Developing an Effective Employee Social Media Policy


by Geoff Keston

Docid: 00021178

Publication Date: 2211



Many corporate employees now use social media for business, such as
answering customer questions or promoting a new product. But mistakes on
social media can hurt a company’s reputation or expose it to lawsuits.
Good policies help to prevent these problems, so it has become vital for
companies to understand the risks that social media presents and the best
practices for how to use it well.

Executive Summary

Since social media involves interaction rather than a one-way delivery of
information, employees and employers both need to be protected by an
effective social media policy.

But crafting such a policy is difficult. For policies to be lawful, they
should provide specific examples of acceptable and unacceptable social
media usage, even if they cannot cover all social media. At the same time,
the policy should not infringe upon free speech and labor rights, or
employees may challenge the policy in court.

An effective employee social media policy should also consider the
benefits of leveraging social media. If a company uses social media, it
can heighten its presence by keeping content new and active to encourage
repeated visits. Moreover, links to a company’s social media pages (on
Facebook, Twitter, etc.) from the corporate Web site can be used as a
branding tool to grow an online presence and community. Therefore,
companies should not only consider developing an employee social media
policy, they should also have well-defined guidelines in place for
employees to harness the potential of social media as well, and they
should train employees on the policy to maximize compliance and results.


Social media offers the opportunity to interact with partners and
customers on a global stage. But despite years of practice, it remains
difficult for businesses to use well. For example, in 2018, Lockheed
Martin asked people to post photos of the company’s products with the
hashtag #WorldPhotoDay. But the attempt at gaining free promotion failed,
as some people posted politically critical messages such as a picture of a
bomb that had hit a school.[1] A social media policy should
therefore optimize the opportunity to build stronger relationships while
protecting against activity that could damage a company.

The scope of a policy should cover sites for social or business networking,
photo- and video-sharing (including streaming videos and podcasts),
blogging, or contributing to a wiki; however, it should not be limited to
these technologies alone. For example, e-mail, texting, videotexting,
chatting, gaming, and instant messaging can be included as well. A company
must first decide what it legitimately and legally needs or wants to
control, which can be difficult. For example, gaming might seem to be a
clear choice to ban, but “gamification” is now commonly used for training
and other corporate activities, so even a seemingly commonsense policy
against gaming may be problematic.

In addition, policies that are too prescriptive may be ineffective. With
technology advancing exponentially, being too specific may necessitate
continual policy updates to keep pace with new social media sites and new
practices. However, trying to avoid revisions by being overly broad can be
deemed illegal – creating a catch-22 for social media policy makers. For
policies to be considered lawful, they need to cite specific examples of
acceptable and unacceptable social media usage, even if they cannot cover
all social media. The examples should be in plain language and be
informative so that employees can understand what is and is not covered.
At the same time, the policy should not infringe upon free speech and
labor rights, or employees may challenge the policy in court.

Companies need to consider the characteristics that social media have in
common: short, concise bits of information easily accessed and read on a
small screen. For an employee social media policy to be effective, it
needs to mirror its subject. If the policy is too intricate, detailed,
aimed at multiple audiences at once, and full of legalese, the employees
who use social media probably won’t read it until they are asked to leave
the building and try to figure out what happened. Clear, unambiguous,
applicable, and easy to understand language with illustrative examples
should be the standard for the policy.

A policy can also cover acceptable usage of social media in hiring
practices. For example, hiring decisions cannot be based on protected class
information: Did a potential employee’s Facebook page reveal that person’s
age? Was this person hired or not hired based on this protected class
information? Can the company use social media to learn about a potential
employee in the first place? Most companies today do this as an acceptable
practice, but is the protected class information hidden from the hiring
manager? Has a company recruiter required a potential employee to friend him
or her on Facebook? First, this behavior may not impress the potential
candidate; second, it is illegal in many states. Thus, social media policies
may need to connect to HR practices.


Apart from using a policy to control employee social media use, companies
might block access or promote a more fundamental awareness of how to make
good judgments. These approaches are alternatives – or, more likely,
complements – to a social media policy.

Blocking Access to Social Media

Some companies might take the somewhat radical step of severely or entirely
blocking employee access to social media. The advantage of this approach is
that it avoids the difficulty of creating a policy, enforcing it, and
keeping it up to date amid changes to technologies and user habits. But as
social media has become part of many people’s daily lives, it is
increasingly hard for companies to avoid its use. Many prospective employees
also want to know how social media usage integrates with the company’s
mission and marketing, as well as the preferred (and sanctioned) platforms
and applications, before joining a company. A new generation of workers is
going to use social media anyway, so it benefits a company to develop an
effective policy to stay ahead of the curve.

Figure 1. Intel’s Three Rules of Social Media Engagement

Source: Intel

Emphasize Awareness of Best Practices

Rather than asking employees to simply follow policies, another approach
is to train them to be aware of social media best practices. Table 1
describes some of the most noteworthy aspects of representative social
media policies.

Table 1. Sample Social Media Policies

Company: Coca-Cola
Unique Policy Elements: Coca-Cola is simple and succinct: “Have fun, but be
smart” and “[w]hen in doubt, do not post.”[2] The company also offers
training that it continues to regularly evaluate and update as social media
evolves.

Company: CVS
Unique Policy Elements: CVS treats social media similarly to traditional
media. It only allows designated employees to speak as a company
representative and requires employees who are not authorized to state that
they aren’t speaking for CVS.[3]

Company: HHS
Unique Policy Elements: The US Department of Health and Human Services
requires that any information posted on social media also be available on
its own Web site or through another agency publication. Its policy says
that “members of the public should be able to learn about the agency’s
activities and to communicate with the agency without having to join a
third-party social media website.”[4]

Company: Intel
Unique Policy Elements: At Intel, before employees can post to social media
on behalf of the company, they must complete internal training. Intel
specifies three rules of engagement: be upfront, focus on the good, and use
your best judgment.[5] Some of the guidelines are specific, such as
instructing employees to use the hashtag “#IamIntel” when writing about the
company’s offerings. But other guidelines are broad and require judgment
and interpretation to apply. For example, the guidelines advise the
following: “If you’re about to publish something that makes you even the
slightest bit uncomfortable, respect your gut feeling and don’t publish it.”

Intel also monitors how its resellers are discussing the company on social
media and states that it could sever ties with those partners for offenses
such as failing to correct false

Company: National Public Radio
Unique Policy Elements: NPR offers broad guidelines that help users to make
good judgments: “Conduct yourself online just as you would in any other
public circumstances as an NPR journalist. Treat those you encounter online
with fairness, honesty and respect, just as you would offline. Verify
information before passing it along. Be honest about your intent when
reporting. Avoid actions that might discredit your professional
impartiality. And always remember, you represent NPR.”[6]


Adapting to Frequent Changes

The social media landscape changes quickly. New sites emerge. Existing
sites add features or change policies. User habits evolve in unpredictable
ways. For an enterprise to keep up with these changes requires an
understanding of both technology and consumer activity.

And the industry’s understanding of social media’s risks and benefits
also changes, which organizations must keep up with as well. For example,
the longstanding belief that social media distracts employees has been
disputed by Lorenzo Bizzi of the Department of Management at California
State University, Fullerton. Bizzi’s research argues that the problem with
social media use at work isn’t a dip in productivity, which doesn’t appear
to occur, but an increased likelihood that employees will leave the

Preventing Malware Infections

There are risks associated with malware infiltrations via social media.
For example, if an employee exposes a company to phishing by using a
social network and getting duped into providing password information, the
company can experience costly hacking, spamming, and theft of data. A 2019
analysis from security firm Bromium reports that Facebook, Twitter,
Instagram, and other high-traffic social media sites are centers for
malware distribution, with one in five organizations having been infected
with malware distributed via a social media platform, and more than 12
percent experiencing a data breach as a result. In addition, the report
noted that four of the top five websites hosting cryptocurrency mining
tools were social media sites.[8]

In such cases, where does the liability fall? If the employee was social
networking for fun, is he or she automatically at fault? If the employee
was social networking to market a company product, then a policy should be
in place to protect that employee.

Managing Bandwidth

Bandwidth consumption is also a consideration in determining a social
media policy. Company business, data, and archiving take up enough server
and networking space already; adding social networking into the equation
just costs a company more money, in addition to loss of employee

Managing an Organization’s Reputation

Employees need to be concerned with comments they make publicly using
social media. Will complaining about a boss get an employee fired? Will
putting a birthdate on a site lead to ageism at work? Federal law protects
employees against discrimination based on sex, race, age, and other
factors, but such information is often posted on social sites. Will use of
foul or sexist language be considered grounds for dismissal if a worker
has his current place of employment listed on a social networking site?
What about posting unprofessional videos? These are all questions that
employees should ask themselves as part of their social media self-review.

Ensuring That a Policy Is Fair and Legal

The National Labor Relations Board (NLRB) has made distinctions between
lawful and unlawful social media policies, and has taken actions against
specific organizations if they are found to violate employee rights
regarding social media. In 2018, the NLRB ruled that CVS violated Section
7 of the National Labor Relations Act by requiring employees to identify
themselves with real names when discussing the company online.[9]

Although the NLRB standard can often be subjective in its interpretation,
basically it encourages employers not to have policies that are so
sweeping that they prohibit the kinds of activity protected by federal
labor law, such as the discussion of wages or working conditions among
employees; at the same time, an employee’s comments on social media are
generally not protected if they are mere gripes not made in relation to
group activity among employees or expressions of personal frustration over
an individual dispute. It is interesting to note, however, that clicking
“Like” on Facebook can be considered protected and concerted employee

Managing Security Credentials

Whereas access control for traditional corporate resources like email is
managed by an enterprise’s own IT department, access control for social
media sites is managed by third parties. This scenario creates two potential
problems. First, users themselves choose passwords, request resets, etc.,
without oversight from their employer. As a result, organizations may
struggle to enforce their own security standards and ensure regulatory
compliance. Second, users may suffer “password fatigue” because of the many
passwords they need to remember.[10] This fatigue can lead users to
bad habits, such as writing down passwords or using similar passwords to
access many systems.

Step-by-step Implementation

The use of social media in corporations is becoming more standardized.
For example, Cornell University offers a certificate program it calls
“Social Media in HR: From Policy to Practice.” The course covers policy
development as well as ways to use social media for brand promotion and
hiring.[11] And new laws, such as one in California, constrain
how employers can restrict the social media speech of current and former

Social media can often be used to advantage for company business. An
effective policy should thus take both private and company use of social
media into consideration. Moreover, companies should not assume that
employees will read a policy; an evangelization and training program should
be in place to ensure employee awareness and compliance. Below are a few
guidelines to follow when developing a policy:

  • Put the policy in writing.
  • Reinforce and reflect the company personality and culture or the
    policy may be deemed detrimental to morale as opposed to organic.
  • Avoid being overly broad. The NLRB has found provisions to be unlawful
    when they are so broad that they can interfere with the rights of
    employees under the National Labor Relations Act to discuss wages and
    working conditions with co-workers.
  • Use short, crisp, and readable bullet points for the policy.
    Employees, especially younger ones more accustomed to social media, may
    not read longer versions.
  • As much as a company might like to, it cannot legislate common sense.
    For instance, a policy should not assume all employees understand the
    term social media in the same way. Define it by naming and describing
    the technology (such as Facebook or video-texting), but add a simple
    disclaimer that social media include, but are not limited to, listed
  • Refer all employees to the company non-disclosure policy that they
    have already signed. Include a live link, so if the policy gets updated,
    the employees can connect to the current version.
  • Give employees reasons for limiting or prohibiting social media
    activity during the workday, such as that it hinders employee
    productivity, hogs bandwidth, etc. In other words, provide an incentive
    for employees to avoid abuses for the company good.
  • Define acceptable workplace usage and encourage productive social
    media usage.
  • Express in plain language when the company logo can and should be used
    for brand management.
  • Explain that posting negative comments about the employer or
    customers, as well as inadvertently or purposefully revealing company
    intelligence, can be considered a violation. Hate and intolerance are
    not acceptable in the workplace or online.
  • Give specific examples of violations.
  • Include approved verbiage (for example, to show transparency of
    employees’ relationship to the company, disclosure statements, how to
    respond to negative posts, etc.).
  • List abusive behaviors, such as creeping, stalking, sexting, etc., and
    give specific examples of these abuses. (Again, policies that are overly
    broad may be unlawful.) In fact, both employers and employees must abide
    by this rule. Employers should not search out data on employee ages, for
    instance, and employees should not stalk potential customers.
  • Urge employees to be cautious about being tricked into revealing
    confidential or proprietary information.
  • Ensure that employees understand that copyrighted information must be
  • Distinguish between personal and company matters, as applicable, but
    insist on civility when representing the company. Give specific examples
    of civil interaction.
  • Cite repercussions for violating the policy, but before disciplining
    or terminating an employee, consult the legal department.
  • Train employees on the policy.
  • Inform employees that the company can monitor social media, especially
    on company systems.

For employees, perhaps the most basic recommendation is to not post
anything that you would not be willing to say to your employer
face-to-face. It may seem hard to prove that an employee
intentionally harmed or damaged a business, but why take the chance? Be
respectful. For employers, it is always recommended to consult the legal
department before developing a policy and before disciplining employees. A
frequently asked questions page with specific examples would also go a
long way to clarifying issues and avoiding potential problems, especially
with National Labor Relations Act issues.


About the Author

Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
