[ISN] Infosec and Corporate Blogging

From: InfoSec News (alerts@private)
Date: Tue Feb 20 2007 - 22:29:54 PST


By Dan Morrill

Zeltzer and Villafranco have probably the most coherent list of Do's and 
Don'ts when it comes to corporate blogging out there; it's an absolute 
must-read.

The Law.com [1] has a great listing of Do's and Don'ts when it comes to 
Corporate Blogging out there. Here are two don'ts that I have seen in a 
lot of corporate blogs that defy the imagination for being out there.

  DON'T employ consumer bloggers to say positive things about your 
  company's products or services without ensuring that they disclose 
  their affiliations with the company. Endorsements and testimonials by 
  word of mouth have always been a popular form of marketing, but the 
  blogging world has made them even more so, thereby making content that 
  crosses the line an attractive target for regulators. Source: The 

When doing a Google search on companies to see what intellectual 
property has been exposed, and how to do some form of recovery and 
damage control, I usually run into company-sponsored or company 
employees saying how great the company is, and how wonderful and 
life-fulfilling those products are. The problem is when you get into the 
comments section of the file, and see that not everyone agrees with the 
wonderfulness of the product. The blog writer is then usually put into a 
position to support/defend their entry, and many times the language 
degenerates into finger-pointing pain.

Alternatively, even better, it is a one-off blog entry somewhere, with 
many negative comments, but no response from the original blog writer to 
support their statement or their position. All that ends up in Google, 
meaning when searching for the company, the negative comments are seen, 
and people have a way of getting their point across. A well-maintained 
blog entry usually has both positive and negative comments, or all 
negative or all positive depending on how the blog comments are being 
shaped by the blog writer. (Blog writers do shape their comments, when 
they have access to approve or disapprove of the comments being posted).

The other very important Don't:

  DON'T terminate employees for posting inappropriate content to 
  corporate blogs without considering the risk of wrongful termination 
  claims, especially where the company does not have a consistent 
  practice on how it treats employees who post content online. Employees 
  may claim that the employer authorized the posting, and is now 
  discriminating against them for exercising their right to organize. 
  Source: The Law

Managers and company HR folks should be paying close attention to this 
don't. Too many people have been fired for blogging where there was no 
coherent company policy on blogging. Regardless of what the person is 
saying, if the company has not addressed the risk of blogging and 
established that as policy, this can open up a company to a huge liability 
issue that will cost time, money, and legal fees.

The best Do, however, is:

  DO train your employees on how to avoid posting content that is likely 
  to incite tort-based causes of action, such as defamation, trade 
  libel, product disparagement, negligent or fraudulent 
  misrepresentation and vicarious liability for an employee's posting. 
  While tort-based actions like these do not frequently arise against 
  individual bloggers, the prospect of deep pockets associated with a 
  corporate blog may invite various claims associated with postings 
  (usually negative postings). Source: The Law

This is very important as a "do" because even if the blog is not 
directly associated with the company, if a person can prove that the 
person worked for the company, and wrote negative articles about people 
in the company, outside the company, where the claims cannot be proved 
(or a person had a private identity), this can open up not only the 
blogger to liability, but the corporation that sponsored the blog as 
well. Corporate sponsorship of blogs can be tricky at best, and having 
an employee who is disparaging of co-workers, or who cannot stay on script 
as to what the blog is about, becomes a huge management issue. 
It can also become an information security issue in the longer run if 
trade secrets or internal information are posted to the web site.

Companies should read the Do's and Don'ts from the Law.com; it's coherent 
and applicable to how to manage and develop good policy around 
corporate-sponsored blogs.

[1] http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1171620175568


About the Author

Dan Morrill has been in the information security field for 18 years, 
both civilian and military, and is currently working on his Doctor of 
Management. Dan shares his insights on the important security issues of 
today through his blog, Managing Intellectual Property & IT Security, 
and is an active participant in the ITtoolbox blogging community.
