An Uber and Lyft driver who live-streamed passengers in his vehicle to a channel on the video streaming website Twitch is part of a growing number of practices that challenge privacy rights in today’s surveillance society.
Since March, hundreds of St. Louis-area passengers have been streamed online without their knowledge by their driver, Jason Gargac. The live-streams are technically legal because Missouri is one of nearly 40 states where in most situations only one party to a conversation needs to consent to a recording. However, since the story was first reported by the St. Louis Post-Dispatch in late July, Uber and Lyft dropped Gargac as a driver and Twitch removed his channel.
Gargac’s actions raise legal and ethical questions about privacy in a gray area of the law. Passengers said they would not have consented to being live-streamed if they had been asked. If lawsuits are filed, courts would decide whether ride-sharing vehicles have a reasonable expectation of privacy. While in general, companies are responsible for the actions of their employees; this incident brings to the forefront the need for all organizations to have proper Cyber and Privacy Insurance to protect themselves, given that anyone with a mobile phone can live-stream, or collect audio or video recordings.
“Organizations are constantly grappling with balancing an individual’s privacy rights against the power of data collection and use of new technology,” said David Derigiotis, Certified Information Privacy Professional (CIPP), Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Mich.
“Lawsuits, regulatory investigations, and other issues can arise that threaten an organization financially and no organization is immune.” – David Derigiotis, Burns & Wilcox
“We’re a socially connected world and even if a person is operating within the parameters of the law, it doesn’t mean they are operating ethically. Lawsuits, regulatory investigations, and other issues can arise that threaten an organization financially and no organization is immune.”
Cyber and Privacy Insurance can cover legal costs associated with privacy violations, lawsuits, business interruption, public relations, crisis management, regulatory fines and penalties and more. The average cost of a data breach in the United States has increased to $7.91 million, but you do not need to experience a major breach to accumulate expenses or negative publicity quickly due to the actions of your employees or affiliates, Derigiotis said.
The evolution of live-streaming
An ever-growing surveillance society is evident with the popularity of live-streaming. About 78 percent of online audiences watch video on Facebook Live. Video on social media produces 1,200 percent more shares than text and images combined, according to Talk Point.
Online influencer Neil Patel indicates that individuals spend three times more time watching live-streamed content than they do watching non-live videos. Twitch, the platform that Gargac used and one that is popular for gaming, brings in more than 10 million active users each day. YouTube and Periscope are two other free platforms where individuals can engage in live-streaming.
“Live PD” is a television series on the A&E network that broadcasts police patrols in real time with a slight delay. It was the most DVR’d show of 2017, according to a Vizio survey.
“All organizations should have security and privacy policies in place that are communicated to employees and stakeholders, including vendors.” – Jon Kovach, Afirm
Gargac reportedly used dash cams in his vehicle to record Uber and Lyft passengers. Such technology is readily available online or in retail stores. Until recently dash cams were used mostly by law enforcement agencies and with public transportation systems. But built largely on consumer purchases, dash cams are expected to become a nearly $32 billion industry by 2022.
It comes back to data collection
So what does this mean for organizations that need Cyber and Privacy insurance? Risk mitigation should be top-of-mind, according to Derigiotis. Organizations of all sizes need to know what data they are collecting and what parties such data is being shared with.
“All organizations should have security and privacy policies in place that are communicated to employees and stakeholders, including vendors. Adequate training should also be offered on such policies on a regular basis. This is for the organization’s own protection,” said Jon Kovach, President, Afirm, a leading provider of audits, lost control inspections and risk services.
Accountability is the rule of the day, Derigiotis said. When a privacy incident occurs, the public is more likely to stick by an organization that demonstrates due diligence in protecting data, full transparency and keeps promises to consumers. Consumer watchdogs such as the Federal Trade Commission will work with your organization rather than against it. Employees should be aware of policies surrounding live-streaming while on the job. It’s not clear whether Uber or Lyft have a formal policy on live-streaming.
“Many insurance policies will have unlawful surveillance exclusions that relate to unauthorized video recordings, wiretapping and more,” Derigiotis said.
Derigiotis believes companies should ask three common questions:
2.How does your policy relate to unauthorized audio and video recordings? This brings to light what type of “surveillance” violations a policy will cover.
3.How does your policy respond to personal injury and media issues such as misappropriation of a person’s likeness, false light, potential libel or slander?
An insurance broker or agent can help determine the most complete coverage, but every policy is different, Derigiotis said. “The average employer may not have the necessary resources, time, or funds to properly deal with privacy or security incidents when they occur,” he added.
Many policies come equipped with risk management resources, such as access to privacy and security advisors, employee training tools, assistance with creating privacy and incident response policies, and legal counsel. Exposures such as marketing and advertising activities, libel, defamation and certain intellectual property rights infringements can be addressed with the proper coverage as well.
In Canada and the European Union, there are generally stricter and more comprehensive privacy regulations in place. A Privacy Insurance policy purchased in the U.S. can also cover actions in other parts of the world, and vice versa, Derigiotis said.
“These policies address worldwide exposure since electronic data has no boundaries,” he said.
As with any coverage need, an insurance broker or agent must be consulted. Click here to forward this article to your insurance broker or agent to ask if you need this coverage, or share this with clients to start the conversation and ensure proper protection.