Does Your Business Need To Capture Social Media Collaboration Messages To Meet Regulatory Compliance Obligations?

Social media has fundamentally changed business communications and is here to stay. The industry surveys are undeniable. According to Nielsen, 2/3 of the global internet population, many of them businesses, now visit social media networks. Gartner noted that, back in 2013, 50% of companies produced social media for eDiscovery and that, back in 2014, over 20% of companies used social media as the primary vehicle for communication, replacing email. What’s more, Morgan Stanley recorded that social network users surpassed email users, again, way back in July 2009. How much higher are these numbers today, in 2017?

Businesses must retain social media for various reasons including: data security, eDiscovery and regulatory compliance.  Failure to do so can result in unwanted consequences for the business such as lost revenue, damaged brand/trust, litigation costs and, of course, the dreaded reduced stock price.

Let’s take a closer look at the last driver.  What are some examples of verticals with specific rules mandating business social media be captured and archived?

To start, let’s take a peek under the hood at the heavily regulated financial services sector. These folks must adhere to regulations promulgated by FINRA, the SEC, Dodd-Frank, NASD and the CFTC, to name some. In their world, social media data must be retained up to 6 years. FINRA’s Regulatory Notice 10-06 is clear on this obligation: “Every firm that intends to communicate, or permits its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications.” The SEC is there as well, warning RIAs to “consider whether their retention policies account for the volume of communication and unique communication channels available to each particular social media site” so that “any required records generated by social media communications are retained in compliance with the federal securities laws, including in a manner that is easily accessible for a period not less than five years.”

Another regulated vertical in this regard is government, both state and federal. At the federal level, FOIA and public records rules mandate that public agencies preserve their records, and this includes social media. NARA clearly states: “each agency is responsible for managing its records” in compliance with the Federal Records Act and NARA regulations. This is “whether they reside on a third-party social media platform or are housed within the agency.” The same is true at the state level. Florida, North Carolina, Virginia, Ohio, Texas, Oregon, and Washington have all explicitly updated public records requirements to confirm the classification of social media as a public record. For example, Texas’ policy states, “Social media sites may contain communications sent to or received by state employees, and such communications are therefore public records.”

Next we arrive in the health care space. Did you know that HIPAA extends social media records management to healthcare? In fact, social media data must be retained up to 21 years in some cases. As an example, after taking photos of injured patients and posting them on Twitter, two University of New Mexico hospital workers were fired. A violation of HIPAA, the photos uploaded to Twitter were considered the hospital’s liability, even though the MySpace accounts were private.

Moving over to the food & drug sector, the story is the same. The FDA and 21 CFR Part 11 mandate social media data be retained for: food/drug folks for 2-3 years, biological products for 5 years after manufacturing... and clinical trials for up to 35 years!

Finally, we’ll conclude with the public accounting and auditing crowd. Companies subject to the Sarbanes-Oxley Act must annually assess “the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Social media records management policies are included in this obligation and must be retained 7 years. Fines up to $15 million may result if these records are tampered with or destroyed.

If your business needs to retain social media messages to comply with a particular regulation, consider Globanet Merge1. Merge1 captures social media into any archive. For more information or to request a product demo, contact us today.

The views expressed in this blog do not serve as legal advice.  Please contact an attorney for legal counsel on your specific matter and needs.