Internet-based social networking services and platforms, or “social media,” are rapidly becoming the ultimate way to communicate instantly with friends and contacts around the world. As one expert has observed, “The field of marketing communications is rapidly moving to a new model in which online communication plays a dominant role, and social media are the latest development in that trend.”1 While Facebook, Twitter, LinkedIn and MySpace are some of the best-known social media, there are, in fact, hundreds of social media sites. Furthermore, the technology of social networking is rapidly evolving as users create their own innovations and conventions that modify how the social media sites are used.2
Insurance companies have only recently begun using social media, and their adoption of this new form of communication has been relatively limited and experimental to date. However, there is little doubt that, as with other businesses, social media will become mainstream in the insurance industry. This will be driven by the simple fact that younger and older generations alike are using social media heavily,3 and if insurers are not participating, their messages will not be heard, and they will not hear what their insureds and employees are saying about them.
Those insurers who have begun using social media are communicating with insureds to provide news and information about coverages, rates, ratings, jobs, etc. Much of what we are seeing still amounts to marketing. However, it is changing from the traditional one-way marketing of insurer to insured to the two-way and “multi-directional” interaction on social media among insurers and their followers. Social media are often referred to as powerful communication tools, but this power can be a two-way street. Just as social media greatly enhance the ability of insurers to convey their messages, they also make it possible for consumers to rapidly convey their thoughts and opinions about insurers on a large scale and even launch grass roots protests.4
Current laws do not specifically contemplate the technology of social networking, and it will take time for regulators, courts and legislators to address new issues that arise. However, the speed and expanded reach of social media communication greatly magnify the chances that insurers could violate existing laws that potentially apply to the use of social media. This Client Alert outlines some of those laws as well as initial steps insurers can take to protect themselves.
Some insurers have decided that they will not participate in using social media because they view the legal and communication risks as too great. Others have blocked their employees’ access to Facebook and Twitter on company systems. However, in reality insurers will not be able to avoid social media. Their employees and agents are using these networking sites and can freely access them on their own mobile communication devices. Furthermore, they are setting up their own company- related Web sites to communicate with each other and even former employees.5 Agents are setting up their own Web sites as well with advertising and company logos and trademarks on them.6
Key Areas of Law that Potentially Apply to Insurers Using Social Media
Litigation and E-Discovery
As we have seen in recent years, e-mails have become prime sources of evidence as lawyers focus on them to make their cases. We can expect that the insurance industry’s use of social media will be even more fruitful sources of litigation discovery by lawyers. Such impromptu and informal communications by insurers’ employees with each other and with insureds will be subjected to the same level of scrutiny as e-mails have been, and they are likely to be even richer sources of information. As one commentator observed, “Lawyers ... love these sites, which can be evidentiary gold mines.”7 Domestic relations and family lawyers now actively scrutinize MySpace and Twitter for revealing and helpful information to make their clients’ cases in divorce situations.8 We can expect these same tactics to be used against insurers by plaintiffs’ lawyers.
With social media, the potential damage is even greater than with e-mails because by nature social media communications are often real time. People typically express themselves “in-the-moment”9 without any thought to how their comments can later be used against them and their companies. It is this immediate nature of the communications that can be very revealing and, therefore, extremely valuable or damaging, depending on one’s position. As a result, social media postings can become self-inflicted wounds. Put another way, “It’s permanent. It’s indexed. It’s searchable. If it’s inappropriate or even illegal, you’ve shot yourself in the foot.”10
Further complicating matters is the challenge of complying with litigation hold orders. Where a company’s business is conducted through the alternative channels of social media using company-provided or company-supported hand-held devices, these records may fall within the scope of a litigation hold order and the company may be required to prevent such records from being lost. Companies should, at the very least, consider their litigation hold order forms.
Market Conduct and Insurance Trade Practices; Advertising
Many provisions of state insurance trade practices and advertising laws arguably apply to social media communications such as “tweets” by company employees as well as the posting of photos and videos. Among the insurance trade practice laws most likely to be applied to social media communications are those proscribing misleading and false statements (e.g., misrepresentations of benefits, advantages, and terms of coverage or insurance products), defamation (e.g., making disparaging comments about competitors), and unfair claims practices.
Furthermore, a number of states have laws and rules governing marketing and advertising by insurers. For example, one state requires that advertising be truthful, complete, and clear.11 If an insurance company sponsors a Facebook page, that is likely to be considered “marketing” or “advertising,” and such a company has an obligation to monitor this and make sure it is accurate.
Record and Document Retention
State insurance codes usually require insurers to maintain their records and documents for a specified period of time. This allows regulators to examine companies’ operations for both their financial condition and their business conduct in the market. These laws very broadly define which records and documents must be retained, and insurers must assume that such laws apply to their communications via social media. It follows that regulators would therefore be entitled to access social media communications engaged in by insurers. However, there are questions of who owns or has custody and control of the information.12
Numerous state and federal laws governing privacy potentially apply when insurers use social media. Insurers should recognize that these laws are generally triggered when there is a transmission of unencrypted non-public personal information (NPI). So tweeting, even over a private channel of Twitter, could be subject to scrutiny under the law.
One of the principal laws in this area is the Gramm-Leach-Bliley Act (GLBA) enacted by Congress in 1999. Insurers must beware of communicating individuals’ names in combination with personal information related to those persons. For example, an individual’s name and driver’s license number or Social Security number generally would be considered sensitive information protected by statute.
Privacy laws can be triggered when insurers’ employees and agents use social media to communicate with insureds in claims situations. For example, using unsecured Web sites or unencrypted e-mail to exchange personally identifiable data (such as name, address, drivers license number and account/policy number) could subject insurers to the privacy laws.
Some states have adopted the National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection Model Act of 1982. This Act regulates all “personal information” which is broadly defined and includes virtually all individually identifiable information about insureds.13
Personal health information also is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996. Title IV of this Act protects the privacy of patient information. While it currently may seem unlikely that such information would be disclosed through social media, as insurers and employees expand their use of social media, the potential for inadvertent disclosure increases. Insurers should ensure that their current systems for accessing and using patient information are adequate to cover such communications. Insurers may, for example, opt to totally prohibit the communication of any patient information by employees over social media networks.
A number of states, such as Nevada and Massachusetts, also have security breach laws which require NPI transmissions to be encrypted.
The federal Fair Credit Reporting Act (FCRA) may also apply. For example, when an auto insurer obtains an insured’s driving history or credit report for underwriting purposes, the FCRA restricts the subsequent use and distribution of such information. The insurer cannot share that information with others, including the insured. A careless employee who inadvertently discloses information obtained from a credit report via a tweet could subject the company to liability under the FCRA.
Employers need to address concerns about employees’ use of social media. For example, insurance company employees who make comments about their fellow employees or employers can potentially expose themselves and their employers to liability. This includes the exchange of comments between supervisors about the character and conduct of their subordinates. Problems can arise when employees use social media outside of work if they mention the company in their postings.
Insurers should review their employment policies on electronic communications and revise them to cover the use of social media, just as they have adopted policies on the use of cell phones, e-mail and the Internet. They should consider including guidelines prohibiting comments that are defamatory, harassing, disparaging or discriminatory, or which disclose confidential company information. In addition, they should to provide guidance about employees’ use of social media at work.
Specifically, employers may also choose to address employees’ use of social media for personal matters while on the job. Social media have the potential to be far more time-consuming than just e-mailing and occasionally surfing the Web. As employees compulsively check their iPhones and Blackberries for news of other people’s lives, their use of social media can consume large amounts of time and adversely affect their productivity.
Privilege and Trade Secrets
The unintentional loss of privileged information and trade secrets can occur as a result of careless disclosures employees make when using social media to communicate with outsiders, including friends and even regulators. Companies need to make sure their employees are educated about this risk and instructed on how to avoid it. Insurers’ employees must be aware of and assume that a communication containing sensitive information that is intended for one person could be subsequently redistributed to others, thereby resulting in a loss of protection and a waiver of privilege through public disclosure.
Company guidelines should specifically inform employees that information transmitted using company hardware and software is the property of the company.
There can be issues of ownership and rights to the use of material that is generated by employees and third parties and posted on social media sites such as Twitter, Facebook and MySpace. This includes copyrighted material, patented designs or material, trademarks, trade names, trade dress, trade secrets, and trade slogans and phrases. The use of third parties’ trademarks, copyrighted material or other intellectual property in postings or other communications on social media sites could infringe third parties’ intellectual property rights. Licensing issues may also arise. If employees engage in such actions while performing their jobs, whether in the context of a company-sponsored Web page or otherwise, their employers could be liable for any infringement caused by such actions.
The fact that many social media sites allow for the creation of customized Web pages on a variety of topics, coupled with the informal nature of much of the use of such social media sites, may result in employees or third parties creating pages about an insurer which utilize trademarks, copyrighted material and other intellectual property of the insurer that the insurer will want to control. Accordingly, insurers should take steps to ensure that Web pages on social media sites which appear to be authorized by the insurer are, in fact, authorized and controlled by the insurer.
When creating authorized “fan pages” or other media channels on social media sites, insurers will need to address issues similar to those arising in other media channels. For example, like any other Web page, if company trademarks, copyrighted material or other intellectual property are placed on a social media site, there is a risk that such material may be subsequently redistributed and used by third parties in ways that the company does not want and cannot control.
Insurers must be constantly vigilant about violating state and federal antitrust laws when it comes to the use of social media. Member insurers of trade associates who communicate with each other via social media about matters of mutual interest and concern could end up violating antitrust laws if they discuss rates and pricing.
Statements by insurance agents/producers in social media communications with insureds regarding insurance products could be used as the basis for arguing that a modification of the insurance contract occurred as a result of representations about the scope and nature of coverage.
What to do? Initial Steps Insurers Can Take to Protect Themselves
With so many potential legal issues and risks, the task of protecting against violations and resulting liability can be daunting. Insurers may well ask, “How can we afford the time and cost of covering all of the bases?” However, doing nothing places a company at risk for larger costs down the road in the form of damages and legal fees.
The first and most important step an insurer can take is to adopt policies and guidelines, or review and revise existing ones, on the use of social media in communicating with insureds and the public. Insurers who adopt a clear social media plan that incorporates such guidelines will be in a much better position to successfully meet the operating and legal challenges of this new communications environment.
Second, insurers should implement those policies and guidelines. This includes educating and training employees about those policies and guidelines.
Third, insurers should monitor and enforce compliance with the policies and guidelines. While there are differences of opinion about this, with some arguing that monitoring adversely affects employee morale and productivity, a company that adopts guidelines and does nothing to implement and monitor their compliance leaves itself vulnerable to attack.
An insurer will never have a perfect compliance program. However, taking immediate steps to adopt company policies and guidelines on social media will provide strong protection (and a defense) in the future if the insurer is sued or charged with violating the law.