May 12, 2016

WEBINAR Social Media PolicyEssentials for MortgageLenders & Brokers

WEBINAR Social Media PolicyEssentials for MortgageLenders & Brokers

Andrea Lee Negroni, JD

May 12, 2016

Introduction

Today, we'll discuss why mortgage lenders and brokers should adopt and enforce social media policies. Just a few years ago, we were talking about

whether social media was even needed in the mortgage industry...

The overwhelming sentiment now is that social media is essential for customer relationship management, marketing and brand-building. But far more companies use social media than have established policies for its use. In fact, a study cited on Smarsh's compliance

blog reveals nearly half of companies don't have social media policies!

3

• What are the risks of not having a social media policy?• What elements should be included in the policy?• Why are these elements important?• Are there best practices for social media policies?• How are social media policies enforced?

4

In this webinar we’ll consider…

One risk of having no social media policy…Wild Wild West Syndrome

• Unconstrained expression can lead to problems, including expensive litigation and long-lasting reputational harm.

• Harassment and online bullying are growing & social platform executives are taking notice.

• David Lat, founder of the Above the Law site, says user comments are "ruining the Internet," so he's deleted them.

• Basic civility is being replaced with abuse and insults. • Anyone and everyone can create content but lenders and brokers can be tarnished by

employee posts.

5

Remember Lindsay Stone?

In 2012 she visited Arlington Cemetery, flipped the bird at a gravesite and posted a photo of this behavior on her Facebook page. Her employer, a provider of services for special needs adults, took nationwide flack even

though the photo was in a personal post. Public outrage was so great it led to her firing. Lindsay lost her livelihood but the company lost time, money,

and its reputation for principled employees. Lindsay's shameful photo gained immortality on the web.

6

As Taylor Swift's song Shake it Off says...

The haters gonna hate hate hate hate hate

But a mortgage company can't just respond to hateful social messaging by saying they're gonna "shake it off."

They need a better plan to avoid reputational and financial harm...

7

Hertz learned its social media policy lesson the hard way... in court

A Hertz employee made racist, homophobic and threatening comments about a customer on Facebook -- these got back to the customer -- who sued Hertz. Ultimately, Hertz wasn't found liable for the employee's rants because the judge said they were unforeseeable, but Hertz might have avoided the lawsuit by training its employees in responsible, appropriate social media use.[Howard v. Hertz Corp., 1/25/2016]

Moreover, some states (CA, FL) recognize an employer's legal duty to train employees to avoid harm -- or allow legal claims for 'negligent training' or 'negligent supervision'There are plenty of law firms ready to help individuals bring lawsuits claiming injury from a company's negligent hiring, retention, supervision and training.

8

Another risk of no policy…Sensitive or confidential data may be disclosed.

This is especially tricky if the company has no policy on what can be shared on social media.

Your most socially active employees are likely to pose the greatest risk because the more people use social platforms, the more likely they are to rely on it, and share opinions on it (including acting on shared opinions).[Penn State Univ. research]

9

The FBI has identified the risk of disclosure of confidential information on social

media...And recommends preventative measures.

A few examples:• Establish policies about what company info can be shared on personal blogs or social sites...and

enforce the policy• Use multiple security layers in the computer network• Continuously monitor data movement on the company's network• Educate employees about how their social and online activity can affect the company• Ask employees to lend their eyes and ears to social messages and report suspicious activity when

they see it• Avoid public Wi-Fi networks and hotspots unless sending info to encrypted sites

10

So you're ready to adopt a social media policy... What are the "do's" and "don'ts"? The 10 Commandments don't work here.

Flexibility is key.

You can't force employees to share their social media passwords and usernames to monitor what they're doing. State laws limit an employer's ability to get this information via "coercive" requests.In states including AR, CA, CT, DE, IL, ME, MD, MI, MT, NJ, NM, OR, UT & VA, an employer can't require employees to change their social media privacy settings, or require the employee to add the employer as a contact associated with the account (e.g., Facebook friending).

Other laws prohibit retaliation for what an employee says on a personal (not business) social platform. This is called Facebook-fired protection.

[Might this kind of law have saved Lindsay Stone?]11

Federal labor law also matters...

The National Labor Relations Board says employers can't fire or discipline employees for some job-related posts, which may be considered protected

concerted activity.

These usually have to do with job-related benefits or comments on working conditions, which might otherwise fall into the "non-disparagement"

category of a social media policy.

12

Can we rely on best practices for our policy? What are those best practices?

Mortgage companies can look across industries for best practices, and they should. Here are some relevant principles:

• Traditional ethics rules still apply online.• Assume every social message you post will become public.• Engage with customers, but professionally.• Break news on your website, not on social platforms.• Authenticate anything found on social sites. • Always identify yourself accurately.• Admit when you’re wrong online.

13

More best practices…• Include company bloggers in developing corporate blogging policies; publish the

guidelines widely. • Seek input from legal and corporate communications experts when developing

blogging & social media polices.• Clearly define if social messages reflects employee opinions or the company’s.• Allow constructive (civil) criticism: Employees may have different points of view than

management. Open communication builds a foundation for a successful social media program.

• Include mechanisms for responding to customer or employee comments.• If information should be deleted (because it is confidential or was posted in error),

delete it promptly and explain why.• Clearly communicate to employees what information is appropriate or inappropriate to

disclose.

14

And a few more…• Respect your audience’s privacy.• Don't disparage competitors or your industry.• Let customers know you listened when they post feedback, by responding. • Cite material in your posts, linking to original sources when possible. • Don't appropriate intellectual property of others.

[Many of these best practices are from the American Society of Newspaper Editors and SocialMediaBiz]

• Encourage employees to check (prior to publishing) with parties to potentially confidential conversations, and with the subjects of photos before sharing the conversation, transaction or image.

• Understand that social media policies cannot be static. Revisit and revise them frequently.

15

Social policy essentials for employees...Similar, but not exactly the same as for the company

• Always follow the laws & rules of the mortgage industry (including your license laws).• Privacy is paramount in the financial industry. Protect customer privacy with a

vengeance.• Ethical, civil discourse is essential; be polite & respectful. Avoid anything that may be

considered harassment.• Avoid disclosure of company confidential, proprietary, and trade-secret information.• Don't comment on matters beyond your expertise.• Don't SPAM anyone.• Don't disparage your employer, customers, coworkers, or competitors.• Don't use anyone else's content without their permission (including images of others) --

my apologies to Taylor Swift, for this educational content

16

Social policy essentials for employees...• Don't link to other websites without permission

• Don't use fake profiles, pseudonyms or anonymity when representing your employer• Avoid blurring the lines between personal (Instagram, Facebook) and business social

media• Use the company's official logos and branding• Don't engage in internal personnel, salary or related conversations in public social

forums• Don't misrepresent your professional credentials, education or certifications; include

your license information in mortgage transaction-related messages• Keep separate emails for personal and business communications• Don't speak on behalf of your employer without permission• Keep your social profile pages current (don't keep an expired affiliation in your profile)• When in doubt, ask a supervisor

17

Policies are not self-policing!So...you've adopted a social media policy for the company, and a separate but consistent policy for employees. Now what?

Don't file it away and forget about it. Every effective corporate policy requires monitoring and enforcement.

Policy + monitoring & archiving + enforcement = risk mitigation

18

Monitoring social mediaEven the best-intentioned companies and employees can't assume everything will go as planned. That's why social messages should be monitored regularly for compliance with your adopted policy standards.

There are various ways to do this -- internal teams dedicated to reviewing social messaging, algorithmic key word searches of employee messages, specialized software with social reporting capability, and use of vendors specializing in "social media listening."

Consider Smarsh solutions for constructive ways to monitor social messages by your people, or pertinent to your company. For more information, contact Scott Ferguson, sferguson@smarsh.com

19

Don't just identify it, archive itEventually, you may be called upon to not only identify but produce records of your (and your employees') social media activity, in response to a regulatory demand, consumer lawsuit, or for other business purposes. This is where social media archiving comes in...

For example, if you have to show that an employee's posts were monitored, following which the employee was retrained in company policy, a claim of "negligent training" might be answered. Properly archived social media may also provide a shield, for example, in a customer's lawsuit falsely claiming racist, sexist or other "-ist" language was used in messages during the transaction.

Smarsh is an industry-leading provider of social media archiving solutions.

20

What rings the monitoring bells...?And then what?

Some types of information should trigger alerts and may necessitate retraining or enforcement activity. Obviously, highly confidential information like SSNs, offensive language, links to providers of unlawful or obscene content, and trade-protected data fall into this category. But every enterprise will have its own standards.The company should remove such information as soon as possible, but further action may be required.A social media policy must be enforced. Consequences must attend breaches, whether deliberate or inadvertent, should be impartial (e.g., similar infractions lead to similar penalties), proportionate, and involve the measure of due process that applies to other aspects of noncompliance with company policies.The HR department is a necessary participant in the enforcement element of a social media policy, but should not be the driver of the enforcement activity. That responsibility should remain with top management, which will demonstrate the company's high-level commitment to social media compliance.

21

For further information…

For more tips on social media policy development in the mortgage business, see my blogpost on the Smarsh compliance

blogs at: http://www.smarsh.com/blog/adopting-social-media-policy-12-essentials-mortgage-lenders-brokers/

22

Questions?

Thank you!