Earlier this month I posted some thoughts on legal issues when using social media in your organization.
We had a really great comment on that post, and one that deserves being called out and highlighted. Doug Davidson, who blogs over at Secure Value, works with “business leaders and executives who are nervous their company’s critical data might be exposed and who are scared they are not compliant with government rules and regulations,” and he had some in-depth insight into this topic:
Great points and good advice when working with legal.
I wanted to share a point on working with the legal department and identify two close relatives of legal that may present similar constraints as legal offers.
First, don’t forget our legal system is built on precedent. While legal departments may act like Luddites regarding new technologies, they are following training and practice. You have to be patient enough to wait for case law to begin to provide them guidelines to work within. Most corporate or institutional counselors don’t relish being on that cutting edge that defines case law. That, in my non-legal professional opinion, is a great reason much of the innovation in this country comes out of small businesses that don’t have legal departments in the first place.
Second, if legal departments are an obstacle you’ll find compliance officers and security officers/departments will quickly follow. The technology is here to build the social networks but our ability to implement within a regulated framework is not. For instance, we haven’t entirely solved the problem of managing access to accounts. And we haven’t adopted tools yet that prevent protected information types (health care, student records, etc.) from exposure in the networking stream.
I recommend that when you are dealing with a regulated business in areas that touch on protected data, take some time to understand the issues. For higher ed that is going to include an alphabet soup including FERPA, HIPAA, HITECH, NACAA, the Payment Card Industry’s DSS, each state’s data notification law (you MA folks have one of the toughest), and so on.
Failure on the part of a school to follow this alphabet soup correctly can result in fines (HIPAA = $25K per individual exposed) or criminal penalties (HITECH, which is an addendum to HIPAA).
You don’t need to KNOW the regulations, just be familiar with the pressures they create and how they might impact your projects.
Coaches cannot text with prospective athletic recruits. Can they Twitter?
FERPA protects student records which includes communications with the school. But a record isn’t a “student” record until a class is taken. When does Admissions consider a record to be a student record?
With that knowledge, pick projects as pilots that are high impact without the risk of leaking or mishandling protected data or crossing compliance boundaries. If you can show low risk to the legal, compliance, security triangle, your path to success might be a whole lot easier to travel.
Thanks for the follow-up Doug!