By James Bone, Skytop Contributing Author
March 9, 2021

Industry leader and practitioner with more than 20 years of senior risk leadership experience. Thought leader in cybersecurity and enterprise risk management. Author of Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind and founder of innovative solutions for the human element of risk management. Frequent speaker and contributing writer for the Institute of Internal Audit magazine, Corporate Compliance Insights, Compliance Week, Forbes magazine and others.

Founder of Global Compliance Associates, LLC and TheGRCBlueBook a risk advisory service to the GRC technology community for 11 years providing strategic product development services including market positioning and insights to understand the integration of effective risk solutions. Lecturer-In-Discipline ERM Risk Management Columbia University. Founder and creator of several courses in the School of Professional Studies ERM program including: Traditional Risk & ERM Practices, Company Failure, Behavioral Science and Cognitive Bias.

Led the development of industry leading enterprise risk management, cybersecurity and operational risk and risk advisory programs for organizations including Fidelity Investments, Department of Treasury (Making Home Affordable), Liberty Mutual, Freddie Mac, private equity, public accounting and public consulting firms.

Graduate of Drury University, BA Business Administration, Boston University, MEd Organizational Design, Harvard University Extension School, MA Management


New technologies have often played an outsized role in the growth and advancement of global economies. However, over the last 20 years there has been an explosion in diverse technologies that is unprecedented. The pace of growth has been fueled by fast chips and cloud computing on the one hand and digital platforms on the other. We are entering a new digital age of discovery, influence and creation. Today’s technology is designed to enable the end user to create a digital sphere of their choosing – albeit on a platform provider’s solution.  Social media encompasses all three of the attributes of discovery, influence and creation.

As a technology social media has defied simple definitions because of its greater utility provided to savvy users. The platform that social media rests is flexible enough to create a business site replete with webinars, sales campaigns and other targeted media to reach new markets. There is a social and business side to the platforms that evolves around empowering the user to create their own space. This is an exciting time for innovation and portends even greater flexibility in future advancements. Unfortunately, bad actors have equal access to the same tools of innovation and creation and have become quite skilled at exploiting trust over the internet.

As innovators continue to create increasingly more complex technology the need for coherent policy and adequate regulatory guardrails is required to avoid systemic failure. We may be reaching that point now in social media.

The new self-empowerment element in technology opens two doors: Door 1 invites innovation;  Door 2 invites the weaponization of innovation. This has been a truth since the creation of the World Wide Web which is predictable and should be a consideration for developers, creators and regulators.

The latter is a symptom of the ill that has manifested in technology but what are its origins? To understand how we got here it is important to put social media in context with other technologies and explain the challenges that still exist.

In thinking about the role of social media it is important to look at how others describe its purpose. Invariably, social media is seldom defined as a technology but as a communications tool in marketing to reach customers. Others describe social media as an outlet for people to share their goals, achievements and increasingly to promote oneself to attract followers. Social media has transformed how marketers reach and target customers. Social commerce, social media platforms, influencer marketing are all new terms that define platforms used to reach digitally savvy customers. 

Social media is used extensively in industries as diverse as entertainment, education, information, financial services and journalism forcing every industry to consider adopting some form of digital platform. Consider that Facebook; founded in 2004, Twitter in 2006; and Google; the elder statesman in 1997, have become indispensable in daily life. In human age, these companies are mere teenagers and young adults mirroring their youthful founders. Nevertheless, social media is no longer an entertainment tool for millennials. Users have found utility in the power to organize and form communities of every kind – most for good and others to cause harm.

Globally, the impact of social media has been felt in ways the founders could never have imagined. Some give credit to social media platforms for the rise of the Arab Spring. Others have attributed the success of UK Brexit results to effective campaigns in social media. The point being, users of social media have learned to reach millions of people from around the world, directly, to influence public opinion. The dawn of the “influencer phenomena” has grown in importance but what is social media, really? 

Naming conventions matter because they help define the domain of control used to regulate the use of different tools. The ‘social’ part of media is the source of its super power. The power to organize and influence people is especially compelling and concerning to authorities. Social media is a grown up and is morphing into new forms that will soon emerge. There is little doubt that social media has become a tremendously powerful tool but society has yet to define its role as an innovation of communication.

Almost every country has a regulatory regime for telecommunications including the U.S. Federal Communications Commission. Even so, regulation of social media has been nascent, but that may be changing. Ironically, “in a tweet, FCC Chairman Ajit Pai indicated he will move forward with a rulemaking to “clarify” Section 230 of the Communications Act of 1934, which currently acts as a legal shield for tech companies’ handling of user generated content.” 

Yet, while searching for a definition of social media on the FCC website I got this message. Undaunted, I thought surely there would be exacting definitions of social media by the legal community. 

Two examples were found. The first a fairly obscure website, Law Insider, a for-profit site selling subscriptions to lawyers wrote, [social media] “includes all means of communicating or posting information or content of any sort on the Internet, including to your own or someone else’s web log or blog, journal or diary, personal website, social networking or affinity website, web bulletin board or a chat room, whether or not associated or affiliated with the company.”

The second example came from Black’s Law Dictionary whose definition included “any cell phone or internet based tools and applications that are used to share and distribute information. Sites such as Facebook, Twitter, YouTube, blogs.” The former description is clearly more comprehensive yet is so ambiguous it applies to many forms of communication across the Internet. Both definitions struggle with the multidimensionality of social media because it is organic by design.

Social media appears to suffer from an identity crisis and therein lies the problem! It is hard to measure or manage something that has not been defined. Eventually, a definition will emerge but for now a way forward is still possible by observing the different forms of trade conducted on social media sites like Facebook, Twitter, and Google. 

The two dominant forms of trade include the exchange of communications and marketing. In both of these forms the common denominator is data. Human behavior data to be exact. Surprisingly, there has been very little progress on regulatory guidance for social media. One would assume that digital commerce should be treated the same as all other commerce from a privacy standpoint. 

Unfortunately, all 50 states have varying degrees of conflicting regulation on privacy. And no federal agency has definitively assumed responsibility for regulatory oversight of social media. If you are keeping track we have no legal definition for social media and no regulatory oversight at the federal level. 

The two most logical homes for federal regulatory oversight of social media are the Federal Trade Commission and the Federal Communications Commission. Social media’s size, power and influence has now become too large to ignore any longer. 

The Federal Trade Commission is responsible for truth in advertisements. According to the FTC website, “when consumers see or hear an advertisement, whether it’s on the Internet, radio or television, or anywhere else, federal law says that ad must be truthful, not misleading, and, when appropriate, backed by scientific evidence.” 

Social media is not specifically called out by the FTC instead the Internet is included in the FTC’s mandate. Given the vastness of all websites on the Internet it is unclear whether the FTC has the capacity to cover the entire space.

The Federal Communications Commissionregulates interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories.” Let’s extend the argument that social media, as a technology, is multidimensional and spans the regulatory scope of both the FTC and the FCC. This is what happens when 19th century regulatory regimes fail to keep pace with 21st century technology. 

Regulatory overseers are only partially to blame with the remaining accountability falling squarely on Congress which has failed to provide leadership on the oversight of social media. The much maligned 47 U.S. Code 230 – Protection for Private Blocking and Screening of offensive material has become a scapegoat for the lack of comprehensive legislation needed to define the role of social media in the U.S. and to set a higher standard for others to follow. Code 230 is narrowly defined and incomplete at addressing the full range of issues related to the role of social media and regulation of the diverse forms of communications and commerce taking place on and across these sites?

This begs the question, is social media a public good or simply a marketing channel that facilitates domestic and international commerce? If social media is a public good then it must be protected and nurtured including the protection of personal data of users on these sites. If social media is a public good then the answer is clear and requires proper guidance and regulatory oversight. 

If, however, social media is a marketing channel then the answer is also clear that the appropriate regulatory body must be assigned with the responsibility for defining what is acceptable or not acceptable marketing and commerce on these sites as well as “buyer beware” disclaimers and remedies. Either way, social media should not be left to its own devices like Facebook’s Privacy Committee. The idea may be well intended but the consequences to privacy regulation may result in even more confusion and ambiguous legal precedence that may require the courts and Congress to sort out later.

The lessons and consequences we are learning in real-time of not addressing these questions should serve as a reminder that technology will continue to demand regulatory leadership that keeps pace.