More than a year after The General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy for all citizens of the European Union, was implemented in May 2018, some U.S. insurers are examining what they can learn as they prepare for the implementation of similar data privacy laws in New York and California.

“With GDPR, too many U.S. insurers may feel like it’s kind of far away and not particularly applicable to them,” said Tim Zeilman, vice president and Cyber and Privacy Risk practice leader at Hartford Steam Boiler. “But it’s really the harbinger of things to come in the United States as states start enacting similar laws that don’t just cover a breach notification and obligations in the event of a breach, but really go into much more detail about how information has to be managed.”

Zeilman said this is one of many reasons why ensuring GDPR compliance is a good idea, as those compliance activities can pay dividends as U.S. states are likely going to enact GDPR-like legislation within the next couple of years.

U.S. Data Privacy Legislation

In fact, The NY Privacy Act – introduced in May of this year by state senator Kevin Thomas – would give New York residents more control over their data than in any other state if passed, according to Wired.

The act, which is currently with the New York Senate’s Consumer Protection Committee, would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. It also creates a special account to fund a new office of privacy and data protection.

The purpose of the bill is to address how online platform and social media firms process personal data. It will require the companies to attain consent from consumers before they share and/or sell their information by acting as fiduciary entities.

The introduction of the NY Privacy Act comes after California became the first state to pass such a law last year with the California Consumer Protection Act (CCPA). As the nation’s most far-reaching data privacy law to date, CCPA is set to begin Jan. 1, 2020.

The CCPA, which passed last year following massive data breaches at companies like Target and Equifax, requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third-parties have received it. This law is similar to Europe’s GDPR, as both aim to give consumers greater control over use of their data as well as punish companies for exposing that data, Insurance Journal previously reported.

Increased Awareness Among Insurers

As the U.S. insurance industry anticipates the beginning of CCPA in January 2020 and future actions related to the NY Privacy Act, James Burns, cyber product leader at CFC Underwriting, believes GDPR can serve as a guide in terms of what to expect.

James Burns

“One thing that we saw early on as a cyber insurer was a level of engagement between our insureds and our cyber claims team that increased dramatically post May 25, 2018,” he said. “We saw a huge uptick in calls to our breach hotline, for example, and I think the passing of legislation in California and New York when that happens might lead to repeat circumstances for insureds that are affected by that legislation.”

Burns added that with the implementation of GDPR and similar proposed data privacy legislation in the U.S., insureds and entities suddenly tend to become more aware of the fact that they might be exposed to this new legislation and begin being hyper cautious in ensuring that they’re letting their insurers know if there have been any potential breaches, as well as accepting guidance and education in relation to notifying the authorities.

This increased level of engagement is seemingly with good reason, as Zeilman stated that “one of the headline grabbing things about GDPR is the potential scope of the fines or size of the fines that can be levied under it.”

Burns stated that although in the past year, the industry has only seen the first developments in relation to fines and penalties being issued as a result of GDPR, “the penalties seen so far are amongst the largest in the history of global privacy regulation.”

“In terms of lessons to be learned from a risk standpoint, I think we’re still discovering that with GDPR and will continue to have to do so with CCPA and the New York privacy law as well,” Burns said, adding, “I think it’s important that everyone stands up and takes note of what’s happening in relation to this very broad and all-encompassing regulation.”

Indeed, Tom Kang, global head of cyber insurance products at Willis Towers Watson, stated that in the U.S., both CCPA and the NY Privacy Act raise the baseline for all companies.

Tom Kang

“One of the traditional complaints within the insurance industry is a lot of companies have not taken some of the most basic fundamental steps in protecting their network, data and network assets,” he said. “But with some of these statutes in place now, cyber risk is not something companies can solely outsource to a third party.”

Collaboration with Insureds

Kang stated that companies have to invest their resources to understand the information they collect, as well as have visibility into the movement of this data throughout their systems and third-party systems and take time to ensure the right level of protection is being applied to their assets. Like Burns, he cited increased collaboration between insurers and insureds as a helpful tool in achieving full compliance.

“Even though some of these statues make the requirements clearer, it really is difficult to understand the specifics and implement all of the necessary controls to be fully compliant with these statutes,” he said. “This sort of compliance takes a lot of investment from the clients.”

Kang explained that insurers have already done a number of things to help their insureds become more compliant by undertaking educational efforts, hosting webinars and providing resources developed by carriers and their partners for their clients to better understand their risk and compliance requirements.

“If carriers can understand the insureds’ evolving needs and provide the right insurance solutions for their insureds…there’s a tremendous amount of opportunity to thrive as we move forward,” Kang said. “There’s an opportunity to solve real problems and challenges being faced by our clients, not just in response to the evolving cyber threat landscape, but also because of the evolving privacy and security regulations coming online.”

Tim Zeilman

Burns stated that he believes cyber insurers need to accept the challenge of offering pre-event services for insureds, whether it’s guidance notes or self-audit questionnaires, to help them identify what their exposure to these data privacy regulations may be.

“I think insureds, particularly on the smaller end, are going to be crying out for help and guidance in this respect, and I think cyber insurers are well placed to help fill that need,” he said.

Ultimately, however, Kang stated that the insurance industry is still in the very early stages of the data privacy regulation conversation.

“There will be a continued evolution of these privacy and security statutes,” he said. “As an industry, we talk about it and understand there’s an evolution of the cyber threat landscape, but we need to be just as aware of the evolution of the regulatory environment and all of the risk management and compliance strategies that need to evolve along with these regulations.”

*This story ran previously in our sister publication Insurance Journal.