Social Media Risk

Risk Managers:
Is Your Company Rolling the Dice?

Social Media Risk Strategies
Ken Wood, Knowledge Universe, U.S.
Karl Pedersen, Willis Executive Risks
Social Media Defined


“An umbrella term that defines the various activities that integrate technology, social interaction, and the construction of words, pictures, videos and audio.”
Source: Wikipedia
Social Media Defined
Social media includes the full suite of Web 2.0 tools that enable interaction and engage the user:
• Blogs
• Video logs (vlogs)
• Social networking, bookmarking, tagging
• Wikis
• Asking for your comments
• Letting you vote on preferences
• Recommending content to you
Social Media Outlets




Employee Use – Striking a Balance
• Whether to ban, control or monitor use
• Interests of employer
   – Engage with customers and increase 
     awareness of brand
   – Protect company brand and reputation
   – Avoid potential liability for unlawful conduct 
     of employees
   – For its employees to be “brand evangelists”
• Interests of employee
   – Right to a private life
   – Right to freedom of expression

Employee Use – Main Areas of Risk
Employee damaging brand/reputation
• The morning before his presentation to FedEx, a major client, a Ketchum VP tweeted his impressions of Memphis, TN.




FedEx Response:
We do not know the total millions of dollars FedEx Corporation pays Ketchum
annually for the valuable and important work your company does for us around
the globe. We are confident however, it is enough to expect a greater level of
respect and awareness from someone in your position as a vice president at a
major global player in your industry.

Risk – Real or Imagined?
• Personal injury (libel, defamation, advertising injury liability) – a former customer posts untrue and unflattering remarks.
• Breach of confidential or proprietary information – an anonymous person posts confidential information about the company.
• Invasion of privacy – an employer snoops on an employee’s Facebook page.
• A prospective employer looks up a candidate on LinkedIn, which displays the candidate’s photo. The candidate is not hired and alleges discrimination.
• Reputational injury – an accumulation of negative posts causes prospective customers to stay away.
Avoiding a Social Media Crisis
Steps to Avoiding a Social Media Crisis:
1. Develop awareness
2. Implement policies & procedures
3. Educate yourself, staff and associates
4. Communicate the expectations
5. Engage your associates
6. Monitor what is said
7. Manage the process
8. Prepare for mishaps

Avoiding a Social Media Crisis
• Step #1: Develop awareness
  – Become familiar with tools and sites
  – Ask your employees which sites and tools they 
    use
  – Check out competitors

• Step #2: Implement policies & procedures
  – Current P & P might be inadequate
  – Check E & O, liability policies
  – Seek legal counsel
Avoiding a Social Media Crisis
• Step #3: Educate
  – Yourself, staff, associates
  – Don’t leave it to learning through casual use

• Step #4: Communicate
  – Make it a topic of meetings
  – Write about it
  – Distribute it


Avoiding a Social Media Crisis
• Step #5: Engage
  – Connect with associates and staff on social 
    networking sites
  – Subscribe to your associates’ blogs

• Step #6: Monitor
  – Set up Google Alerts and key word usage 
    mentioning company name
  – Consider degree to which company will monitor 
    employee internet usage while at work or using 
    company laptops
Avoiding a Social Media Crisis
• Step #7: Manage
  – Address violations of internal company policies 
    and procedures consistently
  – Evaluate external providers for monitoring and 
    crisis support

• Step #8: Prepare
  – Even the best laid out and managed plan can go 
    wrong
  – What is your strategy if problems arise?
Mitigating a Social Media Crisis
• Time is your enemy
  – Act fast!
  – Twitter can spread bad news faster than TV, and 
    YouTube is more viral
• Don’t take a knife to a gun fight
  – Don’t use traditional media (solely) to counter 
    social media gaffes
  – Respond in kind

Mitigating a Social Media Crisis
• Brandjacking
  – Is your brand being used properly?
  – Is it being used by those authorized to use it?
• Reputation management
  – Are you researching your new hires?
• The Malicious Web
  – What happens when consumers become so 
    dissatisfied that they take extreme measures?...

Complaint that goes … viral

• “united breaks guitars”
Organizational Privacy Risks

Customer/Personal Data
• Credit card
• Medical
• SSNs/Gov’t IDs
• Student transcripts
• HR/Payroll
• Loyalty programs
• Motor vehicle
• Insurance claims
• Financial transactions
• Financial records
• Contracts

Corporate Data
• Customer lists
• Price lists
• Confidential 3rd party information (NDA)
• eDiscovery / litigation
• Merger/Acquisition targets / plans
• Financial records
• Marketing / advertising plans
• Contracts
• New product development plans / release dates
• Network architecture
• Emergency response / Disaster recovery plans
• Restructuring / RIF plans
• Critical Infrastructure Assurance data
2009 Ponemon Study: Cost of a Data Breach
• The total average cost of a data breach grew to $204 per record.
• Third-party data breaches increase, and cost more:
   – Breaches by third-party organizations such as outsourcers and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, 29 percent in 2006 and 21 percent in 2005.
   – Per-victim cost for third-party-related breaches is $52 higher (e.g., $231 vs. $179) than for an internally caused breach.
• First-time breaches cost more: $243 vs. $192 for experienced companies.
• Insider negligence is cited as a factor in 88% of all cases.
Notification Laws
• It all started in California…
   – California led the way (Civil Code Section 1798.81.5(b)):
      • “A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure”
• 46 other states have data security laws:
   – Most mandate “reasonable” data security measures and proper data disposal
   – Others are more specific:
      • Connecticut, Michigan, New Mexico, Texas (SSN policies)
      • Nevada (encryption for external electronic communications)
      • Minnesota (Minn. Stat. 365E.64 – card magnetic stripe data)
      • Massachusetts regulations
Other Requirements: Industry Self-Regulation and Federal Law
• PCI DSS:
   – Entities that store, process, or transmit cardholder data must comply with standards designed to prevent attacks that involve theft of assets
• FACTA Red Flags Rule (4th time the charm??):
   – Covered entities that hold customer accounts must implement programs to identify, detect and respond to “Red Flags” signaling possible ID theft. Covered entities are financial institutions and creditors, broadly defined.
   – Significant flexibility to determine which Red Flags are relevant to detect identity theft, but covered entities must account for the overall effectiveness of their programs
Vendor Contractual Requirements
• IT/Software Companies
   – Request Tech E&O, plus Privacy/Network coverage
   – Some Tech E&O policies have security/privacy exclusions
   – A breach could occur without a “wrongful act” being committed
• Business Services – Payroll, Auditors, Counsel
   – Request appropriate E&O coverage
   – Request Privacy/Network coverage
• Credit Card Processors/Acquiring Banks
   – Request Privacy/Network coverage (gaps in Bond or Professional Liability coverage)
• Other vendors that transport, touch, or interact with your systems or sensitive information
   – Request Privacy/Network coverage
Traditional Insurance Gaps
• Theft or disclosure of third party information (GL)
• Security and privacy – “Intentional Act” exclusions (GL)
• Data is not “tangible property” (GL, Prop, Crime)
• Bodily Injury & Property Damage triggers (GL)
• Value of data if corrupted, destroyed, or disclosed (Prop, GL)
• Contingent risks (from external hosting, etc.)
• Commercial Crime policies require intent, and only cover money, securities and tangible property.
• Territorial restrictions
• Sublimit or long waiting period applicable to any virus coverage available (Prop)
Privacy & Network Coverage
• Liability Coverage
   – Privacy Liability
   – Network Security Liability
   – Media, IP and Content Liability
   – Technology Services Liability (if required)
• Direct (Loss Mitigation) Coverage
   – Data Breach Expenses
   – Public Relations expenses, consumer notification and credit monitoring costs (sub-limit)
   – Forensics/Investigations
• Direct (First Party) Coverage
   – Revenue Loss
   – Data Reconstruction
   – Extortion Costs
Privacy Enhancements
• Privacy Liability Enhancements
   – Broad cover for “failure to protect confidential information”
   – Cover for credit remediation and credit monitoring
   – Cover for vicarious liability when control of information is outsourced
   – Cover for PR expenses
   – Cover for regulatory defense, fines and penalties costs
   – Cover for notification costs
   – Cover for physical theft of hardware or firmware
Privacy and Network Security Marketplace
• Rates continue to go down but reductions are limited – usually between 0% and 5%
   – New London carriers: Aspen, Barbican, Kiln
   – Several lead carriers have decreased capacity from $25M to $10M in the last 12 months, with Hiscox being the latest and most notable
   – The “AIG effect” has released E&O/Cyber risks into the marketplace for the first time in many years
• Coverage Developments
   – Increase/Decrease in cover for credit monitoring
   – Willingness to provide cover for fines and penalties
   – Forensics
CONSEQUENCES: Forrester Research
Estimate of the Costs of a Personal Data Breach Per Compromised Record

| Category and Description | Low-profile breach in a non-regulated industry | Low-profile breach in a regulated industry | High-profile breach in a highly regulated industry |
|---|---|---|---|
| Discovery, Notification and Response: Outside legal counsel; mail notification, calls, call center and discounted product offers | $50 | $50 | $50 |
| Lost employee productivity: Employees diverted from other tasks | $20 | $25 | $30 |
| Opportunity cost: Customer churn and difficulty in getting new customers | $20 | $50 | $100 |
| Regulatory fines: FTC, PCI, SOX | $0 | $25 | $60 |
| Restitution: Civil courts may require you to put this money aside | $0 | $0 | $30 |
| Additional security and audit requirements: The security and audit requirements levied as a result of a breach | $0 | $5 | $10 |
| Other liabilities: Credit card replacement costs; civil penalties if specific fraud can be traced to the breach | $0 | $0 | $25 |
| TOTAL COST PER COMPROMISED RECORD | $90 | $155 | $305 |

SOURCE: "Calculating the Cost of a Security Breach," Forrester Research, April 10, 2007. Based on a survey of 28 companies that suffered data breaches.
Average Premiums
• Third-party liability only: $10K–$14K per million in liability limit
• Add ~5–25% premium for first-party protection
• Every risk underwritten to its specific merits
• Available capacity $250M+
Social Media Response Process (Overview)

GUIDELINES: Follow these guidelines for engaging with consumers and other audiences on the Internet, and escalating issues internally.

LISTEN – Actively aware daily.
LISTEN GOALS:
• Awareness of brand perceptions
• Avoid being surprised by issues
• Opportunity to help solve problems
PRIORITY:
1. KinderCare Facebook
2. KinderCare Twitter, YouTube, etc.
3. Third-party blogs

Positive Sentiment – EXAMPLES: appreciation, testimonials, recommending us, defending us
Topical or Neutral – EXAMPLES: questions, enrollment interest, products or spammers, job seekers
Negative Sentiment – EXAMPLES: concerns, criticisms, disagreements, allegations, personnel issues

ENGAGE – Respond appropriately.
PROCESS (by type of post):
• Favorable blogs or web comments
   1. Digital replies expressing gratitude for their comments
   2. Send positive content to PR as FYI
   3. Continue posting more original content
• Policy questions
   1. Digital thanks user, explains we will provide answers ASAP, asks them to reach us at Customer Care or CRC (depends on whether enrolled)
   2. Digital alerts Customer Care or CRC team to respond
   3. Digital tracks our responses for reporting
• Spam or product recommendations
   1. Digital reminds user that we don’t endorse products
   2. Digital will remove unsolicited commercial info from Facebook and forums
   3. Digital will block user on third “spam” posting
• Job inquiries
   1. Digital refers job seekers to Monster.com job board online, “Jobs” tab on Facebook or kindercare.com/careers
   2. Digital alerts Robyn Dold in Recruiting re: ongoing inquiries by a job seeker
• Testimonial email inbox
   1. Digital team receives emails, checks daily
   2. Digital sends to Customer Care team to respond
• Upset parent(s), people or vendors
   1. Digital alerts Customer Care team
   2. Customer Care initiates CARES service request, if needed
   3. Digital responds to user with pre-approved response: We don’t discuss personal info online, please reach us at 888-525-2780 or care@kindercare.com
   4. Other departments alerted by CARES and engage as needed
• Employee issues
   1. Digital alerts HR at employeehotline@klcorp.com
   2. If issue also involves risk to a child, Digital alerts Risk at incidentreport@klcorp.com or 888-525-2475 option 1 to initiate CARES request
   3. Digital responds to user: Please contact HR at employeehotline@klcorp.com or 888-525-2475 option 5

ENGAGE GOALS:
• Identify potential brand ambassadors
• Get positive testimonials
• Use positive people in Public Relations capacity
• Incent active, positive parents to Refer a Friend
• Provide web badges for most active people

RULES OF ENGAGEMENT:
• Always disclose our role as representatives of KinderCare or KLC (transparency)
• Be a first or early responder
• Engage in the conversation to provide solutions, make a positive change

AFTER HOURS RISK MANAGEMENT:
• If after hours, and incident including allegations of sex abuse, child abuse, threats of violence or other significant threats to brand or reputation, call mobile phones for K. Wood (503) 358-4426 or T. Hall at (503) 270-7210 or Legal after-hours hotline (503) 784-1543

ALERT PUBLIC RELATIONS:
• If injury, safety, employee terminations, licensing, CPS or police email – or, if media involvement is specifically threatened – email media@klcorp.com and Kaitlin Stewart
• If after hours, dial PR hotline at (503) 539-9595

RESOLVE – Satisfy the stakeholders.
RESOLVE GOALS:
• Improve relations with parents & other audiences
• Reinforce messages that we care and serve
• Retain existing enrolled families
• Avoid negative media attention
• Improve brand perceptions & thought leadership
RESOLUTION OPTIONS:
• Other – Miscellaneous.
• No response – Arguments between online users
• Remove post – Proprietary KinderCare info; References to Milken family; Inappropriate content incl. foul language, lewd/nude, etc.
• Block user – Allegations of abuse; Ongoing investigations; Threats of violence (IMMEDIATE); Clearly illegal activity (death threat, posted inappropriate photos, etc.); Third spam posting

Updated vAug13
Credits
• TaylorWessing. June 29, 2010. Social Media: A Guide for Employers
• Espresso. What the F**k is Social Media Now? http://www.brandinfiltration.com/dailygrind/category/wtf
• Brad Hanks Seminars. Wisconsin Realtors Association Management Conference. December 11, 2008. www.bradhanksseminars.com
Open Discussion / Questions




Posted: 8/5/2011