As the nation’s most far-reaching data privacy law, California Consumer Privacy Act (CCPA), is set to begin Jan. 1, 2020, businesses and their insurers are preparing for a new era in cyber liability.
Anxiety is on the rise and a sense of urgency has set in for Robert L. Wallan’s clients. Wallan, a partner in Pillsbury Winthrop Shaw Pittman LLP in Los Angeles, Calif., handles class actions, insurance recovery and business-related litigation.
Executive SummaryA new era in cyber liability begins with the launch of California’s Consumer Privacy Act on Jan. 1, 2020. Businesses and their insurers are preparing for the new law, which could be an industry game-changer, writes Don Jergler in this Insurance Journal Magazine story.
He has been working with clients who want to determine the language they should have in their cyber insurance policies to protect themselves before CCPA kicks in.
“I have clients; we’re in negotiations now,” Wallan said of his work on policy language for the law which is still subject to modification by lawmakers and regulators. “We don’t have final wording yet; we’re not done.”
And he believes it won’t be long until the first lawsuits related to the new law begin to be filed.
“You’re going to see some class-action litigation, my prediction is, pretty early,” Wallan said.
Judy Selby, principal at Judy Selby Consulting LLC, an insurance and privacy advisory services firm, believes like many others that the CCPA represents a sea change in the area of privacy laws.
“One of the reasons the CCPA will be a big game-changer is because it applies to an unexpectedly broad range of data, even when compared with other privacy regulations,” she said. For example, under the CCPA, personal information is defined as information that can be linked, directly or indirectly, with a particular consumer or household. “That information includes browsing history, products and services purchased or considered, inferences that create a profile reflecting personal abilities, aptitudes and attitudes, audio, electronic, visual, thermal, olfactory information and a variety of other types of information not previously captured by US privacy laws,” Selby said.
In short, if one can learn something about someone that is useful for marketing purposes, chances are, it’s “personal information” covered by the CCPA, she explained.
Tony Dolce, vice president and cyber lead for Chubb NA, is responsible for the technical aspects of his company’s cyber line of business in the financial lines claim department as well as handling complex cyber matters. Dolce says Chubb, a large carrier in the cyber space, is closely monitoring CCPA’s rollout.
The Zurich-based carrier’s interest goes beyond just following the California law, because Dolce believes the rest of the nation will be watching the rollout and he expects other states may follow the lead.
“I think it’s an interesting bellwether to see whether other states follow,” Dolce said. “I think the rest of the country is going to pay close attention to that.”
The CCPA, which passed last year following massive data breaches at companies like Target and Equifax, requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third parties have received it.
This law is similar to Europe’s General Data Protection Regulation. Both GDPR and CCPA aim to give consumers greater control over use of their data as well as punish companies for exposing that data.
The CCPA applies to any for-profit entity that does business in California and collects personal data, and has annual gross revenues over $25 million, or possesses personal information on 50,000 or more consumers.
The new California law provides for its enforcement by the state’s attorney general, who is empowered to assess businesses a fine of $7,500 per record for CCPA violations. That could amount to a hefty sum in a breach like the one announced last month by First American Financial Corp., which reportedly exposed about 885 million files dating back to 2003 on its website.
The CCPA is set to take effect Jan. 1, 2020. However, the attorney general must still draft rules to enforce the act, which could take much longer.
The law specifies that the attorney general must adopt most of the rules for the CCPA by July 1, 2020.
Paula Miller, a senior vice president and a leader in the cyber practice for Marsh, is spending more time talking with clients about the new law as well.
Both existing and prospective clients are approaching the global insurance broker with concerns about the new law as the time for its implementation draws near, according to Miller.
“I would say it’s coming up pretty frequently,” she said.
Neither of the aforementioned minimums (annual gross revenues less than $25 million, or possession of personal information on less than 50,000 consumers) exempt very many clients at a brokerage the size of New York-based Marsh.
“The threshold for the application of the new law is pretty low,” Miller said. “That certainly impacts all of our clients.”
She said the pending arrival of the new law is driving sales for Marsh, moving companies that already buy cyber insurance to reach out to their brokers to ensure their policies are compliant with the new law.
“This is prompting them to not only reevaluate their coverage, but the overall insurance limits that they purchase,” Miller said. “In some cases, this law will increase sales in the form of increased limits for existing buyers.”
Limits being sought depend on the type of industry, size of revenues and how they feel about their cyber security exposure, according to Miller.
“The average limit for a business of up to $2 or $3 billion in annual revenue is going to be on the magnitude of $5 million to $25-$30 million,” Miller said.
Clients at San Francisco, Calif.-based Woodruff Sawyer are also considering higher limits, according to Dan Burke, the firm’s national cyber practice leader.
“I would say that it is driving some increased purchasing from a limit perspective for us,” Burke said, adding that something similar occurred just before Europe’s GDPR kicked in last year. “A lot of that buying activity happened right up until the regulation went into effect.”
He expects a similar experience up to and beyond the Jan. 1 implementation of the new law.
“We’ll see an increase in those six months right prior to that,” Burke said.
While many of Burke’s conversations with clients as of late center around him giving his opinion on how the law will ultimately look, the most-asked question from clients who are concerned about costs and coverage is, “How’s this going to impact my insurance?”
Burke has his answer already.
“The CCPA has the ability to significantly impact the claims that carriers feel,” he said. “I think you’re going to start seeing settlements in those cases become bigger. As the claims severity increases, there’s really two things going to be happening from a coverage standpoint: either premiums are going to have to go up to deal with severity, or coverages are going to have to be reduced to deal with those losses.”
He added: “I really think that there’s going to be some significant claim payment that happens. I do think there’s going to be a pretty significant impact.”
Marsh’s Miller, on the other hand, believes rate hikes may take some time to wend their way down to buyers. “I don’t think it will affect the premium rates at the outset,” Miller said, adding that rates weren’t immediately impacted with the implementation of GDPR. “Those by and large came without any premium changes. And I expect the same here.”
The severity of claims, at least for now, is uncertain.
However, Dolce believes that an increase in frequency is a good bet.
“I think the jury’s still out on the severity piece,” Dolce said. “I think the frequency piece is definitely a possibility.”
Rob Rosenzweig, national cyber risk practice leader for insurance brokerage Risk Strategies, believes future litigation will trickle downstream.
“The inevitable onslaught of lawsuits could have implications on how cyber insurance is underwritten in terms of pricing and profitability, particularly with the small and middle market,” Rosenzweig said.
Rosenzweig said that as more claims are paid out, premiums could go up.
“Additionally, many clients historically have based their desired limits on the likely costs associated with the investigation of an incident and the notification of affected individuals,” he said. “However, litigation costs are much more variable and potentially catastrophic.”
While it may take some time for the CCPA’s influence to be felt in the cyber liability sector, Jeff Dennis, Head of Newmeyer & Dillion’s privacy and data security practice, believes the impact will be major.
He advises the industry to consider two thoughts—one is a warning, and one is a proactive suggestion.
“Given the $100–$750 automatic damage figure which applies to any data breach where reasonable security was not in place, insurers must understand that this may lead to potentially massive damage awards against insureds,” Dennis said. For instance, a data breach of 50,000 pieces of personal information would lead to a class action damage award of $5 million to $37.5 million. “This may have an impact on what carriers agree to cover, and the levels of coverage needed.”
In addition, given the numerous technical requirements of the CCPA, cyber insurers would be wise to consider incentivizing their insureds to comply with CCPA.
“This may be accomplished through discounting premiums or lowering retentions if an insured works with local counsel to become CCPA-compliant,” he said.
How to Prepare
The key to being ready for the CCPA is simple: Get users’ permission, make a map, and be ready to disclose this work and reply upon request, Jonathan Fairtlough, a managing director with Kroll’s Cyber Risk practice, told Wells Media.
“Make sure you have permission to keep the data you have about California residents,” he said. “Create a map of the data you are keeping—use your workflow to help identity data. Have a process to respond to a data request, linked to your website and tied to the data.”
This statute will apply to the data on both prospective and actual clients, he added. “It will cover not just the policyholder—but their family as well. It applies not only to the data in your files, but also the data your vendors and third-party groups are keeping as well.”
Celine Guillou, an attorney in the Palo Alto, Calif., office of Hopkins & Carley, says CCPA has effectively provided plaintiffs’ attorneys newfound incentive to more actively pursue large class actions, which they have historically shunned with respect to businesses experiencing “smaller scale” security incidents due to the difficulty of demonstrating actual damages and the small likelihood of a substantial recovery.
Now, the CCPA is by far the strictest data privacy law to date in the United States. “Thanks to CCPA, a data breach affecting just 10,000 consumers could easily exceed $1 million at a minimum,” she said.
“For plaintiffs’ attorneys, this is rather enticing, and the anticipated rise in lawsuits could have broad implications on cyber insurance industry,” she said. “And if many companies—small to midsize, especially—have typically based their cyber insurance needs on the costs associated with investigating a security incident and notifying affected regulators and customers, they will now have to weigh in litigation costs, which are more significant and highly unpredictable.”
*This story ran previously in our sister publication Insurance Journal.