Social Media Risk
Risk Managers:
Is Your Company Rolling the Dice?
Social Media Risk Strategies
Ken Wood, Knowledge Universe, U.S.
Karl Pedersen, Willis Executive Risks
Social Media Defined
“An umbrella term that defines the various
activities that integrate technology, social
interaction, and the construction of words,
pictures, videos and audio.”
Source: Wikipedia
Social Media Defined
Social media includes the full suite of Web 2.0 tools that
enable interaction and engage the user:
•Blogs
•Video logs (Vlogs)
•Social networking, bookmarking, tagging
•Wikis
•Asking for your comments
•Letting you vote on preferences
•Recommending content to you
Social Media Outlets
(Image-only slides showing examples of social media outlets; images not reproduced.)
Employee Use – Striking a Balance
• Whether to ban, control or monitor use
• Interests of employer
– Engage with customers and increase
awareness of brand
– Protect company brand and reputation
– Avoid potential liability for unlawful conduct
of employees
– For its employees to be “brand evangelists”
• Interests of employee
– Right to a private life
– Right to freedom of expression
Employee Use – Main Areas of Risk
Employee damaging brand/reputation
• The morning before his presentation to FedEx, a major client,
a vice president at Ketchum tweeted about his impressions of
Memphis, TN.
FedEx's response (excerpt):
We do not know the total millions of dollars FedEx Corporation pays Ketchum
annually for the valuable and important work your company does for us around
the globe. We are confident however, it is enough to expect a greater level of
respect and awareness from someone in your position as a vice president at a
major global player in your industry.
Risk – Real or Imagined?
• Personal Injury (libel, defamation, advertising injury liability) ‐
former customer posts untrue and unflattering remarks.
• Breach of confidential or proprietary information ‐
anonymous person posts confidential information on
company.
• Invasion of privacy ‐ employer snoops on employee’s
Facebook page.
• Prospective employer looks up a candidate on LinkedIn, which
displays the candidate’s photo. The candidate who is not hired alleges
discrimination.
• Reputational injury ‐ an accumulation of negative posts causes
prospective customers to stay away.
Avoiding a Social Media Crisis
Steps to Avoiding a Social Media Crisis:
1. Develop awareness
2. Implement policies & procedures
3. Educate yourself, staff and associates
4. Communicate the expectations
5. Engage your associates
6. Monitor what is said
7. Manage the process
8. Prepare for mishaps
Avoiding a Social Media Crisis
• Step #1: Develop awareness
– Become familiar with tools and sites
– Ask your employees which sites and tools they
use
– Check out competitors
• Step #2: Implement policies & procedures
– Current policies & procedures (P&P) might be inadequate
– Check errors & omissions (E&O) and liability insurance policies
– Seek legal counsel
Avoiding a Social Media Crisis
• Step #3: Educate
– Yourself, staff, associates
– Don’t leave it to learning through casual use
• Step #4: Communicate
– Make it a topic of meetings
– Write about it
– Distribute it
Avoiding a Social Media Crisis
• Step #5: Engage
– Connect with associates and staff on social
networking sites
– Subscribe to your associates’ blogs
• Step #6: Monitor
– Set up Google Alerts and keyword searches for mentions of the
company name
– Decide the degree to which the company will monitor employee
internet usage while at work or when using company laptops
Avoiding a Social Media Crisis
• Step #7: Manage
– Address violations of internal company policies
and procedures consistently
– Evaluate external providers for monitoring and
crisis support
• Step #8: Prepare
– Even the best laid out and managed plan can go
wrong
– What is your strategy if problems arise?
Mitigating a Social Media Crisis
• Time is your enemy
– Act fast!
– Twitter can spread bad news faster than TV, and
YouTube is more viral
• Don’t take a knife to a gun fight
– Don’t use traditional media (solely) to counter
social media gaffes
– Respond in kind
Mitigating a Social Media Crisis
• Brandjacking
– Is your brand being used properly?
– Is it being used by those authorized to use it?
• Reputation management
– Are you researching your new hires?
• The Malicious Web
– What happens when consumers become so
dissatisfied that they take extreme measures?...
Complaint that goes… viral
• “United Breaks Guitars”
Organizational Privacy Risks
Customer/Personal Data
• Credit card
• Medical
• SSNs/Gov’t IDs
• Student transcripts
• HR/Payroll
• Loyalty programs
• Motor vehicle
• Insurance claims
• Financial transactions
• Financial records
• Contracts
Corporate Data
• Customer lists
• Price lists
• Confidential 3rd party information (NDA)
• eDiscovery / litigation
• Merger/Acquisition targets / plans
• Financial records
• Marketing / advertising plans
• Contracts
• New product development plans / release dates
• Network architecture
• Emergency response / Disaster recovery plans
• Restructuring / RIF plans
• Critical Infrastructure Assurance data
2009 Ponemon Study:
Cost of a Data Breach
• The total average cost of a data breach grew to $204 per record.
• Third‐party data breaches increased, and cost more:
– Breaches by third‐party organizations such as outsourcers and
business partners were reported by 44 percent of respondents, up
from 40 percent in 2007, 29 percent in 2006 and 21 percent in 2005.
– The per‐victim cost of a third‐party related breach is $52 higher ($231 vs.
$179) than if the breach is internally caused.
• First‐time breaches cost more: $243 vs. $192 per record for experienced
companies.
• Insider negligence is cited as a factor in 88% of all cases.
Notification Laws
• It all started in California…
– California led the way (Civil Code Section 1798.81.5(b)):
“A business that owns or licenses personal information about
a California resident shall implement and maintain reasonable
security procedures and practices appropriate to the nature
of the information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure.”
• 46 other states have data security laws:
– Most mandate “reasonable” data security measures and proper
data disposal
– Others are more specific:
• Connecticut, Michigan, New Mexico, Texas (SSN policies)
• Nevada (encryption for external electronic communications)
• Minnesota (Minn. Stat. 325E.64 ‐ card magnetic stripe data)
• Massachusetts regulations
Other Requirements
Industry Self‐Regulation and Federal Law
• PCI DSS:
– Entities that store, process, or transmit cardholder data must comply
with standards designed to prevent theft of cardholder data
• FACTA Red Flags Rule (enforcement date postponed several times; “4th time the charm??”):
– Covered entities that hold customer accounts must implement
programs to identify, detect and respond to “Red Flags” signaling
possible identity theft. Covered entities are financial institutions and
creditors, broadly defined
– Significant flexibility to determine which Red Flags are relevant to
detecting identity theft, but covered entities must account for the overall
effectiveness of their programs
Vendor Contractual Requirements
• IT/Software companies
– Request Tech E&O (technology errors & omissions), plus Privacy/Network coverage
– Some Tech E&O policies have security/privacy exclusions
– A breach could occur without a “wrongful act” being committed
• Business services – payroll, auditors, counsel
– Request appropriate E&O coverage
– Request Privacy/Network coverage
• Credit card processors/acquiring banks
– Request Privacy/Network coverage (gaps in Bond or Professional
Liability coverage)
• Other vendors that transport, touch, or interact with your systems or
sensitive information
– Request Privacy/Network coverage
Traditional Insurance Gaps
(GL = general liability; Prop = property; Crime = commercial crime policy)
• Theft or disclosure of third party information (GL)
• Security and privacy – “intentional act” exclusions (GL)
• Data is not “tangible property” (GL, Prop, Crime)
• Bodily injury & property damage triggers (GL)
• Value of data if corrupted, destroyed, or disclosed (Prop, GL)
• Contingent risks (from external hosting, etc.)
• Commercial Crime policies require intent, and only cover money,
securities and tangible property
• Territorial restrictions
• Sublimit or long waiting period applicable to any virus coverage
available (Prop)
Privacy & Network Coverage
• Liability Coverage
– Privacy Liability
– Network Security Liability
– Media, IP and Content Liability
– Technology Services Liability (if required)
• Direct (Loss Mitigation) Coverage
– Data Breach Expenses
– Public Relations expenses, consumer notification and credit
monitoring costs (sub‐limit)
– Forensics/Investigations
• Direct (First Party) Coverage
– Revenue Loss
– Data Reconstruction
– Extortion Costs
Privacy Enhancements
• Privacy Liability Enhancements
– Broad cover for “failure to protect confidential
information”
– Cover for credit remediation and credit monitoring
– Cover for vicarious liability when control of information is
outsourced
– Cover for PR expenses
– Cover for regulatory defense, fines and penalties costs
– Cover for notification costs
– Cover for physical theft of hardware or firmware
Privacy and Network
Security Marketplace
• Rates continue to go down but reductions are
limited – usually between 0% and 5%
– New London carriers: Aspen, Barbican, Kiln
– Several lead carriers have decreased capacity from $25M
to $10M in last 12 months with Hiscox being the latest and
most notable
– “AIG effect” has released E&O/Cyber risks into
marketplace for the first time in many years
• Coverage Developments
– Increase/Decrease in cover for credit monitoring
– Willingness to provide cover for fines and penalties
– Forensics
CONSEQUENCES: Forrester Research
Estimate of the Costs of a Personal Data Breach Per Compromised Record

Columns: (A) low-profile breach in a non-regulated industry;
(B) low-profile breach in a regulated industry;
(C) high-profile breach in a highly regulated industry.

Category and description                                                (A)     (B)     (C)
Discovery, notification and response: outside legal counsel;
  mail notification, calls, call center and discounted product offers   $50     $50     $50
Lost employee productivity: employees diverted from other tasks        $20     $25     $30
Opportunity cost: customer churn and difficulty getting new customers  $20     $50    $100
Regulatory fines: FTC, PCI, SOX                                          $0     $25     $60
Restitution: civil courts may require you to put this money aside        $0      $0     $30
Additional security and audit requirements levied as a result
  of a breach                                                            $0      $5     $10
Other liabilities: credit card replacement costs; civil penalties
  if specific fraud can be traced to the breach                          $0      $0     $25
TOTAL COST PER COMPROMISED RECORD                                       $90    $155    $305

SOURCE: "Calculating the Cost of a Security Breach," Forrester Research, April 10, 2007. Based on a survey of 28 companies that suffered data breaches.
Average Premiums
• Third‐party liability only: $10K‐$14K per
million in liability limit
• Add ~5‐25% premium for first‐party
protection
• Every risk underwritten to its specific merits
• Available capacity $250M+
GUIDELINES
Social Media Response Process (Overview)
Follow these guidelines for engaging with consumers and other audiences on the Internet, and escalating issues internally.

LISTEN – Actively aware daily.
Goals:
• Awareness of brand perceptions
• Avoid being surprised by issues
• Opportunity to help solve problems
Internet priority:
1. KinderCare Facebook
2. KinderCare Twitter, YouTube, etc.
3. Third-party blogs
Examples by sentiment:
• Positive sentiment: appreciation, testimonials, recommending us, defending us
• Topical or neutral: questions, enrollment interest, products or spammers, job seekers
• Negative sentiment: concerns, criticisms, disagreements, allegations, personnel issues

ENGAGE – Respond appropriately.
Process by type of post:
• Favorable blogs or web comments
1. Digital replies expressing gratitude for their comments
2. Send positive content to PR as FYI
3. Continue posting more original content
• Policy questions
1. Digital thanks user, explains we will provide answers ASAP, asks them to reach us at Customer Care or CRC (depends on whether enrolled)
2. Digital alerts Customer Care or CRC team to respond
3. Digital tracks our responses for reporting
• Spam or product recommendations
1. Digital reminds user that we don’t endorse products
2. Digital will remove unsolicited commercial info from Facebook and forums
3. Digital will block user on third “spam” posting
• Job inquiries
1. Digital refers job seekers to the Monster.com job board online, the “Jobs” tab on Facebook or kindercare.com/careers
2. Digital alerts Robyn Dold in Recruiting re: ongoing inquiries by a job seeker
• Testimonial email inbox
1. Digital team receives emails, checks daily
2. Digital sends to Customer Care team to respond
• Upset parent(s), people or vendors
1. Digital alerts Customer Care team
2. Customer Care initiates CARES service request, if needed
3. Digital responds to user with pre-approved response: “We don’t discuss personal info online, please reach us at 888-525-2780 or care@kindercare.com”
4. Other departments alerted by CARES and engage as needed
• Employee issues
1. Digital alerts HR at employeehotline@klcorp.com
2. If the issue also involves risk to a child, Digital alerts Risk at incidentreport@klcorp.com or 888-525-2475 option 1 to initiate a CARES request
3. Digital responds to user: “Please contact HR at employeehotline@klcorp.com or 888-525-2475 option 5”
Engage goals:
• Identify potential brand ambassadors
• Get positive testimonials
• Use positive people in a Public Relations capacity
• Incent active, positive parents to Refer a Friend
• Provide web badges for the most active people
Rules of engagement:
• Always disclose our role as representatives of KinderCare or KLC (transparency)
• Be a first or early responder
• Engage in the conversation to provide solutions, make a positive change
After hours:
• If after hours, and the incident includes allegations of sex abuse, child abuse, threats of violence or other significant threats to brand or reputation, call mobile phones for K. Wood (503) 358-4426 or T. Hall (503) 270-7210, or the Legal after-hours hotline (503) 784-1543
Risk management – alert Public Relations:
• If injury, safety, employee terminations, licensing, CPS or police are involved, or if media involvement is specifically threatened, email media@klcorp.com and Kaitlin Stewart
• If after hours, dial the PR hotline at (503) 539-9595

RESOLVE – Satisfy the stakeholders.
Goals:
• Improve relations with parents & other audiences
• Reinforce messages that we care and serve users
• Retain existing enrolled families
• Avoid negative media attention
• Improve brand perceptions & thought leadership
Other (miscellaneous) handling:
• No response: arguments between online users; references to Milken family
• Remove post: proprietary KinderCare info; ongoing investigations; threats of violence posted (IMMEDIATE); inappropriate content incl. foul language, lewd/nude, etc.
• Block user: allegations of abuse; clearly illegal activity (death threat, inappropriate photos, etc.); third spam posting
Updated vAug13
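Step #6 (Monitor) and the Listen / Engage / Resolve process above amount to a keyword watch over brand mentions followed by routing to Customer Care, HR, Risk or PR, with a per-user "block on third spam posting" rule and an after-hours escalation path for safety allegations and threats. The script below is an added illustration of that triage logic written for this page; it is not KinderCare's or the presenters' tooling. The keyword lists, team labels, 08:00-18:00 business hours and the sample posts are constructed assumptions.

```python
"""Keyword triage for brand mentions, modelled on the Listen / Engage / Resolve
process above. Added illustration only: keyword lists, team labels, business
hours and sample posts are constructed assumptions, not the deck's tooling."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Listen step. Ordered most severe first so the first match wins: a post that
# is both a complaint and a safety allegation is handled as the latter.
CATEGORIES = [
    ("safety_allegation", ("abuse", "neglected", "injured", "cps", "police")),
    ("threat",            ("i will hurt", "death threat", "burn down")),
    ("employee_issue",    ("my manager", "my paycheck", "fired me", "hr won't")),
    ("complaint",         ("disappointed", "terrible", "never again", "refund", "rude")),
    ("job_inquiry",       ("hiring", "job opening", "resume")),
    ("spam",              ("buy now", "discount code", "click here", "free shipping")),
    ("policy_question",   ("what is your policy", "how do i", "do you offer", "tuition")),
    ("positive",          ("love", "thank you", "great teachers", "recommend")),
]

# Engage step: receiving team and Digital's first action per category.
ROUTING = {
    "safety_allegation": ("Risk", "block user; alert Risk to open a CARES request"),
    "threat":            ("Risk", "remove post immediately; alert Risk and PR"),
    "employee_issue":    ("HR", "reply with HR hotline; alert HR"),
    "complaint":         ("Customer Care", "reply with pre-approved response; open CARES request"),
    "job_inquiry":       ("Recruiting", "refer to careers page; alert Recruiting if repeated"),
    "spam":              ("Digital", "remove post"),
    "policy_question":   ("Customer Care", "thank user; alert Customer Care to answer"),
    "positive":          ("PR", "thank user; forward to PR as FYI"),
    "neutral":           ("Digital", "no response"),
}

# Only these categories justify using the after-hours contacts.
AFTER_HOURS_CATEGORIES = {"safety_allegation", "threat"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: 08:00-18:00 local


@dataclass
class Decision:
    user: str
    category: str
    team: str
    action: str
    escalate_after_hours: bool


@dataclass
class Triage:
    # Per-user spam counter; the Engage rules block a user on the third spam post.
    spam_strikes: dict = field(default_factory=dict)

    def classify(self, text):
        lowered = text.lower()
        for name, keywords in CATEGORIES:
            if any(k in lowered for k in keywords):
                return name
        return "neutral"

    def decide(self, user, text, when):
        category = self.classify(text)
        team, action = ROUTING[category]
        if category == "spam":
            strikes = self.spam_strikes.get(user, 0) + 1
            self.spam_strikes[user] = strikes
            action = ("remove post and block user (third spam posting)"
                      if strikes >= 3 else f"remove post (spam strike {strikes} of 3)")
        after_hours = not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1])
        return Decision(user, category, team, action,
                        category in AFTER_HOURS_CATEGORIES and after_hours)


# Constructed sample mentions (user, text, local timestamp), not real posts.
SAMPLE_POSTS = [
    ("parent_a", "Thank you to the great teachers at the Elm St center, we love it!", datetime(2013, 8, 13, 10, 0)),
    ("parent_b", "What is your policy on late pickup? How do I enroll a second child?", datetime(2013, 8, 13, 11, 0)),
    ("shopper99", "Buy now! Discount code KIDS20, free shipping today", datetime(2013, 8, 13, 12, 0)),
    ("shopper99", "Buy now! Discount code KIDS20, free shipping today", datetime(2013, 8, 13, 12, 5)),
    ("shopper99", "Buy now! Discount code KIDS20, free shipping today", datetime(2013, 8, 13, 12, 10)),
    ("parent_c", "Terrible experience, the front desk was rude. I want a refund.", datetime(2013, 8, 13, 14, 0)),
    ("ex_staff", "My manager fired me with no notice and HR won't return my calls", datetime(2013, 8, 13, 15, 0)),
    ("anon", "My son came home injured and nobody from the center called me", datetime(2013, 8, 13, 22, 30)),
    ("jobseeker", "Are you hiring? Where do I send a resume?", datetime(2013, 8, 14, 9, 0)),
    ("parent_d", "Nice weather for the fall festival this weekend", datetime(2013, 8, 14, 9, 30)),
]


def run_sample(posts=SAMPLE_POSTS):
    """Triage every post in order (so spam strikes accumulate) and return the decisions."""
    triage = Triage()
    return [triage.decide(user, text, when) for user, text, when in posts]


if __name__ == "__main__":
    for d in run_sample():
        flag = " [AFTER-HOURS ESCALATION]" if d.escalate_after_hours else ""
        print(f"{d.user:10} {d.category:18} -> {d.team:13} {d.action}{flag}")
```

The ordering of CATEGORIES is the security-relevant design choice: severity is checked before sentiment, so a post containing both a compliment and an allegation is never routed to PR as "positive". In practice the keyword lists would be the terms from the Google Alerts in Step #6, and the after-hours flag is what decides whether the mobile numbers in the process above are used.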
Credits
• TaylorWessing. June 29, 2010. Social Media: A Guide for Employers.
• Espresso. What the F**k is Social Media Now? http://www.brandinfiltration.com/dailygrind/category/wtf
• Brad Hanks Seminars. Wisconsin Realtors Association Management Conference. December 11, 2008. www.bradhanksseminars.com
Open Discussion / Questions