Originally published by Anderson Kill's Policyholder Advisor, September/October 2017
While high-profile cyber breaches of major government and corporate databases continue to dominate headlines, less consideration has been paid to the ever-increasing cyber risks associated with the use of personal mobile devices and their apps, including those connected to social media.
The use of mobile apps and social media has nevertheless created new, evolving risks for businesses that interact with customers through these platforms. Policyholders need to be aware of such risks. Importantly, policyholders also must scrutinize the insurance coverage options available to cover any potential liabilities.
An Explosion of Apps and Social Media
A growing number of transactions — ranging from the personal to the commercial — are performed in the palm of our hands using mobile apps installed on our now-ubiquitous smartphones and other portable devices.
More than 2 million apps are available for download on the iPhone alone. Some might help you find love with one swipe, while others can help you transact multimillion dollar international trades with one click. According to eMarketer, time spent with smartphones and tablets increasingly skews toward apps rather than the mobile web. In-app usage is expected to account for 89.2% of smartphone time and 76.8% of tablet time in 2017. Analysts estimate that in 2016 mobile phone users downloaded some 90 billion apps and spent 900 billion hours using them.
The average person now spends nearly two hours on social media every day. A study by Mediakix recently calculated that Facebook users will spend an average of 35 minutes a day on the platform. Sixty percent of the time spent on social media is facilitated by a mobile device.
It is only a matter of time before all companies are either utilizing their own mobile apps or relying on third-party apps to service customers or enable transactions. Most companies already have some social media presence or are figuring out how to best use the technology to their benefit. Social media ad spend alone is expected to reach $36 billion in 2017.
A Risky Business
But as with any new technology, there are risks involved in the use of mobile apps and social media platforms.
More than 1.5 million new incidents of mobile malware were detected by McAfee Labs in just the first quarter of 2017. While big mobile players such as Apple and Android continue to improve their platforms, it is impossible to keep up with the plethora of malicious actors that speedily evolve and constantly introduce new pernicious forms of malware. A RiskIQ study found that every 60 seconds 818 pieces of unique malware are deployed, along with 1,214 ransomware attacks, and more than 100,000 phishing emails.
At a recent presentation by the FBI, a special agent involved with the U.S. Secret Service’s Electronic Crimes Task Force noted that malware in mobile devices may become mainstream in the next five years. When performing transactions using mobile apps, users often input highly sensitive data, including personal financial and confidential health details. Yet security is still not a top priority in app design, with some apps allowing users to store or pass credentials in the clear or by using weak encryption.
A Changing Legal Landscape
Mobile app and social media use by companies has triggered new waves of regulatory actions, as well as civil litigation.
The Food and Drug Administration has provided insight on its views and specific examples of how its authority may apply to mobile medical apps, while the Federal Trade Commission and other regulators have already brought app-related enforcement actions based upon alleged violations of privacy. Mobile app users have brought their own suits too. Tech giant Google has faced litigation from its Google Wallet users alleging violations of the Stored Communications Act and consumer protection laws.
Companies also now face growing legal repercussions, such as lawsuits for defamation and copyright infringement, related to their social media presence. For instance, while the parties ultimately settled, the entity that owns the famous photograph of firemen raising a flag above Ground Zero in the hours after the September 11, 2001, attacks sued Fox News for posting a slightly altered version of the photograph to Facebook.
In addition, as noted by Emy Donavan, global head of Cyber for Allianz, “Any cyber event that significantly impacts a company’s reputation and its share price could result in shareholder action.”
Insurance Coverage Implications
In the face of the changing regulatory landscape and the increased potential for liability, policyholders need to review the insurance coverage options available under both traditional commercial liability and developing cyber insurance policies that may cover the risks associated with mobile apps and social media.
Policyholders may be able to look to traditional commercial general liability insurance policies, which often provide coverage for personal and advertising injury and might afford coverage for claims such as libel and copyright infringement stemming from a company’s social media presence.
Policyholders can also look to their directors and officers coverage and errors and omissions coverage. Shareholders now expect that good corporate governance and oversight must include safeguarding a company’s cybersystems and data. As such, policyholders should maintain responsive D&O insurance coverage for potential cyber claims that might affect the most senior levels of their companies. D&O policies may respond to a variety of cyber-related allegations because such claims can qualify as a “wrongful act” under D&O policies. Another potential source of coverage is E&O policies, which provide coverage for claims associated with a company’s errors or omissions in rendering its professional services.
While standard commercial liability policies, D&O, and E&O policies are potential sources of coverage, these policies might have exclusions meant to disclaim coverage for cyber-related events. Further, insurance companies have become increasingly aware of the risks related to mobile apps and social media, and are now inserting exclusions meant to limit coverage for liabilities connected to such activities. This trend has made it important for policyholders to consider buying separate cyber insurance policies.
The landscape for cyber-specific policies is still emerging, with little consistency between the cybersecurity programs offered by the major insurance companies, including various exclusions specific to mobile devices. For example, some cyber policies include an exclusion barring coverage when a breach occurs through an unencrypted mobile device. Other cyber policies exclude coverage where the policyholder fails to follow “minimum required security practices,” employ “best security practices,” or comply with its own security policy. Insurance companies already have relied on such exclusions in cyber policies to disclaim coverage, and no doubt will continue to do so. Litigation has ensued where these types of exclusions were at issue, and surely will continue in the future as companies face unexpected liabilities related to mobile apps and social media. See Columbia Casualty Co. v. Cottage Health System, no. 2:15-cv-03432, (C.D.Cal 2015).
Policyholders must be mindful of these evolving exclusions in order to maximize coverage and to avoid the gaps in coverage that such exclusions create.
A Path Forward
According to Christine Marciano, president of Cyber Data Risk Managers, “As technology risks continue to evolve, many carriers are starting to pull back on the types of industries and risks they will cover.” While policyholders might be able to look to traditional policies such as those for general liability, D&O, and E&O as potential sources of coverage, policyholders still must remain ever-vigilant and consider insurance options specifically tailored to liabilities arising from their use of mobile apps and social media platforms. Because such coverage is far from standardized, and full of potential pitfalls, tapping the expertise of a good broker or outside counsel is advisable. In particular, policyholders and their advisers need to carefully vet current and future policies to ensure they do not contain exclusions that might limit coverage in the event of a claim.