Social media being used as an attack vector for cybercriminals is nothing new. Recently, Chipotlewas in the news after a hacker hijacked their Twitter account and posted several racist and anti-government messages, leading to embarrassment for the company.
How concerned are companies about their social media accounts and what should they be concerned about?
“The two biggest mistakes a company can make in connection with using social media is, one, being reactive instead of proactive and, two, having knee-jerk reactions to online social media posts,” said Ethan Wall, social media law professor, author, and creator of Social Media Law and Order.
To get more insight about companies and their social media accounts, I reached out to Wall about the subject. We talked about his website, what companies should be aware of concerning social media, and how a company needs to protect their intellectual property from social media.
Our edited conversation follows.
Social Media Law and Order, I like the name. Could you tell me about your website?
The website is designed as a resource for people looking for information about the effect of social media on the law. I have been practicing social media and Internet law for about eight years now. I just published a book, and now I blog about it. I enjoy teaching in this area so much that I wanted to create a hub for people who are looking for information about this stuff and wanted to learn more could find me, and I would be able to help them out and teach them about how Facebook, Twitter, LinkedIn, and all these other great social media sites are effecting the practice of law and businesses in 2015 and beyond.
One of the great things about writing for HackSurfer is that I get access to all of SurfWatch Labs’ data. I get to see firsthand massive amounts of data pertaining to all things cyber related. In that data, we see a lot of social media related content. More recently, there was an attack on Chipotle’s Twitter account where the hacker hijacked the account and posted several anti-government and racist content. We hear about companies having their websites and social media accounts hacked all the time. What are some of the worst things you have heard a business do with their social media account?
If a company doesn’t anticipate the fact that there is the potential for problems with their social media … they are going to find themselves in some real trouble. I think in today’s society we understand and expect that mistakes are going to happen. When something happens like with the Chipotle situation, Chipotle and other companies need to know what the procedures are when a social media emergency arises so they can handle it as quickly as possible.
Are you familiar with Digiorno the pizza company?
“It’s not delivery, it’s Digiorno.” Yep, very familiar.
Digiorno has an incredibly personal social media account. … One of the things that they do is they watch Monday Night Raw live and tweet about the program as it goes on. One day, Digiorno didn’t do their homework and took a Twitter hashtag that was called #WhyILeft. They used it in connection with pizza, saying #WhyILeft, and the tweet would say something like because I was ordering pizza. The #WhyILeft was based upon domestic violence for women. There was a huge uproar about the fact that Digiorno was making jokes about domestic violence when really it was just a mistake of someone seeing a hashtag and not doing their research to use it in an appropriate way.
What did Digiorno do? They had a plan. If and when someone was operating their Twitter account makes a mistake and says something bad, they would spend the next week personally apologizing to each and every single person who mentioned Digiorno in a tweet. … Hundreds if not thousands of tweets were sent by that account to admit that they had made a mistake. They didn’t hide from it, and I think it blew over pretty quickly. That is number one.
Number two is having a knee-jerk reaction to something. A lot of companies who use social media and have a negative review, and instead of thinking about it, the company will respond or disagree. The next thing you know, it blows up into something bigger. … That is a big mistake companies can make, that sort of tweeting first and asking questions later.
When I think about companies using Twitter and protecting their brand, I usually think about athletes. For example, Robert Griffin III seems to be in constant trouble over his social media activity and has paid the price for it. I believe athletes are their own personal business and need to also treat their social media accounts as such. Do you agree?
Is an athlete the same as a business in terms of their social media presence and value as a brand? The answer is yes in some respects and no in others. It is certainly true that an athlete says and does just like an entertainer. An example would be Kanye West and that whole Grammy spat with Beck. Social media is blowing up with people saying how foolish it was [for Kanye West] to do something like that. So just like entertainers, when an athlete does or says something, it hurts their brand. The difference with a company is that the company will generally have tons of resources into training and compliance about what they should or shouldn’t say online. Therefore, it is less likely that a company would say something bad because their employees have been trained to know what is responsible and there is probably some oversight. Athletes are just human beings, and they are susceptible to finding themselves saying something stupid.
I want to switch gears here because of your experience with intellectual property (IP). A target that comes to mind when I think about IP and cybersecurity is Sony Pictures. What do companies need to be concerned about when it comes to IP and social media?
Companies need to be concerned about what information is being published online, how it is being published, and who is publishing it. I don’t think we need to go too deep into a discussion about what could happen if a hacker goes in there and steals information, like Sony, and what the potential fallout could be. Obviously, if somebody external to your organization is somehow breaking into your security system and stealing sensitive data and putting it online, that is a big problem and companies need to know about it.
What I think is new and interesting and more critical for companies to keep their eye on is what their employees may be saying or doing online in a manner that could really hurt the company. One the one hand you have your obvious stuff: trade secret information, the secret recipe for Coca Cola, or the 11 herbs and spices from KFC. Companies obviously take very strong precautions in ensuring that their employees and independent contractors are saying or doing something that will leak that sensitive information. In today’s society, there are a lot more seemingly innocuous things that could cause a lot more potential harm that a company might not think about. For example, let’s say a large company does a ton of business manufacturing things out of China. The company learns it is a lot cheaper to produce their good and services out of Thailand, India, or some other location. Some of these sales reps are going to these factories and begin checking in on social media and being posting pictures of them out in Thailand. A competitor who does a reasonable amount of research may be able to benefit from something like this. … Companies really need to have a system in place that has social media policies that govern what their employees can and can’t say online.
As I said previously, social media is a huge target. Having said that, do you think we are starting to learn lessons from the past? Are people finally seeing that you have to treat and protect your social media accounts as an extension of themselves?
I think so long as people are born, new technologies are created and we are using them, there will be new and unique types of problems. Technology advances so much faster than the law can adapt. I can’t say across the board people have learned from their mistakes and won’t remake them because there will be new people who are sharing things online. There might not be enough oversight, control, training and management to prevent these things from happening.
What is more important is this: as new technologies are created, more opportunities will be created for cybersecurity risk.