– Sarah Carter, vice president at Actiance (www.actiance.com), says:
Have you ever logged onto Twitter and wondered what on earth that random conversation between two colleagues is really about? Imagine coming across it months or even years later and then trying to make sense of it. Whether it is for eDiscovery, disciplinary procedures or to prove a point on compliance, all business conversations need to be stored securely and social media is no different. The problem is that the process of archiving, storing and making posts easily retrievable is made exponentially more complex because of their multidimensional nature.
What happens to the social media archive if the conversation is taken from Twitter to another medium such as email? A perfectly legitimate action if you want to provide a detailed response to a customer question that is going to take more than 140 characters. Who joined a conversation within the chat function of Facebook, and when they left, might be just as pertinent as the content when trying to understand the context of the entire conversation.
Meeting most industry regulations and eDiscovery legislation requires special controls around how data is captured, stored, searched and recovered. Being able to archive contextually is of significant importance. Without it, even if organizations have implemented rudimentary measures to capture social media conversations, all they are left with is snippets of content and no sense of what took place without a time-consuming reconstruction. That is, of course, if it’s possible to retrieve all the content in the first place.
Archiving social media is also made more difficult because of the different channels available to users in which to participate. Unlike email, where all messages can be driven through a designated email server, social media can easily be accessed outside of the corporate network, such as on a home computer or on a mobile device. Key to being able to easily recognize employees in archived social media conversations, as well as controlling user activity and monitoring content, is the ability to trace individuals by their numerous social media logins and pseudo names back to their corporate identity.
In some industries, particularly in financial services where for some advisors there is a requirement to control all electronic communication where the employee is identifiable, archiving and controlling content posted off-network is a prerequisite to social media’s use. With Regulatory Notice 11-39, FINRA explicitly points out that “Rule 17a-4(b) under the Securities Exchange Act of 1934 (SEA) requires broker-dealers to preserve certain records for a period of not less than three years, the first two in an easily accessible place.” Most organizations can’t – or don’t choose to – monitor Facebook conversations, let alone have a searchable archive.
In addition, organizations must be able to demonstrate that posts and messages recovered are the same content that was originally stored and that they are a true representation of the original data. This requires a centralized archiving system that enables easy review of messages posted alongside detailed analysis of electronic conversations, including file downloads, both internally and externally. As with all tamperproof systems, all of this information must of course include a complete audit trail of the auditor reviewing the information.
But there is no point in recording all of this information if it cannot be linked to an employee’s corporate identity. Most people have different buddy-names on different types of media and possibly more than one account within one social network. Mapping a user’s buddy-names to their corporate identity using tools such as Active Directory is crucial in producing a meaningful archive.
Of course, being able to retrieve content posted to social media in a way that is meaningful long after anyone actually remembers what was said relies on being able to control the content in the first place, and this can provide additional benefits. For instance, one of the prerequisites for PCI DSS (the Payment Card Industry Data Security Standard) compliance is that organizations block all non-approved channels of communication. If you’ve approved social media’s use, then you need to be certain that credit card numbers and other personal information can’t leave the organization unauthorized.
Since traditional security infrastructures don’t detect many Web 2.0 applications and tools, this isn’t as easy as it first seems. Many legitimate social media tools and services are encrypted or use evasive techniques such as port hopping and tunneling to ensure a direct path straight to a user’s desktop or browser. Besides data leaking out, there is also the danger of malware entering in too.
The road is littered with soon-to-be-forgotten social networks such as MySpace or Bebo, and whether Facebook will be as popular in two years’ time as it is today is impossible to say. But as with any archive, it’s important to be able to retrieve the information long after the application or service it was created on has disappeared. Implementing the technology required to create that archive will deliver more than just easy retrieval; it will provide the necessary security, management and compliance controls required for any business to embrace social media today.