Security Fail

“Love a quick #DuaneReade run? Even @KatieHeigl can’t resist shopping #NYC’s favorite drugstore.”

This tweet could cost New York pharmacy chain Duane Reade $6 million. In April, former Grey’s Anatomy actress Katherine Heigl filed a lawsuit against the pharmacy chain for the tweet, which linked to a picture of the celebrity exiting one of its stores. Heigl’s suit alleges that the drugstore exploited her image for commercial gain.

Lawsuits such as this are becoming increasingly common as more and more individuals and organizations log onto social media and networking sites. “With the increased use and the enhanced utility of these technologies comes increased potential for misuse,” says Phaedra Andrusiak, practice leader for professional and financial risks at HUB International in Vancouver.

For all the benefits social media offers its users, it also presents them with a wide array of ever-evolving risks. More importantly, though, it no longer matters whether organizations use social networks or not; all companies can be exposed to social media risks. “As an organization you can decide that you don’t want to be engaged in social media, but that’s actually not going to stop your clients, and possibly your employees, from communicating [about you] anyways,” says Michael Petersen, managing director and national leader for the communications, media and technology practice in Canada at Marsh.

An organization’s best defence, industry experts say, is to tackle social media exposures head-on by developing an effective risk management and transfer plan. “By ignoring the risks,” Andrusiak says, “a company’s exposure is arguably the greatest.”

#TheRisks

According to GlobalWebIndex’s Stream Social: Quarterly Social Platforms Update report, Canada saw a 17.96% increase in Twitter users between the second quarter of 2012 and the first quarter of 2013. Canadian businesses are increasingly turning to social networks too. A recent BMO report found that 57% of small business owners now use social media, up from 40% in 2012.

“Social media is not, in my mind, just limited to Facebook or Twitter or LinkedIn; it’s the much broader way that we all communicate with each other over the Internet,” says Matthew Davies, director of professional, media and cyber liability at Chubb Insurance Company of Canada. Websites, blogs, social networking groups, even emails, all present companies with significant exposures.

Today, anyone that posts content online is effectively a publisher and faces the same host of media liability risks that a newspaper or magazine would. One such risk is publishing defamatory content. If an employee uses social media to disparage a competitor, for example, the company could potentially be liable. Likewise, if a company allows people to converse on its corporate Facebook page or other corporatesponsored chat rooms, the company is essentially publishing those remarks and can be held responsible for anything libelous as the “publisher.” “The problem is, sometimes these comments are anonymous,” says Eric Dolden, a partner at the Vancouver office of Dolden Wallace Folick LLP, a firm specializing in cyber liability insurance. “You don’t know where the comment originates from and you have to get a court order from the IP server to figure out what the name of the person is that said [the defamatory remark]. So some find it easier to just sue the company, saying ‘On your chat room an untrue statement was posted and a lot of people read it.’”

Organizations using social networks also face copyright violations and trademark infringement exposures for posting content that does not belong to them. “Users, including businesses, may inadvertently use copyrighted material without proper attribution. Posting protected words, names or symbols may also result in the user falsely identifying oneself, and allegations of misrepresentation,” explains Andrusiak.

Another major exposure falls under employment practices liability. If an employer uses social media to pre-screen a candidate and makes an unfavourable decision based on age, gender, race or other protected classes, the employer could face a discrimination lawsuit. Similarly, if an employer uses information obtained from an employee’s social media account to terminate that employee—Andrusiak gives the example of a woman announcing her pregnancy on Facebook and being fired soon after—that company has a chance of seeing the inside of a courtroom. “If a plaintiff can establish that an employer used information collected from social networking to terminate her employment or eliminate her from the selection process on the basis of a protected ground, the employer may in fact be held liable under relevant statutes,” explains Andrusiak. To avoid these types of costly legal battles, California has recently passed a law preventing employers from requesting access to social media accounts as a condition of employment.

In an age when almost everyone has a smartphone and uses it to announce on Facebook or Twitter every bad experience they’ve ever had, organizations also face a whole host of risks that are seemingly outside of their control. Reputational risk is one good example. A recent video of two Air Canada employees dropping passengers’ luggage into bins several feet below has been viewed more than 2.8 million times on YouTube. When a passenger posted the video online it caused a social media firestorm, ultimately forcing the
airline to respond and terminate the two baggage handlers.

This spread of negative information can lead to significant, tangible losses for organizations. “There have been some interesting things happening where inaccurate or false information about a company is released through social media ahead of the corporate earnings report,” explains Marsh’s Petersen. “That can seriously impact earnings or stock prices. And then you can get that resulting Twitter wildfire where everything spreads, especially negatively, and it can impact the business very seriously.”

Though we’re all aware of the email 2013 2012 scams that ask us to provide our banking information in order to receive “a large sum of money,” many are unaware that social media is also being used for phishing attacks. “What happens on these social media sites [is that cyber criminals send] a link to something that looks very familiar to you, and you click on that link, and it’s not actually a harmless URL—it’s redirecting you to a site that has malicious content. And before you can shut it down and get out of there, they’re in your system,” says Petersen. As the recent Heartbleed scandal or Target debacle demonstrate, data breaches can have far-reaching and costly consequences. The 2013 Cost of Data Breach Study by the Ponemon Institute found that the average cost of a data breach to US organizations was $5.4 million.

As social media continues to evolve, so too will the risks. But, for now, there are a number of important insurance coverages and risk management tools that clients can use to protect against these unique exposures.

#ProtectionPlan

“Every day you see an article in the paper about cyber risk…But a lot of organizations haven’t really brought that to the next level, where they’re seeing social media, social networking and cyber risk in the same light,” says Petersen. Chubb’s Davies agrees. “I think a lot of organizations that have a social media footprint may not be aware that there is insurance available to cover their liability exposures,” he says.

But as more and more companies use social media more frequently, and as more and more Duane Reade-type lawsuits emerge, this should change.

“A lot more companies are going to focus on social media, and I think the focus is coming very, very soon as well, because almost every business that I speak to now is beginning to use social media a lot,” says Petersen.

For brokers, ensuring their clients recognize the risks their organizations face is the first step; ensuring their clients have proper coverage is the next. “Traditional insurance, like a commercial general liability policy, isn’t going to provide enough coverage,” says Petersen. There are multiple insurance products that provide security against the exposures arising from social media. “Some allegations, such as defamation, misappropriation of ideas or copyright infringement could be covered under a media liability policy,” says Andrusiak. Employment practice liability coverages can protect against discrimination or wrongful dismissal exposures, while cyber liability policies can mitigate risks arising from network security and privacy breaches that result in data theft, or the release of personal or third party information.

More important than insurance, however, is an effective social media policy. “The most important item that we can discuss with our clients, in terms of ensuring that they have good protection for themselves, is that they have to have a social media policy, which is outlined and communicated clearly,” says Andrusiak.

According to a study by Proviti, however, only 53% of companies have social media strategies in place— meaning brokers have more work to do when it comes to educating their clients.

“As an underwriter, the kinds of things that I like to see a prudent organization have include an Internet usage policy, so that employees understand what the appropriate use of the Internet is at work and at home,” says Chubb’s Davies.

Ensuring employees are properly using their own personal social media accounts can be as equally important as ensuring an organization is using social media effectively. The line between personal and professional has long been blurred, and this is where many companies get into trouble, says Petersen. Employees that post publicly about their companies, and also their personal lives, need to be educated on what is acceptable and what isn’t.

“Organizations need to create a very clear corporate philosophy that defines their attitudes towards social networking, and they actually have to tell their employees whether or not they’re allowed to identify themselves as representatives of Marsh or [whatever company] on their personal sites,” says Petersen. As it turns out, those “All tweets are my own” disclaimers on Twitter users’ accounts could protect an organization against a costly legal battle, Andrusiak says.

Though time-consuming, companies must also actually monitor their social feeds for inappropriate content—and they must do this consistently and frequently. “If people are going onto a social chat room for Starbucks, advertising a competing coffee place…that’s problematic, so you’ve actually got to look at the content,” says Dolden. He recommends that a specific person, such as a chief information officer, be given primary responsibility for policing sites.

Davies adds, however, that all company employees need to be educated not only on social media usage, but on cyber security practices too. “Certainly, we’d like to see companies that train their employees on their privacy and network security policies so that employees are empowered to help the company protect its information and protect its secrets.”

Social media usage policies should also be reviewed by legal counsel and updated continuously as case law and social media usage evolves, adds Andrusiak.

For brokers, it’s important that they follow their own advice. As more and more insurance professionals turn to social media to build their personal brands or reach out to new clients, they must put these risk management tools and tips into practice too. “The broker’s legal liability is not much different than their clients’,” says Dolden. So, #BeCarefulOutThere.

___________________________________________________________________________
Copyright 2014 Rogers Publishing Ltd. This article first appeared in the May 2014 edition of Canadian Insurance Top Broker magazine

This story was originally published by Canadian Insurance Top Broker.