Social Marketing & Liability

Transcription

1 Social Marketing & Liability Fred E. Karlinsky, Esq. Co-Chair, Insurance Regulatory & Transactions Practice Shareholder, Greenberg Traurig Louisiana Insurers Conference Insurance Compliance Seminar August 6, 2015 GREENBERG TRAURIG, LLP ATTORNEYS AT LAW Greenberg Traurig, LLP. All rights reserved.

2 Disclaimer The information in this presentation is intended to provide a general overview of the issues contained herein and is not intended, nor should it be construed, to provide specific legal or regulatory guidance or advice. If you have any questions or issues of a specific nature, you should consult with appropriate legal or regulatory counsel to review the specific circumstances involved. 2

3 Agenda > General Overview > Marketing Compliance Issues > Data Collection 3

4 Part One General Overview 4

5 Use Statistics > Usage continues to grow and change 73% of online adults use social networking sites 64% of users visit social sites at least once per day More and more users are accessing via mobile vs. computer 5

6 Primary Platforms Cheat sheet? 6

7 Primary Platforms 7

8 Most Commonly Used by Marketers 8

9 Legal Challenges > Social Media blurs our personal and professional lives Most sites encourage sharing of personal information Difficult to separate work from personal events Expectation to share many details of our lives, both personal and professional > Ethical issues: Social media interactions with clients Friend your clients? Establishing appropriate boundaries for professional relationships 9

10 Regulatory and Legal Issues > Sources of law: State Law and Federal Law National Association of Insurance Commissioners (NAIC) 10

11 State and Federal Law > The states are the primary insurance regulators State laws effect social media use Advertising/marketing laws Customer information use, handling, storage, etc. > Federal laws often mandate that the states adopt laws implementing certain standards Gramm Leach Bliley Act Health Insurance Portability and Accountability Act Health Information Technology for Economic and Clinical Health Act Trademark 11

12 NAIC > NAIC has adopted several Model Laws and Regulations: Unfair trade practices Advertising and marketing 2012 NAIC White Paper The Use of Social Media in Insurance > The White Paper focuses on the following key points: Insurance company and producer uses of social media Regulatory and compliance issues associated with the use of social media Guidance for addressing identified regulatory and compliance issues 12

13 Part Two Marketing Compliance Issues 13

14 Benefits of Social Media According to Marketers: 14

15 Objectives and Strategy > Social media is an incredible opportunity to humanize an insurance company s brand > As such, these companies want to translate their brand to social media: Define its personality and voice Develop guidelines for how, when and what topics you will engage in for social media What matters to your customers 15

16 Advertising > Promoted posts/tweets in Facebook, Instagram and Twitter help their brand get more visibility in news feeds > Able to geo-target, get hyper local Set audience requirements (gender, age, interests) > Set budget and duration 16

17 Examples of Social Media Advertising > Likes for Donations to Charities > Retweet positive messages > Farmville > Youtube Channel 17

18 Advertisement Defined > Information that is: Designed to create public interest in insurance, an insurer, or a producer or Induce the public to purchase, increase, modify, reinstate, or retain an insurance policy 18

19 Advertising Compliance > State advertising laws apply to electronic marketing the same way they apply to traditional forms of advertising Statutes may specifically provide for this, or laws may be interpreted to include electronic communications > Social media advertising can transcend state borders Creates additional issues 19

20 Advertising Compliance: Florida > The Florida Office of Insurance Regulation definition of advertisement includes communications containing any assertion, representation, or statement with respect to the business of insurance Excludes material not meant for public dissemination and communications with policyholders not meant to encourage renewal or expansion of coverage 20

21 Advertising Compliance: Louisiana > Material designed to create public interest... or to induce the public to purchase, increase, modify, reinstate, borrow on, surrender, replace, or retain a policy Excludes communications or materials used within the organization and not intended for dissemination to the public 21

22 Liability > The party responsible for traditional advertising content is easy to identify > Social media posts can be anonymous Difficult to identify the party responsible for such content > Competing theories related to identifying the party responsible for social media content: Adoption and Entanglement Theories Communication Decency Act of

23 Liability > Adoption Theory Social media hosts can be found responsible for third party content if the host re-posts or forwards the content from their own social media platform Can also include the failure to remove content > Entanglement Theory An entity can be considered responsible for third party content if the entity was involved in the development of the content 23

24 Liability > Communications Decency Act of 1996 Subject to certain conditions, provides that internet users cannot be found liable for the posts of third parties Meant to promote development of the internet > Difficult to reconcile the Adoption and Entanglement Theories with the Communications Decency Act 24

25 Liability > Adoption Theory Tested: Swift v. Zynga Game Network, Inc. Rebecca Swift seeks to hold Facebook and Zynga liable for content produced by a third party offered in connection with Zynga games accessed through Facebook Filed in 2009, the class action lawsuit is still ongoing 25

26 Producer Content > Insurers can be liable for the posts of appointed agents The insurer is responsible for the posts of appointed agents that are attributed to the insurer The insurer is not responsible for posts not attributed to it > Social media policies should recognize and define these issues 26

27 Social Media Policies > Social media policies provide guidelines to mitigate risks associated with the use of social media platforms All employees should be familiar with the policy > Social media policies should include: Prohibitions on revealing confidential or proprietary information Disclaimers when necessary Guidance on the use of company logos or trademarks Respect for copyright, privacy, fair use, financial disclosure, and other applicable laws 27

28 Social Media Policies > Policies should broadly define what electronic communications are covered by the policy Should cover all hardware, software and communications activity > Employees participating in social media for business purposes should be appropriately trained and supervised Prohibit employees from engaging in business communications that are not subject to the company s supervision > Employees should have separate business and personal accounts 28

29 Social Media Policies > Set meaningful limits on who may engage in what activity during work hours on company systems > Require employees to identify themselves Employees should make clear that the opinions they express are their own, and not those of the company > Prohibit discriminatory or harassing posts > Instruct employees not to endorse company products until the message has been reviewed and approved 29

30 Social Media Policies > Keep creativity in check Do not sacrifice content for fanfare > Prohibit individual communications on wall postings > Do not be lazy with grammar and spelling > Do not friend strangers > When necessary, submit content for prior approval with state regulators > Acknowledge and respond to consumer complaints > Maintain compliant record retention policies 30

31 Producer Policies > Compliance professionals should ensure that personnel communicating on behalf of the company are licensed when necessary Establish controls over who may respond to social media posts Monitor producers, venders and other partners linked to social media sites to ensure compliance > Many states require that marketing be conducted in the insurer s name Social media accounts must satisfy this requirement 31

32 Agent Agreements > Insurers should enter into agreements with their agents to: Provide for prior approval for advertisements Define approved content Provide for training on website and social media maintenance and tools > Review agreements with agents to ensure they contain compliance responsibility, prior approval and hold harmless provisions Contracts should clearly define the rights and obligations of each party with regards to social media use 32

33 Crisis Planning > The speed and reach of social media mean that crises WILL happen There is little time to react Reining things in is difficult > Identify a response team and establish a plan of action before a crisis occurs 33

34 Records Retention > Most states require maintenance of records of advertisements disseminated to the public > Maintenance of records of social media content is not as simple as maintenance of traditional advertisements Social media sites change constantly 34

35 Records Retention > It is unclear whether just an initial post must be retained, or whether the initial post and all responses must be retained > Users of social media may have to retain content posted by third parties > Retaining posts made and received on personal electronic devices should be considered 35

36 Part Three Data Collection & Data Breaches 36

37 Social Data > There is little privacy on social media Individuals can control who sees their social media pages, but not who markets to them > This data is useful to marketers More targeted advertising Measure social media performance Learn what is important to customers > Collecting customer information carries risks The company becomes liable for unauthorized release of personal information 37

38 Sources of Law > Gramm Leach Bliley Act (GLBA) > Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) > State standards 38

39 Gramm Leach Bliley > Deals with the use and disclosure of consumers nonpublic personal information (NPI) NPI is individual s personally identifiable information collected in connection with providing an insurance product or service, unless the information is publicly available > Prohibits disclosure of a consumer s information to nonaffiliated third parties unless certain requirements are met 39

40 State Enforcement > GLBA requires the states to enact legislation implementing the GLBA privacy protection provisions > State insurance regulators enforce its provisions > Variation between the states 40

41 NAIC Model 673 > 2002: the NAIC adopted Model 673, Standards for Safeguarding Customer Information Advises states on how to implement GLBA > Establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information 41

42 HIPAA > HIPAA provides guidelines for disclosure of patient health information Applies to covered entities and their business associates > Covered entities: A health plan A health care clearinghouse A health care provider who transmits any health information in electronic form in connection with certain transactions > Business associates of covered entities: Entities that, on behalf of a covered entity, assist with activities involving the disclosure of individually identifiable health information Includes agents 42

43 HIPAA > Nonpublic personal health information (PHI): Identifies an individual who is the subject of the information; or Reasonable basis to believe that the information could be used to identify an individual > Security Rule > Privacy Rule 43

44 HITECH > When there is a data breach, HITECH requires health care providers and other HIPAA covered entities to promptly notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases the media Annual reporting requirements to HHS > Provides a safe harbor for following the guidelines to secure information 44

45 HIPAA/HITECH Example > Data breach with in a hospital system resulted in $4.8M HIPAA settlements > Breach was caused when a physician employed by the hospital, who developed applications for the hospital attempted to deactivate a personally-owned computer server on the network containing patient ephi. > Because of a lack of technical safeguards, deactivation of the server resulted in ephi being accessible on internet search engines. 45

46 Notification of Data Breach > Almost every state has laws that govern notification of security breaches Must notify affected parties of the breach > Know what not and when to disclose > Safe harbor laws 46

47 Notification: Louisiana > Database Security Breach Notification Law > Notification Trigger requires a risk of harm analysis No reasonable likelihood of harm to customers Only applies if information was not encrypted or redacted > Notice to Citizens and to Attorney General Received within 10 days of notice to citizens > Permits a private cause of action 47

48 Notification: Florida > The Florida Information Protection Act of 2014 took effect on July 1, 2014 Imposes requirements on covered entities that experience data breaches It is more stringent than previous Florida laws > Applies to any commercial entity that uses personal information Also covers third-party agents who process personal information on behalf of a covered entity > Generally, covered entities must provide notice to the Department of Legal Affairs and the affected individuals within 30 days of discovering the breach Safe harbor for encrypted data 48

49 Record Disposal > Under the Uniform Electronic Transactions Act (UETA), if a law requires retention of a record, the record may be stored electronically > How long to retain records? The more you have, the more you can lose > Laws on disposal, redaction, destruction of records 49

50 Key Points > Must determine how much personally identifiable information will be collected about insureds and potential insured through social media platforms > Privacy policies are critical for insurance entities Set forth the terms by which the company will handle personal information collected from consumers Needed to comply with applicable law 50

51 Questions? 51