Facebook privacy breach reveals important risk management and insurance issues
The lead story in the Wall Street Journal today reports Facebook in Privacy Breach. The article describes how several of the applications available on Facebook transmit identifying information to Internet tracking and advertising companies. The breach affects millions of users. An especially resonant sentence in the article notes that “The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.”
A casual reader of the article might understandably think that the Facebook breach has little relevance to the risks that most companies confront in the collection and handling of confidential information. While it is true that most don’t have 500 million customers or embed third-party applications in their websites, several important aspects of Facebook’s seemingly sui generis situation have analogues for almost all companies.
Some important questions raised by the Facebook matter could also arise for any other company that collects confidential personal information. These include, for example:
- What information do we really need to collect from our customers?
- What personal information do we really need to store for future use?
- What personal information about our customers do we really need to make available to third-party vendors/service providers so that they can properly do their jobs?
- What contractual arrangements do we have with third-party vendors/service providers to ensure that they will handle and protect our customers’ confidential information in accordance with our own policies and with applicable law?
- Are the indemnification arrangements we have with third-party vendors/service providers consistent with our own obligations and exposures?
- What due diligence have we performed on third-party vendors/service providers to make sure that they will be able to honor their obligations with respect to confidential personal information, or their financial obligations in the event of a breach?
- Are the different departments in our company (IT, legal, sales, etc.) properly communicating with each other to make sure that data security issues don’t fall through the cracks?
And as usual, insurance coverage issues lurk with respect to several aspects of the Facebook matter. Under many policies being sold in today’s marketplace, none of the substantial costs incurred by Facebook in connection with this breach would be covered, especially if no lawsuit is filed against it. Under other policies, varying degrees of the costs would be covered, with vastly different financial implications for the insured company.
Insurance is available to cover many of the exposures caused by privacy breaches, but it is not a given that any particular policy will cover the exposures that a company actually faces. When we work with companies to help them insure their data security exposures, there is no simple cookie-cutter approach that works equally well in all circumstances. Two of the bedrocks of a good placement are (1) understanding the full range of the company’s business activities and practices that could reveal data security risks, and (2) making sure that the policy’s coverage terms properly reflect the full range of exposures that the company faces.