Let’s talk about social media communication and record retention. That’s right -- archiving. Riveting stuff, we know. But really -- keeping strong archives could be the difference between happiness, sunshine, and lollipops or facing fines, lawsuits, & PR nightmares. Yikes.
If you’re in a regulated industry like finance, healthcare, or pharmaceuticals – archiving your social media activities is most likely mandatory. Even if it’s not a legal requirement, it’s certainly considered a good rule of thumb.
Non-regulated industries aren’t off the hook – archiving remains a sound decision as it can provide backup on the chance that a series of social media communications ever come under fire or an issue with a customer handled via social media needs proper documentation. (Psst… if this applies to you, go ahead and skip down to the bottom of this post to find out how archiving can benefit your non-regulated business.)
So what, exactly, should be kept? You need to determine what type of messages are considered worthy of archiving, as the regulatory bodies don’t want or need to be inundated with every RT and “thank you!” post you may share. Lucky for you, there are guidelines for what constitutes the kind of message that should be archived. And even luckier for you, we’ve done the research and compiled them here. (You’re welcome.)
Whether you’re a bank employee, work for a credit union, or are a registered broker-dealer, if you work in the financial services industry – what you say on social media needs to meet with industry compliance regulations. Not only that – those statements you make need to be archived, on the chance that you might be audited or your social media activities are requested for a legal investigation.
So which regulatory bodies require what specific archiving activities?
The Federal Financial Institutions Examination Council (FFIEC) oversees banks and financial entities that fall under the regulatory umbrellas of the Office of the Comptroller of the Currency (OCC), FDIC, NCUA, and Consumer Financial Protection Bureau (CFPB). If you’re a member of one of these organizations, then make sure you comply with the following:
- The FFIEC considers “business communications” posted to social networks (and from any device) worthy of archiving practices, and it is up to each firm to decide what constitutes such a communication among its employees.
- While the information included in the FFIEC’s social media guidance is not exhaustive, it does provide specific examples of how and when to archive social media communications. For example:
  - “Under the regulations implementing the Community Reinvestment Act (CRA), a depository institution subject to the CRA must maintain a public file that includes, among other items, all written comments received from the public for the current year and each of the prior two calendar years that specifically relate to the institution’s performance in helping to meet community credit needs. The institution must also include any response to those comments, as long as neither the comments nor the responses reflect adversely on the good name or reputation of any persons other than the institution, or publication of which would violate specific provisions of law. A depository institution subject to the CRA should ensure that its policies and procedures addressing public comments take into account such comments when they are received through social media sites run by or on behalf of the institution. However, under the CRA, comments about the institution made on the Internet through sites that are not run by or on behalf of the institution are not necessarily deemed to have been received by the depository institution and would not be required to be retained. Rather, the institution should retain comments made on sites run by or on behalf of the institution that specifically relate to the institution’s performance in helping to meet community credit needs.”
  - “As required by the Bank Secrecy Act (BSA) and applicable regulations, depository institutions and certain other entities must have a compliance program that incorporates training from operational staff to the board of directors. Among other elements, the compliance program must include appropriate internal controls to ensure effective risk management and compliance with recordkeeping and reporting requirements under the BSA.”
The Securities and Exchange Commission (SEC) is responsible for enforcing the federal securities laws and regulating the securities industry, US stock and options exchanges, and US electronic securities markets. In order to protect investors and ensure that the organizations it governs do not abuse social media communications, the SEC issued social media guidance in January 2012. In it, the SEC outlines the following information pertaining to SEC recordkeeping responsibilities:
- Those held to the SEC’s regulations are held to the same recordkeeping obligations for social media use as put forth in the Advisers Act.
- A firm that intends to communicate, or permit its IARs to communicate, through social media sites may wish to determine that it can retain all required records related to social media communications and make them available for inspection.
- RIAs should consider reviewing their document retention policies to ensure that any required records generated by social media communications are retained in compliance with the federal securities laws, including in a manner that is easily accessible for a period not less than five years.
- RIAs should consider whether their retention policies account for the volume of communication and unique communication channels available to each particular social media site. Investment advisers may consider adopting compliance policies and procedures that address (if relevant) the following factors, among others, relating to the recordkeeping and production requirements of required records generated by social media communications:
  - Determining, among other things, (1) whether each social media communication used is a required record, and, if so, (2) the applicable retention period, and (3) the accessibility of the records.
  - Maintaining social media communications in electronic or paper format (e.g., screen print or pdf of social media page, if practicable).
  - Conducting employee training programs to educate advisory personnel about recordkeeping provisions.
  - Arranging and indexing social media communications that are required records and kept in an electronic format to promote easy location, access and retrieval of a particular record.
  - Periodic test checking (using key word searches or otherwise) to ascertain whether employees are complying with the compliance policies and procedures (e.g., whether employees are improperly destroying required records).
  - Using third parties to keep records consistent with the recordkeeping requirements.
The Financial Industry Regulatory Authority (FINRA) governs broker-dealers (and their firms). When it comes to archiving social media communications, FINRA members are held to the following regulations: SEC Rule 17a-4 (see SEC archiving requirements), NASD 3010, and FINRA 8210.
- NASD 3010
According to the archiving rules of the National Association of Securities Dealers, “Each member shall develop written procedures that are appropriate to its business, size, structure, and customers for the review of incoming and outgoing written (i.e., non-electronic) and electronic correspondence with the public relating to its investment banking or securities business, including procedures to review incoming, written correspondence directed to registered representatives and related to the member’s investment banking or securities business to properly identify and handle customer complaints and to ensure that customer funds and securities are handled in accordance with the dealer’s procedures.”
- FINRA 8210
The SEC recently approved amendments to FINRA Rule 8210 (Provision of Information and Testimony and Inspection and Copying of Books) that require information provided via a portable media device pursuant to a request under the rule be encrypted, as described in more detail below.
FINRA Rule 8210 confers on FINRA staff the authority to compel a member firm, person associated with a member firm or other person over which FINRA has jurisdiction, to produce documents, provide testimony or supply written responses or electronic data in connection with an investigation, complaint, examination or adjudicatory proceeding. FINRA Rule 8210(c) provides that a firm’s or person’s failure to provide information or testimony or to permit an inspection and copying of books, records or accounts is a violation of the rule. (Regulatory Notice 10-59, November 2010)
In accordance with the Health Insurance Portability and Accountability Act (HIPAA), healthcare professionals must retain records concerning their patients’ Protected Health Information (PHI) for a period of six years, including any information shared via social media.
- A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
For more information on staying compliant on social media for the health care industry, check out our blog post on safely entering the digital landscape.
The Food and Drug Administration (FDA) requires postmarketing surveillance to monitor the safety of pharmaceutical drugs or medical devices after they’ve been released on the market. As such, communications made regarding pharmaceutical drugs or medical devices via social media must be retained. According to the FDA's social media guidance:
- A firm is responsible for product promotional communications on sites that are owned, controlled, created, influenced, or operated by, or on behalf of, the firm. Such product promotional communications may include firm-sponsored microblogs (e.g., Twitter), social networking sites (e.g., Facebook), firm blogs, and other sites that are under the control or influence of the firm. In determining whether a firm must submit promotional material about its product(s) to FDA, the Agency considers whether the firm, or anyone acting on its behalf, is influencing or controlling the promotional activity or communication in whole or part. Thus, a firm is responsible if it exerts influence over a site in any particular, even if the influence is limited in scope. For example, if the firm collaborates on or has editorial, preview, or review privilege over the content provided, then it is responsible for that content.
- At the time of initial display, a firm should submit in its entirety all sites for which it is responsible on Form FDA 2253 or Form FDA 2301. For example, the firm should submit the comprehensive static product website with the addition of the interactive or real-time components.
- For third-party sites on which a firm’s participation is limited to interactive or real-time communications, a firm should submit the homepage of the third-party site, along with the interactive page within the third-party site and the firm’s first communication, on Form FDA 2253 or Form FDA 2301 at the time of initial display.
- Once every month, a firm should submit an updated listing of all non-restricted sites for which it is responsible or in which it remains an active participant and that include interactive or real-time communications. Firms need not submit screenshots or other visual representations of the actual interactive or real-time communications with the monthly updates.
General Archiving Best Practices
When it comes to performing formal or informal early case assessment activities – such as in the case of a terminated employee – archiving social media can save a lot of time and headache. Instead of having to physically backtrack through pages and pages of your social timelines, you can just export your archived materials and run a simple search for particular names, words, or date ranges. Because this could be an informative step in a case assessment, the information gained from the archived social media communications could mean the difference between a lengthy, expensive lawsuit and a much smaller, simpler method.
According to the Federal Rules of Civil Procedure (FRCP) Rule 34 – Electronically Stored Information (ESI) -- including email, instant messages, and communication sent via social media -- must be produced in a usable format that meets the specifications outlined in Rule 34(b). Given that parties must respond to such requests for information within a period of 30 days, having a strong archiving procedure in place would ensure a timely delivery.
Gremln's Enterprise toolkit provides just the archiving practices your company needs to rest assured that its social media communications are being recorded in a manner fit with regulatory compliance standards. Once you've linked your social network account with Gremln's social media management software and elected to archive your materials, you can export these social media communications at any time. Visit our website to learn more and request additional information on Gremln's archiving abilities.