Is Social Media a Corporate Spy's Best "Friend"? How Social Media Use May Expose your Company to Cyber-Vulnerability, Contributed by Fernando M. Pinguelo and Bradford W. Muller, Norris McLaughlin & Marcus, P.A.
The rise of social media has ignited a societal change in how people across the world communicate and “stay in touch.”1 These social networking websites allow users to create personal profiles, post comments, join groups, add contacts,2 and most important, find like-minded people with whom to share ideas, interests, and experiences. They give users the opportunity to link with others, both near and abroad, based on shared personal interests and business or academic affiliations.3
However, in the business community, social networking also makes companies more susceptible to corporate espionage, i.e., “clandestine techniques used to steal valuable information from businesses.”4 This is caused, in part, by the fact that “[t]he general informality of social media sites like Twitter or Facebook encourages employees to let their guard down and casually share information without thinking twice.”5
The risks created by employees’ social media use are too great to ignore. For example, the development of “scraping” software allows cyber-spies to harvest personal details from thousands of users on social networking sites.6 When scraping software7 is targeted at the profiles of a particular company’s employees and the gathered information is reconstituted, it has the potential to alert a competitor to such things as a new product launch or internal strife at the target company. Further, even top-level managers occasionally post less than flattering pictures of themselves on their Facebook pages, and such personal information can easily be used for blackmail purposes.8
These risks are reinforced by a recent survey of large companies that found the average corporation lost $4.3 million as a result of negative consequences associated with social media, with contributing factors including damaged brand reputation or loss of customer trust, loss of data, compliance costs, regulatory fines, litigation costs, etc.9 While these costs10 should not negate the value that active social media use offers a company and its employees, or the added benefits that such use brings to a company’s marketing and brand recognition in a global market, they do require businesses to consider the growing need for a comprehensive social media policy.
One way to attempt to limit a company’s vulnerability to corporate espionage is to bar the use of social networks during business hours.11 For example, Porsche SE has “blocked employees from using Facebook to help reduce potential access points for cyber spies.”12 Many commentators, however, suggest that companies should not reflexively ban the use of social media by employees, but rather develop a measured approach for effective and safe corporate and personal use.13 This approach is often preferable. While a company may attempt to regulate its employees’ use of social media during business hours by blocking access to certain websites, it is more difficult to prevent them from discussing their work life on their MySpace pages when they are in the comfort of their own home.
Accordingly, while this article addresses a few of the innovative ways in which a company may be exposed to increased cyber-vulnerability through its employees’ use of social media, it in no way suggests that a blanket anti-social media policy should be adopted. Rather, a company should follow a policy that builds off of one of the many model policies currently available,14 and should find a balance that fits its own corporate structure.15 This article also offers suggested measures for companies to consider.
Let’s Just Keep This Among “Friends”: Employees’ Natural Inclination to “Bare All” on Facebook, MySpace, Google+ and Twitter Puts Their Employers’ Interests at Risk
Perhaps the largest risk created by social media is that users seem to forget that what they intend to remain “private” can become public very quickly on the Internet. An obvious example of this is Weiner-Gate;16 though in the business setting this could involve such things as raunchy photos from an overly exuberant company holiday party,17 or an ill-timed joke (just ask Gilbert Gottfried, the former voice of the AFLAC duck).18 However, even seemingly innocuous comments by employees on their social media19 pages about the launch of a secret company product, or the rumored resignation of a top level executive, could have major ramifications if discovered by a cyber-spy working for a competitor.
Further, “vulnerable” employees may be targeted by cyber-spies. Such employees include those who provide minute-by-minute details of their lives through frequent “status” updates on their Facebook pages, those who post seemingly endless amounts of photos, and those who “friend” anyone who makes a request (even complete strangers). Using publicly available data, including information found on social media websites, bad actors may induce or coerce these employees to cooperate, or mount a targeted “spear phishing” attack20 that uses social engineering to trick the employee into disclosing sensitive corporate information or access codes.21 Such an attack was recently executed using WilmerHale’s name: an e-mail purporting to come from a fictitious WilmerHale attorney was sent, instructing recipients to click on a link to respond to a subpoena. The link led to a malicious program designed to infiltrate the recipient’s computer system.22 This type of malware could cause massive data breaches that require costly reporting to state and, perhaps, federal authorities.23 Accordingly, employee awareness of the dangers posed to both themselves and the company through free-wheeling social media use must be a component of any effective social media policy.
When Does Corporate Espionage Move From Competitive Due Diligence To Cybercrime?
The dearth of case law discussing the intersection of corporate espionage and social media raises the question: When does the use of social media to gain insight into the non-public information of a competitor go from being savvy use of digital tools to illegal corporate cyber-espionage? There is obviously a monumental difference in the ethics and legality between following the Twitter feed of a competitor’s CEO and engineering a “dirty-tricks” campaign, but where is that line and when is it crossed?24
One example of when cyber “tricks” go too far may be seen in the security firm HBGary Federal’s alleged plans to use social media and other digital tools to undermine supporters of WikiLeaks and opponents of the U.S. Chamber of Commerce.25 HBGary first gained public notoriety in early 2011 when its chief executive claimed to have discovered the identities of leaders of the hacktivist26 group Anonymous27 by using publicly available information from various social media outlets.28 Not amused, hackers promptly attacked HBGary’s computer systems and website, causing the security company great public embarrassment and eventually leading to its CEO’s resignation.29
That hacking incident revealed damaging HBGary emails which showed that the firm had planned some of its own borderline illegal, and completely unethical, cyber tricks as part of a sales pitch to the Hunton & Williams law firm, whose clients included Bank of America and the U.S. Chamber of Commerce.30 Although these plans were never acted upon, they involved efforts to sabotage the WikiLeaks website on behalf of Bank of America through such measures as cyberattacks and a digital misinformation campaign. Similarly, a second plan was developed to combat foes of the U.S. Chamber of Commerce by, among other things, monitoring their communications, planting false information to embarrass them, using software programs to scrape social media sites for opponents’ personal information, and creating fake personas on social media websites to gain greater access to opponents.31
Organized misinformation campaigns such as those contained in HBGary’s alleged sales pitch are troubling and certainly straddle the line of legality. This is but one example of the many ways in which social media can be used to infiltrate and undermine an organization.
The Corporate Response: How to Address the Social Media “Threat” Without Sacrificing Employee Morale, Marketing Opportunities, Innovation, Business Growth, and the “Plus” Side
Faced with this pervasive threat, many corporate leaders may find it easier to simply bar the use of social media during work hours, warn employees not to post any work-related information on their social media pages during their personal time outside the office, monitor, and keep their fingers crossed that a mis-Tweet does not lead to their company’s undoing. Indeed, the luxury German car-maker Porsche, despite having an expansive Facebook page, adopted a policy that forbids staff from accessing social media during work hours,32 out of concern that “foreign intelligence services may be spying on workers posting ‘confidential’ information” on their social networks.33 However, the effectiveness of such a policy is dubious, as smart-phones allow for unbridled social media access during work hours, and any attempt to police employee use of social networks off-site would likely have little success.34 Indeed, an anti-social media policy may reduce employee morale and breed a culture of skirting company rules.35 Further, exceedingly expansive restrictions on employee social media use are not the answer either, especially because such restrictions have emerged as a major issue in recent National Labor Relations Board reviews.36 Even when a company has harsh restrictions in place, an attempt to enforce the policy by, for example, terminating offending employees may be fodder for a lawsuit.37
Accordingly, companies would be well served by adopting a comprehensive, reasonable social media policy that incorporates vigorous employee training and awareness.38 Such training must inform employees of the risks of posting even seemingly innocuous comments about confidential company information on their social media accounts. In the realm of protecting trade secrets and other intellectual property, this training is key, along with other reasonable measures, such as posting signs to remind employees to keep private company information confidential, requiring key employees and contractors to sign non-disclosure agreements or restrictive covenants, barring visitors from sensitive areas of the company’s facilities, and marking important documents “confidential.”39 Despite the potential risks noted above, every policy should incorporate a provision (subject to relevant state law), widely disseminated within the company and agreed to in a written consent form, which makes all employees subject to discipline for work-related misconduct that occurs through a social networking site, even if the act is perpetrated while the employee is outside the office.40 However, it is critical that once a social media policy is adopted, a management system is developed to ensure that the policy is actively and fairly enforced.41
Further, mechanisms should be created for identifying and dealing with “high risk” employees whose social media use could pose a danger to the company.42 Finally, top-level staff must be made aware of their vulnerability to both phishing attacks and blackmail campaigns. While all employees should avoid posting information or pictures/video on their social networks that could be embarrassing or compromising, it is especially important for upper-level staff, who are likely under the watchful eye of competitors’ representatives, to avoid such conduct. Indeed, if the CEO of a large company were to have his or her own “Weiner-Gate,” it could be disastrous for the corporation’s stock price, brand, and reputation in the business community.
Social media has brought with it a world of new marketing opportunities, making our society a smaller, more close-knit community, while allowing its users to reconnect with long-forgotten friends and meet new colleagues from across the globe. However, like every new technology, social media’s rewards are balanced by equally staggering risks. Although these risks do not merit a wholesale repudiation of social media use by a company and its employees, they do require the adoption of a comprehensive social media policy focused on educating employees and reducing vulnerabilities. While no policy is foolproof, as a simple mis-Tweet or rogue Facebook post about confidential company information could have a devastating effect on a business’s competitive position, taking a proactive approach to employee social media use can reduce any company’s risk of exposure.
Fernando M. Pinguelo, a Partner at Norris, McLaughlin & Marcus, P.A. and Chair of its Cyber Security & Data Protection Law Group, is a United States-based trial lawyer who devotes his practice to complex business lawsuits with an emphasis on how technology impacts disputes. He has lectured globally and written dozens of articles on the topic, and has appeared on television as a legal commentator on various high-profile cases. He works closely with businesses to develop strategies to manage business and legal issues related to electronic data. As an adjunct law professor at Seton Hall University School of Law, Mr. Pinguelo developed and teaches a state-of-the-art course on electronic discovery (“eDiscovery”) and how technology impacts lawsuits. Recently, the U.S. Fulbright Program designated him a Fulbright Specialist for his work in eDiscovery, and he will guest lecture at Mackenzie University, São Paulo, Brazil. Mr. Pinguelo also founded and contributes to the ABA Journal award-winning blog, eLessons Learned – Where Law, Technology, & Human Error Collide. To learn more about Mr. Pinguelo and effective training programs to address business vulnerabilities to cyber activities, visit www.CyberJurist.com or email him at info@CyberJurist.com.
Bradford W. Muller, an Associate at Norris, McLaughlin & Marcus, P.A., is a member of the firm’s Litigation and Internet Law groups. Muller has published in the area of cybercrime and cloud computing, and has spoken at international conferences held at the University of Virginia School of Law, Seton Hall University School of Law, and The Masters Conference in Washington, D.C. Muller is a graduate of Seton Hall University School of Law, magna cum laude, where he was a Comments Editor on the Seton Hall Law Review. Prior to his current position, Muller was a Judicial Law Clerk to the Honorable Anthony J. Parrillo, New Jersey Superior Court, Appellate Division.
© Fernando M. Pinguelo and Bradford W. Muller
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.