Companies that jump on the social media bandwagon need to be careful about how much information they divulge, warns a privacy expert at Ernst & Young.

Sagi Leizerov, Ernst & Young LLP’s Americas leader of privacy advisory and assurance services, and the principal author of a recent report on privacy trends for the firm, told me in an interview Thursday that E&Y is seeing more of its clients experimenting with how to use social media. And that’s not just because they want to get in on the Facebook IPO.

“Many U.S. multinationals are at different stages of using social media in a commercial way,” he said. “I don’t know that anybody has found the best formula to use that kind of tool for marketing. Because companies are still experimenting about how they want to interact with potential clients and existing clients via social media, we see areas of risk. Things can go quickly into areas where too much information is being communicated. The company exposes itself to getting a lot more personal information that is being otherwise volunteered by a potential customer.”

He believes companies need to “draw the line” in their activities so they know what consumers will accept and expect, and what would feel like too much. He advises clients not to put themselves in a position where they create undue exposure or risk for their organizations.

Similarly, he advises health care clients about their privacy responsibilities and risks.

“On the health care side, there will be a lot more activity this year in terms of the assessments that the Department of Health and Human Services, through the arm of the Office of Civil Rights, will be conducting,” he said. “If you take the fact that you have this federal agency that has started sending messages to companies that they will come and audit them, and on the other hand we have federal breach notification laws for health information, which has been in place because of the HITECH Act, you now have a way to potentially correlate breaches with government audits and government enforcement. While it might seem obvious now, that wasn’t the case in 2011 or before. So now we do see that connection, and companies are thinking a lot more seriously about it. They know that when they notify both the government and individuals that their information was exposed inappropriately, they know that means answering not just to customers but also answering to a regulator. That increases the risk of being visited by a government auditor to look into privacy and security.”

He believes the issue will expand beyond the U.S. into a global issue as more countries adopt these types of privacy regulations.