There are 1.3 billion people on Facebook, half a billion “tweets” every day, and countless other ways to communicate that did not even exist five years ago. In response to this social media revolution, smart companies are increasingly unleashing social media strategies to reach their customers, while their employees are using social media to ”stay connected” twenty-four hours a day.
Despite the many ways in which social media can improve a business’s bottom line, social media also creates the potential for new types of liability. From discrimination claims when hiring decisions are based on information gleaned from an applicant’s Facebook page, to vicarious liability for cyber- bullying or defamation, social media in the workplace presents new risks that were unheard of just a few years ago. In response to these new risks, the insurance industry is still in the process of creating new products—and policy exclusions. Further, there are few court decisions to guide risk managers on whether social media claims are covered under the traditional suite of commercial general liability (“CGL”), errors & omissions (“E&O”), and employment practices liability (“EPL”) policies, not to mention newer media liability policies that purportedly were designed with social media exposures in mind.
This client alert outlines several types of risks that employers increasingly face due to the use of social media in the workplace, and discusses various insurance coverage issues that companies and their risk managers should consider to reduce their exposure.
Social Media Policies, Labor & Employment Liabilities, and Potential Gaps in Coverage
The recent explosion in the use of social media in the workplace has created a labor and employment liability minefield. For example, managers that “friend” their direct reports may inadvertently expose themselves and their company to harassment claims, and hiring decisions based on information gleaned from Facebook pages can lead to discrimination claims—and in some states, statutory liability. Standard employers’ liability insurance policies increasingly contain “social media” exclusions that bar or limit coverage for these types exposures, highlighting the need for in-house counsel, risk managers, and human resource managers to work together to create effective corporate social media policies and training programs to minimize these risks.
In crafting social media policies, companies are understandably focused on finding ways to protect their online reputation by policing the content on their social media pages. But when companies overreach and terminate employees based on their online communications, or innocently implement “zero-tolerance” policies for certain types of online communications, they could risk running afoul of labor laws like the National Labor Relations Act (“NLRA”).
Section 7 of the NLRA states that “employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection . . .” 29 U.S.C. § 157. Correspondingly, Section 8 of the Act prohibits employers from engaging in unfair labor practices, among which is “to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in section 7.” Id. § 158. A recent decision by the National Labor Relations Board (“NLRB”) illustrates the potential pitfalls that may arise out of restricting employees’ online communications.
In Hispanics United of Buffalo, Inc., Case 03–CA–027872, 359 N.L.R.B. No. 37, slip op. (Dec. 14, 2012), an employee who worked for an organization that helped victims of domestic violence posted that one of her co-workers felt that she and other employees did not work hard enough to help their clients, and that the co-worker was going to complain to management. Id. at 1–2. In response, several additional co-workers commented on the posts, and “objected to the assertion that their work performance was substandard.” Id. at 2. The co-worker who was the subject of the posts then reported them to her supervisor and complained of “bullying and harassment.” Id. Because the organization had a zero- tolerance policy toward such behavior, all of the co-workers who posted were fired. Id. When the termination decision was challenged, however, the NLRB held that because the employees “were taking a first step towards taking group action to defend themselves against the accusations they could reasonably believe [the employee] was going to make to management,” they were engaging in concerted activity protected by Section 8 of the Act. Id. The NLRB’s decision highlighted that a crucial distinction is whether the employees’ use of social media is a vehicle for concerted activity or whether it is simply an expression of dissatisfaction. The former is protected under the Act, while the latter is not.
In addition to addressing termination based on employees’ use of social media, the NLRB also has recently issued decisions concerning the legality of companies’ social media policies that purport to bar employees from making defamatory statements about their employer. See Costco Wholesale Corp., Case 34–CA–012421, 358 NLRB No. 106, slip op. (Sept. 7, 2012); Karl Knauz Motors, Case 13-CA-046452, 358 NLRB No. 164, slip op. (Sept. 28, 2012). Under these decisions, the NLRB has held that social media policies cannot be so broad as to result in a policy that “would reasonably tend to chill employees in the exercise of their Section 7 rights.” Costco Wholesale Corp., Case 34–CA– 012421, 358 NLRB No. 106, slip op. at 2 (Sept. 7, 2012).
By and large, EPL insurance policies do not cover violations of the NLRA, except for retaliation claims that may fall within a “retaliation carve-back,” which carves back coverage for claims arising out of retaliatory treatment. Therefore, because of the limited coverage available for NLRB claims, when companies develop social media policies to address reputational and cyber-bullying related risks, they should be careful to avoid creating a social media policy that inadvertently creates potentially uncovered NLRA exposure.
Advertising Injury Coverage for Claims Arising Out of Social Media Advertising and Marketing
Another new exposure arising out of social media relates to online advertising and marketing. As advertising and marketing campaigns move away from traditional websites controlled by a company and toward social media where companies do not control the messaging, more and more companies allow—and even expect—their employees to be a part of their online advertising platforms. In fact, many companies allow third-party users, unassociated with the company, to play a role in their marketing and advertising. The dark side of this trend is that although companies may have no control over who comments on their social media, they may be found vicariously liable for defamatory posts on interactive websites, Facebook pages, and Twitter feeds.
Companies do have some protection against defamatory third party posts, even on their own platforms under the Communications Decency Act (“CDA”) of 1996, which grants providers and users of “interactive computer service[s]” legal immunity from liability. 47 USC § 230(c)(1). That means that an owner of a website or a creator of a Facebook page cannot be held liable for defamatory comments published on its site. However, if the interactive computer service provider or user becomes an “information content provider” by editing a post in issue or responding to it in a defamatory manner, then legal immunity under the CDA ceases.
Moreover, even if a company has a strong social media policy in place, well-intentioned employees who respond to disparaging comments about the company for whom they work may inadvertently create liability for their employer when they respond to third party posts. For instance, employers may be found vicariously liable for employees’ defamatory comments on social media against other companies or competitors. While there is little case law concerning this issue, under the common law doctrine of vicarious liability, an employer is generally liable for an employee’s defamation if it was done within the scope of employment, a risk which may be heightened when employers encourage their employees to help implement social media marketing strategies.
Defamation-related risks traditionally have been covered under standard commercial general liability (“CGL”) policies, which provide broad coverage for “personal and advertising injury,” which includes coverage for, among other things, libel, slander, invasion of privacy, and certain types of trademark and copyright infringement risks. In response to the growing use of social media, however, insurers have increasingly limited the scope of coverage for advertising injury exposure arising out of the use of the internet and social media. For instance, insurers are increasingly attempting at renewals to insert an “electronic chat-room or bulletin board” exclusion, if not more broadly worded exclusions, to limit their liability for advertising injuries arising out of social media.
Similarly, while insurers have for many years attempted to limit their liability for invasion of privacy claims arising under the Telephone Consumer Protection Act of 1996 (“TCPA”) and the CAN-SPAM Act of 2003, in response to the recent proliferation of state privacy protection statutes, insurers increasingly are using a broader, so-called “Violation of Statutes” exclusion in an attempt to eliminate any coverage under CGL policies for statutory privacy claims. To date, insurers attempting to enforce this type of exclusion have obtained mixed results, with some courts interpreting these types of exclusions broadly and other courts applying the exclusions more narrowly in keeping with pro-policyholder rules of insurance construction applicable in most jurisdictions. Compare National Union Fire Insurance Company of Pittsburgh, PA v. Coinstar, Inc., No. C13-1014-JCC, 2014 WL 868584 (W.D. Wash. Feb. 28, 2014) (holding that “Violation of Statutes” exclusion in CGL policies precluded coverage for allegations that the policyholder disclosed customers’ personal information in violation of the Video Privacy Protection Act), with Hartford Casualty Insurance Co. v. Corcino & Associates, CV 13-03728-GAF, 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013) (holding that a general liability policy covered data breach claims alleging violations of California patients’ right to medical privacy when medical information of the underlying plaintiffs was posted on a public website, “Student of Fortune”—an online tutorial marketplace for students who need help with their homework—and rejecting insurers’ attempted application of exclusion for liabilities resulting from a violation of rights created by state or federal acts). A company’s use of social media increases the opportunity—and, therefore, the danger—that the company or its employees will post information on a social media forum that implicates a federal or state privacy statute, and therefore insurers may argue that a “Violation of Statutes” exclusion bars insurance coverage for any liability under such statute. Healthcare and financial professionals must be particularly careful, since consumers in both of those fields are protected by privacy statutes. See, e.g., Gramm-Leach-Bliley Financial Modernization Act of 1999; Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
In tandem with the emergence of new exclusions, insurers are increasingly offering stand-alone insurance coverage to address advertising injury exposures arising out of the use of social media. Indeed, policyholders in media and internet related businesses generally must buy stand-alone media liability policies to obtain any coverage for advertising injury exposure, and insurers are increasingly offering insurance products specifically tailored to cover social-media based liabilities, such as defamation claims arising out of an employee’s social media use at work. While the new insurance products may address a need in the marketplace for this type of coverage, these new products, when coupled with broader exclusions to CGL advertising injury coverage, create the potential for coverage gaps.
Tips For Reducing Social Media Exposure
- Because insurance coverage for social media exposure is often uncertain, but staying off social media is not an option, every company should craft a social media policy to reduce the risk of claims arising out of the use of social media at work. These policies should be tested and regularly audited and updated as new social media outlets continually emerge.
- While social media policies are often drafted in silos by marketing, IT, or human resources departments, the best approach is to form a team consisting of human resources professionals, IT professionals, marketing departments, in-house counsel, and corporate risk managers to ensure that an appropriate balance is struck between the important goal of engaging with potential and existing customers via social media and the need to protect the company against social media exposures.
- Companies should develop a social media crisis management plan to avoid miscues when responding to social media trends that may threaten the company’s reputation, and train the employees principally responsible for social media marketing to protect the company’s brand and to minimize the company’s exposure in the event of a social media crisis.
- Because newer social media insurance coverage products and emerging social media exclusions in CGL, EPL, and E&O policies are largely untested in the courts, any company with social media exposure should carefully review its existing coverage at renewal with its broker and outside counsel, and beware of new endorsements containing hidden social media exclusions that may limit coverage.