Last week's column about Facebook and privacy was sparked off by an incident that occurred to a friend on the network. His wife had been stuck over in Europe during the closure of much of its airspace last month due to the ash cloud caused by an Icelandic volcano with an unpronounceable name.

A journalist at the Bermuda Sun was part of his Facebook group and had been tracking Chris Gibbons' description of the attempts by his wife Tracey to get back to the island after a business trip.

After attempting to talk directly to Tracey, the journalist used her Facebook comments on his page as part of a larger story on the disruption to Bermuda's business sector. The journalist got the story but this prompted Gibbons to pose the question: "Should the media be able to use your Facebook comments as quotes in news stories without your permission?"

This prompted a whole series of opinions, with many chiming in that no, journalists should ask permission.

I wrote: "For my part, I consider this laziness on the part of the reporter and maybe a breach of the unwritten ethics of our profession. Although I cannot say categorically that I would never use a person's private Facebook page, I can say that I would first seek permission. I make the distinction as some people leave their Facebook public, and that to me is fair game. Public Twitter [posts] and blogs are also fair game."

To which another commentator added: "Problem is there is no real way to confirm if that person on Facebook is in fact the actual person it claims to be. Same with blogs et al. A malicious individual could easily set one up and spout all sorts of nonsense and then say, 'by all means!', to any requests to quote. Without some other form of confirmation it can be dangerous territory. Good for leads perhaps or story ideas, but it should never be touted as fact."

Gibbons closed the debate with: "Just thought it raised a few issues. Suzy – the Sun got the comments as the reporter is a friend (and still is!). Tracey's comments were part of a thread commenting on a post of mine. I agree that if the comments are public, then fair enough and if I were to pop my clogs, then I accept FB would be part of the digital record of my life and fair game.

"I guess the lesson here is – as I always tell everyone! – don't write anything online you wouldn't want brought up in court and use that 'Everyone' posting option judiciously."

That is good advice. For the same cautious reason I do not have work colleagues as 'friends' on Facebook. LinkedIn is the network for work colleagues. PS. Now that you ask, Gibbons has given me permission to mention the debate in this column.

OK. That's the personal side about Facebook. How about the corporate use of the network? Previously I had mentioned how Nestle ran into problems on its Facebook page when users objected to its restrictions. The page also became a focal point of a campaign by environmental and fair trade organisations. How about corporate policies on staff use of social networks and blogs?

I have a friend who is head of credit risk at one of the world's major banks and was surprised to learn that his company did not have a policy on this. "I am going to get someone to look into it," after he realised that perhaps it might be wise to have one.

"Someone could run down one of our clients," he mused as he thought about what I was saying during a beery debate. Oh yeah. I added that it's not so much about harming client relationships, but about protecting the bank and reminding employees about what may be obvious to some, but may be forgotten in the heat of a blog or a comment.

In a recent report, Forrester Research outlined a framework for such policies, while noting that: "While we anticipate that companies overall will adopt increasingly open access policies to social media, security and risk managers can help this process along by: 1) understanding the specific risks associated with each social networking platform like Facebook, Twitter, and LinkedIn; 2) crafting an access policy that allows the judicious access to these platforms; and 3) educating users on the security risks to induce policy compliance."

To establish an acceptable use policy consider whether all staff need the same level of access to social networking sites; whether they really need to download software; whether they should have access anytime and anywhere; and whether they should be allowed to post any information they want.

"Be very specific about corporate proprietary information, confidential data, as well as seemingly innocuous updates from which others may infer sensitive information. For example, you may want to have a policy that restricts what employees can say about their daily activities at work.

"After all, a salesperson complaining about too much rejection on the job can lead others to conclude that you are facing a sales downturn. Likewise, you may want to restrict your employees from endorsing an ex-employee or commenting on a project they worked on together."

Once a business has outlined a series of escalating penalties for habitual breakers of the policy, it must acquire the appropriate technologies to enforce that policy, unless it opts to hope for compliance. A governing process must also be put in place to include communicating the acceptable use policy, education and awareness training and a means to handle exceptions to the rule.

"For instance, violation of a data loss policy may incur a heavier penalty than those who simply waste time social networking," Forrester says.

"Often, the simple statement of penalty is enough to deter reckless behaviours."

Send any comments to elamin.ahmed@gmail.com.