FMG Law Blog Line

Posts Tagged ‘Federal Trade Commission’

Could Facebook’s $5 Billion FTC Fine for Privacy Violations be Covered by Cyber Insurance?

Posted on: August 14th, 2019

By: Isis Miranda

A similar question was posed to me recently at a conference where I was speaking about the GDPR (European General Data Protection Regulation): “Could my company just buy insurance instead of worrying about whether our China-based vendors are complying with the GDPR?” The audience chuckled. But the question raises important and complex issues, one of which is whether civil fines are insurable and, more importantly, whether they should be.

Record-breaking fines recently announced by the FTC (Federal Trade Commission), including $5 billion against Facebook and up to $700 million against Equifax, and proposed fines by the ICO (the UK’s Information Commissioner’s Office), including £183 million against British Airways and £99 million against Marriott, combined with the approaching effective date of the CCPA (California Consumer Privacy Act), a sweeping GDPR-like privacy law, have increased anxiety over the insurability of these fines.

Traditional insurance policies generally do not cover regulatory fines, but many cyber policies do. These insuring provisions, which typically provide coverage for civil fines and penalties levied by any regulator worldwide arising from a data breach “where insurable by law,” have yet to be scrutinized by a court. Uncertainty over whether courts may void these policy provisions as being contrary to public policy prompted the Global Federation of Insurance Associations to request assistance from the OECD (Organisation for Economic Co-operation and Development), explaining that “there is international confusion as to the insurability of fines and penalties” and stating that “OECD work to clarify this issue would benefit consumer and insurer contract certainty.”

Answering this question is no easy task. Starting with the question of whether these fines are insurable, one immediately finds that there are no legislative pronouncements or court decisions addressing the issue in the context of a cyber policy that expressly provides coverage for regulatory fines. And efforts to predict how a court might rule once the issue is raised, as it inevitably will be, are stymied by the disarray of the current case law in the related areas of punitive and statutory damages. This diversity of opinion reflects the complexity of the underlying question – whether such fines should be insurable. Courts struggle with questions such as who should decide – legislators, judges, insurance companies? What criteria should be applied in making the decision? Should the decision apply to all civil fines and penalties issued pursuant to a given regulation, or should the issue be decided on a case-by-case basis for each violation?

In the U.S. the decisions of courts across the country regarding the insurability of punitive damages are, well, all over the map. These decisions vary in their approach to reconciling the language of the insurance policy at issue with public policy considerations in the approximately 20 states that prohibit insurance for directly assessed punitive damages, including decisions that:

  1. prohibit insurance for punitive damages, even if the policy expressly provides coverage;
  2. prohibit insurance for punitive damages, unless the policy expressly provides coverage;
  3. do not prohibit insurance for punitive damages but do not interpret policies as covering them, unless expressly included; and
  4. do not prohibit insurance for punitive damages and interpret policies as covering them, unless expressly excluded.

It is unclear whether courts will address coverage for fines and penalties in similar fashion. States that do not prohibit punitive damages could, nonetheless, place restrictions on insurance for civil fines and penalties beyond existing limits on insuring intentional conduct. And vice versa. Thus far, a few courts have applied the prohibition on punitive damages to civil fines and penalties without addressing the distinctions between the two. For example, in City of Fort Pierre v. United Fire and Casualty Company, 463 N.W.2d 845 (S.D. 1990), the federal government sued the City of Fort Pierre seeking civil penalties due to violations of the Clean Water Act of 1977. The South Dakota Supreme Court held that the civil penalties were punitive in nature and thus precluded from being covered under the City’s insurance policy. A dissenting justice disagreed, stating: “Before punitive damages may be awarded, malice on the part of the party from whom the punitive damages are sought must be shown. No similar requirement exists for the imposition of the civil penalty. Therefore, the civil penalty the United States sought to have imposed upon the City of Ft. Pierre cannot be equated to punitive damages.” Similarly, in Bullock v. Maryland Casualty Company, 85 Cal. App. 4th 1435 (Ct. App. 2001), the California Court of Appeal held that civil fines are not insurable without addressing the fact that the public policy prohibiting insurance for punitive damages was expressly limited to punitive damages that were assessed upon a finding of fraud, oppression or malice. City Products Corporation v. Globe Indemnity Company, 88 Cal. App. 3d 31 (Ct. App. 1979). It will be interesting to watch how the case law evolves as coverage battles involving cyber policies that expressly provide coverage for fines and penalties percolate through the courts.

Now to the question we started with. Without knowing the contents of Facebook’s insurance policy, we can only speculate as to its terms, including which state’s laws would apply to interpret the policy. But we would not be going out on a limb by saying that the $5 billion FTC fine likely exceeds policy limits. Facebook will not garner much sympathy, given that it inarguably violated the FTC’s 2012 order and can readily afford the $5 billion fine. And there is concern that allowing companies to obtain insurance to cover civil penalties for violating data privacy and security statutes would discourage them from making the investments necessary for compliance. But the reality is more nuanced. Small- and medium-sized businesses, in particular, benefit from the data security assessments, cyber risk consulting services, and preferred vendors that are made available by many cyber insurance carriers, which serves to increase compliance with related statutes. See, e.g., Kyle D. Logue & Omri Ben-Shahar, “Outsourcing Regulation: How Insurance Reduces Moral Hazard” (Coase-Sandor Institute for Law & Economics Working Paper No. 593, 2012). These issues will, no doubt, continue to be debated for many years to come.

Amidst all this uncertainty, one thing is sure: the future will be fascinating.

If you have any questions or would like more information, please contact Isis Miranda at [email protected].


Countries Around the World Are Investigating Facebook’s Cambridge Analytica Event

Posted on: April 26th, 2018

By: Allen E. Sattler

On March 18, 2018, news broke of the Cambridge Analytica event, in which the data of an estimated 87 million Facebook users was disclosed to the UK-based political consulting firm. The breach of user data resulted in several U.S. investigations, including by Congress and by the Federal Trade Commission (“FTC”). Facebook entered into a consent decree with the FTC in 2011, in which Facebook agreed never to make deceptive claims concerning users’ privacy and to obtain users’ informed consent before changing the way in which it shares their data. The FTC is investigating whether Facebook violated the terms of this agreement, which carries a possible $40,000 per-violation fine.

On April 10 and 11, Mark Zuckerberg appeared before Congress, where he testified that Facebook failed to protect its users’ data and that Facebook “didn’t take a broad enough view” of its responsibility in ensuring the privacy of its users following its initial discovery of the Cambridge Analytica event. He also accepted personal responsibility for the matter as the company’s founder and CEO.

What might have been lost in the flurry of domestic activity is the amount of scrutiny Facebook is receiving from nations around the globe. This breach involved users from many countries, with over 1 million affected users in each of four different countries.

The European Union launched an investigation into Facebook on March 19, and the United Kingdom and Australia quickly followed. Under Australian privacy laws, the government has the authority to issue fines against Facebook of up to $1.6 million if it determines that Facebook violated those laws.

Countries of Southeast Asia soon followed with investigations of their own. Indonesia, which is home to over 115 million Facebook users, 1 million of whom were affected by this breach, launched an investigation on April 6. Under Indonesian law, the government can assess fines against Facebook representatives personally of up to $870,000. Singapore has opened an investigation as well, and has already questioned Facebook executives located in that country.

The Philippines announced its investigation into Facebook on April 13. The country has been rated the biggest user of social media several years running. Research indicates that Filipinos spend almost four hours per day on various social media platforms. This breach affected nearly 1.2 million Filipinos, and news reports indicate that Cambridge Analytica might have helped President Rodrigo Duterte in his successful 2016 campaign. The event therefore has enormous significance to Filipinos.

On Friday, April 20th, Germany became the latest country to open an official investigation into Facebook. Germany’s data privacy regulator said fines could be levied against Facebook in the amount of 300,000 euros ($366,000).

Facebook had revenues of more than $40 billion last year, so the fines that each country might assess against the company seem relatively insignificant. The investigations launched against Facebook can nevertheless have a big impact on the company and on the entire industry. This event has garnered the attention of countries around the world, and it has already led to a greater awareness of privacy concerns that exist on social media platforms.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].


FTC Guidance for Online Protection for Children

Posted on: May 14th, 2013

By: Matt Foree

A byproduct of widespread use of the internet is its inevitable use by young children. Today, children have access to the internet through computers, smartphones and countless other electronic devices. To protect the privacy of children online, Congress enacted the Children’s Online Privacy Protection Act (“COPPA”), which provides rules for operators of commercial websites and online services directed to or knowingly used by children under 13. COPPA required the Federal Trade Commission (“FTC”) to issue and enforce regulations concerning children’s online privacy. The FTC’s original COPPA Rule became effective on April 21, 2000.

Significantly, the FTC issued new, stricter rules under COPPA on December 19, 2012, the first time the rules have been amended since COPPA was enacted in 1998. (See video of Chairman John D. Rockefeller IV’s remarks regarding the amendment and the modernization of COPPA.) Obviously, much of the relevant technology has evolved since COPPA was enacted. The new rules go into effect on July 1, 2013, and can be found on the FTC’s website.

The stricter rules under COPPA came shortly after the FTC issued a report entitled “Mobile Apps For Kids: Disclosures Still Not Making the Grade” on the state of mobile app privacy protections for children in December 2012. This report characterized the results of its recent survey on mobile apps as “disappointing,” and noted that the mobile app industry “appears to have made little or no progress in improving its disclosures” since the FTC’s previous report.

Generally, COPPA applies to operators of commercial websites and online services, such as mobile apps, directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. COPPA also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. “Personal information” includes, among other things, first and last name, a home or other physical address, a screen or user name, a telephone number, certain geolocation information, a social security number, and a photograph, video, or audio file that includes a child’s image or voice.

The rules provide that operators covered by COPPA must, among other things, post a clear and comprehensive policy describing their information practices for personal information collected online from children, provide direct notice to parents and obtain verifiable parental consent, with some exceptions, before collecting personal information online from children, and give parents access to their child’s personal information to review and/or have the information deleted.

The FTC has recently released a document providing further COPPA guidance. Entitled “Complying with COPPA: Frequently Asked Questions, a Guide for Business and Parents and Small Entity Compliance Guide” (the FAQ), this compliance document sets forth 92 frequently asked questions related to COPPA. As stated in the document, the “primary goal of COPPA is to place parents in control over what information is collected from their young children online.” The FAQ provides specific guidance about obligations regarding use or disclosure of previously collected information that will be deemed personal information once the amended rule goes into effect on July 1, as well as an explanation of the differences between the new and old COPPA rules.

The new COPPA rules provide pitfalls for covered operators of commercial websites and online services. Covered businesses should review COPPA and the FTC guidance to ensure compliance with COPPA, which authorizes civil penalties of up to $16,000 per violation. COPPA gives states and certain federal agencies authority to enforce compliance.