“There’s no such thing as too much surveillance,” says Brian Smith. “I wouldn’t want one square inch not covered.”
That’s not surprising to hear, given that Smith is in the business of providing surveillance camera service to retail operations.
What’s equally important, however, are the measures he takes or recommends to protect himself and his clients from general liability arising from his firm’s surveillance activities.
Smith installs independent servers at each of his clients’ sites that they can control, and he requires that they sign a statement releasing him and his firm from liability for use or misuse of the information gathered.
Furthermore, Smith advises his clients “to be upfront about what they’re doing.
“Tell [customers] that you’re recording, including audio, but don’t tell them specifically where or how they’re being recorded.”
Despite all that, Smith finds that he’s facing more questions when it’s time to renew liability insurance for his operation, Digital Surveillance Consultants, Windham, N.H.
According to Smith, the question of when and whether to conduct surveillance and gather information on individuals is increasingly a “legal gray area” whose boundaries vary from state to state.
To illustrate, Smith says that he knows of a doughnut shop employee who successfully sued an oil company because its surveillance system (not one of Smith’s) made audio recordings of her conversations in the space the doughnut shop shared with a gas station. (Presumably it was a general liability claim,
as the woman was not an employee of the
gas station chain.)
In another case, he relates that one company opted to take down its surveillance cameras after an individual was attacked in
a remote section of a parking lot.
According to Smith, the company faced questions about its response to indications of threats captured on video, and reasoned that it would protect itself from charges of negligence if it did not use surveillance at all.
For someone like Smith-and, apparently, his insurance underwriters-it is increasingly difficult to know what constitutes an actionable violation of privacy in our age of surveillance-or, as some say, “dataveillance.”
Ours is an age when our daily activities are tracked and recorded, perhaps forever, by our use of credit cards, tollway passes, computers, cell phones, and other personal conveniences. Consciously or not, willingly or not, we “consent” to surveillance in public places by closed circuit television cameras and other means used by private and public organizations.
To cite one example of how technology has progressed in this regard, Digital Surveillance Consultants now provides the capability to combine video surveillance and data collection at a point of sale. Retrievable records are made of the products being purchased and the prices paid for them while the customer and clerk are being recorded.
This information is typically captured to help control theft and illegal sales of alcohol and tobacco, as well as employee collusion in these illicit activities. But the process conceivably can capture and preserve information on an individual’s medications, reading habits, and other personal matters.
Such information has been available for some time through credit card records, but the significance of new surveillance and information-gathering methods is that control over the information collected shifts from financial institutions that are well-schooled in privacy protection to smaller operations.
“Privacy laws are not keeping up with technological developments,” says Thomas Wilkinson, a member (partner) of Cozen O’Connor, a Philadelphia-based law firm prominent in insurance defense.
“Privacy protection is a big topic,” Wilkinson says,” because companies, including insurers, can acquire a great deal of information about people much more readily than in the past, and the consequences are wide-ranging.”
Most legal sources readily acknowledge that the careless release or dissemination of personal information usually violates a statute or constitutes a tort. What’s becoming less clear is whether it can be an offense to collect information or conduct surveillance at all.
“It’s definitely moving in that direction,” says Larry Ponemon, founder and president of the Ponemon Institute, an organization dedicated to advancing responsible privacy and information management practices.
“The greater the public concern, the greater the risk that [members of] the public and their advocates will bring a case against an organization,” he says. “From an insurance point of view, [information gathering] becomes a higher risk proposition.”
Wilkinson emphasizes two principles when advising companies about the collection and management of personal information.
First, limit your information activities to the minimum needed to accomplish reasonable objectives.
“If you don’t have a legitimate plan to [use] the data you receive, then is it wise to collect it at all?” he asks. “I think it’s best not to secure information and data you have no purpose for, and when you have no intention of following up on it.”
“Once you acquire all this personal information about clients, customers, and third parties, then there’s a much greater chance of inadvertent disclosures of that information to people who are anxious to have it for marketing or identity theft purposes.”
Ponemon agrees: “The more information you collect, the more risk you bring into your organization. You only want to collect the information that is necessary and nothing more than that.”
Given that, Wilkinson’s second maxim is that organizations should not collect any information on people unless they are committed to safeguarding it.
“Many companies have well-written data storage and retention policies, but fewer companies actually follow their policies in that regard,” he says. They typically don’t follow up.
“From an insurance underwriting standpoint, you want to know to what extent you have liability coverage in force against intentional, improper, or inadvertent disclosure of personal information.”
Given the risks arising from data leaks and violations of privacy, it might seem advisable to counsel insureds to simply avoid gathering information and conducting surveillance. But it’s not that easy, because the possibility exists that an organization could be found negligent if it engages in too little surveillance.
For example, certain types of businesses could be found negligent if they fail to implement adequate surveillance of their premises.
“Convenience stores, fast food restaurants, any type of entity that has a history or potential for robberies is probably remiss if it does not have a video surveillance system,” Wilkinson says. “The easier and less expensive it is to install a system, the more likely it’s going to be deemed negligent not to have such a system in place.”
The standard of care expected when screening employees and applicants will also test the limits of “privacy.”
“If you see through a social networking site that [an employee or applicant] is engaged in criminal conduct, what is your obligation?” Wilkinson asks.
“I don’t think that case law has caught up with that, but there’s a general trend in liability law to do away with old notions of privity and find potential for third party liability” for injurious acts of employees to members of the public.
While rights and responsibilities regarding surveillance and information gathering have been well-explored under employment law, there are more unanswered questions regarding organizations’ general liability toward the public in this regard.
Insurers are watching legal developments carefully to see if there is an increase in exposure under general liability policies for violations of privacy related to the increase
in surveillance and information gathering.
“I think we’re going to see lots of litigation over privacy,” says Charles Kingdollar, vice president of the emerging issues unit for General Reinsurance, Stamford, Conn. “That doesn’t mean we’re going to see lots of coverage actions, however.”
“Insurance coverage for this will depend on all the facts, including if the private information is made public.”
Randy Maniloff, an attorney who specializes in policy analysis, agrees.
“Any potential CGL coverage for violation of the right of privacy typically requires oral or written publication of material,” he says.
It is telling that, for Jewelers Mutual Insurance Company in Neenah, Wis., concern for control of first-party property losses is still the paramount consideration related to information gathering and surveillance.
Jewelers Mutual is a niche writer that specializes in insuring all types of jewelry businesses, as well as personal jewelry.
According to Andrew Indermuehle, product manager, Jewelers Mutual has seen no litigation concerning violations of privacy arising from information-gathering and surveillance, even though its clients necessarily employ surveillance to protect their valuable property.
“Appropriate video surveillance is often necessary,” he says. “We both require and recommend security measures, but we make no guarantee that such security will prevent a loss.”
Jewelers Mutual gathers some information about individuals in the jewelry operations that it insures,
but the information is limited to individuals’ past work experience and loss experience related to the coverage being sought.
“We expect the insured to have completed background checks for employment purposes, as we have no say as to whether someone is hired or not,” he says.
For the time-being, at least, commercial insurers, appear to be shielded from expanded general liability exposure for surveillance and information-gathering activities--as long as their insureds are not careless with the information they collect.
That could change, of course, with one breakthrough lawsuit. Given the level of public concern over privacy and surveillance, insurers should not become complacent.
Liability
in the 
