Failure to police social media postings by corporate insiders can result in reputational harm, litigation, financial penalties, and mandated governance and oversight changes. But what are the recommended best practices to mitigate such risks?
The U.S. Securities and Exchange Commission’s (SEC) recent securities fraud enforcement actions against Tesla Inc. and its Chairman/CEO for failing to have adequate disclosure controls and procedures related to the Chairman/CEO’s posting of allegedly misleading information on social media, resulted in a combined $40 million in monetary penalties, governance changes and mandated improvements by the issuer in disclosure controls and procedures.
The settlement is subject to court approval and the defendants have neither admitted or denied the SEC’s charges.
These latest actions by the federal regulator should serve as a cautionary alert to issuers, investment advisers, broker-dealers and other SEC-regulated entities that the SEC views policing the social media airwaves for false and/or misleading disclosures and representations as part of its core investor-protection mission.
To quote SEC Chairman Jay Clayton, “…when companies and corporate insiders make statements, they must act responsibly, including endeavoring to ensure the statements are not false or misleading and do not omit information a reasonable investor would consider important in making an investment decision.”
From an organization’s perspective, including at the board and general counsel level, the recent enforcement actions by the SEC is a teachable moment and, at a minimum, prompt a review of the organization’s policies, practices and procedures relating to the issuance of public statements generally, but more specifically the dissemination of statements via social media.
Well-meaning corporate desire to quickly push information to investors or customers, or to react to news and market developments are unlikely to be a viable defense to false or misleading information.
Five best-practices recommendations in response to the SEC’s action
While the specific cases involving what could be called the “$40 Million Tweet” were brought under SEC-enforced rules, organizations not subject to SEC guidance, wherever they are located, should carefully consider whether their social media policies represent reasonable and adequate protection against the issues raised by the Commission.
We recommend five important best practices that an entity, regardless of jurisdiction, should implement to mitigate the risk of regulatory actions and/or reputational and financial harm based on social media posts.
First, organizations should consider having their General Counsel or Chief Legal Officer issue a notice to company personnel explaining that while posts on social media may seem like personal activity, those posts may have negative consequences for the individual and/or the organization.
For example, communicating about non-public (insider) information or information that is either false or misleading may potentially subject a person or entity to serious civil or criminal charges. Postings on social media about matters not made public by a company may also violate fair disclosure obligations, nondisclosure agreements, and can impact stock prices, affect negotiations or deals in progress or interfere with trade secrets.
When reviewing or restricting “personal tweets,” entities should carefully consider local jurisdiction privacy, constitutional and other legal rights that may restrict the entity’s options to control individual speech.
Second, entities should have a mechanism in place to enable insiders to “pre-clear” social media posts before they are disseminated publicly. An effective pre-clearance mechanism, coupled with effective training, facilitates compliance with the entity’s policies and procedures and minimizes excuses based on lack of knowledge of the entity’s requirements.
Third, before reacting to postings purportedly disseminated by “official” entity social media channels or by “authorized” company personnel, it is important for entities to take the preliminary step of authenticating the posting source and the identity of the poster.
There are a disturbing number of cases where damaging social media posts which seemed to originate with a company or its executives, were instead posted by persons who were not part of the organization. It is therefore advisable not only to verify the identity of the poster but also to regularly check whether there are accounts that claim to belong to the entity but don’t. The entity should set up “official” accounts and make those known.
Additionally, the entity should have someone (which could be an outside service) monitor major social media networks to discover whether there are posts that pose a risk.
Fourth, entities should have an escalation plan when problematic statements are identified to promptly disseminate corrective information to constituents, and to consider making proactive disclosures to boards, investors, regulators, law enforcement and others.
Fifth, regulated entities that permit the use of social media to disseminate material information about the entity, should deploy systems to pre-clear and capture those postings so that there is an audit trail of approvals and to otherwise comply with all applicable record keeping requirements.