Spotting the Pitfalls & Installing the Safety Nets

THE NUMBERS THE SITES

500,000,000 + 100,000,000 +

50,000,000 500,000,000

Facebook Users in 2010 Facebook Mobile Device

Application Users Twitter “Tweets” per day Minutes per month spent

on Facebook

Security Claims Failure of network and information security

Privacy Claims Failure to protect private or confidential information

Media/Content Claims False advertisement, false endorsement and

disparate access to information

Intellectual Property

Claims

Infringement of trademark, copyright and trade

secret information

Employment Claims Breach of employee privacy, failure to protect

employees from online harassment, use of web-

based research in employment decisions and

libel/slander/disparagement

Professional Liability

Claims

Breach of ethical duties and professional standards

(esp. for lawyers, securities brokers, directors and

officers)

Duty to protect private and confidential information

Breach of security or disclosure of this type of information costly

Research to determine the scope of breach

Notice to affected parties

Suits and damages for actual injuries

Highly regulated:

Federal regulation and guidelines

Lanham Act

State consumer protection laws

Three general issues:

False or unsubstantiated advertising

False, misleading or unauthorized endorsements

Disparate access to information

Breach of another’s protected IP Another’s breach of your protected IP Employee disclosure of confidential and

proprietary information

Employee privacy Online harassment of employees Use of web-based research in employment decisions Libel/slander/disparagement

74% of managers believe that SNS put their company’s reputations at risk.

Potential Claims or Issues

Defamation Claims for Statements Made Online Admissions Against Interest in Litigation Providing “Free” Discovery to Opposing Counsel Breach of Employee Privacy by Employers Accessing SNS Sites Violation of Non-Competes through Job or Customer Searches Employee Discrimination and Harassment Claims

Defamatory Statements made about Employer by Employees

Breach of ethical duties For lawyers: unauthorized advertisement; ex

parte communications with court; and disclosure of confidential information

For securities brokers: misrepresentations in sell of securities and disclosure of confidential information

Breach of professional standards Mismanagement and self dealing of directors and

officers

As the means by which we communicate change, old risks evolve and new risks emerge

Brokers :: insurance industry trying to respond to the risk, but has not caught up

Gaps in coverage, ambiguities in terminology create challenges for insureds who want to ensure that they have covered their modern-day risks and liabilities

Social media exposures cut across multiple policies, depending on the exposure issue:

Cyber liability (privacy and data security)

Defamation, libel or slander

Copyright infringement – consider Facebook

Media / content liability

Employment issues

Professional liability

1st Party Coverage 3rd Party Coverage

Direct loss to business from injury to electronic data or systems

Liability to others for financial losses resulting from internet or other electronic activities

Business interruption

Notification costs

Crisis management expenses

Data restoration

Extortion payments

Credit monitoring

Theft of company data & intangible property

Forensic costs/expenses

Network security breaches (e.g., failing to detect and prevent transmission of a virus to third parties)

Privacy violations (e.g., flaw in IT system gives hackers access to patient information)

Media and content practices (e.g., liability for deceptive and misleading advertisements on website)

No standardized policy terms … yet Coverage often (always?) applies only to

protected data (e.g., Social Security number or confidential health data) – does not extend to Twitter, Facebook and other social media sites (which do not gather protected info)

Ambiguity

What = private?

Terminology not uniform

Example: The Hartford launched CyberChoice 2.0 in 2008, describing the policy as a combination of E&O and first-party coverage Third-party liability coverage for data privacy and network

security liability; Internet and electronic media liability; professional services liability

First-party coverage for business interruption; cyber extortion coverage for threats against data and identity theft

IP coverage for advertising and tech products Reimbursement of expenses in event of breach ::

notification costs, crisis management, fines, credit monitoring, experts

Cyber liability coverage designed to address risks associated with storing electronic data via web-based communities

CGL coverage limited to BI, PD, PI & AI No coverage for identity theft, damage to intangible

property May provide coverage for invasion of privacy

Coverage for cyber-specific remedies

Notification costs

Fines & penalties Crisis management (might be covered by endorsement)

Example: Electronic data liability endorsement on CGL policy (2001 form) Modifies definition of “advertisement” to include

“notices placed on the Internet or on similar means of electronic communication”

Regarding websites, only that part of insured’s website about its goods and services = advertisement

Coverage territory = “all other parts of the world” if personal injury through Internet

CGL policies issued after 2001 may cover “personal injury” and “advertising injury” (also “personal and advertising injury”)

Defined terms are important – scope of PI and AI can differ

Personal Injury

Defamation, libel & slander

Misappropriation of likeness, false light

Invasion of privacy, unreasonably publicity

Advertising Injury

Misappropriation of ideas, plagiarism, infringement of copyright, title or slogan, piracy

Defamation, libel & slander

2005 form – amending personal injury and advertising injury coverage

“Coverage territory” defined to include other parts of the world if injury takes place online

Personal & Advertising Injury Exclusions

Knowing violations of rights of another

Material published with knowledge of falsity

Insureds in media or internet businesses (e.g., internet search, access, content or service provider)

Electronic chatrooms or bulletin boards

Early libel case (filed in 2009) involving tweets and MySpace posts

Following an escalating dispute, a fashion designer accused Love of posting “false and malicious” statements about her

The designer sued Love in conjunction with the online rant; Love settled for $430K in March 2011

CGL policy – by endorsement, no coverage for “unsolicited communications” – facsimile, e-mail, posted mail (i.e., snail mail) or telephone

Post-2001 CGL may cover copyright infringement “in your advertisement” – may expressly extend to web-based marketing / advertisements

Professional liability for architects & engineers may cover copyright infringement, piracy, plagiarism, misappropriation of ideas in rendition of professional services

Non-professional services, non-advertising IP claims may not trigger coverage

Employment Liability

Does social media present an enhanced risk?

Sexual harassment :: EPL coverage

Hostile environment :: EPL coverage

Importance of social media & electronic device policies and procedures

Employer Liability

Ensure the policies extend coverage to employees

E&O for a tech company may look a lot like cyber liability

PL or E&O for everyone else is going to be limited to wrongful acts in the rendition of professional services

Does this cover marketing activities regulated by the state bar? How about unauthorized practice of law issues – perhaps arising from answering a question posed by someone in another jurisdiction on AVVO?

Ethical issues

This architects & engineers PL policy excluded coverage for “copyright infringement” – but by endorsement added coverage for plagiarism, piracy or misappropriation of ideas under implied contract

Insurer covered lawsuit against architect alleging copyright infringement

CGL policy issued to a tech company – by endorsement, no coverage for computer software errors and omissions Acts, errors or omissions in

design, licensing, selling, etc.

Actual or alleged unauthorized duplication or unauthorized use

Social media policy Training and monitoring on appropriate social

media use Educate the C-suite Data breach incident response plan Firewalls? Block social media use during

business hours?

Are underwriters, brokers & insureds using the same words to convey the same concepts

Answer: No. Part of the challenge is the new, increasingly

global economy, which stems in part from global access via the web. Exposures differ from country to country – in the UK, privacy is protected; in the US, the right to privacy is more limited.

R U covered? According to brokers, the insurance industry hasn’t caught up with the risks.

Amy E. Davis Rose Walker LLP

Amy Elizabeth Stewart Amy Stewart PC