Robust policies on Facebook, Twitter and LinkedIn can mitigate the risk of employers running into trouble, as Berwin Leighton Paisner's Adam Rose explains

Social media risk is not as exotic as it sounds. Many of the dangers organisations face from their own and their employees' use of social media are old risks in new channels. But we know that our clients need help and advice implementing robust social media policies and management frameworks. Because of this, we recently set up a multi-disciplinary group to analyse and assess the legal risks associated with social media. Here are our recommendations:

Consider three categories of use

Social media risks aren't new. They are similar to – but potentially more extreme than – email risks. Just as an email can be forwarded, social media content can be republished. It can rapidly reach a huge audience: in the UK, Twitter has 10m active users and Facebook more than 30m, and the global figures are 200m and 1bn respectively. What may look like a small-scale incident can quickly escalate into hefty costs and damage to your reputation. 

You need to consider these three categories of use to get a good picture of your organisation's potential social media risks:

• Personal use: Posts on Facebook, LinkedIn, Twitter or YouTube can include defamatory comments, disclose confidential information, and display inappropriate behaviour. They could damage your organisation's reputation and sales, or prompt third parties to take legal action.
• Professional use: A marketing or sales person's role may include using Facebook, LinkedIn, Twitter, and blogs to reach prospects and customers. All the personal-use risks apply, but an employer can be held responsible for an employee's actions if they are part of their job ('vicarious liability'). Extra risks include breaching data protection rules, losing legal privilege and patentable opportunities, and sharing confidential information.
• Organisational use: Your organisation may use secure social media sites to encourage collaboration and communication in the workplace. Or organisations may use less glamorous 'within-firewall' intranet sites that have social media features (for example, forums, chat, and the widespread ability to upload and download files). All the risks in the first two categories apply to within-firewall and secure social media, but employees are using media that the company has created or sanctioned to carry out their role, potentially sharing information that should remain either confidential or within a specific jurisdiction.

Develop a solid governance framework 

Some organisations have tried banning employees from using social media at work, and blocking social media sites. Smartphones and super-fast mobile networks make this increasingly impractical; employees always need employers' internet connections or devices to get online. 

IT bans and blocks won't work. Once you have identified your social media risks, you need to develop a governance framework that includes your social media policy, and guidance and training.

Your policy and guidance should make it clear, ideally with examples, where and how employees use of social media – in any use category – can affect the business. A clear, widely communicated policy will minimise risks and make it easier to take action if there is an incident.

Your policy, and guidance and training, should cover all categories of use and the widest possible range of likely legal risks. Particular points include:

• guidance, with examples, of what employees should and shouldn't do. For example, how to comment on, and react to, aggressive complaints from customers;
• key policies typically covered in other documents apply equally to social media. It should be clear that when employees use social media they are still bound by policies covered in other company handbooks (for example, bullying, discrimination and security); and 
• a ban on making political statements. Or any other behaviour that would damage the organisation's reputation, or conflict with the nature of your organisation).

Crisis planning

Social media incidents can escalate quickly. So make sure that any crisis-management plan lets you react quickly, and sets out responses that are proportionate to the risk and any likely damage. 

You should make sure that staff know about the plan and that they understand how it affects them. The plan should cover:

• who to tell if they discover an incident. A speedy response can make all the difference, so make sure there are fall-back contacts if the first contact isn't available;
• what to do if they've posted a comment they regret. How you deal with an incident (for example, deleting a post and apologising) can have a huge impact on mitigating – or escalating – the incident; and
• what other actions you may need to take. This may include legal action against third parties or disciplinary action against employees. But make sure that any actions are proportionate to the damage: organisations that overreact often attract damaging publicity. Take particular care if you take disciplinary action against, or dismiss, employees.

Adopt a 'reasonable response'

If it is appropriate to take action against an employee, make sure that any action is within what an employment tribunal will see as a 'reasonable response'.

We reviewed nine employment cases from the past five years that involved social media and found that tribunals will take a broad view of what is a 'reasonable response'. For example, tribunals can take into account:

• the employee's previous disciplinary record;
• how the employee behaved when the incident came to light;
• the size of any financial loss that the social media incident caused, or was likely to cause; and
• whether the organisation had a social media policy in place, and if it was clear to employees what would happen if they breached it.

Adam Rose is a commercial, outsourcing and TMT partner at Berwin Leighton Paisner. Click here for more information on BLP's social media report.