because there are so many applications associated with them, including instant messaging tools and gaming applets, such as Farmville or Mafia Wars on Facebook. Simply blocking sites such as Twitter or Facebook with a URL filter isn’t difficult.
“The problem you have is all the tunneling applications that can get around those controls,” said Chris King, director of product marketing for PaloAlto Networks. “Google [the term] ‘circumventing URL filtering,’ and you’ll see what I mean. Some blog sites like Lifehacker.com, and even the Wall Street Journal, publish things like top 10 ways to get around your security controls.”
For example, King said, a company employee could simply install a proxy on a home computer, connect it to a cable modem, and when the employee is at work he can connect to that home IP address and circumvent the corporate filter.
“There’s everything from Proxy.org, an application called UltraSurf, which is the darling of high school students, to something called Core, which is the darling of spies,” he said. “There’s a whole bunch of applications that make getting around traditional controls easy.”
Regulators cast a watchful eye
Over the past 10 years, the U.S. Securities and Exchange Commission (SEC) and other regulatory bodies have focused more attention on strict enforcement of communications rules. For example, the SEC’s Rule 17a-4 requires the monitoring and capture of electronic communications, and National Association of Securities Dealers (NASD) Rules 2210 and 3010 also require firms to monitor and store communications with clients. Neither agency has as yet felt compelled to specify requirements around social networking traffic, but it is implicit that such traffic falls under the same rules as e-mail and IM, Ritter said.
In 2006, the Federal Rules of Civil Procedure (FRCP) established that companies must establish protocols for capturing electronically stored information prior to civil court cases. Electronic discovery of e-mails for civil court cases can run into the millions of dollars, and violations of federal regulatory statutes could lead to penalties that aren’t cheap either. In 2002, the SEC fined five firms a total of $8.25 million for violating 17a-4 and NASD Rule 3110 by not properly monitoring and capturing e-mail traffic.
In a more recent example, several hedge-fund executives and managers with the Galleon Group were charged with insider trading. The evidence that cracked the case open? A single text message.
Most recently, the Financial Industry Regulatory Authority (FINRA), the enforcement arm of the SEC, issued Regulatory Notice 10-06, a document presented in a Q&A format that provides guidance on the responsibilities of firms to supervise the use of social networking sites. The guidance was issued to ensure that recommendations to clients on social networks are suitable and that customers are not misled.
“The FINRA guidance has sent the financial community scrambling to figure out what to do,” Ritter said. “Let’s say a broker becomes a fan of a company on Facebook. Is that an endorsement? In essence it is.”
Other regulations focused on corporate transparency and consumer privacy will likely also affect controls around social networking communication. Those regulations include the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act of 1999.
Social networks too valuable to block
Social networking is an enormously popular way to communicate with prospective clients and to generate sales leads, particularly among younger financial services employees, experts say.
“We’ve heard anecdotally that the top advisers at [a leading financial planning and investment firm] – the number one and two advisers – are some of the most proficient users of social media,” said Chad Bockius, vice president of marketing and product strategy at Socialware, a provider of SaaS social network monitoring and management tools.
Bockius said Socialware is about to publish the results of a survey of more than 200 financial advisers who were asked how many new clients and new sales leads they generated as a result of social media. “The results are pretty impressive, as in 20%,” he said.
“You still have people saying, ‘we don’t need to use Facebook or need to be on LinkedIn. Those tools are for high school kids, or they’re for use by people stopping by Starbucks.’ That’s just simply not the case,” Bockius continued. “There really is tangible business value you can get from these tools.”
King said the problem with social networking is the business side of a company wants to interact with the younger generation of customers through their preferred channel, but the company’s IT side has a hard time finding the tools necessary to control that traffic.
New tools for compliance
“The compliance and security folks are saying, ‘Whoa, we’re completely unable to adopt these communications channels given the regulatory requirements,’” King said. “We’re in a unique position because we’re a firewall company and can see and control these applications.”
PaloAlto uses firewall policy management software to control external communications at the application layer, through a user’s ID and by content type.
Global investment bank Greenhill & Co. Inc. used PaloAlto’s software to monitor and capture webmail used by its employees, a practice the bank said had raised concerns about data security and its overall compliance stance.
“We needed better visibility into our network in order to block access to certain applications – especially Gmail over HTTPS,” John Shaffer, Greenhill’s director of global systems and technology said in a statement. “We could see users were circumventing our blocking solution by switching to SSL encrypted versions of webmail applications.”
Greenhill’s URL filtering, spyware and firewall activities were being managed by separate devices, and the company was looking for a way to consolidate those services on one control panel to reduce complexity and expense.
The company allowed PaloAlto to demonstrate its firewall, and “it instantly unearthed users accessing Facebook, Gmail, RSS, Google Desktop, AOL Instant Messenger (AIM), Meebo, Skype and Yahoo! Mail.”
“For the first time we could see exactly which users were accessing specific applications,” Shaffer said.
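The Greenhill account above describes two distinct control models: a URL filter that decides by hostname and scheme, and an application-aware firewall that decides by who the user is, which application the traffic belongs to and what kind of content it carries. The following Python example is added here to illustrate the difference; it is not code from PaloAlto, Greenhill or the article. The application labels (`gmail`, `facebook`), user groups and content types are constructed inputs that in a real deployment would come from the firewall’s own application-identification engine and directory integration; the flow records are likewise constructed.

```python
"""URL-filter policy versus application-aware policy over constructed flow records.

Added illustration (not vendor or project code). The URL model mirrors the situation
described in the article: a hostname/scheme blocklist that an SSL variant of the same
application slips past. The application model matches on (user group, application,
content type) regardless of scheme, and can require capture for archiving.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Flow:
    user: str          # directory user ID (constructed)
    group: str         # directory group, e.g. "broker-dealer" (constructed)
    app: str           # application label from an app-ID engine (assumed label)
    scheme: str        # "http" or "https" as observed on the wire
    host: str          # destination hostname
    content_type: str  # "message", "browse", "file-upload", "game" (assumed labels)


# Model 1: URL filter keyed on scheme + host only (the weakness the article describes).
URL_BLOCKLIST = {"http://mail.google.com", "http://www.facebook.com"}


def url_filter_decision(flow: Flow) -> str:
    return "deny" if f"{flow.scheme}://{flow.host}" in URL_BLOCKLIST else "allow"


# Model 2: application-aware rules, first match wins. Glob patterns via fnmatch.
# Regulated users may message on Facebook (captured for the archive) and browse it,
# but games/uploads and personal webmail are denied; other staff are less restricted.
APP_RULES = [
    ("broker-dealer", "facebook", "message", "allow+capture"),
    ("broker-dealer", "facebook", "browse", "allow"),
    ("broker-dealer", "facebook", "*", "deny"),
    ("broker-dealer", "gmail", "*", "deny"),
    ("*", "gmail", "*", "allow"),
    ("*", "facebook", "*", "allow"),
    ("*", "*", "*", "deny"),  # default deny for unclassified traffic
]


def app_policy_decision(flow: Flow) -> str:
    for group, app, ctype, action in APP_RULES:
        if (fnmatchcase(flow.group, group) and fnmatchcase(flow.app, app)
                and fnmatchcase(flow.content_type, ctype)):
            return action
    return "deny"


def evaluate(flows):
    """Return (decisions, capture_log): per-flow decisions under both models, plus the
    records an archiving system would receive for 'allow+capture' flows."""
    decisions, capture_log = [], []
    for f in flows:
        url_dec, app_dec = url_filter_decision(f), app_policy_decision(f)
        if app_dec.endswith("+capture"):
            capture_log.append({"user": f.user, "app": f.app, "content_type": f.content_type})
        decisions.append((f.user, f.app, f.scheme, url_dec, app_dec))
    return decisions, capture_log


def url_filter_gaps(flows):
    """Flows the URL filter lets through that the application policy would deny."""
    return [f for f in flows
            if url_filter_decision(f) == "allow" and app_policy_decision(f) == "deny"]


# Constructed sample: the same broker switching Gmail from HTTP to HTTPS, a Facebook
# message, a Facebook game, and an engineer using Gmail.
SAMPLE_FLOWS = [
    Flow("broker1", "broker-dealer", "gmail", "http", "mail.google.com", "message"),
    Flow("broker1", "broker-dealer", "gmail", "https", "mail.google.com", "message"),
    Flow("broker1", "broker-dealer", "facebook", "https", "www.facebook.com", "message"),
    Flow("broker1", "broker-dealer", "facebook", "http", "apps.facebook.com", "game"),
    Flow("dev1", "engineering", "gmail", "https", "mail.google.com", "message"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS)[0]:
        print(row)
    print("flows missed by the URL filter:", len(url_filter_gaps(SAMPLE_FLOWS)))
```

Run as a script, the second Gmail flow (HTTPS) is allowed by the URL model and denied by the application model, which is exactly the gap Shaffer describes; the Facebook game on a different hostname is missed the same way. The design point is that the application rules never mention a scheme or hostname, so a change of transport does not change the decision.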
The market potential for supplying social networking monitoring software hasn’t been lost on entrepreneurs either.
DexRex, for example, was launched from a University of Massachusetts at Amherst dorm room in 2005 by two avid text messagers, Derek Lyman and Richard Tortora. The company recently secured $1 million in private funding.
Earlier this week, DexRex launched ChatSync v2.2, which uses extensible APIs (application programming interfaces) to plug into users’ devices, messaging clients or servers in order to archive social networking communications. The service is offered either through an onsite appliance or through a cloud-based SaaS model. The software provides real-time capture of social networking communications by pushing content and its metadata from Web access portals.
ChatSync 2.2 can also monitor and capture e-mail, IM, SMS and social media communications, including LinkedIn, Twitter and Facebook, for audit, according to Lyman.
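Ritter’s requirement earlier in the piece (capture the traffic, audit it and log it) and the ChatSync description above both come down to the same archive design: messages from many channels normalized into one record format with their metadata, stored so that later alteration is detectable, and searchable for supervisory review. The Python example below is added here to show one such design; it is not ChatSync code or any vendor’s, and the messages, channel names and flagged terms are constructed. Tamper evidence is done with a SHA-256 hash chain over the records, an assumption about implementation that the article does not describe.

```python
"""Channel-agnostic capture archive with an append-only hash chain and review queue.

Added illustration (not ChatSync or any vendor's code). Each record's hash covers the
previous record's hash plus the canonical JSON of its content, so editing or deleting
any earlier record breaks verification of everything after it.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _canonical(obj: dict) -> str:
    # Stable serialization so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


class CaptureArchive:
    def __init__(self):
        self.records = []

    def ingest(self, channel, sender, recipient, text, sent_at, **metadata):
        """Normalize one message from any channel and append it to the chain."""
        content = {"channel": channel, "sender": sender, "recipient": recipient,
                   "text": text, "sent_at": sent_at, "metadata": metadata}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = hashlib.sha256((prev + _canonical(content)).encode()).hexdigest()
        record = {"seq": len(self.records), "prev": prev, "hash": digest, "content": content}
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any gap or edit."""
        prev = GENESIS
        for seq, rec in enumerate(self.records):
            expected = hashlib.sha256((prev + _canonical(rec["content"])).encode()).hexdigest()
            if rec["seq"] != seq or rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

    def review_queue(self, flagged_terms):
        """Sequence numbers of records a supervisor should look at (case-insensitive)."""
        terms = [t.lower() for t in flagged_terms]
        return [rec["seq"] for rec in self.records
                if any(t in rec["content"]["text"].lower() for t in terms)]

    def by_sender(self, sender):
        """All records from one employee, across channels, for an audit request."""
        return [rec for rec in self.records if rec["content"]["sender"] == sender]


def build_sample_archive() -> CaptureArchive:
    """Constructed sample traffic across four channels for one broker."""
    archive = CaptureArchive()
    archive.ingest("facebook", "broker1", "client_a", "Thanks for connecting!",
                   "2010-02-05T14:03:00Z", page="broker1-profile")
    archive.ingest("twitter-dm", "broker1", "client_b", "Call me about the fund.",
                   "2010-02-05T15:10:00Z")
    archive.ingest("linkedin", "broker1", "client_a",
                   "This product has a guaranteed return, you should buy in.",
                   "2010-02-06T09:30:00Z")
    archive.ingest("sms", "broker1", "client_c", "Meeting moved to 3pm.",
                   "2010-02-06T11:00:00Z", device="mobile")
    return archive


def tamper_check(archive: CaptureArchive) -> bool:
    """Copy the archive, quietly reword one earlier message, and re-verify."""
    altered = copy.deepcopy(archive)
    altered.records[2]["content"]["text"] = "This product may be suitable for you."
    return altered.verify()


if __name__ == "__main__":
    arc = build_sample_archive()
    print("chain valid:", arc.verify())
    print("records needing review:", arc.review_queue(["guaranteed"]))
    print("chain valid after tampering:", tamper_check(arc))
```

The review queue is the hook for the FINRA suitability concern the article raises later: the flagged-term list is a constructed stand-in for whatever lexicon a compliance team maintains. A real deployment would also need the retention period and non-rewriteable storage that the regulations require; the hash chain only makes silent alteration detectable, it does not prevent it.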
Lyman said the market for message capture is driven by regulatory data retention requirements, with legal discovery needs taking second place.
“We’re capturing the whole category of alternative text-based communications and partnering up with the existing e-mail service providers,” Lyman said. “The e-discovery side really does dictate why they want these records, and the regulators are expecting to see them.”
Dan Srebnick, associate commissioner of IT Security for the New York Department of Information Technology and Telecommunications, said the city is using FaceTime’s software for malware, spyware and Web filtering rather than for controlling employees’ attempts to use social networks. The agency is also monitoring that activity to ensure it is consistent with the city’s communications, marketing and branding policies.
“Our issue with social media is less about how to restrict it, and more about how to enable it,” Srebnick said.
The DoITT acts as the clearinghouse, or registry, for municipal agencies that have pages on social networking sites for posting public announcements and for interacting with residents. Agencies with those pages must declare them and give DoITT their user IDs and passwords to ensure those pages can continue to be maintained if the employee in charge leaves the agency.
“These sites are not about the person. They’re an official communications mechanism of the City of New York,” Srebnick said. The DoITT also developed a citywide social media policy that provides overall governance on how agencies should use social networks.
Srebnick said he recognizes that in the future, he will likely look into enabling FaceTime’s security features. He pointed to last week’s Facebook glitch, where a bug allowed users to view friends’ chat sessions, as a reason why.
“If we had that kind of control available to us and we knew there was a problem on a particular social media site that could compromise the city’s ability to do business in a secure manner, we could take control over that or we could have the ability to audit that,” he said. “The idea of having flexible control over a media site in terms of what features could be used and how they’re used could be a very powerful thing from a security perspective.”
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. His e-mail address is email@example.com.