Managing the social networking data sieve

CIO - Twitter, Facebook, LinkedIn and other social networking sites practically beg you to reveal even more information about yourself. Log on, and you're asked: What are you doing? What are you doing right now? What are you working on?

Whether they mean to or not, any of your employees active on these sites can give away company secrets as easily as they do personal ones, 150-odd characters at a time. For CIOs trying to get a grip on social networking by employees, Tom Mighell, a lawyer and senior manager at Fios Inc., an electronic discovery consulting firm, offers some starting points:

1. Accept and train. Many employees will use social networking tools regardless of what you want them to do. Instead of trying to stop them, teach them what to say -- or what not to say -- about work. For example, employees might be tempted to promote the features of a new product. But should that product become the subject of a product-liability claim, those statements could be used as damning evidence, Mighell says. Also, they should be clear about which statements are opinion and which are fact. Talk frankly about the legal risks.

2. Influence the socializing. Show how to use social networking tools productively and creatively for work without giving away too much information. For example, solicit expertise but don't get too specific.

Wrong: "About to blow major deadline for Project Anaconda. Any SAP Netweaver experts out there? Help!"

Right: "Looking for an SAP NetWeaver expert."

3. Consider the complexities. If information posted on social networking sites becomes relevant in a lawsuit, you will have to collect it, review it and search it so you can comply with discovery requests. That may mean your social networking employees may have to give up some privacy -- their site passwords, for example. This particular situation hasn't yet come up in court, but it could get messy if the employee refuses to cooperate, Mighell notes.

4. Monitor. Designate a couple of people from the tech or legal groups to do sweeps of Facebook, LinkedIn and other known hangouts of your employees, to see who's saying and doing what. Talk to those who aren't following policy, and keep records to prove regular monitoring and enforcement of your rules, he says. You can't defend yourself if you set policy but never enforce it.