Professionals, business people, and government employees are increasingly using Facebook and other social media for official business, often as agents of their employers. Commonly, the employers are required or well-advised to make and keep records of the employees’ social media communications.
This issue arose in a workshop that Messaging Architects and I led at a sizable enterprise (having about 8000 employees). The purpose of the workshop was to establish policy on the retention of electronic records. The workshop pulled together representatives of disparate stakeholders within the enterprise, including the IT, legal and compliance departments.
Workshop participants, including representatives from human resources, feared that employees would ignore a policy that forbids them from using text messages, Facebook and Google Buzz to transact business. So the workgroup drafted this language for adoption as HR corporate policy:
“If an employee uses electronic messages for business, outside an enterprise email system account, the employee is expected to strive to make records of the messages such that they are within the control of the enterprise.”
Dear Reader: What do you think of such a policy?
Next question: Speaking practically, how would an employee make and keep records of Facebook communications? I don't have all the answers, but here's a step to consider:
Facebook allows a user to submit many of his postings via email. So at http://www.facebook.com/mobile/?v=web Facebook shows the user that if he sends some text to a special email address, then the text will be posted as coming from the user.
For example, . . . here is a screenshot of a message I posted from my email account:
Facebook posts this kind of incoming email as a status update to the user’s Wall. Note that when a user like me submits text via email, the only text that appears on the user’s Wall (status update) is the text in the subject line of the user’s email. If the user writes anything in the content of the email, Facebook seems to ignore it and seems not to post it.
Thus, in the example above, I wrote all the text in the subject line of the message from my email account to my FB account.
If an employee were to submit to FB by way of her employer-controlled e-mail account, then the account would retain the submission according to whatever record retention/destruction policy the employer has set – 90 days, seven years, or whatever. [Interesting questions: In the employer's email system, are there limits to the number of characters that can be transmitted in the subject line of an outgoing message and can be stored in the record of that message?]
A FB user can submit more than text from his email account. The FB user can also submit a photo (or even a video). FB posts the photo on the user's Wall, with text taken from the subject line of the email. For instance:
So . . . the above is one convenient way for a business professional to store her Wall posts into her employer's email system, such that the posts will be preserved for audit, inspection, supervision, ediscovery, litigation hold and the like.
I argue that email archives are the starting place for any enterprise that wishes to maintain electronic records for legal compliance purposes. I argue the same goes for Twitter.
My ideas here leave scads of answered questions, such as how to record comments that others post on the user's Wall.
Mr. Wright teaches IT and records management law at the SANS Institute, where social network law is part of the curriculum. He chairs a (proposed) SANS conference on e-records and e-discovery slated for Las Vegas, September 2010.
Update: Cutting-edge Web 2.0 lawsuit.