Social Media Risk Management



CONTENTS

THE REWARDS — AND RISKS — OF SOCIAL MEDIA: A REMOTE ROUNDTABLE

Two esteemed experts weigh in on:
• How aware churches are, generally, of the risks related to social media use
• The biggest social media security risks churches face today
• Tried-and-true strategies for keeping young members safe online
• Strategies to protect the church-at-large online
• Social media best practices for church leaders, volunteers and members
• Social media risks on the horizon — and how to mitigate (and even avoid) them

Featuring Crispin Ketelhut, Associate Director of the VIRTUS Programs & Shawn T. Yingling, President of Glatfelter Religious Practice

BREACHING DIGITAL DOORWAYS: SOCIAL MEDIA AND CYBER ATTACKS

Cyber attacks know no bounds. From digital extortion to database breaches, attacks are becoming more sophisticated. Hackers are not only using deceptive measures to infiltrate church systems, but also relying on church staff and members to voluntarily open the doors to let them in. Putting safeguards in place can help protect your organization from becoming a target.

By Shawn Yingling & Taryn Kuhn

PROTECTING YOUTH: HOW TO DEVELOP AN ADULT ELECTRONIC COMMUNICATION POLICY

There is no disputing how powerful social media or electronic messaging can be. It has increased educational opportunities; provided the capability to communicate with practically anyone anywhere in the world, at any time; it has changed the face of business and marketing — the list is quite extensive. Therefore, as organizations who work with youth, a better question is not whether we should enter into this electronic medium of conversation, but rather, how do we appropriately and safely engage others?

By Crispin Ketelhut



The Rewards — and Risks — of Social Media: A Remote Roundtable

Crispin Ketelhut, Associate Director of the VIRTUS Programs, a safe-environment program and service of The National Catholic Risk Retention Group, Inc. (Tulsa, OK)

Shawn T. Yingling, President, Glatfelter Religious Practice (York, PA)

Q: In your experience working with church leaders, how aware are they — generally — of the risks social media carries for their houses of worship?

Shawn: We work daily with churches of all sizes and complexity. Churches with larger buildings, multiple locations — and those with many members — often have internal or external communications that involve the use of social media. The leaders of smaller churches aren’t as aware of the risks social media use presents, mainly because they’re not engaged in social media use. Leaders of larger churches that use social media are generally aware of the risk, but they need to be made aware of the potential threats to their organizations — and the solutions available to manage that threat.

Crispin: There’s a wide gamut of awareness. Risky elements abound when churches use social media without any precautions — and could even occur when policies go overboard, or when churches don’t allow social media at all (to their detriment). This week alone, I’ve heard caring adults in three separate churches say:
• “We just use common sense for our social media use.”
• “We’re so small, it doesn’t make sense for us to waste resources on social media.”
• “We usually just advertise events through word of mouth.”
• “I guess we might have something in our policy, but it’s really long — so, I have no idea.”

Clearly, there’s room for improvement. Church size doesn’t necessarily impact responsibility or risk, and the new “word of mouth” is social media.

Q: What — in your opinion and expertise — are the biggest security risks churches face today with regards to their (and their staff members’ and volunteers’) social media use?

Crispin: There are several obvious risks — reputation / image, miscommunication, unintended recipients of messages, unsupervised posts, sensitive information leaks, inappropriate discussions, and disgruntled employee rants. There are also risks that aren’t commonly addressed affecting the most vulnerable in our communities: our children and youth.

Isolated communication — Social media can be used to reach youth. However, online communication between two people via the Internet is, by its nature, outside the sight and hearing of others. Seemingly innocuous conversation can easily lead to more intimate communication. People with good intentions could also condition children (via one-on-one communication) to more easily engage with dangerous individuals.

Denial & avoidance — Churches are cultures of trust; they sometimes jump to evangelize via social media without safety precautions, parameters or policies. Ignoring protocol and policies forces churches to react versus mitigating the risks.

Blurred lines & online disinhibition — Online, people often have trouble differentiating between personal life and work / ministry-related activities. The effect is the abandonment of typical social inhibitions while online that would be present in public or face-to-face interactions.

Shawn: Churches face a variety of security risks when staff and volunteers participate in social media use. Entire church networks can be hacked with very little information — easily obtainable via social media — leading to what could be major cybersecurity issues. Misinformation on the dangers of social media, paired with sophisticated phishing practices, can make religious institutions a prime target for security breaches. Inappropriate postings made by staff and volunteers (even unknowingly) might expose the church to risks associated with defamation, privacy concerns, liability, copyright infringement and more.

While risk might be inherent with social media use, it’s clear that social media is the “new” church bulletin. Churches now use social networks to attract new members, promote events and distribute information. Social media is an easy and effective way to spread the message of the church, with some congregations sharing services via video streaming. Selecting the right channels and learning to use the tools appropriately — and safely — is the challenge every church leader faces today.
Q: Are there tried-and-true strategies and approaches church leaders can mobilize to keep young church members safe online?

Shawn: Education is key to online protection. There’s not an age limit for online risk. Everyone who has a social profile is vulnerable, and it’s important to teach young members what’s appropriate to share online, especially when it’s related to the church. Church leaders should encourage youth to keep their social media profiles private and only accept friend requests from people they know and trust. For the protection of adult members and youth, private communication should be restricted with minors on social media sites.

If youth are involved in special projects at the church — particularly those involving fundraising or confidential information — leaders should clearly state what can and can’t be discussed openly, including photos. Youth should be reminded that nothing on the internet is ever 100-percent secure and that cybersecurity is a real issue. It’s also important to educate youth on the importance of not sharing other church members’ (especially minors’) personally identifiable information without express permission.

Crispin: First and foremost, churches must be proactive and have a policy for adults that clarifies proper interaction with children — particularly online. The document should be written with clear, objective, universal standards. Customize the policy, and schedule time to review it again in the near future because trends, terminology and technology this year will not be the same next year. Keep an acknowledgement of receipt on file; just having an available policy isn’t enough.

Take it a step further by providing safe-environment training to staff and volunteers, with best practices. Then, monitor adults’ behavior as they represent ministry efforts. If this is a challenge, create an online environment that more easily lends to monitoring. (Example: Rather than using personal social media accounts for ministry purposes, use general accounts for interaction with youth. Make sure these are monitored by more than one person.) It’s unwise to have expectations of safety and compliance if the organization doesn’t properly distribute a clear message, and then provide sufficient follow-up.

Q: With regards to staff members’ use of social media, are there proven approaches / guidelines / procedures that can help protect them (and the church-at-large) from missteps?

Crispin: Implement a strong screening / hiring process. How many times has a seemingly able-bodied volunteer been welcomed into a community, because a church needs additional help? For some people (especially children), staff and volunteers might represent God. With that perceived power comes access, and thus more risk — certainly more responsibility.

When creating a social media policy, use a multi-disciplinary approach. Bring together several different people from the community to custom-tailor a document. When I assisted a church in creating one of these policies, a team of us sat around a conference table, projected our draft onto the wall, and dissected each line until we all felt comfortable with the flexibility and parameters of the policy.

Provide training on creating and maintaining a safe environment. Share best practices and rules, and discuss parameters. Spotlight the reality of the issues, appropriate behavior, expectations, warning signs, and avenues by which to communicate concerns to the appropriate parties.

Shawn: Every church should have a written social media policy in place for staff members, including stated consequences for breaking any regulations. Establish a point person, define goals, and have a plan for handling any issues that might arise. Clearly define how the pages may be used and the type of information that will be shared. Official church pages should have a limited number of authorized users with passwords stored in a safe, central location. Roles should be established for posting content and moderating comments, including the use of proper terminology and verbiage to stay consistent with the church’s message.

Important areas to address in the policy include: permissions and consent; confidentiality; photos of and communication with minors; copyright laws; and privacy concerns. Church leaders should keep all policies documented, educate staff members and provide appropriate training, continuously monitor the social media pages, and discuss action items at monthly meetings.

Q: What about volunteers? As they use social media to promote their small groups in the church, what proactive strategies can be employed to ensure they don’t expose the church to risk?

Shawn: Volunteers should receive a copy of the social media policy provided to staff and also be briefed on the same guidelines and procedures. Volunteers should not be given access to the official church social media pages; posts should be provided to an administrator for distribution. On their personal pages, church volunteers should not post official business, make mention of confidential or identifying information regarding church members, or share information in regards to fundraising dollars or collections. It’s best practice for any church-related information to be posted on the official church site by an administrator, and then shared via the original post onto the personal social page of a volunteer.

Crispin: Volunteers are also representing the Church. When there’s ministry on behalf of a church, that church should hold its employees and volunteers to the same standard of behavior. This is accomplished with proper screening, and by having a good policy and code of conduct; training individuals who are employees or volunteers on safe environments; monitoring behavior; providing an avenue to communicate concerns; and practicing consistent follow-up.

Q: For church leaders, church volunteers and church members, what kind of social media use guidelines would you offer for their own, personal social media communications?

Crispin: Our first priority is to create a structure for a safe environment in which the ministry of that church can thrive.

Regarding personal communication — consider an analogy: Before we drive a vehicle, we must get a license. When we’ve been tested and approved (read: screened by the church) and have chosen our mode of transportation (read: type of social media account), we wear our seatbelt each time we step into the car. Why? Do we assume we’ll have an accident every time we drive? No. We wear our seatbelt because it’s the law (read: similar to a church’s policy) and, more important, because there’s a potential for injury. We’re mitigating the repercussions of harm before we even turn on the car (read: apply protective measures).

Once something is posted on the Internet, it will be there forever. Always think before posting, and ensure that all behavior is transparent. Ask yourself: Is it true? Is it kind? Is it necessary? Is this the type of communication I want to carry in my ever-growing, digital footprint for the rest of my life?

Shawn: Racially focused, politically contentious or otherwise controversial posts made by staff members or volunteers can be detrimental to the overall reputation of the church. Those in senior positions, working with youth, or leading high-profile projects within the church should particularly pay attention to their social media postings. As social media is public and permanent, there’s a risk of potentially illegal behavior being tied to the church, including defamation, hate crime or liability concerns, as well as post information being used in litigation discovery.

Sharing photos or information that directly opposes the teachings or messages of the church could be looked down upon by the congregation and community-at-large. While the information posted might not be the opinion of the church or its leaders, aligning so closely with staff and volunteers who post contentious material can begin to alter how others perceive the church itself.

Personal postings might also open up the church to unintended cyberattacks. Confrontational or highly opinionated social media posts can garner much attention, and the staff or volunteers’ personal information might end up going viral — exposing not only them, but also the church, to potentially serious outcomes.

Q: What types of social media risks are on the horizon for church staff, volunteers and members? How can they start to proactively plan to mitigate — or, better yet, avoid — those risks?

Shawn: Every emerging social media platform comes with a learning curve — and with that curve, comes risk. Until new platforms are understood, it’s difficult to determine how negligent their use might be. Leaders should stay abreast of trending social uses and communicate with their staff and the youth in their church to help educate themselves on the current state of the digital world. Subscribing to digital media podcasts or newsletters is a free and easy way for church leaders to establish a comfort level in the online space, as well as stay informed of new platforms, security issues and best practices.

Social media risks can never be avoided — only safely navigated. Proactive involvement in the creation of policies and procedures; ensuring proper training of staff and volunteers; and developing solid expectations for social media goals are all important pieces of the risk mitigation puzzle.

Crispin: An ever-present issue is when churches avoid social media like the plague. We can’t hide under a rock, and we can’t avoid change; we have to be a part of this ever-moving conversation. If we miss the boat, we miss opportunity to evangelize — and our churches could crumble, as a result, without renewed participation.

What about those of us who do have policies already? Having a policy — but not implementing it, or monitoring the material, or revisiting it again over time — renders that policy to be somewhat useless and creates risk. Another risk is filling a policy with dozens of pages of legal jargon that make it inaccessible or challenging to understand and follow. Perhaps creating a policy of that nature could work; but, also creating an adjoining code of conduct — with specific appropriate and inappropriate behaviors pulled out — could be of better assistance.

— Reporting by RaeAnn Slaybaugh



Breaching digital doorways: social media and cyber attacks

By Shawn Yingling & Taryn Kuhn

Cyber attacks know no bounds. Once thought of as a concern for only mega corporations, digital security is becoming increasingly critical in organizations of all shapes and sizes — including those in the religious sector. From digital extortion to database breaches, attacks are becoming more sophisticated. Hackers are not only using deceptive measures to infiltrate church systems, but also relying on church staff and members to voluntarily open the doors to let them in. Putting safeguards in place can help protect your organization from becoming a target.

As churches expand into the digital landscape to further their mission, it is important for leadership to understand both the benefits and risks involved. According to the Cisco 2013 Annual Security Report, the highest concentration of online security threats is on mass audience sites, including social media. Ransomware attacks — where hackers steal files and demand a ransom for decryption — grew 113% in 2015, according to the report. Malware-laced emails are also spreading fast, taking only 82 seconds from the time a hacker hits send until someone becomes the first victim.

Churches might also be indirect targets of attack, with cyber criminals gaining access after a mass-phishing approach. Using social media channels, hackers are letting unsuspecting users do their work, waiting on malware-infested links to be clicked, liked or shared. In a technique referred to as “likejacking,” hackers can use fake like buttons to install malware that infects the computer or device being used, which can ultimately infiltrate the church system.

According to Bitdefender, a security solutions provider, unique cybersecurity threats surpassed the 300-million mark in 2015, growing at a rate of almost 40,000 new threats a day. It takes just one cyber-attack to infiltrate a church system, damage a church’s reputation, and cause what could be thousands of dollars in costs.
With more religious organizations turning to electronic donor solutions, confidential financial records are also at risk of breach. Churches must be proactive in fending off cyber-attacks and protecting confidential information.

Start by creating specific policies for staff members in regards to social media and internet use. Policies must be clear and include actionable guidelines. Combine this with continued education and comprehensive training, including staging of fake attacks and roundtable discussions. Topics of training and discussion might include:
• Setting privacy controls on social media profiles
• Appropriate information-sharing online
• Types of attacks, including ransomware, phishing emails and “likejacking”
• Importance of not installing apps or extensions on church devices
• Procedures for reporting a suspected attack
• Protocols for personal versus organizational device use
• Reporting a lost device
• Using external wifi networks for official church business

Churches might benefit by speaking with a knowledgeable expert or IT consultant to implement safeguards on their computer networks. Firewalls, email monitoring systems, and the use of a “Bring Your Own Device” (BYOD) policy are all helpful recommendations.

It is also recommended that church leadership speak with their insurance agents on the specifics of cyber liability coverages so that they fully understand how they would be protected in the event of a cyber attack. Having the proper coverage in place before an attack ensures peace of mind for the religious organization, its leaders and its membership, while also insulating the church from potential financial obligations of dealing with the threat after it occurs.

A powerful fellowship tool

Social media opens doors to fellowship and sharing of church ministry and expands the reach of the church across communities. It’s an ever-advancing technology that will continue to grow and change; as it does, so will the risks associated with its use. Church leadership must also learn, grow and change in the new digital environment.

Shawn Yingling is president of Glatfelter Religious Practice (GRP), a leading insurance program for churches, synagogues, temples and other religious institutions. Taryn Kuhn is social media manager for Glatfelter Insurance Group, responsible for strategy and content creation for 21 social media pages on multiple channels, spanning a variety of personal and commercial product lines. GRP is a division of Glatfelter Program Managers, a strategic business unit dedicated to Glatfelter Insurance Group’s program business.

Today’s increasingly connected world brings a host of new exposures lurking within a church’s digital doorways. From electronic privacy breaches of membership data, to staff and volunteer social media engagement and heightened hacker activity, churches need to safeguard their digital footprint from potential liabilities that can put the church and its membership at risk. Protect your fellowship.

cyber security | property | general liability | auto coverage | directors & officers liability | foreign liability missionary travel & accident | pastoral counseling service liability | abuse or molestation liability | umbrella & excess liability

Talk to a GRP insurance and risk management specialist: Shawn Yingling | 800.233.1957 | © 2016 Glatfelter Insurance Group


Protecting youth: How to develop an adult electronic communication policy

By Crispin Ketelhut

There has been a momentous shift in communication in our society in recent years. We have traded in-person, face-to-face relational interaction for a virtual and technologically advanced world of electronic exchange. Contrary to the thoughts of some, we are not in the midst of a “cultural fad.” This virtual world has become a foundational, cultural reality that is here to stay, and technology will only continue to advance before our eyes.

The question that is often asked is if the organization will or will not participate in this online conversation. If we do not enter into this realm and learn how to use its assets, we will have lost the opportunity to engage the contemporary culture in the new agora. Moreover, we would be doing a great disservice to our ministries and to the people we serve — particularly our youth.

There is no disputing how powerful social media or electronic messaging can be. It has increased educational opportunities; provided the capability to communicate with practically anyone anywhere in the world, at any time; it has changed the face of business and marketing — the list is quite extensive. Therefore, as organizations who work with youth, a better question is not whether we should enter into this electronic medium of conversation, but rather, how do we appropriately and safely engage others?

The real issue concerns organizational and individual transparency as it relates to the establishment and continued maintenance of boundaries for meaningful electronic communication. Some of you might already have an adult electronic communication policy at your locations, while others may not yet have integrated them into your code of conduct documents. Whether or not you already have one of these policies in place, the following are some important items to remember.
It has been a long-held philosophy of The National Catholic Risk Retention Group, Inc., and NCS Risk Services, LLC, that access to any ministry should be supervised administratively through proper screening and clear policies. Every organization that has a relationship with youth should adopt an organization-wide policy that requires professionalism, and espouses the virtues of prudence and transparency through a marriage of ministry and safety. From the ministerial perspective, there must be a proper framework in which all individuals can thrive. Through transparency and the establishment of boundaries, an organization may freely evangelize and deliver the message that has been entrusted to that organization for others.

One of the challenges with regulating access to electronic communication is that one may never know the true identity of the other person with whom one is interacting. Another concern is the intrinsically isolated nature of the communication and the fact that the “contact” is usually outside of the sight and hearing of others. Seemingly innocuous conversation about school or ministry between the organization’s staff or volunteer member and a minor can easily move to conversations of a more intimate nature. This direct access makes it easier for a potential threat to interact with children in ways and places that used to be considered private, such as the home. At its very core, electronic communication provides the opportunity for the potential predator to enter our private realms without restriction, and breach our physical walls that traditionally have been the first line of defense.

Practical questions to consider

Do all adults take advantage of the rules or the vulnerabilities of others? No, of course not. Do some adults feel that they are above the rules? Sure, we see that people often disregard rules when there is little chance of being caught — perhaps most often on the road when people disregard speed limits. Do adults ignore specific rules when it comes to ministry? Not all, but some do. Does that mean that anyone who puts themselves in bad situations, or who does not follow the rules, is a child abuser who is grooming children? No, not necessarily.

So, is there really any harm? If you have good intentions, why are you unable to interact or communicate in the way that you want through the Internet with youth affiliated with your organization? What is the “big deal”?

It is important to understand that an adult is always in a position of authority over a child through the very nature of being an adult. This is even truer as an official volunteer or staff member of the organization. It is an elevated role that all adults must respect and acknowledge, particularly through some form of a code of conduct and / or a policy. Not only is there a due diligence concern here, but also even possible issues regarding the adult’s modeling of proper behavior in line with the values of the organization. More important, there is at least one discrete obligation of any organization or adult with ministry or contact with youth: protection.
We collectively have a responsibility and privilege to protect youth and children and, as adults, an ethical duty to know and respect proper boundaries. One adult’s indifference for policies and boundaries could be teaching a child to tolerate certain types of inappropriate communication or contact from other adults. Some behaviors actually could condition children and youth to accept behavior from another that they would normally resist. Couple this with the fact that in our society many youth do not understand what boundaries are, and we have a serious issue. Even worse, perpetrators will take advantage of these actions. Thus, adults who interact with youth should exercise extreme care.

Making the private, public

The next essential question is this: How do we convert something that is intrinsically private — such as electronic communication — into something transparent within a public forum? The overarching administration of an organization should create and promulgate a written policy that embraces transparency, organically grows to sustain policies for emerging technology and houses a system of checks and balances. It should denote the administrative procedures for submitting a policy violation and the rights and actions that are available for all parties. Having a policy creates accountability for the organization and the individual.

Also, the organization should create and distribute a code of conduct with clearly established appropriate and inappropriate behavior. All these procedures should have a signature page to be returned back to the organization and kept on file, that acknowledges receipt and that indicates understanding of the material. These types of documents are valuable because they reduce inappropriate behavior by innocent people since they provide a standardized foundation of expected behavior from all adults. Familiarity with them also makes it easier for caring adults to communicate their concerns to the appropriate contact person regarding a warning sign / red flag or inappropriate behavior.

A procedural outline

A set of procedures specifically outlining social media use or electronic communication on behalf of adults should encompass, but not be limited to, the following:

Definitions and parameters: The overarching organization must create a policy that has accountability for each method of communication, which also means that there should be a lengthy and encompassing set of definitions and parameters. For example, communication facilitated via laptops, smart phones, tablets, gaming consoles and sites, the Internet, including interaction through any type of cell phone, mobile device, email, webcams, social networking sites (Facebook, Vine, Instagram), content-sharing sites, blogs, microblogs (Twitter), etc.
Permission: Written permission should be obtained from the parent / guardian to communicate with the adolescent minor(s) electronically or via the main phone of the household. This permission form — signed by the parent / guardian — should include what forms of communication are preferred to contact the children. In the case of young children, only parents should be contacted. There should be additional language denoting that there will be an attempt to call the home’s landline number as much as possible to reach the youth.

Record keeping: Copies of all electronic communication must remain on file (either physically or electronically) for an indefinite amount of time at the sponsoring organization.

Checks and balances: It should be the policy of the organization to create a public social media account for the adult in public ministry using the name of the organization, along with oversight of more than one non-related person with access to the messages, content and passwords. Additionally, there should be regular accountability checks by another individual. The organization must also provide regular oversight and monitoring processes, and provide a clear natural chain of command in case of issues and concerns.

Personal accounts and phones: People within ministry should not use personal email addresses or accounts. Except in an extraordinary circumstance (which should be defined), personal cell phones should not be used to consistently communicate with youth. Additionally, clergy members should always self-identify their clerical role.

“Friending” students and private messaging: Parameters should also include the “friending” of students. No adult should “friend” a student from a personal account unless that person is older than 18 and no longer a “youth” participant. Additionally, if adolescent minors are contacted, parents should receive a copy of the communication. There should be no private, one-on-one messaging.

Appropriate timeframes: Specify the hours that youth may be contacted. A good rule of thumb involves the hours that one would also be able to call a home’s landline. If one would not call the landline phone to speak to the parent at 9 p.m., then one should not be calling the youth, either.

A joint effort

Let us partner together to prevent conditioning youth and children for abuse and setting them up for failure. Seemingly harmless electronic communication might have a devastating long-term impact on children and youth. Becoming more aware, behaving transparently and intervening when behavior seems risky or inappropriate helps protect children and those who genuinely care for them from unsafe or even dangerous situations. The use of an electronic communication policy is not useless, extra paperwork. Rather, it’s an essential tool that can be used to protect our children and youth.

Crispin Ketelhut is the Associate Director of the VIRTUS® Programs, NCS Risk Services, LLC, in Tulsa, OK.