select
This is a tooltip for the edit command button
Sean McEneaney
SNR Denton US LLP
(415) 882-5026

SOCIAL MEDIA BEST PRACTICES

Navigating Regulatory and Compliance Risks

I.     INTRODUCTION1

The use of social media platforms such as Facebook, Linked-In and Twitter is growing exponentially.  Many businesses - including insurers and insurance agents - have taken notice and are utilizing social media to reach new customers and improve interactions with current ones.  In addition to the many insurers and agents now utilizing social media, insurance regulators are also using social media to communicate to the public.  Indeed, numerous state insurance departments currently have a Facebook and/or Twitter account.

This article addresses some of the legal and regulatory issues accompanying the use of social media in the insurance context.  First, we assess the current regulatory environment and identify some of the existing guidance applicable to social media use.  Next, we address a number of legal and operational issues that insurers should consider when using social media.  Finally, we discuss best practices and outline some fundamental aspects of an effective social media policy.

II.     CURRENT REGULATORY ENVIRONMENT

To date, there has been very little insurance regulatory activity directly addressing the use of social media. While some may argue that current laws make such specific regulation unnecessary, the tremendous growth in social media use portends that such tailored regulation is inevitable.

        A.     Application of Current Laws to Social Media Platforms

In the meantime, little doubt exists that an insurer's use of social media will be viewed as traditional insurance marketing/advertising and regulated as such.  While there may be other uses for social media, it would be hard for an insurer or agent to deny that a Facebook/Linked-In page or Twitter account has no relation to the "promotion of" or "creating an interest in" an insurer or insurance product, the terms commonly used in defining an insurance advertisement.2  Indeed, at least one state has indicated that its advertising rules apply to social media platforms in the same way they apply to any other medium:

The use of a Linked-In profile page or a similar website for the promotion of insurance, insurers, or insurance agents or brokers constitutes an advertisement, announcement, or statement under the New York Insurance Law.  (OGC Opinion No. 10-11-07, dated November 22, 2010.)

Virginia has also recently passed legislation, which will be effective July 1, 2011, specifically including "social media" as a form of advertising.3  Accordingly, in the absence of social medial specific regulation, insurers and agents utilizing these platforms should adhere to the core rules applicable to insurance marketing generally, including those governing print advertising.  These can include, inter alia, doing business in the insurer's own name, making sure that required disclosures are present, and avoiding improper inducements, tie-ins, or rebates.

In addition to marketing and advertising, use of social media platforms could also lead to regulatory scrutiny with respect to other typically regulated activities, including:  licensing and jurisdictional issues, consumer complaints, compensation and referral fees, insurer supervision responsibilities, and record retention.

        B.     Guidance Issued by the Financial Industry Regulatory Authority (FINRA)

The Financial Industry Regulatory Authority or "FINRA" is one of the few regulatory bodies that has actually promulgated social media specific regulatory guidance:  FINRA Regulatory Notice 10-06 "Guidance on Blogs and Social Networking Websites" (January 2010).  While FINRA applies to securities firms, some insurance producers are registered broker-dealers subject to FINRA.  Moreover, FINRA's policies on social media are likely to inform future insurance regulation in this area.  Ultimately, consideration of the core elements of the FINRA Guidance should help insurers and insurance agents better manage the regulatory risks inherent in the use of social media.

The FINRA Guidance addresses five key elements:  (1) firm supervision of social media; (2) personal use of social media by representatives and employees; (3) different approaches to static versus dynamic content; (4) third party posts on social media sites; and (5) record retention responsibilities.  We discuss each of these elements below.

               1.     Supervision of Social Media Sites

First, FINRA requires that firms supervise social media communications in a manner designed to ensure they do not violate content requirements imposed by advertising rules.  This includes, inter alia, (a) ensuring that persons who participate in social media for business purposes are appropriately trained and supervised and (b) prohibiting any person from engaging in business communications on a social media site where such communications are not subject to the firm's supervision.  This is an ongoing requirement as FINRA requires that the firm supervise the extent to which its representatives and other employees are complying with the firm's policies and procedures with respect to the use of social media.

               2.     Personal Use of Social Media by Representatives and Employees

Next, FINRA also requires that firms establish clear internal policies regarding the personal use of social media sites by representatives and employees.  Specifically, if the social media site is used for both personal and business purposes, then the site and the representatives or employees' usage must be supervised by the firm.  This may mean, practically speaking, that the firm's policy insists that representatives and employees have separate business and personal social media pages or accounts.

               3.     Interactive Capabilities - Static v. Dynamic Content

FINRA also recognizes that social media sites typically contain both static (i.e., the content that is voluntarily included in the social media platform by the entity) and dynamic (or interactive) content.  As one might expect, the static content that is generated directly by the firm must be in compliance with advertising rules and be approved in advance, according to firm policy.

As for the dynamic content, while it may not be possible for a firm to approve dynamic content in advance, the firm is still responsible for supervising such content.  This is obviously somewhat tricky given the logistics of having to track and monitor content that could change by the minute.  However, it is also important given that, in many instances, it may be hard for the consumer to differentiate the content provided by the firm versus the content that may be originating from other sources (including other consumers).  Firms must also be careful not to adopt, or make "attributable" to themselves as described below, any undesired content that may be originating from unrelated sources.

               4.     Third Party Posts on Social Media Sites Established by the Firm or its Representatives

Under FINRA's guidance, a post by a consumer or other third party is not generally considered a communication of the firm, unless it becomes "attributable" to the firm.  According to FINRA, a post is attributable when the firm is involved in preparation of the content or explicitly or implicitly endorses or approves the content.  This situation, where the firm can be viewed as adopting the content, is referred to as "entanglement."  With respect to third party posts, FINRA recommends establishing the process for screening third party content, disclosing firm policies regarding responsibility for third party posts, and using disclaimers.

               5.     Record Retention Responsibilities

Finally, FINRA also requires that all social media use be in compliance with record retention responsibilities. While this is not surprising given the various supervision and other advertising monitoring obligations imposed by FINRA, actual compliance may be somewhat onerous given the dynamic nature of social media.  FINRA acknowledges that firms may use vendors to satisfy these obligations; however, ultimate responsibility for compliance remains with the firms.

        C.     Insurance Regulators/National Association of Insurance Commissioners ("NAIC")

At present, there is very little in the way of social media specific state insurance regulation.  It should only be a matter of time, however, before states become more active in this area.  The NAIC has previously held meetings on the use of social media in the insurance context, and a NAIC Working Group has reportedly been created in order to draft a white paper addressing and raising awareness of social media issues in the insurance industry.

In the meantime, however, these ever-evolving social media platforms will pose regulatory challenges not only for insurers but also for insurance regulators.  In addition to having to come up to speed with the myriad ways insurers are using social media platforms, insurance regulators will likely need to increase staff and resources to conduct monitoring and review.

From a market regulation standpoint, insurers should assume that regulators will begin to include social media use in market analysis reviews and enforcement investigations.  This could include a whole range of questions regarding the insurer's use of social media stretching beyond advertising or marketing practices.  For instance, examiners may question whether, where necessary, the insurer is using licensed professionals to communicate with consumers.  State regulators may also examine whether the insurer is monitoring its business partners' compliance with such requirements.

III.     POTENTIAL LEGAL AND OPERATIONAL ISSUES

In this section we highlight some of the potential legal and operational issues which could impact an insurer using social media, including:  (1) marketing/advertising; (2) operations and (3) privacy/intellectual property.

               1.     Marketing/Advertising Issues

The most obvious area of concern for insurers should be in the context of insurance marketing.  The main thing to emphasize here is that the medium does not change the rules when it comes to marketing prohibitions.

First, compliance professionals must recognize that social media is a fluid and interactive platform.  Typically, a compliance officer has the ability to preview advertisements.  And, while the same type of review would be available with respect to web pages or "static" social media, such review is harder to conduct with respect to social media marketing which occurs in real time (i.e., if there are direct interactions with consumers).  Nevertheless, such activity should be supervised to the extent it can be construed as advertising.

Second, compliance professionals should ensure that personnel communicating on behalf of the company is licensed where necessary.  For instance, issues may arise if adequate controls are not implemented over who may respond to Facebook posts, tweets, etc.  This review should extend to business partners.  If the insurers' vendors and other business partners are linking to the company's social media site, care should be given to licensing compliance.

Third, issues may arise if the insurer's social media activities could cause confusion as to the entity actually marketing.  Here, it might be easy to fall into some pitfalls.  For example, many states require that marketing be conducted in the insurer's name.4  Thus, to the extent that an insurer is using a Twitter account, compliance professionals will want to ensure that the account name satisfies this requirement.  The insurer should also make sure that if any advertisements direct account followers back to a particular web page, the advertisement and the web page properly identifies the company and otherwise complies with marketing rules.

Finally, compliance professionals will want to make sure that the dynamic content distinguishes between company posts and consumer posts.  Not only could this cause confusion, but the insurer needs to be careful not to adopt comments made by unlicensed third parties that could be viewed as improper endorsements.

               2.     Operational Issues

There are also operational issues that may arise from the use of social media.  For instance, is the insurer properly identifying, monitoring and responding to complaints that may be communicated by consumers through the insurer's social media platforms?  At the same time, is the insurer tracking and retaining records of these complaints?

There may also be claims implications.  For instance, it is possible that an insured may attempt to submit a claim through the insurer's Facebook page.  Here, including a disclaimer regarding the proper reporting of insured claims should be considered.  Even with a disclaimer, however, insurers should consider monitoring social media platforms for claims activity and establishing policies regarding same.

Social media use will likely be encompassed in future market regulation activity.  Either way, record retention protocols are important.  Not only is this consistent with the FINRA guidance discussed above, but also with certain state department of insurance bulletins reminding insurers of the need to retain records with respect to electronic transactions.5

Indeed, record retention may also be applicable in litigation.  In some cases, a policyholder's social media use could provide information or evidence in connection with a claim or lawsuit.  However, social media is a two-way street.  Specifically, litigants may also try to subject an insurer's social media platforms to discovery in litigation.

               3.     Privacy/Intellectual Property Issues

While a full treatment of the privacy and intellectual property issues accompanying the use of social media is beyond the scope of this article, we address three issues here.

First and foremost, insurers need to assess how much personally identifiable information they may be collecting about their insureds and potential insureds through social media platforms.  In short, from a privacy standpoint, insurers need to take care that they do not improperly utilize or disclose such information.

From a trade secret perspective, insurers must also be mindful of how their employees and representative use social media.  Specifically, that when using social media, representatives are not disclosing too much information about the company (either on behalf of the company or on a personal page).

Finally, most insurer websites contain "terms of use."  Given the relationship between social media sites and the insurer's own website, insurers should make sure that social media usage is either encompassed by or is not inconsistent with, existing terms of use.

IV.     SUMMARY OF SOCIAL MEDIA BEST PRACTICES

The issues associated with the use of social media are not confined to just "Regulatory" or "Compliance" matters.  At the end of the day, an insurer's social media presence speaks for the company and, therefore, also poses some reputational risk.  Below we identify some best practices and fundamentals of a social media policy aimed at mitigating this risk.

Initially, those in charge of insurer compliance need to assess how the organization uses social media.  Once an assessment of the current practice has been determined, the insurer should then develop or update its social media policy.  The bottom line is that whatever form regulation and examination takes, insurance regulators will be more comfortable if the insurer has a reasonable policy to which it adheres.  The following are a number of important components to such a policy: 

  • Establish protocols for the creation of static content to ensure it is compliant with advertising laws and acknowledging and responding to consumer complaints;
  • Set clear expectations regarding online privacy when using corporate network access;
  • Prohibit any use of social media for business purposes that can not be supervised or retained by the   company;
  • Ensure that persons who participate in social media for business purposes are appropriately trained and supervised;
  • Consider restriction of continued social media use if an individual poses a compliance risk;
  • Establish protocols for monitoring third party posts on sponsored social media sites; and
  • Use disclosures that sufficiently inform users of the company's position regarding third party posts.

Finally, whether or not made part of the social media policy, the insurer should maintain a compliant record retention practice.  While this could include use of a vendor, the insurer should find a technology with which it is comfortable.

V.     CONCLUSION

While social media platforms create tremendous opportunities for insurers to better connect with their customers, these platforms pose some risks and challenges.  Compliance professionals should ensure that any accompanying risks are managed by adopting social media best practices and policies, even in the absence of direct regulations.

 

References

1. The authors would like to thank Stephanie Duchene and Douglas Freeman, also both of SNR Denton US LLP, for their assistance with this article.

2. See e.g., Iowa Administrative Code 191-15.2 ("'Advertisement' for the purpose of these rules shall be material designed to create public interest in insurance or an insurer, or to induce the public to purchase, increase, modify, reinstate or retain a policy...").

3. See 14 Virginia Administrative Code 5-41-20 ("'Advertisement' means any marketing communications...used by an agent or insurer...including, but not limited to:  (1) printed or published material, audiovisual material...websites and other Internet displays or communications, social media, or other forms of electronic communications...") (emphasis added).

4. See e.g., Washington Insurance Code section 48.05.190 which requires that "every insurer shall conduct business in its own legal name."

5. See e.g., Arkansas Insurance Bulletin 6-2002 ("Electronic record keeping is generally subject to the same timelines and other standards as record keeping in other media.  This state finds that a regulated entity is in compliance with the state's record keeping requirements if it can reassemble the original information upon request.  For example, in cases where there is no paper document, a regulated entity shall be in compliance if it can produce the information or data that accurately represents the record of communication between the policyholder and the regulated entity").