CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Posts Tagged ‘Facebook’

Could Facebook’s $5 Billion FTC Fine for Privacy Violations be Covered by Cyber Insurance?

Posted on: August 14th, 2019

By: Isis Miranda

A similar question was posed to me recently at a conference where I was speaking about the GDPR (European General Data Protection Regulation): “Could my company just buy insurance instead of worrying about whether our China-based venders are complying with the GDPR?” The audience chuckled. But the question raises important and complex issues, one of which is whether civil fines are insurable and, more importantly, whether they should be.

Record-breaking fines recently announced by the FTC (Federal Trade Commission), including $5 billion against Facebook and up to $700 million against Equifax, and proposed fines by the ICO (the UK’s Information Commissioner’s Office), including £183 million against British Airways and £99 million against Marriott, combined with the advent on the horizon of the CCPA (California Consumer Privacy Act), a sweeping GDPR-like privacy law, has increased anxiety over the insurability of these fines.

Traditional insurance policies generally do not cover regulatory fines, but many cyber policies do. These insuring provisions, which typically provide coverage for civil fines and penalties levied by any regulator worldwide arising from a data breach “where insurable by law,” have yet to be scrutinized by a court. Uncertainty over whether courts may void these policy provisions as being contrary to public policy prompted the Global Federation of Insurance Associations to request assistance from the OECD (Organisation for Economic Co-operation and Development), explaining that “there is international confusion as to the insurability of fines and penalties” and stating that “OECD work to clarify this issue would benefit consumer and insurer contract certainty.”

Answering this question is no easy task. Starting with the question of whether these fines are insurable, one immediately finds that there are no legislative pronouncements or court decisions addressing the issue in the context of a cyber policy that expressly provides coverage for regulatory fines. And efforts to predict how a court might rule once the issue is raised, as it inevitably will be, are stymied by the disarray of the current case law in the related areas of punitive and statutory damages. This diversity of opinion reflects the complexity of the underlying question – whether such fines should be insurable. Courts struggle with questions, such as who should decide – legislators, judges, insurance companies? And what criteria should be applied in making the decision? Should the decision apply to all civil fines and penalties issued pursuant to a given regulation or should the issue be decided on a case-by-case basis for each violation?

In the U.S. the decisions of courts across the country regarding the insurability of punitive damages are, well, all over the map. These decisions vary in their approach to reconciling the language of the insurance policy at issue with public policy considerations in the approximately 20 states that prohibit insurance for directly assessed punitive damages, including decisions that:

  1. prohibit insurance for punitive damages, even if the policy expressly provides coverage;
  2. prohibit insurance for punitive damages, unless the policy expressly provides coverage;
  3. do not prohibit insurance for punitive damages but do not interpret policies as covering them, unless expressly included; and
  4. do not prohibit insurance for punitive damages and interpret policies as covering them, unless expressly excluded.

It is unclear whether courts will address coverage for fines and penalties in similar fashion. States that do not prohibit punitive damages could, nonetheless, place restrictions on insurance for civil fines and penalties beyond existing limits on insuring intentional conduct. And vice versa. Thus far, a few courts have applied the prohibition on punitive damages to civil fines and penalties without addressing the distinctions between the two. For example, in City of Fort Pierre v. United Fire and Casualty Company, 463 N.W.2d 845 (S.D. 1990), the federal government sued the City of Fort Pierre seeking civil penalties due to violations of the Clean Water Act of 1977. The South Dakota Supreme Court held that the civil penalties were punitive in nature and thus precluded from being covered under the City’s insurance policy. A dissenting justice disagreed, stating: “Before punitive damages may be awarded, malice on the part of the party from whom the punitive damages are sought must be shown. No similar requirement exists for the imposition of the civil penalty. Therefore, the civil penalty the United States sought to have imposed upon the City of Ft. Pierre cannot be equated to punitive damages.” Similarly, in Bullock v. Maryland Casualty Company, 85 Cal. App. 4th 1435 (Ct. App. 2001), the California Court of Appeal held that civil fines are not insurable without addressing the fact that the public policy prohibiting insurance for punitive damages was expressly limited to punitive damages that were assessed upon a finding of fraud, oppression or malice. City Products Corporation v. Globe Indemnity Company, 88 Cal. App. 3d 31 (Ct. App. 1979). It will be interesting to watch how the case law evolves as coverage battles involving cyber policies that expressly provide coverage for fines and penalties percolate through the courts.

Now to the question we started with. Without knowing the contents of Facebook’s insurance policy, we can only speculate as to its terms, including which state’s laws would apply to interpret the policy. But we would not be going out on a limb by saying that the $5 billion FTC fine likely exceeds policy limits. Facebook will not garner much sympathy, given that it inarguably violated the FTC’s 2012 order and can readily afford the $5 billion fine. And there is concern that allowing companies to obtain insurance to cover civil penalties for violating data privacy and security statues would discourage them from making the investments necessary for compliance. But the reality is more nuanced. Small- and medium-sized businesses, in particular, benefit from the data security assessments, cyber risk consulting services, and preferred vendors that are made available by many cyber insurance carriers, which serves to increase compliance with related statutes. See, e.g., Kyle D. Logue & Omri Ben-Shahar, “Outsourcing Regulation: How Insurance Reduces Moral Hazard” (Coase-Sandor Institute for Law & Economics Working Paper No. 593, 2012). These issues will, no doubt, continue to be debated for many years to come.

Amidst all this uncertainty, one thing is sure: the future will be fascinating.

If you have any questions or would like more information, please contact Isis Miranda at [email protected].

 

Next Up Libra: Regulating Cryptocurrency

Posted on: July 23rd, 2019

By: David Molinari

Reluctance to accept cryptocurrency as a medium of exchange continues to focus, in substantial part, on the inability to regulate a virtual form of currency.

Cryptocurrencies were originally meant to be stateless entities, not beholden to legal frameworks of any state or country.  Such intent was/is short-sighted if the goal is to function as an alternative currency.  Regulation is the doorway through which cryptocurrency must pass to be considered a viable system of currency for everyday transactions.  The word “regulation” has taken on a negative meaning.  “Regulation is bad for (fill in the blank)” is a familiar refrain.  However, regulation, at least concerning currency markets and exchanges, establishes rules and order.  When the currency alternatives are defined by the term “virtual,” proponents of cryptocurrency will face skepticism.  In the absence of federal directives on the cryptocurrencies, some states have tried to take matters into their own hands.  The result is a patchwork approach trying to meld old currency regulations to control the new frontier of cryptocurrencies.  Perhaps as a nod to the inevitable choice of government regulation or irrevocable stamp of “outlaw,” Facebook’s executive, David Marcus, in recent statements before the Senate Banking Committee noted that Libra will get “appropriate approvals” from regulatory agencies and be subject to regulatory oversight and review.

But what does regulatory oversight look like in a virtual currency world? How can any state or the Federal Government regulate a system where any major corporation with international reach can create their own form of cryptocurrency.  Cryptocurrencies raise concerns of national security because virtual currencies have the potential for illicit activities such as money laundering or facilitating other unlawful behavior.  The virtual currency market was created so digital asset service providers can operate in the shadows of no regulation.  Also, cryptocurrencies are highly volatile because exactly what backs the currency?  What is the value of any cryptocurrency at any time?  How can the system be protected from fraud?

There are three aspects that should be covered when attempting to establish a system of regulation for virtual currency: The use of cryptocurrencies as legal tender in business transactions, imposing authority on operation of cryptocurrency exchanges as money transmitters; and the status of smart contracts and Ethereum Tokens.

The first two factors seem amendable to the type of regulatory framework of establishing a commissioner or government arm that is responsible to evaluate whether the crypto/digital currency has capital enough to ensure safety and soundness of the currency for consumer protection.  A minimum amount of capital should be maintained by the cryptocurrency provider measured by total assets, total liabilities, the expected value of the virtual business activity, the amount of leverage employed and liquidity.

A difficult factor is determining a definition of “digital unit” to be used as a form of stored value.  Further, should there be carve-outs for online gaming platforms, digital units used exclusively as part of a consumer affinity or rewards program; or, digital units redeemable for goods, services or purchases exclusively with the issuer or designated merchant.

Libra is the latest threat to an old guard established financial system.  Where Facebook’s Libra allegedly differs is it is not intended to compete with the US or other countries’ sovereign currency; and therefore, won’t interfere with central banks on monetary policy. Yet by the very nature of being an alternative currency, Libra like other cryptocurrencies are competitors and disruptors of established currency markets.  A competitor is seen as a threat in most environments; when the environment is a financial system, competitors are a threat that raise serious concerns.  Libra, like other cryptocurrencies were designed to be independent of legal frameworks.  Regulation is the opposite to cryptocurrency’s design.  While such opposites in another environment or market would cripple any new product or service, cryptocurrency as a technology, is an idea whose development isn’t tied to or halted by government oversight.  While it is quaint to conclude cryptocurrency will be forced to adjust to government’s brand of regulation, that may not be accurate in this situation.  Cryptocurrencies are operating and will go on and continue to be unregulated. It is the regulating bodies that are playing catch-up.

If you have questions or would like more information, please contact David Molinari at [email protected].

Facebook And Association Criticism: How To Address Unfounded Allegations Against An Association And Its Board

Posted on: October 12th, 2018

By: Jonathan Romvary

How far can a Board go in fighting against what they believe is unfair homeowner criticism? Can they publish a formal response to unfounded allegations? How should Associations address online criticism on unofficial Facebook groups created by dissatisfied homeowners?

These issues were partially addressed in a recent unpublished California Appeals Court decision in Kulick v. Leisure Village Association (2018). Kulick involved two consecutive lawsuits between a homeowner who was anonymously publishing an unofficial newsletter that was highly critical of his Homeowner’s Association, the Association’s Board and its attorneys. Unfortunately for the homeowner, the HOAs rules specifically prohibited the dissemination of anonymous publications to the Association’s members and the Association successfully filed suit against the homeowner for breaching the Association’s covenants, conditions and restrictions (CC&Rs) and was awarded more than $125,000.00 including punitive damages.

After losing his appeal, and apparently not learning from the prior lawsuit, the homeowner began republishing his anonymous newsletter criticizing the Association’s Board, this time asserting that the Board and its officers committed perjury, extortion, obstruction of justice, racketeering, and lying and cheating. The Association’s attorneys responded to the most recent allegations by distributing an official letter to all of the homeowners addressing the allegations as a “reckless communication” containing “unfounded, inaccurate, and spiteful allegations” against the Association and detailing the prior lawsuit against the homeowner. Feeling attacked by the HOA, the homeowner filed a lawsuit against the Association for, among other things, defamation. The HOA defended itself saying its actions were protected under California’s anti-SLAPP laws which are designed to protect defendants who have been sued for acts in furtherance of a constitutionally protected right of free speech or petition. The trial court agreed, finding that the Association’s letter constituted “protected activity” as a public writing relating to an issue of public interest to the Association’s homeowners’, i.e. the lawsuit between the Association and homeowner. Ultimately the California Appellate Court upheld the trial court’s ruling.

From Kulick, it is clear that Associations may respond to individual criticisms that are not legally permissible (e.g. false assertions of fact, etc.) and have certain rights against defamation published by its members. However, it remains unclear to what extent Associations can restrict alternative forms of publications, such as Facebook community groups or anonymous Twitter accounts. In the age of Facebook, where publishing and distribution is free and easy, Associations must remain vigilant. False accusations and anonymous publications can cause significant disruption to the operation and reputation of an Association. Associations should be alert for publications containing false assertions or publications that purport to be official communication and should address any statements that defame the association, its board of directors, managing agent, or employees.

If you have any questions on how your Association can be proactive and protect itself against unofficial homeowner publications or would like more information, please contact Jonathan Romvary at [email protected].

If You Don’t Have Anything Nice To Say….You Probably Shouldn’t Post It!

Posted on: August 22nd, 2018

By: Shaun DaughertySamantha Skolnick

Mothers all over the world have admonished their children: “if you don’t have anything nice to say, don’t say anything at all.”  It may lose something when translated into some obscure dialects, but the sentiment was still there.  Now that we live in the age of technology, it appears that the old saying could use a facelift.  “If you don’t have anything nice to say, you should not type it anywhere on the internet.”  That is especially true if you are criticizing doctors and hospitals.

A wave of litigation has been emerging involving doctors and hospitals, but in these instances, they are not the targets, they are the plaintiffs.  Doctors and hospitals are starting to sue their patients for negative reviews on social media. The most recent example earned itself an article in USA Today where retired Colonel David Antoon had to pay $100 to settle felony charges for emailing his surgeon articles that the doctor found threatening as well as posting a list on Yelp of the surgeries the urologist had scheduled for the same time as his own.  Antoon alleged that his surgery left him incontinent and impotent and he had tried to appeal to the court of public opinion.

In other news, a Cleveland physician sued a former patient for defamation after the negative internet reviews of her doctor reached the level of deliberately false and defamatory statements. The case may be headed to trial in August. Close by, a Michigan hospital sued three relatives for Facebook posts and picketing which amounted to defamation, tortious interference and invasion of privacy. The family claimed that the hospital had mistreated their deceased grandmother.

We live in a country that ensures freedom of speech, and that right is exercised more than ever with the advent of social media and an ever-growing audience of participants.  However, there can be consequences if the speech is inaccurate or defamatory in nature.  While some attorneys, like Steve Hyman, cite the law in stating that “[t]ruth is an absolute defense. If you do that and don’t make a broader conclusion that they’re running a scam factory then you can write a truthful review that ‘I had a bad time with this doctor.’”  Other commentators, like Evan Mascagni from the Public Participation Project, tout avoiding broad generalizations, “If you’re going to make a factual assertion, be able to back that up and prove that fact.” That is defense against defamation claims 101.

The world of non-confrontational criticism on social medial makes it easy and tempting to post an emotionally fueled rant.  But beware!  You want to avoid a situation like that of Michelle Levine who has spent nearly $20,000 defending herself against a suit filed by her Gynecologist over defamation, libel, and emotional distress. The 24-hour rule is still a viable alternative to hitting “send” or “post.”  Type it out, let it sit and ruminate for a bit, and then decided if you are going to post the negative comments for the world to see.  Some opinions are worth sharing, or you may decide…. don’t say anything at all.

If you have any questions or would like more information please contact Shaun Daugherty at [email protected] or Samantha Skolnick at [email protected].

Facebook and Twitter: More Transparency for Political Ads

Posted on: June 4th, 2018

By: Amy Bender

In the wake of the alleged Russian interference with the U.S. presidential election through targeted Facebook ads, both Facebook and Twitter now have imposed conditions for political campaign advertisements. Since there currently are no legal requirements for posting political content on private social media platforms, the platforms have the freedom – and, some say, the responsibility – to create their own policies in order to regulate the content delivered to their users. Facebook and Instagram (which Facebook owns) now require that political ads be labeled with information such as who funded the ad, the campaign budget, the number of viewers, and their demographics. The information also will be stored in a searchable archive. Twitter will require advertisers of political campaigns for federal elections to identify themselves and prove they are located in the U.S. Further, it will not allow foreign nationals to target political ads to U.S. residents. Both platforms have cited increased transparency as the basis for these changes. Facebook also has been under scrutiny since the Cambridge Analytica/user data breach incident, as we reported here.

It remains to be seen if these measures will help regulate political content and if more social media platforms will follow suit.

If you have any questions or would like more information, please contact Amy Bender at [email protected].