Social Marketing & Liability
Fred E. Karlinsky, Esq.
Co-Chair, Insurance Regulatory & Transactions Practice
Shareholder, Greenberg Traurig
Louisiana Insurers Conference
Insurance Compliance Seminar
August 6, 2015
GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM
2014 Greenberg Traurig, LLP. All rights reserved.

Disclaimer
The information in this presentation is intended to provide a general overview of the issues contained herein and is not intended, nor should it be construed, to provide specific legal or regulatory guidance or advice. If you have any questions or issues of a specific nature, you should consult with appropriate legal or regulatory counsel to review the specific circumstances involved.

Agenda
> General Overview
> Marketing Compliance Issues
> Data Collection

Part One: General Overview

Use Statistics
> Usage continues to grow and change
    73% of online adults use social networking sites
    64% of users visit social sites at least once per day
    More and more users are accessing via mobile vs. computer

Primary Platforms Cheat sheet?
Primary Platforms
Most Commonly Used by Marketers

Legal Challenges
> Social media blurs our personal and professional lives
    Most sites encourage sharing of personal information
    Difficult to separate work from personal events
    Expectation to share many details of our lives, both personal and professional
> Ethical issues: social media interactions with clients
    Friend your clients?
    Establishing appropriate boundaries for professional relationships

Regulatory and Legal Issues
> Sources of law:
    State Law and Federal Law
    National Association of Insurance Commissioners (NAIC)

State and Federal Law
> The states are the primary insurance regulators
    State laws affect social media use
        Advertising/marketing laws
        Customer information use, handling, storage, etc.
> Federal laws often mandate that the states adopt laws implementing certain standards
    Gramm Leach Bliley Act
    Health Insurance Portability and Accountability Act
    Health Information Technology for Economic and Clinical Health Act
    Trademark

NAIC
> NAIC has adopted several Model Laws and Regulations:
    Unfair trade practices
    Advertising and marketing
    2012 NAIC White Paper "The Use of Social Media in Insurance"
> The White Paper focuses on the following key points:
    Insurance company and producer uses of social media
    Regulatory and compliance issues associated with the use of social media
    Guidance for addressing identified regulatory and compliance issues

Part Two: Marketing Compliance Issues

Benefits of Social Media According to Marketers:

Objectives and Strategy
> Social media is an incredible opportunity to humanize an insurance company's brand
> As such, these companies want to translate their brand to social media:
    Define its personality and voice
    Develop guidelines for how, when and what topics you will engage in for social media
    What matters to your customers

Advertising
> Promoted posts/tweets in Facebook, Instagram and Twitter help their brand get more visibility in news feeds
> Able to geo-target, get hyper local
    Set audience requirements (gender, age, interests)
> Set budget and duration

Examples of Social Media Advertising
> Likes for Donations to Charities
> Retweet positive messages
> FarmVille
> YouTube Channel

Advertisement Defined
> Information that is:
    Designed to create public interest in insurance, an insurer, or a producer; or
    Induce the public to purchase, increase, modify, reinstate, or retain an insurance policy

Advertising Compliance
> State advertising laws apply to electronic marketing the same way they apply to traditional forms of advertising
    Statutes may specifically provide for this, or laws may be interpreted to include electronic communications
> Social media advertising can transcend state borders
    Creates additional issues

Advertising Compliance: Florida
> The Florida Office of Insurance Regulation definition of advertisement includes communications containing any assertion, representation, or statement with respect to the business of insurance
    Excludes material not meant for public dissemination and communications with policyholders not meant to encourage renewal or expansion of coverage

Advertising Compliance: Louisiana
> Material designed to create public interest... or to induce the public to purchase, increase, modify, reinstate, borrow on, surrender, replace, or retain a policy
    Excludes communications or materials used within the organization and not intended for dissemination to the public

Liability
> The party responsible for traditional advertising content is easy to identify
> Social media posts can be anonymous
    Difficult to identify the party responsible for such content
> Competing theories related to identifying the party responsible for social media content:
    Adoption and Entanglement Theories
    Communications Decency Act of 1996

Liability
> Adoption Theory
    Social media hosts can be found responsible for third party content if the host re-posts or forwards the content from their own social media platform
    Can also include the failure to remove content
> Entanglement Theory
    An entity can be considered responsible for third party content if the entity was involved in the development of the content

Liability
> Communications Decency Act of 1996
    Subject to certain conditions, provides that internet users cannot be found liable for the posts of third parties
    Meant to promote development of the internet
> Difficult to reconcile the Adoption and Entanglement Theories with the Communications Decency Act

Liability
> Adoption Theory Tested: Swift v. Zynga Game Network, Inc.
    Rebecca Swift seeks to hold Facebook and Zynga liable for content produced by a third party offered in connection with Zynga games accessed through Facebook
    Filed in 2009, the class action lawsuit is still ongoing

Producer Content
> Insurers can be liable for the posts of appointed agents
    The insurer is responsible for the posts of appointed agents that are attributed to the insurer
    The insurer is not responsible for posts not attributed to it
> Social media policies should recognize and define these issues

Social Media Policies
> Social media policies provide guidelines to mitigate risks associated with the use of social media platforms
    All employees should be familiar with the policy
> Social media policies should include:
    Prohibitions on revealing confidential or proprietary information
    Disclaimers when necessary
    Guidance on the use of company logos or trademarks
    Respect for copyright, privacy, fair use, financial disclosure, and other applicable laws

Social Media Policies
> Policies should broadly define what electronic communications are covered by the policy
    Should cover all hardware, software and communications activity
> Employees participating in social media for business purposes should be appropriately trained and supervised
    Prohibit employees from engaging in business communications that are not subject to the company's supervision
> Employees should have separate business and personal accounts

Social Media Policies
> Set meaningful limits on who may engage in what activity during work hours on company systems
> Require employees to identify themselves
    Employees should make clear that the opinions they express are their own, and not those of the company
> Prohibit discriminatory or harassing posts
> Instruct employees not to endorse company products until the message has been reviewed and approved

Social Media Policies
> Keep creativity in check
    Do not sacrifice content for fanfare
> Prohibit individual communications on wall postings
> Do not be lazy with grammar and spelling
> Do not friend strangers
> When necessary, submit content for prior approval with state regulators
> Acknowledge and respond to consumer complaints
> Maintain compliant record retention policies

Producer Policies
> Compliance professionals should ensure that personnel communicating on behalf of the company are licensed when necessary
    Establish controls over who may respond to social media posts
    Monitor producers, vendors and other partners linked to social media sites to ensure compliance
> Many states require that marketing be conducted in the insurer's name
    Social media accounts must satisfy this requirement

Agent Agreements
> Insurers should enter into agreements with their agents to:
    Provide for prior approval for advertisements
    Define approved content
    Provide for training on website and social media maintenance and tools
> Review agreements with agents to ensure they contain compliance responsibility, prior approval and hold harmless provisions
    Contracts should clearly define the rights and obligations of each party with regard to social media use

Crisis Planning
> The speed and reach of social media mean that crises WILL happen
    There is little time to react
    Reining things in is difficult
> Identify a response team and establish a plan of action before a crisis occurs

Records Retention
> Most states require maintenance of records of advertisements disseminated to the public
> Maintenance of records of social media content is not as simple as maintenance of traditional advertisements
    Social media sites change constantly

Records Retention
> It is unclear whether just an initial post must be retained, or whether the initial post and all responses must be retained
> Users of social media may have to retain content posted by third parties
> Retaining posts made and received on personal electronic devices should be considered

Part Three: Data Collection & Data Breaches

Social Data
> There is little privacy on social media
    Individuals can control who sees their social media pages, but not who markets to them
> This data is useful to marketers
    More targeted advertising
    Measure social media performance
    Learn what is important to customers
> Collecting customer information carries risks
    The company becomes liable for unauthorized release of personal information

Sources of Law
> Gramm Leach Bliley Act (GLBA)
> Health Insurance Portability and Accountability Act (HIPAA)
    Health Information Technology for Economic and Clinical Health Act (HITECH)
> State standards

Gramm Leach Bliley
> Deals with the use and disclosure of consumers' nonpublic personal information (NPI)
    NPI is an individual's personally identifiable information collected in connection with providing an insurance product or service, unless the information is publicly available
> Prohibits disclosure of a consumer's information to nonaffiliated third parties unless certain requirements are met

State Enforcement
> GLBA requires the states to enact legislation implementing the GLBA privacy protection provisions
> State insurance regulators enforce its provisions
> Variation between the states

NAIC Model 673
> 2002: the NAIC adopted Model 673, Standards for Safeguarding Customer Information
    Advises states on how to implement GLBA
> Establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information

HIPAA
> HIPAA provides guidelines for disclosure of patient health information
    Applies to covered entities and their business associates
> Covered entities:
    A health plan
    A health care clearinghouse
    A health care provider who transmits any health information in electronic form in connection with certain transactions
> Business associates of covered entities:
    Entities that, on behalf of a covered entity, assist with activities involving the disclosure of individually identifiable health information
    Includes agents

HIPAA
> Nonpublic personal health information (PHI):
    Identifies an individual who is the subject of the information; or
    Reasonable basis to believe that the information could be used to identify an individual
> Security Rule
> Privacy Rule

HITECH
> When there is a data breach, HITECH requires health care providers and other HIPAA covered entities to promptly notify affected individuals, the Secretary of Health and Human Services (HHS), and in some cases the media
    Annual reporting requirements to HHS
> Provides a safe harbor for following the guidelines to secure information

HIPAA/HITECH Example
> Data breach within a hospital system resulted in $4.8M HIPAA settlements
> Breach was caused when a physician employed by the hospital, who developed applications for the hospital, attempted to deactivate a personally-owned computer server on the network containing patient ePHI
> Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines

Notification of Data Breach
> Almost every state has laws that govern notification of security breaches
    Must notify affected parties of the breach
> Know what not and when to disclose
> Safe harbor laws

Notification: Louisiana
> Database Security Breach Notification Law
> Notification Trigger requires a risk of harm analysis
    No reasonable likelihood of harm to customers
    Only applies if information was not encrypted or redacted
> Notice to Citizens and to Attorney General
    Received within 10 days of notice to citizens
> Permits a private cause of action

Notification: Florida
> The Florida Information Protection Act of 2014 took effect on July 1, 2014
    Imposes requirements on covered entities that experience data breaches
    It is more stringent than previous Florida laws
> Applies to any commercial entity that uses personal information
    Also covers third-party agents who process personal information on behalf of a covered entity
> Generally, covered entities must provide notice to the Department of Legal Affairs and the affected individuals within 30 days of discovering the breach
    Safe harbor for encrypted data

Record Disposal
> Under the Uniform Electronic Transactions Act (UETA), if a law requires retention of a record, the record may be stored electronically
> How long to retain records?
    The more you have, the more you can lose
> Laws on disposal, redaction, destruction of records

Key Points
> Must determine how much personally identifiable information will be collected about insureds and potential insureds through social media platforms
> Privacy policies are critical for insurance entities
    Set forth the terms by which the company will handle personal information collected from consumers
    Needed to comply with applicable law

Questions?