On May 11, 2013, when Governor Hickenlooper signed HB13-1046, Colorado joined a growing number of states with laws restricting employer access to the social media accounts of employees.1 The newly enacted statute prohibits employers from requiring or requesting employees and prospective employees to share user names, passwords, or any other identifying information for social networking sites such as Facebook or Twitter.2 Further, the statute restricts employers from firing, refusing to hire, disciplining, or threatening to discipline an employee or applicant for refusing to provide such information.3
While there are exceptions, the exceptions apply only "based on the receipt of information." Employers may conduct investigations for the purpose of ensuring compliance with securities or other financial laws and regulations, "based on the receipt of information" concerning an employee's use of personal or business internet accounts.4 Employers may investigate an employee's electronic communications "based on the receipt of information" about unauthorized downloads of an employer's proprietary information or financial data.5 However, the employer may not monitor an employee's use of social media in the absence of the receipt of information.
The Colorado statute fails to address the fact that other Colorado laws require an insurer to monitor the advertising of its agents, including their use of social media. Colorado insurers have affirmative duties under state regulations to monitor employee advertising and marketing activities, and to maintain records of activities for a number of years, regardless of the receipt of information about any allegations of wrongdoing (or lack thereof).6 As a result, insurance companies appear to be precluded from monitoring social media while also being required to do so.
Insurer Duties to Monitor in Colorado
Colorado insurance regulations require all insurers which are subject to market conduct examinations to maintain vast amounts of records, including those concerning marketing efforts, for a period of roughly two calendar years.7 Regulation 1-1-7 includes in its description of marketing materials which are subject to examination by the Commissioner of Insurance the following: sales and advertising, producer communications, marketing policies and procedures, agency management, and producer training materials.8 Noncompliance, or the failure to have such records stored and ready for examination, may result in fines, cease and desist orders, and the suspension or revocation of licenses.9
Regulation 4-1-2, controlling advertising and sales in life insurance and annuities, is explicit in what activities are directly attributable to the insurer. The regulation provides that "all advertisements, regardless of by [sic] who write, created, or presented the advertisement, shall be the responsibility of the insurer whose policies are advertised."10 Additionally, the regulation requires the creation and maintenance of a system "at all times" to control content and dissemination of advertising, including the prior approval of materials.11 Like the market conduct regulation, insurers must maintain copies of all advertising material for five years after use or publication, subject to inspection by the Commissioner of Insurance.12 Failure to comply is considered an unfair or deceptive trade practice, and may result in fines, suspension, or revocation of licensure in the state.
Regulation 4-2-3 imposes similar duties and liabilities on sickness and accident insurers, attributing advertising and marketing to the insurer.13 The insurer is liable for advertising materials regardless of whether or not the material was made directly or indirectly, by or on behalf of the insurer, producer, or solicitor.14 Like Regulation 4-1-2, this regulation also requires a system of maintaining control, and noncompliance is deemed an unfair or deceptive trade practice, punishable by fines, suspension, or revocation of licensure.
Use of Social Media for Advertising
Social media represents a growing means for marketing insurance products. As an early adopter of social media networking,15 the insurance industry is already using social media for sales, marketing, customer service, and even catastrophe response.16 Agents make extensive use of social media, and it is anticipated that use will grow, with the next generation of producers and agents using social media as the proverbial "kitchen table," building relationships in new ways and on new terms.17 As a result, an insurer cannot realistically ban or preclude social media marketing and, more likely, insurers may be promoting its use for sales.
To the extent that an insurer faces exposure for its agents' use of social media, allowing the insurer to control, or at least monitor, the social media may be critical. However, under Colorado's social media law, insurers may not request or require access to employees' nonpublic social media accounts.18 At most, the social media law would allow an insurer to access accounts reactively "based on the receipt of information" concerning a possible violation.19 In contrast, Regulation 1-1-7 requires insurers to maintain records of all advertising and marketing activity, or have such available for examination.20 Likewise, Regulations 4-1-2 and 4-2-3 require insurers to establish and maintain a system of control over all advertisements and make the insurer directly responsible for content placed in the market.21 In other words, the insurance regulations require insurers to be proactive, including pre-approval of advertisements.22
As the National Association of Insurance Commissioners (NAIC) notes in its white paper "The Use of Social Media in Insurance," the insurance industry shares many of the same dangers as the securities and financial industries when it comes to employee activities in the pursuit of new business.23 For example, insurers and securities firms may be liable for third-party advertisements or posts on a social media site.24 Under an entanglement or adoption theory, employee content published on a social media site may be attributed to an insurer, simply because the insurer did not object to the publishing of the content.25
Other State Legislation
Insurers face similar conflicts in other jurisdictions. Colorado's statute tracks almost exactly that of Maryland, which had one of the first social media privacy laws.26 Illinois restricts employers from requesting access to social media accounts in much the same manner as Colorado, and although the statute allows for gathering of information already publicly available, it does not carve an exception for investigations of private accounts at all, with or without information regarding possible violations.27 California is similar to Colorado and Maryland, allowing for requests to divulge information pursuant to an investigation, "provided that the social media is used solely for purposes of that investigation or a related proceeding."28
Michigan's "internet privacy protection act"29 contains more specific, enumerated exceptions to its general prohibition of employers requesting access to the social media sites of employees. The statute exempts employers with "a duty to screen employees . . . that is established under federal law or by a self-regulatory organization, as defined in . . . the securities and exchange act of 1934."30 Michigan's act would also allow an employer to require access to an employee's social media if the service was "used for the employer's business purposes."31
Finally, the most recent state to pass a social media law, Washington, created an exception that exempts an insurer with affirmative duties to monitor employee marketing and other activities.32 Washington's statute, effective July 28, 2013, specifically provides that it is not meant to "prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations."33
As a result of HB13-1046, Colorado law creates an apparent conflict for insurers. The new law prohibits insurers from monitoring their employees' social media sites. However, those same insurers are also required to monitor sites that are used for marketing and advertising. While some states have built in exceptions that would allow an insurer to monitor social media sites used for advertising its products, it is not yet clear whether or to what extent Colorado and other states will recognize similar exceptions as they work with the insurers seeking to develop an approach for compliance with both social media privacy laws and duties to monitor social media used for advertising.