social media, mobile computing and the cloud meet insurance regulation

Dewey & LeBoeuf LLP, dl.com

Social Media, Mobile Computing and The Cloud: Why You Need a Current and Comprehensive Compliance Program

Presentation to Insurance Industry Charitable Foundation

November 9, 2011

Margaret A. Keane, 415 951 1137, [email protected]


TABLE OF CONTENTS

A. Issues Specific to the Insurance Sector

1. Use of Social Media by Farmers and some of its Competitors

2. Insurance Regulators and Social Media

3. The NAIC’s draft White Paper on Social Media in Insurance

4. From the States: Social Media as Advertising and Other Perils

5. Social Media as an Investigative Tool

6. Pointers, Perils and the FTC

B. Workplace Issues

1. Overview of Challenges

2. Hiring Concerns

3. Perils and Pitfalls of Mobile Technology

4. FINRA Guidance on Dual Use Devices

5. The NLRA, Non-disparagement Policies and Termination

6. Genetic Information Non-Discrimination Act

7. Parting Thoughts


The Risks and Rewards of Social Media Run Throughout Your Relationships

● Claims

● Community Relations

● Customers

● Employees

● Insurance Regulators

● Other Regulators and Enforcers

● Producers

● Underwriters


Perils of Social Media and Mobile Computing

● Misappropriation of sensitive information due to negligent or intentional security breach

● Reputational damage

● Harassment or bullying of co-workers in social media fora

● Inappropriate and/or defamatory references posted on public sites

● Claims of discriminatory hiring and firing decisions based on information obtained from social media

● Violations of Genetic Information Non-Discrimination Act (GINA)

● Wrongful termination claims for decisions and policies that may violate the National Labor Relations Act

● Unfair insurance/trade practices exposure for inappropriate or unauthorized endorsements and testimonials

Farmers Insurance Group

• Offers Zynga’s FarmVille players access to its Farmers-branded Airship, which raised fan base by more than 100,000 in the first week of the promotion.

• Ran a Facebook contest where people could enter to win a ride on the Farmers Airship, the Zeppelin Eureka.

• Incorporated Hearsay Social, a social media platform designed to address compliance needs, deliver content and provide data analytics; uses the platform to help 15,000 agents nationwide maintain their own Facebook pages.

• Launched iClaim which provides an additional channel to submit claims and communicate with Farmers.

• Manages active Facebook, LinkedIn and Twitter profiles.

State Farm

● Launched a free mobile application, Driver Feedback, which can turn a cell phone into a pocket-sized driving coach.

● Held a 6-month ad campaign within the game Car Town that included branded missions, virtual item giveaways, and new State Farm-branded promotions.

● Launched State Farm Go to Bat - Users select one of the designated charities on State Farm’s website, then virtually swing. Once a week, for 10 weeks, State Farm will make a donation of $18,000 to the charity with the highest Go To Bat game batting average. Also, an individual winner who goes to bat for the winning charity will be randomly selected for a trip to Games 3 and 4 of the 2011 World Series.


Progressive

● Launched Snapshot, which plugs into a car's on-board diagnostic port. Computer chips collect and store the time of day the car is operating, as well as speed. The data are sent to Progressive via wireless technology, and users can view their results almost instantly on a website. Drivers can get discounts of up to 30% in as soon as 30 days.

● Launched mobile application to compare insurance costs; obtain quotes, make payments and manage policies; access insurance information, VINs, policy dates, insurance coverages, and find nearest agents and service centers.

● Progressive Flo, a character in Progressive’s commercials, has a Facebook Page with approximately 3,000,000 likes.

Allstate

● Launched Digital Locker which makes it easy to create and manage an inventory of personal property, so customers will have the information they need if they ever need to make a claim.

● Launched Tag In by Allstate which allows users to send quick messages and GPS locations to friends.

● Launched Allstate Motor Club, which provides roadside assistance for users nationwide.

● Launched GoodRide by Allstate – helps users plan, track and share all rides, maintenance, and repairs.

● Has its own YouTube channel which includes a section of information and educational videos.


Regulators Are Stepping In

● State insurance regulators beginning to address the use of social media in the insurance industry and treating it as advertising.

– Several state insurance regulators have Facebook pages.

– At least 3 states—Virginia, Massachusetts and New York—have provided specific guidance that marketing communications through social media platforms will be considered advertisements.

– At least 6 states—Ohio, New Hampshire, Idaho, Colorado, Arizona, and California—and the NAIC include electronic communications, broadcasting, or transmissions within their definitions of advertisement.

– NAIC has a Social Media Working Group, chaired by Keith Nyhan of New Hampshire Department of Insurance. Draft Working Paper on Social Media issued on July 29, 2011.


NAIC Released Draft White Paper on Use of Social Media in Insurance

● The Social Media Working Group’s White Paper, which borrows heavily from FINRA’s Notice to Members 10-06, has not yet been adopted by the Market Regulation & Consumer Affairs Committee. However, it prescribes methods for insurers to comply with regulatory guidance in their use of social media, and may foreshadow future regulations.

● The White Paper focused on:

– The use of social media in the business of insurance

– Identifying and providing guidance on actual and potential regulatory and compliance issues with the use of social media in insurance


Context: Common Uses of Social Media in the Insurance Sector

Insurers

● Tool to build trust and engagement and convey valuable information for consumers.

● Means to obtain and verify information during the hiring process.

● Forensic tool to investigate potential fraud in the underwriting and claims process.

● Facilitate claims handling.

● Method of more timely addressing public relations crises.

Producers

● Ability to disseminate information. Can be product info or general public service.

● Tool to access networking opportunities.

● Means to engage customers and build personal brand, provide rapid responses to questions.

Consumers

● Learn about products and rates, ask questions, rate insurance companies and producers, and complain about negative experiences with companies/producers.


NAIC White Paper: When is an Insurer Responsible?

“Generally speaking, if the social media communications can be attributed to a carrier, regulators will do so. Thus, protocols and procedures should be developed, in place, and followed regarding social media usage by independent agents, as the regulatory emphasis in regards to social media will be on the “agency” and not the “independence”.”


White Paper: When is an Insurer Responsible for Content?

● Insurers will likely be held accountable for social media content posted to or on any of their own directly sponsored sites, and possibly for their producer’s social media content.

● An insurer will likely be held accountable for all social media content, with limited exceptions, posted to/on any of its associated entities’ sponsored sites/spaces

● Static communications are subject to existing advertising, marketing and customer-relation regulatory frameworks. (Static communications remain posted and visible until changed by someone with access to do so. Ex. Biographic materials, backgrounds and wall information.)

● Retention and record keeping requirements do apply to the interactive content on a social media website controlled by an insurer or one of its associated entities.

● Insurers are not responsible for the interactive content of 3rd party, non-associated entities’ contributions

● If 3rd party content is attributable to an insurer because the insurer was involved with the preparation of the content, the insurer will be accountable for the content, per the “entanglement theory.”

● If 3rd party content is explicitly or implicitly endorsed by the insurer it becomes attributable to the insurer per the “adoption theory.”


White Paper: The Many Facets of Compliance

● “As with all forms of communication and interaction between insurance companies and their associated entities and consumers, the insurance company must supervise and monitor communication closely in order to comport with existing regulations.”

● Insurers should adopt comprehensive policies, procedures and controls that comply with relevant State regulatory guidelines, including:

– Advertising and marketing laws and regulations

– Consumer complaints

– Endorsements of and to individuals and companies

– Privacy Laws – Federal laws including HIPAA, Gramm-Leach-Bliley (“GLB”), Children’s On-Line Privacy Protection Act (“COPPA”), State privacy laws such as California’s Insurance Information and Privacy Protection Act (IIPPA)

– Record Retention Requirements

– Security Breach Notification Statutes

– Supervision, Monitoring and Training

– Suitability Requirements


White Paper: Regulatory Guidance

● Insurers should restrict producers from engaging in business communications on unsupervised social media sites.

● Absent policies and procedures to ensure regulatory compliance, producers should be prohibited from using social media to promote an insurer or its products.

● Insurers should adopt policies reasonably designed to ensure that electronic communications or communications attributed to them are accurate and timely, not misleading.

● With regard to recommendations for specific insurance products, an insurer should ensure that its communications or communications attributable to it are suitable to all potential recipients. Alternatively, an insurer could prohibit interactive electronic recommendations for specific products.

White Paper: Regulatory Guidance (cont’d.)

● An insurer may employ risk-based principles to determine the extent to which the review of its electronic social media communications is necessary to properly supervise its business.

– Insurers could adopt procedures that require pre-approval of some or all interactive electronic social media communications prior to posting.

– Insurers could alternatively review communications post-use.

● Insurers should have record retention policies and procedures for social media communications, as well as appropriate privacy protections for social media communications.

● Insurers should train their producers in accordance with their developed policies and procedures to guide producers’ social media use (or risk liability for their misuse).

From the States: Social Media Considered Advertisements/Marketing Material

● In Virginia, advertisement in the context of life insurance and annuities includes websites and other Internet displays or communications, social media, or other forms of electronic communications.

● In Massachusetts, marketing or marketing material in the context of health benefit plans includes “Social media sites including networking sites, blog postings and smartphone applications created by or for a Carrier, Insurance Producer or other entity for presentation to or use by the insurance buying public.”

● The use of a LinkedIn profile page or a similar website for the promotion of insurance, insurers, or insurance agents or brokers constitutes an advertisement, announcement, or statement under New York Law. OGC Opinion No. 10-11-07 (dated November 22, 2010).

From the States: Electronic Communications Considered Advertisements

● Ohio, New Hampshire, Idaho, Colorado mirror the NAIC Model Laws’ definition of advertisement in the context of accident and health/sickness insurance - an advertisement shall include printed and published material, . . . web sites and other internet displays or communications, other forms of electronic communications, billboards and similar displays. Ohio Admin. Code 390-8-07; N.H. Code Admin. R. 2601.3; IDAPA 18.01.24 Section 010; 3 CCR 702 Reg. 4-2-3 Section 4.

● In California, in the workers compensation context, advertisements include any form of communication, in writing, photograph or picture, electronic broadcasting or transmission. Cal. Code Regs. tit. 8, Section 9820.

● Because insurers’ use of social media will be regulated akin to traditional insurance marketing or advertising, social media communications must comply with advertising and marketing laws and regulations, among others. Because electronic advertising transcends state boundaries, insurers must be aware of multi-state advertising laws.


More Regulatory Pitfalls

● An insured may attempt to submit a claim or complaint through an insurer’s Facebook page—insurers should consider including a disclaimer regarding the proper reporting of insured claims and a link to the insurer’s claim form and/or other contact information.

● The use of social media is subject to state insurance laws that govern unfair trade practices—insurers should be aware of applicable laws and take great care to follow their own privacy policies.

● As many states, including California, require that marketing be conducted in the insurer’s name, if an insurer is using a Twitter account, compliance professionals should ensure that the account name satisfies this requirement.


Romano v. Steelcase: Are Social Media Postings Discoverable in Personal Injury Cases?

● Injured woman sued furniture company for damages suffered when she fell off a Steelcase chair

● Steelcase sought her Facebook and MySpace postings to show that she had an active lifestyle and was not confined to bed as alleged.

● Court concluded that she had no expectation of privacy as to her Facebook and MySpace postings.

● “Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. Indeed, that is the very nature and purpose of these social networking sites.”

● Same logic should apply in claims litigation, but case law is evolving.


Practice Pointers: Avoiding Regulatory Pitfalls

● Set clear expectations regarding online privacy when using corporate network

● Establish protocols for monitoring 3rd party posts and use disclosures that adequately inform users.

● Set policies ensuring that insurers are appropriately identifying, monitoring, responding to, tracking, and retaining records of complaints communicated through social media.

● Ensure that personnel communicating on behalf of the company are licensed where necessary. Note that often, if an advertisement constitutes a solicitation in a particular state then the advertising insurer must be licensed in said state.


Practice Pointers: Avoiding Regulatory Pitfalls (cont’d)

● Supervise producers and employees to ensure that:

– only approved sites are being used;

– any restrictions regarding use of approved sites are being followed;

– static advertising is being pre-approved;

– only those permitted to use social media are using it; and

– use of social media in investigations is documented.


Geolocation Tracking and Telematics

● FTC: Geographic location is sensitive information

● If a service provider links location to a specific device of a specific person, provider must:

– Give notice about how location information will be used, disclosed and protected,

– State whether the provider will share location information with third parties and identify them,

– Advise users how they can terminate the location-based services, and

– State how long information will be retained

Source: CTIA – The Wireless Association, Best Industry Practices and Guidelines for providers of location based services

The FTC Speaks: Privacy by Design – FTC Proposal, December 2010

● Build privacy protections into everyday business practices:

– Provide reasonable security

– Collect only data needed for specific business purpose

– Retain data only as long as needed for that business purpose

– Safely dispose of data no longer needed

– Implement reasonable procedures to promote data accuracy

● Companies should implement and enforce procedurally sound privacy practices throughout their organizations, including employee training and conducting privacy review when developing new products and services on a systemic basis

The FTC Speaks: FTC Testimonial Guidelines

● Governs endorsements and testimonials in advertising

● No private right of action; may be enforced by FTC under section 5 of the FTC Act

● Advertisers are subject to liability for false or unsubstantiated statements made through endorsements

● Advertisers subject to liability for failing to disclose material connections between themselves and endorsers

● Endorsements relating the experience of a customer must disclose generally expected performance


Social Media Issues In The Workplace

Managing Change in the Workplace: Some of Today’s Challenges

● Lack of clear precedent: courts and legislators lag behind while agencies run ahead

● Social networking: lines between work and life continue to blur

● New communication channels: instant messaging as corporate tool and texting is not just for teens

● Electronic discovery: the document that would not die

● Workplace privacy: does it exist?

● Anywhere, anytime access: security risk and other challenges of mobile computing

● The 24/7 workplace and the FLSA

● Control is a remnant of days gone by

● Generational differences affect communication styles


Social Media Policies 1.5

● 85% of financial services professionals under 50 are using social media. Ledermark survey, April 2010

● 45% of their employers don’t have a social media policy or prohibit its use entirely. Ledermark survey

● 31% completely prohibit employees from visiting social networking sites while at work. Robert Half Technology survey, May 2011

Online Social Networks

● Facebook has over 700 million users

● Approximately 67 million users per day access Facebook through Android and iPhone apps.

● LinkedIn – 120 million plus members

● 110 million tweets are sent daily

● Don’t think your employees are out there? Think again. Type your company’s name into the search engine of any social networking site.

(Source: thenextweb.com/facebook/ 2011/094/23/the-number-growth-and-evolution-of-the-behemoth-that-is-facebook/)

Getting to Know You: Using Social Networking in the Hiring Process

● 24% of employers had hired a staff member based on their social networking profile

● 33% decided not to make job offer to candidate after seeing profile (photos of drugs/drinking or inappropriate behavior were the most popular reasons for eliminating candidate)

● 16% of employees changed their web profiles to enhance their professional images

● 22% of companies check candidates' profiles on Facebook/MySpace before deciding to hire them (this has doubled since 2006)

● 9% said they planned to review potential employees' social networking pages in the future

Source: www.Careerbuilder.com/Article/(B-533)

Getting to Know You: Risks of Using Social Networking Websites in the Hiring Process

● Risk of making employment decisions based on inaccurate, irrelevant or false info

● Online social networking profiles often present personal information that would not properly be subject to inquiry during the hiring process

● Potential to eliminate applicants based on protected class status in violation of federal and state anti-discrimination laws

● Need to balance applicant’s rights with employer’s need to screen candidates thoroughly


Getting to Know You: Risks of Using Social Networking Websites in the Hiring Process

● Employers must have procedures for use of online data when making employment decisions

– Determine when on-line searches will be used in hiring and promotion process

– Decide whether to inform applicants about on-line searches and whether to ask for email addresses, user names and blog posts

– Comply with FCRA if using third parties to conduct search

– Do not engage in unauthorized access of password protected sites

Are You at Work? Mobile Technology Blurs the Line Between Home and Work

● By one estimate, 72% of Americans check their email on weekends and vacations and 42% check email while home sick.

Source: www.kikabink.com/news/most-workers-addicted-to-email-2-out-of-3-u-s-and-u-k-workers-check-mail-outside-business-hours/ (citing Harris Interactive research)

● iPass Mobile Employee Definition: Employee using a mobile device who accesses networks (other than corporate LAN or WLAN) for work purposes

● Average mobile worker works 240 hours per year longer than work force in general

Source: The iPass Global Mobile Workforce Report, August 2011, www.mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport-q-3_2011.pdf

● 43% of mobile workers keep smart phone at arm’s reach when they sleep

● 96% of mobile workers under 45 have smart phones

● 35% of mobile workers check email first thing upon awakening

Yours, Mine and Ours: A New World of Sharing

How do you use your smartphone?

Source: The iPass Global Mobile Workforce Report, http://mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport_q3_2011.pdf

Yours, Mine and Ours: A New World of Sharing (Cont’d)

Do you use your tablet primarily as a personal or work device?

I Owe You What?! Mobile Devices and Wage and Hour Obligations

● The average professional spends 50 minutes a day sending e-mails after work (Source: Cohesive Knowledge Solutions, 2008)

● Companies need to manage risk by:

– Updating policies and handbooks related to use of personal devices

– Not giving mobile devices to non-exempt employees

– Implementing policies that restrict non-exempt workers’ use of company-issued devices

FAD Media, Inc.


Living Together: The Ongoing Employment Relationship

● Decide whether or not to monitor - virtually all employers retain the right to monitor and address personal use of the employer’s system

● Develop policy on use of personal devices in the workplace

● Put your policies on personal use and privacy rights into clear and unequivocal language and communicate it to your employees (Ex. You have no expectation of privacy in connection …)

● If employees can access the employer’s system remotely, require employees to provide access to remote devices used to access system

● Require employees to provide immediate notice, and consent to remote wipe, if a mobile device is lost

● FOLLOW YOUR POLICY CONSISTENTLY

● Revise policy as technology evolves

● Don’t make employment decisions turn on trivial matters

FINRA’s Latest Guidance on Dual Use Devices: Regulatory Notice 11:39, August 2011

● Recordkeeping

● Q1: Does determining whether a communication is subject to the recordkeeping requirements of SEA Rule 17a-4(b)(4) depend on whether an associated person uses a personal device or technology to make the communication?

● A1: SEA Rule 17a-4(b)(4) requires a firm to retain records of communications that relate to its "business as such." This analysis does not depend upon the type of device or technology used to transmit the communication, nor does it depend upon whether it is a firm-issued or personal device of the individual; rather, the content of the communication is determinative. For instance, the requirement would apply if the electronic communication was received or sent by an associated person through a third-party's platform or system. A firm's policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.


FINRA’s Latest Guidance

Accessing Social Media Sites From Personal Devices

● Q14: May associated persons use personal communication devices and other equipment, such as a smart phone or tablet computer, to access firm business applications and perform business activity if the firm employs technology that enables the firm to keep records and supervise the activity?

● A14: Yes. Firms may permit their associated persons to use any personal communication device, whether it is owned by the associated person or the firm, for business communications. Of course, the firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.

. . . firms should have the ability to separate business and personal communications, such as by requiring that the associated persons use a separately identifiable [secure] application on the device for their business communications. . . If the firm has the ability to separate business and personal communications, and has adequate electronic communications policies and procedures regarding usage, then the firm is not required to supervise the personal emails made on these devices. Of course, firms also are free to treat all communications made through the personal communication device as business communications.

Breaking Up is Hard to Do: From Dooce to the NLRB

● Dooced: Termination based on a blog posting; see www.dooce.com (blog of woman who was fired after writing about employer on blog)

● NLRB v. American Medical Response Company, Case No. 34-CA-12576 (Connecticut, 2011). Employee terminated for criticizing her supervisor on Facebook in violation of policies. Important case because it challenged both the firing decision AND the employer’s policies. Case recently settled.

● NLRB v. Hispanics United of Buffalo (“HUB”), September 2, 2011. First ruling by an NLRB Administrative Law Judge, ruled that HUB violated the NLRA when it terminated five employees for criticizing a sixth co-worker on Facebook

“It is irrelevant to this case that the [Facebook posters] were not trying to change their working conditions and that they did not communicate their concerns to HUB”


NLRB Position on Social Media Practices and Policies: My Workforce Isn’t Unionized. Why Should I Care?

● Portions of the NLRA apply to ALL private employees.

● Specifically, employers can’t punish employees for discussing working conditions or unionization.

● Agency has taken aggressive stance on terminations as discipline for critical posts on social media.

● NLRA gives employees the affirmative right to engage in concerted action for mutual benefit and protection.


NLRB Acting General Counsel Releases Report on Social Media Cases: August 18, 2011

● Report provides analysis of 14 cases involving employers’ social and general media policies submitted to NLRB’s Division of Advice.

● Four cases found protected activity where employees posting on Facebook were discussing terms and conditions of employment with fellow employees. Four other cases found activity was not protected.

● In five cases, Division of Advice found that some provisions of employers’ social media policies were unlawfully over-broad.


Breaking Up is Hard to Do: Insurance is a Competitive Business

● Tell employees that their company-issued electronic devices will be “scrubbed” or “wiped” in the event of termination and get written acknowledgement.

● Draft non-solicits and non-competes that provide that communications to clients on social networking sites, including but not limited to Facebook, LinkedIn and Twitter, will be deemed a solicitation in breach of covenants.


Breaking Up is Hard to Do

Carol Bartz “Quits” Yahoo Board

On Thursday, Bartz said, in a sassy interview with Fortune, that she was staying on as a director. “Ms. Bartz is obligated to resign from the board and we expect her to do so,” the board’s spokesman said after the interview was published. She resigned the next day.

After calling the board members “doofuses” who “f-ked me over,” we have to imagine any future board meetings would have gotten just a wee bit awkward.

www.mogulite.com


Genetic Information Nondiscrimination Act of 2008 (GINA)

● Illegal to discriminate against employees or applicants because of genetic information

● Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information

● Any employer that possesses genetic information about an employee must maintain such information in separate files; and must treat it as a confidential medical record and may disclose it only under very limited circumstances

● Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635

● Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634


Guidelines for All

● Decide whether to permit/prohibit/limit or encourage blogging using company resources or time

● Prohibit disclosure of trade secrets or confidential info and violation of harassment policies

● Direct employees to use disclaimers

– “This post reflects my personal views, not those of the company”

● Be careful about threatening disciplinary action for disparaging statements; consider NLRA implications

● Have employees execute current confidentiality agreements and non-disclosure agreements

● Review non-competes to address use of LinkedIn and other social media sites to evade non-compete and non-solicit obligations


E-Discovery and Privacy

● Sensitive personal information is everywhere…

– Instant messages

– E-mails

– Text messages

– Online registrations

– Social networking

● All of these electronic records could be discoverable in litigation, and could be monitored by an employer

● Privacy concerns are closely related to document management and e-discovery


QUESTIONS?
