Don’t Get Caught in the Web!
Be aware of and mitigate E&O exposures from your website
by Sabrena Sally, CPCU
Over 40% of agencies insured through the IIABA-Swiss Re E&O program now have their own website, having grown from 19% in 2006. Having a good website, with robust functionality, has become a core tool for agencies with a modern marketing strategy. Agencies are moving to more complex websites to respond to consumers and clients who increasingly want to shop online and be able to handle basic service needs when convenient for them.
Virtually all agency websites provide basic advertising for the agency, showing the agency name, logo, phone number, address and email link. Over the past eighteen months, however, applications for E&O show a clear trend toward agency websites expanding beyond standard advertising information, as might be expected from expanding consumer online behavior and the services being offered by competitors and other industries.
Let’s first examine what errors and omissions exposures an agency can face from the more traditional type of website. Many of the exposures on these sites are the same that exist in the ‘paper’ world. Advertising liability can arise out of the use or misuse of a trademark, or from the copyrighted material of others, and statements regarding the services available through the agency may be subject to regulatory requirements. At least one state, New York, makes this clear in Circular Letter No. 5 (2001), “Advertisements, Referrals and Solicitations on the Internet,” where it states that “Advertisements that appear on the Internet are subject to all applicable existing statutory and regulatory guidelines and restrictions applicable to advertisements in any other medium.”
E&O Tip: The same level of care in creating ‘paper’ advertising is appropriate for the agency advertising contained on the website. If in doubt, a quick consultation with your qualified legal counsel is well worth the cost.
Websites commonly provide a button allowing a site visitor to contact the agency via email. One could certainly expect questions about what services the agency provides, hours open for business or even driving directions. Keep in mind, however, that there is no way to control what a visitor might choose to include in the content of their email. The visitor might decide to include confidential personal information (such as a name coupled with a social security, drivers license or credit card number) in the unprotected email, creating an exposure to breach of data privacy.
E&O Tip: To help mitigate the liability exposure from this common website feature, posting an appropriate disclaimer is a best practice. A sample disclaimer is provided at the end of this article for agents to use as a starting point and to customize to their agency’s situation.
Posting Website Content
As a simplified case study, let’s view the stages a hypothetical agency might follow in expanding its website over time, and how these changes can affect the agency’s E&O exposure. After constructing a basic website, the next step an agency often takes is to add articles that will be of interest to site visitors. Articles of interest can range widely in subject matter and may be available for viewing only or also as a download. “What is an umbrella policy,” “How to implement an employee wellness plan,” and “Where to find information on OSHA requirements” are examples of topics seen on agency websites. Content can be general in nature or become more technical and specific to certain types of exposures. The options are practically endless.
Posting informative articles on the agency website can draw visitors, generate stickiness with existing customers, and lead people to contact the agency for additional information. In addition to these positive benefits, there are risks that accompany posting information.
E&O Tip: If the content is original material created by the agency, practicing due diligence to ensure accuracy of the information is a key preventative measure. The more specific the information provided, the higher the risk of generating allegations against the agency for misrepresentation or providing inaccurate advice.
There is one significant difference between content posted on a website and content published in more traditional forms. Posting content online makes the information available to anyone regardless of their physical location. This instantaneous world-wide availability raises the issue of jurisdiction. It is not yet clear how legal jurisdiction might be applied to content published on a website. Including an appropriate legal disclaimer as part of posted information is for now one’s most effective tool in mitigating the jurisdictional risk.
E&O Tips: If the content is obtained from another source, the first step in risk management is to verify the expertise of the information’s source. This step helps minimize the exposure to allegations of misrepresentation or inaccurate advice. The information is also most likely copyrighted, creating exposure to allegations of copyright infringement. Obtaining written permission from the owner or licensor of the material prior to posting and giving appropriate credit of authorship can help mitigate the copyright exposure. If the content is obtained under a licensing agreement, explore what options may exist to protect the agency via contractual indemnification. As with information authored by the agency, it is recommended that appropriate legal disclaimers be clearly posted with information obtained from other sources.
As agencies often receive requests from customers for referrals to other service vendors, it is a natural next step for the agency website to include links to these types of service vendors. Windshield repair services, CPAs for tax preparation, and disaster recovery solutions firms, are just a few examples of service vendor links seen on agency websites. Linking to vendors on the agency website can create the same exposure to negligent referral that exists when the referral takes place verbally, through email or snail mail. Regardless of how a referral is provided, the best practice recommendation is to provide at least two referrals, leaving it to your customer to choose which vendor to use. If the agency site links directly to a vendor, there also may be exposure to allegations of trademark infringement or unfair use of cyber marks from the vendor.
E&O Tips: The best practices to follow to mitigate allegations of negligent referral for vendor referrals, including linking, are to:
obtain written permission from the vendor or site to which the link leads
provide always more than one selection for each type of service
ensure there are appropriate disclaimers regarding the services being provided by these vendors.
Interactive and Web-based Transactions
Agencies are increasingly adding interactive website features to increase the effectiveness and efficiency of the agency. When interactive features are included on an agency website, more unique E&O exposures can quickly develop. The most rapidly growing exposure we have seen is the number of agency websites that are accepting application information.
As part of the underwriting process on a recent renewal, we reviewed an agency website. The site opened to a very professionally designed home page. The site had clearly written text, eye-pleasing graphics, was well-organized, and quick-loading. At the bottom of the first page, a link to the agency privacy statement was prominently posted. Following the various tabs, one could easily find informative articles which clearly showed authorship and contained appropriate disclaimer language. So far, so good.
We then clicked on a button titled Personal Lines, on through the Auto Insurance button, to “Submit Application.” The Submit Application button led to a page where a full spectrum of personally identifiable information can be submitted, including: name, address, date of birth, social security number, drivers license number – basically all the information one needs to carry out identity theft. There was no indication of security being enabled by an ‘https’ displayed before the URL (evidence of creation of an SSL connection), and nothing contained within the web page itself referred to secure transmission of this data.
An agency has the duty to protect personally identifiable information and a myriad of both state and federal laws apply. Violations of these laws carry significant financial penalties, not to mention the extreme damage that can be done to the agency’s reputation. One state, for example, specifically requires “encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information transmitted wirelessly.” At the most recent count, forty-six states have some type of law or regulation addressing the protection of personal information.
E&O Tips: Agencies that collect personally identifiable information (whether on their websites or not) should take the necessary steps to be knowledgeable about state and federal laws and regulations that protect such personal information and provide the level of data security required by them.
A best practice is that the agency website create an SSL connection with the visitor’s browser before the visitor is asked to enter an id or password or any personal information, such as that included on insurance applications, so that this information cannot be read by unintended parties over the Internet.
Many agencies are now expanding their online presence to include social media as a part of their advertising and customer interaction. ACT has an article and webinar on the E&O exposures arising from the use of social media which can be found at www.iiaba.net/act at the “Website & Social Media” link.
Key activities for mitigating E&O exposures generated by a web presence
It’s an exciting time as agencies become more creative in using the opportunities that websites can provide. Be creative, but not naive. Keep in mind that with every opportunity, there is risk. Consider the following quick tips to help mitigate your agency’s exposure to errors and omissions that may arise from your agency’s website:
Review website advertising with the same level of legal scrutiny toward copyright and trademark issues as the agency’s more traditional advertising
Post an appropriate Privacy Statement prominently on the website
Review original content posted on the website for accuracy and post appropriate disclaimers
Obtain written permission for content obtained from other parties, be confident they are a knowledgeable source, credit their authorship, obtain the author’s indemnification (if feasible) and post appropriate disclaimers
If you decide to refer to other service providers, provide more than one provider name, obtain written permission to link to them and post appropriate disclaimers regarding the services provided by the vendors
If the website has interactive features that collect personally identifiable information, comply with all state and federal privacy and data breach notification laws and regulations and create an SSL connection with the visitor’s browser before the visitor is asked to enter an id or password or any personal information.
Sample Website Disclaimers
Agents should consult with their local counsel to customize these sample disclaimers so that they fit their website, are positioned at the appropriate places on the site and comply with all of the federal and state laws and regulations that apply to them. These disclaimers are in addition to the Privacy Statement that the agency should include at the bottom of its website setting out its privacy policies.
Please review carefully!
“This information is not an offer to sell insurance. Insurance coverage cannot be bound or changed via submission of this online form/application, e-mail, voice mail or facsimile. No binder, insurance policy, change, addition, and/or deletion to insurance coverage goes into effect unless and until confirmed directly with a licensed agent. Note any proposal of insurance we may present to you will be based upon the values developed and exposures to loss disclosed to us on this online form/application and/or in communications with us. All coverages are subject to the terms, conditions and exclusions of the actual policy issued. Not all policies or coverages are available in every state.”
“Please contact our office at 555.555.5555 to discuss specific coverage details and your insurance needs. In order to protect your privacy, please do not send us your confidential personal information by unprotected email. Instead, discuss that personal information with us by phone or send by fax.”
“Statements on this website as to policies and coverages and other content provide general information only and we provide no warranty as to their accuracy. Clients should consult with their licensed agent as to how these coverages pertain to their individual situation. Any hypertext links to other sites or vendors are provided as a convenience only. We have no control over those sites or vendors and cannot, therefore, endorse nor guarantee the accuracy of any information provided by those sites or the services provided by those vendors.”
“Information provided on this website does not constitute professional advice. If you have legal, tax or financial planning questions, you need to contact a qualified professional.”
This article is intended only for educational or illustrative purposes and should not be construed to communicate legal or professional advice. You should consult legal or other professionals with respect to any specific questions you may have. Further, the statements and/or opinions contained are those only of the author and do not constitute and should not be construed to constitute any statement, opinion or position of Swiss Re, IIABA or ACT.
Sabrena Sally, CPCU is Senior Vice President of Westport Insurance Corporation, a Swiss Re company, and manages the Big “I” Agency Professional Liability Program, which is endorsed by IIABA and 51 Big “I” state associations. Sabrena can be reached at firstname.lastname@example.org. Sabrena produced this article for the Agents Council for Technology (ACT), a part of the Independent Insurance Agents & Brokers of America. For more information about ACT, visit www.independentagent.com/act or contact Jeff Yates, ACT Executive Director at email@example.com. This article reflects the views of the author and should not be construed as an official statement by ACT or IIABA.