The age of privacy legislation is upon us, and while 2018 might have been the year of the General Data Protection Regulation (GDPR), 2020 will certainly be the year of the California Consumer Privacy Act (CCPA), set to come into effect in January.
For those new to CCPA, the law permits any California consumer to see all the information a company has saved on them, in addition to a full list of all the third parties with whom that data is then shared. Should the privacy guidelines be violated, the California law also allows consumers to sue companies, even if no breach has taken place.
Not all companies will be impacted by the new law, as it only pertains to those that serve California residents and have at least $25 million in annual revenue, or companies of any size that have personal data on at least 50,000 people, or those that collect more than 50% of their revenues from the sale of personal data.
If a company does fall into these categories, they and their brokers shouldn’t be wasting any time making preparations to get into compliance with this law, which some experts say takes a broader view of what constitutes private data than GDPR. Nonetheless, many companies are lagging in taking the right compliance measures.
“It’s the same exact thing we saw with organizations trying to prepare for the General Data Protection Regulation. The majority of companies and organizations are not in compliance, and it takes a lot longer than they probably anticipate,” said David Derigiotis, corporate vice president and national professional liability practice leader at Burns & Wilcox. “I think that once 2020 comes, the majority of companies still will not be in compliance, just like we saw with surveys that came out with regards to GDPR. It’s a big investment, it takes a lot of time, and you have to divert from your traditional business operating practices. For organizations to be able to do that, it seems to be very difficult.”
It doesn’t help that there might still be some confusion around the sharing and selling of data under the law.
“We know that the organization is not allowed to sell data if a consumer specifically opts out of that process, but I think there’s still a gray area around if you’re sharing that information,” explained Derigiotis. Companies like Facebook, for example, do not sell information, but they do provide companies with access to that data, so it’s unclear if people will be allowed to opt out of data-sharing, versus only data-selling.
CCPA’s impacts on cyber insurance are also likely to be significant. First of all, the law is going to expand what is considered consumers’ personal information, which in many cyber policies is defined as personally identifiable information.
“That’s very important because cyber policies will address that topic differently. Many of them today still narrowly define personally identifiable information or private information as the initial [of a] first name, account number, financial information – anything that can uniquely identify someone,” said Steven Robinson, area president, technology and cyber for Risk Placement Services (RPS). “But oftentimes, they’ll say that a breach of private information is defined by a particular state law, and so the question starts to come around what happens if there’s a breach of what we would consider to be confidential information that maybe doesn’t meet a certain state’s statutory definition, and how does the cyber policy deal with that? What this does is it expands beyond what has been considered the foundational covered philosophy of a lot of cyber insurance policies, by expanding what they define as consumers’ personal information.”
Biometric information could now fall under that definition, as could a user’s activity on a network, their geolocation data, and information on professional employment or education, if it’s not publicly available.
“What’s most concerning from an insurance perspective and how this could tie into insurance policies would be the private right of action,” he told Insurance Business, pointing to proposed amendment SB 561 that would expand the private right of action provision, enabling individuals to bring a civil lawsuit for any violations of this law, even if the company in question didn’t get hacked.
“That expansion of consumer rights, and how it could play out in the courts could start to give rise to more of the third party privacy claims that haven’t so far, in many cases, been able to stand,” said Robinson.
The expert has a few tips for brokers whose clients could be impacted by the California law. Those include ensuring that a client has a standalone cyber policy in the first place, and not just an endorsement. Checking how the particular policy addresses definitions of personal information will also be crucial, as well as highlighting exclusions that could cause problems down the road, such as an unauthorized collection and use exclusion, sometimes called a gathering and distribution of information exclusion.
“What I’m cautious of is getting insurers to endorse a cyber policy every time a new privacy law comes down the pike because they’re happening all the time,” added Robinson. “Your hope is that their policy wording is sufficiently broad to what we call ‘future-proof’ that, and if it’s not, then they’re going to find themselves in a position of constantly having to update their policies every time a new law comes out, and an insured wants to see this acronym on there.
“My preferred way of dealing with it is to have the policy form be broad enough that that’s not even necessary, and that requires really working with a broker who knows the things to look out for.”