
How Regulatory Agencies Affect Social Media Guidelines


Or why there's no excuse for not including that disclaimer in a 140-character Tweet.

 

After a meeting of the Board, the CFO of a prominent clothing retailer sent an upbeat and seemingly harmless tweet from his private Twitter account: "Board meeting: Good numbers=Happy Board." One problem: Official earnings hadn't yet been released to all investors, so the CFO's Twitter followers were now privy to insider information, and the CFO was quickly fired for "improperly communicating company information through social media."

Social media's rapid adoption and widespread use come with new challenges for both corporations and consumers. Today, the lines are blurred between personal and work personas, work and portable devices, and workplaces and everywhere else.

Social media can put organizations at risk for violation of information privacy, unfair competition, libel, threat of physical security issues, and more, which for many companies spells compliance trouble. That's why regulatory agencies are taking a very active role in driving appropriate organizational social media guidelines and enforcement.

Social Media Compliance Regulations: Who's Affected?

As you might expect, financial, insurance, healthcare, and governmental organizations are those with the most stringent social media regulations. However, any company that sells goods or services must clearly define endorser relationships. Regulatory agencies state that character limits in social media platforms such as Twitter are no excuse for not providing appropriate disclosures or hashtags. Recent guidelines from the SEC state: "The words 'Sponsored' and 'Promotion' use only nine characters. 'Paid ad' only uses seven characters. Starting a tweet with 'Ad:' or '#ad' - which takes only three characters - would likely be effective." In addition, employees of brands and employees of agencies who promote content for brands must state their affiliation in each social media post.

 

Financial and Insurance Industries

Regulations from both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) limit the type of financial information a firm can disclose regarding particular securities and other financial instruments, and they require financial firms to clearly disclose their financial interest in any offering being promoted. For instance, employees or corporate PR agencies cannot reveal any financial information prior to company audits and quarterly reports being filed with the SEC, as the example at the beginning of this article makes abundantly clear.

 

When it comes to insurance, FINRA and many state insurance commissioners require that financial institutions report statistical information about written customer complaints related to annuities and their life settlement products. In fact, both insurance and financial organizations must report customer complaints transmitted via social media and handle them according to established complaint-handling procedures. In addition, insurance companies must follow strict rules that prohibit potentially misleading advertising language. For example, insurance laws in many states specify words that cannot be used in life insurance advertisements (e.g.: "guaranteed," "free," "limited time only," etc.).

 

When it comes to third parties posting or commenting on social media pages belonging to a financial or insurance company, there are in fact circumstances where third-party posts, even those made without the knowledge of the company, can become legally attributable to that company. This is done under stipulations called "entanglement" or "adoption." Entanglement is when third-party content is attributable to a company because the company was somehow involved with the preparation of that content, which makes it responsible. Adoption is when third-party content is either explicitly or implicitly endorsed by the company; therefore, it is considered to be communication coming from the company even though it didn't originate from the company.

 

Another major compliance area for financial organizations is the archiving of communications. Financial companies must capture and archive ads and sales collateral for three years and ensure they are easily accessed during an audit. For instance, Rule 204-2(a) of the Investment Advisers Act of 1940 outlines archiving and monitoring rules for registered investment advisers (RIAs) on advertisements and more, which very much applies to how social media is used.

 

Then there are rules related to how private information can be used in marketing materials. According to the Investment Advisers Act Rule 206(4)-1, the SEC prohibits client testimonials of any kind in advertisements. This prohibition can cause problems for companies using social and professional networking sites such as LinkedIn, as the FTC requires endorsers to disclose their material connection to any company that they recommend. In addition, the SEC's Regulation S-P defines how personal information can be used (and stored) in all cases, including social media.

 

Healthcare, Pharmaceutical, and Medical Device Industries

In the mammoth healthcare sector, HIPAA guidelines and FDA disclosure rules have the greatest impact on social media activities.

 

Regarding FDA regulations, it is about the disclosure of the risks and benefits of healthcare products, which must always be accessible for reference.

 

For healthcare providers, as you likely have seen among the many forms you sign any time you visit a new health professional, it is HIPAA regulations that protect the privacy of patients.

 

Regarding HIPAA, it should be common sense that nothing published on social media should give any indication as to the identity of individual patients, but the lines aren't always clear.

 

Sharing patient data with professional colleagues and professional communities via the Internet or smartphones, as well as blogging about one's medical practice, has become fairly standard procedure for healthcare providers. But if patients knew their information was being shared with strangers, even other physicians, they likely wouldn't be happy about it, even when their identifying information is hidden. In fact, small details such as location, time, and history can potentially divulge a person's identity. That's why it is essential in all cases to get permission from a patient before doing any type of online sharing about the facts of a case. Very often, this permission is being asked for on the forms you sign at the doctor's office.

 

For pharmaceutical and medical device companies, the FDA has issued "draft guidance" on how to present the risks and benefits of drugs and devices through social media. Regardless of character limits, the FDA mandates that benefit claims must be accompanied by risk information, which can be a challenge when using microblogging platforms like Twitter.

 

Government Agencies

Typically, each government agency, whether federal, state, or local, has its own compliance policies regarding employee use of social media. Core to these policies is that government social media accounts must only post information as it relates to the official business of that agency, and what is posted should never disclose non-public information. When it comes to government employees using personal social media accounts, as with other types of organizations, the crux lies in openly disclosing governmental affiliation in any circumstance where there could be any confusion as to whether a person is sharing a personal opinion or official information, or providing any perceived endorsement.

 

Developing an Organizational Social Media Policy

Of course, the previous section of this article only touches on some of the regulations a company must understand and implement when it comes to social media, which is why it's critical that executive, legal, HR, and IT staff take the time to understand all of the applicable compliance regulations. But once companies know the regulations, they must integrate them into a formal organizational social media policy, and these policies also need a formal education and training plan. Oftentimes, social media policies are integrated with other employee codes of conduct and HR policies, and organizations often require employees to sign a yearly attestation of these policies.

 

A detailed social media policy should identify Acceptable Content Use Policies (ACUP) that outline how employees engage with social media. This covers things like unsuitable language, hate speech, malicious links, or otherwise inappropriate content.  

 

Some elements that your organization's social media policy guide should specify include these:

  • A clear distinction between personal and business communications
  • What employees are allowed and not allowed to divulge. Some sensitive topics include salaries and benefits, names of their supervisor, products in development, or even the projects they're working on.
  • Whether employees are allowed to "check in" at headquarters or client locations using location-based post stamps. Many social media channels now include these location stamps in posts unless the feature is explicitly disabled.
  • The types of photos and videos that can be posted and to which social media sites, for instance, limiting the posting of Vines or Instagrams from sensitive locations like security operations centers.
  • What global employees can do on overseas social media platforms like Weibo and Baidu. Also, it is important to address different cultural expectations about privacy when posting to public platforms.
  • How employees can use social media as part of their daily job, such as in marketing and public relations departments
  • The risks of using social media both at home and at work. Even the most well-meaning social media post can have devastating consequences if it violates compliance regulations.

 

Social media policies also need to define roles because many departments and people have a key role to play when it comes to defining and enforcing these policies. Crucial in the definition of roles is the creation of an organizational feedback mechanism so as to prevent finger-pointing when there's an incident. The issue is often beyond marketing/PR, frequently spilling into security, human resources, legal, IT, and possibly even physical security. Nearly every department has a role to play that can make or break an organization's social media policy.

 

Employee Education

Once social media policies and roles are formalized, it's critical to provide, as well as document, training efforts to ensure employees understand these policies. For many companies, social media education is part of an annual cyber safety class. Of course, extra attention needs to be given to executives and marketing/PR personnel (and agencies) whose job it is to make social media posts on behalf of a company.

 

Monitoring and Management

Of course, when it comes to marketing/PR, it is important to limit the authority or authorization of social media releases to a few individuals or teams who are able to control, monitor, and supervise posts before release because these teams are best able to respond to consumer inquiries and problems as they arise. On this topic, social-sharing software tools are available that allow management to set user-level permissions for social media, restrict incoming and outgoing messaging, and provide advance post reviewing for management and compliance officers.

 

Not surprisingly, one of the biggest challenges is monitoring social media and identifying actual risks and threats amidst all the noise in order to see what is coming and how to respond quickly. Policies will not be implemented without monitoring and enforcement.

 

Creating an audit trail for social media is difficult. Reports need to include activities, complaints, engagements, and analytics.

 

Software

As policies are defined and adopted, you may need to consider technology solutions that automate and capture online communications. Regulations mandate that organizations archive social media posts in a way that preserves a complete representation of the original. Gaps in the archive or missing records can result in harsh penalties. As mentioned earlier in this article, financial companies are required to archive social media activity for three years.

 

Monitoring software can help regulated organizations rise to the challenge by automating a review of potential posts, issuing critical notifications, and archiving posts, all in a way that is compliant. For example, social media monitoring software typically has filters that identify and isolate unauthorized posts and notify management before isolated posts are published. This type of software can help companies extend compliance and surveillance properties to interactive networks and content by collecting data, including the sorting and monitoring of social network conversations.

 

Proactivity, Not Reactivity, Is the Key

As with other aspects of compliance and cyber security, social media is likely to remain a critical piece of the landscape on which corporate executives, IT staff, and compliance and HR departments must keep a close eye. As compliance regulations become increasingly strict, taking an approach to social media that is other than proactive can no longer be an option for most companies.

 

Bill Rice

Bill Rice is a technology marketer and founder of Humanized Communications, a digital marketing agency. He is a former editor of MC Showcase, is a former marketing communications director for Vision Solutions, and even did a stint as an IT manager for a shop that had an AS/400 model C10 (this just dated him).
