Legal Bytes : Advertising & Media Lawyer & Attorney : Reed Smith Law Firm : Marketing & Intellectual Property : Legal Bytes Law Blog

Social Media in Action in Data Privacy & Security

Personal data collected by social media companies is at risk from all sides. Thieves want to profile, steal and resell personally identifiable information and data. Employees are tempted to misuse customer data, for monetary gain or to satisfy idle curiosity, perhaps with no malicious purpose at all.[5]  Even standard business processes pose risks to personal data. Not forgetting that social media companies themselves want to gain commercial leverage from the data collected.

Social media enterprises collect, store, use, share, and dispose of personal data every day, including eCommerce-related non-public financial information (for example, credit, banking and payment information). Each of these inflection points is an opportunity for something to go wrong, for a law to be broken or a data subject put at risk. This chapter explains some things social media companies and companies that use social media should know.

Company Obligations Set Forth in the User Agreement

User agreements are private agreements between the publisher and its users, and they define the rights and obligations of each party. Typically, user agreements have at least two components: (1) a privacy policy and (2) a terms of use. While there is no legal distinction between putting them into one document rather than splitting them, social media and web-based services recognise the increased importance privacy and data protection play—not only in law and regulation, but also to consumers. In Europe, regulatory guidance suggests separating terms of use and terms relating to data protection and privacy. Creating a separate document, page or display makes these terms conspicuous, and in a visual and distinctive manner create a better “notice and disclosure” or transparency and consent argument, should a consumer or a regulator challenge the efficacy of notice to consumers.

Privacy policies are statements made by companies about their practices regarding personal information. Companies on the Internet, social media or otherwise, post privacy policies to disclose information practices in accordance with federal and state statutes.[6] Terms of use, on the other hand, describe the terms and conditions governing the relationship between the user and the publisher or operator of the service. Because privacy policies are effectively part of the terms and conditions—the rights and obligations—between the parties, we may simply refer to them as the “agreement” in these materials.

Because these agreements run between and among publishers and users (and sometimes a company that is using a service or website), a company’s obligation with respect to personal data will change depending upon whether it is the social media service (e.g., Facebook, MySpace or Twitter), a company-sponsored fan site (e.g., a Starbucks sponsored fan site on MySpace) or an unrelated third-party fan site.

Social Media Companies

Social media companies, as authors of these agreements, have the primary responsibility to ensure all personally identifiable information that is collected, used, stored and shared, is used in accordance with the user agreement (and, of course, law and regulation). But, this does not mean that social media companies must be overly conservative in their user agreements. Most social media companies do not charge any recurring user fees for use of their site or service. So, access to and data from users in the community is a social media company’s primary commodity to monetise the site.

This ability to commercially exploit data is tempered by data protection and privacy laws. The need for ‘information monetisation’ can create in an adversarial relationship between the site user and the social media company. As a result, many consumer advocacy organisations are analysing and notifying consumers of updates to social media website user agreements.[7] These consumer watchdog organisations can generate considerable controversy; take for example, Facebook’s Terms of Service update in February 2009. At that time, The Consumerist flagged a series of changes to the Facebook Terms of Service, including deletion of the following text:[8]

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

From this deletion, The Consumerist author, Chris Walters, opined that: “Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later,” Walters wrote. “Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your own content.” Ultimately, The Consumerist blog created a firestorm, which caused Facebook to repeal its Terms of Service changes three days after the blog was posted.

The Terms of Service change is not the only example of the tension created over the use of consumer information and consumer disclosures. In the early days of 2007, Facebook launched its Beacon advertisement system that sent data from external websites to Facebook, ostensibly for the purpose of allowing targeted advertisements. Certain activities on partner sites were published to a user’s News Feed. Soon after Beacon’s launch, civic action group, MoveOn.org, created a Facebook group and online petition demanding that Facebook not publish their activity from other websites without explicit permission from the user.[9] In less than ten days, this group gained 50,000 members. Beacon amended its Terms of Service as a result.[10] A class action lawsuit was filed against Facebook as a result of Beacon. The lawsuit was ultimately settled in September 2009[11], and the Beacon advertisement service was shut down.

Facebook has, nonetheless, continued to press on the outside of the envelope with respect to consumer privacy. At the F8 Conference this April, Facebook announced a series of changes to its privacy policies sure to draw considerable attention.[12] The changes include:

Allowing external websites to add a “Like” button. If the user of that external website clicks the “Like” button, that user’s Facebook page will be modified to reflect information about the user’s use of that external site. The user’s Facebook friends will be able to view such information.

Partnering with sites like Pandora and Yelp! to provide for “instant personalization.” This means that when a Facebook user visits those sites, unless she has taken specific elections on her Facebook privacy settings, those sites will download “can pull in information from your Facebook account, which includes your name, profile picture, gender and connections (and any other information that you've made visible to the public). If you visit Pandora, for example, the site could also pull in your favorite music artists, create playlists accordingly, and then notify your Facebook friends.”[13]

In the immediate aftermath of the Facebook changes, members of the United States Congress have already expressed intent to pass laws putting the onus on companies like Facebook to get specific consent from consumers before rolling out new information sharing platforms.[14]

Compared to the United States, Europe has traditionally taken a more stringent approach to data protection. Article 8 of the Charter of Fundamental Rights of the European Union explicitly provides a fundamental right to protection of personal data within the EU. There is also a greater focus on raising awareness. For example, Europe even organised a “European data protection day”, held annually on 28 January.[15] As a result, social networking sites tend to be the subject of far greater public scrutiny than in the United States. Privacy groups and thorough press coverage ensure that any changes to the privacy policies of service providers and any risks or abuses related to these services are comprehensively discussed and brought to the attention of social media users. The Guardian story covering the changes to Facebook’s Privacy Policy in 2009 titled “Facebook privacy change angers campaigners”[16] and a headline from The Sun titled “Teen Weapons Shock On Bebo”,[17] are just two examples of the press coverage social networking sites receive.

Company or Third-Party Sponsored Fan Site or Portal

Many companies, however, do not own or operate a social media website, and thus, do not author the social media user agreement. Instead, these companies are monitoring content regarding their products and services on fan sites/portals run by another company. For example, Starbucks does not operate its own social media website, but operates portals on MySpace, Facebook, Twitter and YouTube. The key for removing information that may be detrimental to Starbucks or any brand is to know where the content lies (on a company or third-party sponsored portal), and the user agreement of the social media website the offending information lies upon.

For portals or fan sites that are sponsored by the marketing company, it is simple for the company to remove offending information. Facebook, MySpace and YouTube offer page administration options for content removal on company-sponsored portals. For these services, the company can directly control content posted to the portal by designating in its administrative options to pre- or post-screen user-generated content. Twitter, however, works differently. On the company-sponsored Twitter profile, the company can control what “Tweets”[18] it sends to its followers, but the company cannot directly control what is “retweeted”[19] by others from the company-sponsored tweets.[20]

For portals or fan sites that are not sponsored, it is more difficult to administer content and remove known privacy violations. Removal of third-party content involving your company or brand is governed by the respective social media site’s user agreement. These will be different depending on the site or service. Take, for example, if one of your employees records a confidential session (a health care visit, tax preparation, loan application meeting, etc.) between the employee and one of your customers. Could the company seek removal of the confidential video? The question of whether a corporation could remove this content on behalf of its customer is different depending upon what social media service is used.

• On YouTube the answer is no. On YouTube, the remedy for removing content is flagging it for removal. Under the YouTube privacy policy, YouTube will not permit privacy flagging on behalf of other people.[21] Alternatively, companies could issue cease-and-desist e-mails directly to the employee posting the content on YouTube.
• On Facebook the answer is possibly. On Facebook, the remedy for removing content is reporting abuse of Facebook’s Statement of Rights and Responsibilities (the “Terms”).[22] In Section 5 of the Terms, Facebook will not permit posting of “anyone’s identification documents or sensitive financial information on Facebook.”[23] Depending on the content of the private information disclosed in the videotaped confidential meeting, a company could report a violation on behalf of its customer.
• On MySpace the answer is yes. On MySpace, the remedy for removing content is submitting a request to delete inappropriate content that violates the website’s Terms of Use Agreement.[24] Under the Terms of Use Agreement in Section 8, any postings that would violate the privacy and/or contractual rights of another party are prohibited.[25] In this scenario, there would be both an individual privacy right on behalf of the customer and a contractual confidentiality right of the company (provided a proper confidentiality provision is in place with the employee).

Notwithstanding the removal of some content by social network providers from the service, it may still surprise some users how their data is stored and used by social networking sites, even in some cases after it has been removed or the user is no longer a member of the site. In addition, social media sites employ technological measures that recognise a user’s computer. For example, according to Twitter’s terms of use, Twitter can collect and use a user’s “automatic” information, such as a user’s IP address or cookies. Whether these provisions will be sufficient to satisfy the upcoming changes in law which will require Twitter to obtain European users’ consent before using their cookies remains to be seen.[26]

Notwithstanding the contractual user agreement rights and obligations on social media, a number of national and international laws also govern this area.

Company Obligations Set Forth in National and International Law

U.S. position

Today, businesses operate globally with technology that knows no national boundaries. Nothing comes more naturally than sharing and sending information halfway around the world. Social media epitomises that modern, global ethos.

Every jurisdiction in the world can claim the right to protect its citizens–and information about them. The United States has a very different concept of “personal information” and adequate protection of it than the European Union; the European laws are not necessarily across all of its Member States. And so it goes, in every part of the world. A social media company can be completely compliant with United States law and still run afoul of legal mores elsewhere. By way of example, Facebook experienced a culture clash with Canada’s privacy commissioner with respect to the disposal of personal information. Facebook had been retaining data on subscribers who quit, so that they could more easily rejoin should they choose to do so later. Canada’s privacy commissioner determined that Facebook’s retention of data was a violation of Canada’s Personal Information Protection and Electronic Documents Act, and negotiated a settlement that provides that, “Collected personal information can be kept only for a specified time and must be deleted or destroyed when no longer needed.”[27]

Europe position

Social media services accessible in Europe will also have to comply with the relevant legislation, the implementation of which may differ between Member States. They may also be subject to any additional national measures.

The EU’s Article 29 Data Protection Working Party has set forth an opinion on online social networking.[28] This Opinion, adopted June 12, 2009, opines that “social networking services” or “SNS” are generally data controllers, and SNS subscribers are generally data subjects. In the view of these authors, even those SNS located outside the EU are bound to respect EU strictures on data processing and onward transfer as to residents of EU member countries. Where a subscriber’s information is only available to a self-selected circle of friends, the Opinion posits that the exception allowing sharing of personal information within households applies. However, when access to the subscriber’s information is shared more broadly, with or without that subscriber’s consent, “the same legal regime will then apply as when any person uses other technology platforms to publish personal data on the web.”[29] The Working Paper goes on to state a number of other positions regarding marketing by SNS, complaint procedures, and (advocating) the availability of pseudonyms.

United Kingdom position

The UK has its own domestic data protection law in place which implements the EU Data Protection Directive.[30] The Data Protection Act 1998 (‘Act’) requires organisations processing personal data to comply with eight distinct data protection principles. The UK also has in place domestic legislation implementing the EU e-Privacy Directive.[31]

The UK Government is currently at odds with the European Commission for failing to properly implement the Data Protection Directive and e-Privacy Directive at national level. The European Commission commenced infringement proceedings against the UK for its failure to guarantee the confidentiality of electronic communications (such as emails and internet browsing) which protection is otherwise enshrined in European legislation. This action was triggered by secret trials conducted in 2006-2007 by the UK telecommunications provider, British Telecom, of a behavioural advertising technology being developed by the company Phorm. This technology enabled the monitoring of an individual’s Internet use without the user’s consent or knowledge, the results of which enabled companies to more effectively target advertising to users. In a failed attempt to bypass data protection laws, Phorm matched a user’s IP address with a unique identifier which was then provided to advertisers, together with profiling information about browsing history. If the UK fails to change its domestic legislation to ensure the privacy of online communications, this action may result in a hearing before the European Court of Justice.[32]

Privacy Policies/Notices: Guidance and General Principles

On both sides of the Atlantic surveys have been carried out to assess whether privacy policies sufficiently and clearly inform users of how their personal data will be used and for what purposes. Although in the UK privacy policies are not a legal requirement under the Act, a privacy policy is a simple way to satisfy the fair processing requirement, which is one of the data protection principles under the Act. Regulatory guidance supports the use of clear and simple privacy policies which adapt a “layered” approach, with the most important information highlighted in a clear manner.

Nonetheless, the surveys have highlighted a need for existing privacy notices to be clearer and more user-friendly. As a means to an end, organisations should make sure that their privacy policies focus primarily on informing the consumer and not on protecting the entity.[33]

Privacy policies should be reviewed regularly to make sure that they continue to comply with any changes in the data processing activities of an organisation and the relevant data protection and privacy laws applicable.

There are obvious benefits to ensuring privacy policies are transparent. Not only will consumers be less likely to complain, it may also provide a competitive advantage from consumers having more confidence in the organisation and how their personal data is being processed. This may lead to consumers entrusting the organisation with further personal data it would not otherwise have received. This seems to be one of the most important trends in social media today – do users trust the site operator?

The Next Direction in Privacy Law [34]

The main challenge for social media companies is that the regulatory privacy obligations seem to be developing on-the-fly in this area. There was no US law clearly forbidding Facebook from partnering with several dozen other sites to share information regarding subscriber usage of affiliate sites. There was no law clearly forbidding Facebook from making such activity logs visible to the subscribers’ friends. Facebook even provided a pop-up, opt-out mechanism to help respect subscriber privacy choices. Yet following a class action lawsuit, discussed above, Facebook shut down its Beacon program and donated $9.5 million to a non-profit foundation to promote online safety and security.[35] Clearly, as important as existing laws are the developing sensibilities of both consumers and privacy officials. The predominant theme appears to be a profound antipathy toward the aggregation and use of information of consumer behavior, however well disclosed. Social media companies need to proceed very carefully in capitalising on the wealth of information that they are assembling, developing subscriber and policymaker support for programs in the works, and adequately disclosing program information to consumers, at a minimum, in the user agreement. Moreover, companies need to realise that even where the law has been slow to catch up, consumer reaction and the threat of regulatory or legal action has often shaped privacy practices in social media. Keeping on top of those trends is critical.

Take, for example, the 2009 global industry initiative to address concerns over behavioral advertising. In 2009, the American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Direct Marketing Association and the Better Business Bureau, completed a joint business initiative and released the “Self-Regulatory Principles for Online Behavioral Advertising”.[36] The trade groups worked closely with the Council of Better Business Bureaus in crafting the principles. The initiative was in response to urging by the FTC that unless the industry adopted polices, government regulators would step in.

The industry effort covers the categories the FTC identified as the key areas of concern: education, transparency, consumer control, data security, material changes, sensitive data and accountability. The Council of Better Business Bureaus, along with the Direct Marketing Association, are now developing additional policies to implement accountability programs to give some teeth to the self-regulatory rules and to foster widespread adoption of the principles.

This initiative appears to have now crossed over to Europe and there is discussion of a special “behavioural” advertising logo that will be displayed in all behavioural advertising. Looking forward, privacy and data protection law will continually be outpaced by technological developments. To take a recent example, the Google Buzz social networking service that was launched in February 2010 has been at the centre of a torrent of criticism by users and privacy groups who claim that the new service has violated rights to privacy. Google Buzz was an attempt by the search giant to convert its Gmail service into a social network. A particularly controversial feature was that Gmail users were automatically signed up to Buzz and a ‘ready-made’ social network of ‘friends’ for them to follow was created using information from Gmail accounts of the contacts with whom they most frequently email and chat.

Following the ferocity of public reaction, Google has been forced to adapt many of the features of Buzz, including removing the automatic links between Buzz and content posted by users on other Google services (e.g., Picasa photo albums), making the option to opt-out of Buzz altogether more prominent in the email facility and adopting an ‘auto suggest’ rather than an ‘auto-follow model’. In April 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom sent a strongly-worded letter to the chief executive officer of Google Inc. to express their concerns about privacy issues related to Google Buzz.[37]. The authorities noted that:

“While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned about how a product with such significant privacy issues was launched in the first place.” And, in a statement seemingly directed at every company looking to launch innovative products in this space, the regulators warned, “It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

Whilst legal action by users who feel their rights have been infringed is inevitable (for example, a woman in Florida has already instructed lawyers regarding the misuse of her personal data), the problem for Google may spread far wider. In trying to make the “getting started experience as quick and easy as possible”[38] to compete with other social networking services, they have potentially alienated users and may now have a harder task convincing the millions of users on Facebook and Twitter to migrate to Buzz instead.

Another social media phenomenon is the exploitation of geo-location technology. Four Square is a location-based game which can be downloaded onto a user’s phone and which turns city maps into a game board. Users can “check-in” via their phones and this information is fed to Twitter, where the user’s location is made public. By “checking in,” the application is able to recommend places to go, things to do nearby and tips from other users for that location. Whilst this application clearly has its benefits, users appear undeterred by the implications of revealing their whereabouts, or, indeed, where they are not; this could pave the way for a new wave of privacy concerns.

Company Engagement in (or Avoidance of) Third-party Legal Disputes

Increasingly, information gathered by social media sites is at the center of legal controversies to which social media companies themselves are strangers.

• Social media sites are routinely used for sting operations seeking out sexual predators.[39]
• On the other hand, one criminal defendant in a forcible rape case tried to enter into evidence the victim’s Facebook status page. He claimed that this social media showed that the victim’s complained-of bruising resulted from heavy drinking on other occasions.[40]
• A Canadian court allowed discovery of a Facebook profile in a motor vehicle accident suit, despite the document being subscriber-designated as limited access.[41]
• If an employer terminates an employee for cause, recommendations that the employers had made regarding that employee on a site like LinkedIn may be evidence of pretext.[42]
• Subscribers’ posts may violate their own company’s privacy policies, or even reveal their own company’s trade secrets.[43]
• Subscribers may later regret their social media postings, but the evidence that those posts were made can be crucial and published if there is a public interest justification.[44] One MySpace subscriber posted an article heavily critical of her hometown. Six days later she removed it. But, in the meantime, it had been republished in her hometown newspaper, arousing the ire of her community to the extent her family had to close its business and move. The subscriber sued the paper who republished the article. The court held that the initial MySpace publication made any subsequent republication fair game, and non-actionable.[45]
• Presenting perhaps even additional complications, courts in some countries, like New Zealand and Australia, have allowed official court process to be served over social medial sites.[46] The UK Courts are following New Zealand and Australia having recently allowed an injunction to be served on a defendant through Twitter for the first time.[47]

Both the social media enterprise and individual companies on social media can protect themselves. As stated above, each social media enterprise already has (or should have) a detailed suite of policies, reflected in the user agreement, to determine how the company fits in to the substance and process of third-party legal actions. Likewise, all companies should put policies in place governing employees’ actions on social media to avoid company vicarious liability.

Ultimately, subscribers should also take steps to protect themselves because regulators can do only so much to protect subscribers’ personal data and privacy.

Children

The popularity of social networking with young people makes the issue of data protection and privacy more acute. A central concern is that young people lack the awareness of the associated risks of these services and the potential for abuse when revealing personal data. Online risks for young users include illegal and age-inappropriate content, improper contact and conduct, including victimisation or grooming and potentially risky behaviors. Whilst the United States has laws and regulations to protect the privacy of children online, the FTC has announced plans to accelerate review of its regulations with an eye towards imposing more stringent standards.[48]

The impact of digital media on privacy issues for young people has been a key focus in both the UK and throughout Europe. In the UK, for example, the Information Commissioner has published numerous good practice notes for website operators whose sites are directed at children. The Home Office Task Force on Child Protection on the Internet has also published in 2008 good practice guidance for providers of social networking and other interactive services[49].

Whilst a focus of legislators has been to raise awareness amongst users of the risks associated with social networking (for example, through the annual EU “Safer Internet Day”), more recently there has been a focus on the contribution that service providers can make to security in the online environment. Following almost a year of discussions, in February 2009 the European Commission and major social networking companies, including Facebook, Bebo, and MySpace, agreed the “Safer Social Networking Principles for the EU”[50]. These principles were aimed at giving young people extra protection from violations of their privacy and the potential abuse of their personal information. Key principles include: ensuring services are age-appropriate for the intended audience[51]; empowering users through tools and technology to manage the service[52]; providing easy-to-use mechanisms for users to report conduct or content that violates the Terms of Service of the provider; encouraging users to employ a safe approach to personal information and privacy; and assessing the means for reviewing illegal or prohibited content.

However, a year on, the review of the implementation of the principles published by the European Commission on 9 February 2010 suggests that whilst the principles have been a step forward in tackling online risks for young people, more still needs to be done. According to the Commission less than half of social networking companies make profiles of users aged under 18 visible only to friends by default, and only one-third replied to user reports requesting assistance.[53] Whilst currently the Commission is in favor of a multi-stakeholder collaboration with providers and adopting a ‘best practice approach’ to manage potential risks, if providers do not toe the line, the consequence may be regulatory intervention.

Protections To Deter Criminal Activity

Data security class action litigation usually focuses not on the (often judgment-proof) criminal wrongdoers themselves, but on the companies those wrongdoers happened to work for, with, or through. Moreover, governments around the world have drafted businesses into the war against identity theft. Hefty fines can result from a lack of due diligence.

The penalties for breaches of the Data Protection Act 1998 in the UK are currently under review.[54] The UK Government has proposed to put in place tougher sanctions to act as deterrents, for example, up to two years imprisonment and maximum fines of £500,000, the latter of which is expected to take effect in April 2010.[55] The UK, as well as other European countries, is taking data protection law seriously, and service providers should bear this in mind.

In social media enterprises, an even greater risk than identity theft or financial fraud exists. Users of social media have been exposed to emotional abuse[56] and have been sexually assaulted,[57] among other crimes. Attempts have been made to hold the social media enterprises themselves liable for not doing more to stop these abuses. Whilst legal actions have generally not resulted in recovery against social media enterprises, the attendant bad publicity and subscriber concern carry a cost of their own.

Where there is a pre-existing protective order in place, even the simple act of making a friend request via a social media service can rise to the level of criminal contempt.[58] And, especially where the social media environment involves the creation or accumulation of some artificial currency, subscribers can also abuse the system to achieve property crimes or tax evasion.[59]

Precautions to detect likely criminal activity, to the extent practicable, and having social media employment agreements to establish company expectations, are essential for any business’s self-preservation. Typically, companies can take actions such as routine audits and establishing human resources notification policies for crimes involving employees in the workplace. Social media employment agreements are now essential for individuals doing work for your business. We recommend evaluating all of the types of individuals employed by your company and developing a social media agreement that will fit for: employees, contractors, hired talent (representing the company in an endorsement/marketing context), and outsourcing contracts, where applicable. (See Chapter 6 – Employment.)

Addressing Traditional Data Security Concerns

Every social media enterprise needs a comprehensive written information security program. The very open architecture that allows social media enterprises to thrive also allows information security threats to multiply. For example, the Twitter worm, “StalkDailey,” “can gain access to unsuspecting Twitter users by masquerading as the family, friends, and co-workers of the user.”[60] In fact, 19 percent of all hacking attacks were directed at social media enterprises in the first half of 2009, “ranging from simple defacement of sites, placing malware on them or using them to spread smear campaigns.”[61] Social media enterprises need to enlist not just their employees, but also their subscribers, in rapid response to developing privacy threats based on well-understood policies and procedures. Failing to do so may result in dilution of a brand’s value as regulators and consumers react to lapses in security.

A written policy is necessary, but not sufficient to ensure compliance. A written policy without implementation and adherence is a dead letter. Plain language review, easy-to-follow training materials, employee testing, vendor auditing, security breach drills, and the like are indispensible to making sure policy is part of day-to-day procedure.

At the same time, outreach to subscribers to let them know what to expect (and not expect) from the company will help subscribers defend themselves from spoofers, phishers, and similar would-be attackers.

Also, like every company, social media companies should have plans for: the protection and secure disposal of personal data (including in hard copy); the implementation of major litigation holds; and response to the loss or theft of personal data (including, where required or appropriate, through notice to data subjects).

Is the Company Properly Insured against Data Privacy Incidents?

The last risk you need to plan for is the risk that all other mitigation will, ultimately, not be sufficient. As noted above, no system is perfect. Data privacy and security lawsuits can cost millions or tens of millions of dollars to resolve. The right level of coverage, either under general policies or specific endorsements, is something that every company needs to determine on an ongoing basis.

Bottom Line—What You Need to Do

Understand the sensitive nature of information that flows through social media. Recognise the serious compliance and litigation risks that the collection and distribution of such information entails. Consider contractual tools to mitigate these risks, including properly drafted privacy policies and terms of use. Know your obligations under all applicable data privacy and security laws, and have a nuts-and-bolts plan to meet those obligations. Stay ahead of developments in data and privacy security law, so that, to the extent possible, the compliance program put in motion today will be deemed adequate even under the standards of tomorrow. Lastly, know your coverage position with respect to data privacy and security incidents, and properly adjust that coverage in light of known and suspected risks.