In June 2018, California passed the most stringent data privacy law in the United States. Companies with business in California will likely have to request fundamental changes to their insurance programs to protect against the risks created by the statute.
The California Consumer Privacy Act of 2018 ("CCPA") forces companies to make full disclosures about their data collection and sharing practices. It also requires companies to fulfill consumer requests to remove personal information or cease sharing it. Companies could face statutory liability under the CCPA when poor security measures cause the disclosure of personal information from a data breach or other event. Consumers may sue for statutory damages of $100 to $750 per person per violation. This could get expensive!
This new statutory damages provision could lead to a surge in data breach lawsuits. Even relatively minor cyber incidents may attract the attention of plaintiffs’ class action counsel, given the amount of potential damages.
The CCPA has implications for insurance coverage. Certain firms—even those with cyber insurance—will find that their current insurance programs may not adequately protect them against the new statutory liabilities. This is important because:
- Many cyber insurance policies currently available may exclude claims for violating the CCPA’s disclosure requirements or for failing to delete data upon request. Policyholders may have to amend their policies to cover such claims. Some insurers do provide defense coverage and, where permitted by law, cover fines and penalties. You should check with your agent.
- Firms should check to see if their cyber policies contain language excluding statutory damages.
- The CCPA may increase the likelihood of data breach litigation and drive up the cost of settlements. Under cyber insurance policies, defense costs erode policy limits. Firms should determine whether they have adequate coverage limits to defend and settle data breach claims.
- Cyber insurers may not include coverage for regulatory claims in their standard form. Regulatory coverage becomes more crucial in light of the CCPA’s civil penalties and the California attorney general’s enforcement authority.
- Other states will likely enact similar legislation, so it is wise to be prepared for these new regulations.
The CCPA becomes effective on January 1, 2020, which means firms' cyber insurance policies will go through at least one renewal cycle before the law takes effect. Firms should use this window of opportunity to review their insurance policies and make changes as necessary to address the new exposures under the CCPA.
Inspired by the following article from Jones Day.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org