Tuesday, May 8, 2012

SNOPA (HR 5050) May Protect Insurance Companies From Schools and Businesses That Demand Access To Personal Password Protected Social Media Accounts

I have written how the Social Networking Online Protection Act (HR 5050) may benefit employees, job applicants, employers, students, student applicants, and schools. Now, I am going to explain how HR 5050 may benefit insurance companies.

Does the insurance industry realize that multiple schools are creating a massive database of their students' password protected social media content and activities? With access to all of this data these schools may become responsible for everything their students do online and everything that is referenced online and/or inferred online that may occur in the real world.

The Universities of North Carolina, Texas, Nebraska, and Oklahoma may not only be violating the Stored Communications Act with their student-athlete social media policies but also may be creating tremendous insurability problems for their academic institutions.

Each of the above mentioned schools have engaged a company called Varsity Monitor. In order for students to keep their scholarships and play intercollegiate sports at these public institutions, they must Facebook Friend Varsity Monitor and provide unfettered access to their password protected social media/digital content. Varsity Monitor downloads the students' social media content and creates detailed reports about all of the students' digital activities. Requiring a student to provide access to their password protected social media/digital content may violate FERPA and/or other federal and/or state laws

Varsity Monitor along with above schools are compiling vast amounts of personal data on thousands of students. What happens when there is a data breach? In Varsity Monitor's agreements and policies it clearly states that by using their service they are indemnified against any legal issues that may arise. Therefore, when a data breach occurs who will be left paying for it? The schools' insurance companies.

According to the latest Ponemon Data Breach Study, the average cost of a data breach is $194 per record and the overall average organizational cost is $5.5 million dollars. These figures appear to be focused on what I would call traditional data breach issues (compromised social security numbers, dates of births, addresses, etc...) and not personal social media data breach issues (which may include traditional issues plus a list of friends, professional contacts, personal photographs, confidential interactions, potential blackmail information, etc...). Furthermore, according to Ponemon the biggest threat to data breach are those who have access to the data. Therefore, when a student-athlete becomes famous and his social media content contains embarrassing information will Varsity Monitor and/or school employees who have access to the data leak the password protected personal content for personal gain?

Are schools prepared for the increase in legal discovery requests that will accompany all of the data they have accumulated on their students? Are schools telling their insurance companies that they are accumulating all of this unneeded personal data on their students? Do the schools that engage Varsity Monitor or similar service providers such as UDiligence, or Centrix Social know that a data breach at Ohio State a couple years ago may have cost the University $4 million dollars to resolve. These costs included: investigative consulting, notification of the breach, and a calling center to answer questions or concerns.

Ohio State's insurance company may have covered the entire cost of this incident. However, will the insurance industry be willing to cover an incident when a school and/or Varsity Monitor mishandles personal password protected social media content and/or when a school is sued for negligent social media monitoring? This type of lawsuit may contain some of the same arguments as the recent $30 million dollar lawsuit against UVA by the family of Yardley Love. However, because of digital evidence a jury in a negligent social media monitoring lawsuit may award $100 million dollars plus to a plaintiff. If you don't think this could happen you may want to ask Dharun Rhavi's lawyer about the power of social media evidence.

If the insurance industry wants to be protected from having to pay out claims against schools and/or businesses who are requiring their students and/or employees to provide access to their password protected digital content they will support the Social Networking Online Protection Act (HR 5050).

(Full Disclosure: I am working pro bono with Rep. Engel's office on the Social Networking Online Protection Act

To learn more about these issues you may contact me at

Copyright 2012 by the Law Office of Bradley S. Shear, LLC. All rights reserved.