Virtually every company owns, licenses or maintains personal information and other sensitive data. Until recently, companies were not legally required to implement cybersecurity policies, procedures or controls specifically designed to protect personal and other sensitive information. Some companies might even have decided not to comply because of perceived high implementation costs and complex operational changes. However, recent expansions in a number of laws have changed this dynamic. Across the U.S., state regulations are being promulgated that require companies to implement and maintain a reasonable level of cybersecurity controls. Some of these laws provide for significant penalties in cases of non-compliance. As companies begin to take steps toward compliance with these regulations, one significant source of assistance is the cyber insurance market.
New Privacy and Cybersecurity Regulations
As of the writing of this article, at least 25 state laws impose obligations on their corporate citizens to have reasonable data and information security practices to protect sensitive data from unauthorized disclosure. Some laws go even further and prescribe specific standards that corporate citizens must follow to protect the privacy rights of those states’ residents.
Two of the most stringent regulations currently in effect are in New York and Massachusetts, while a third, which may very well be the most stringent regulation, becomes effective in California on Jan. 1, 2020.
New York state’s recently passed, “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, applies to businesses that maintain private information of New York residents, regardless of whether such entities actually conduct business within New York. SHIELD requires covered entities to implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures and the disposal of private information within a reasonable time after it is no longer needed. Similar requirements exist in Massachusetts, Ohio, Oregon and Vermont.
See also: Hidden Dangers for Cybersecurity
SHIELD also allows for possible fines for violations of the notification requirements up to $250,000. Notably, the imposition of the “reasonable safeguards” requirements brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s banking, insurance and financial services laws.
In addition, many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to address their security measures and implement controls, including risk assessments, to protect sensitive information and systems from unauthorized use or access.
Massachusetts’ current regulation, 201 CMR 17.00, et seq., establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulations apply to all persons who own or license personal information about a resident. 201 CMR 17.03 and 17.04 impose obligations on covered entities to implement prescribed safeguards, including (this is a small sample from the list set forth in the statute):
- A comprehensive, written information security program that contains administrative, technical and physical safeguards.
- Designation of one or more employees to maintain the information security program.
- Identification and assessment of reasonably foreseeable internal and external risks, and evaluation of the effectiveness of current safeguards for limiting such risks.
- Continuing employee education and training.
- Measures to oversee third-party service providers, including requiring such vendors by contract to implement and maintain appropriate security measures for personal information.
- Password management and controls.
California’s much discussed California Consumer Privacy Act, see oag.ca.gov/privacy/ccpa, Assembly Bill 375 (CCPA) becomes effective on Jan. 1, 2020. The CCPA is a significant expansion of privacy rights granted to consumers and shifts the burden of compliance regarding consent and the collection, use, storage and destruction of personal data to businesses. The CCPA’s expansive requirements placed on businesses relative to the collection and use of personal data bring California much closer in line with the privacy culture of the European Union and its GDPR.
While California, Massachusetts and New York have been at the forefront of imposing affirmative obligations on businesses requiring implementation of comprehensive cybersecurity policies and protocols, more than 25 states in total have laws that address data security practices of private-sector entities. Most of these data security laws require businesses that own, license or maintain personal information concerning a resident of that state (in several cases, including even entities who maintain such personal information but who are not doing business in the state) to implement and maintain “reasonable security procedures and practices,” taking into account the size and resources of the entity and the nature of the information it holds.
Accordingly, businesses with personal information in their systems – for example, unencrypted combinations of names with Social Security numbers, driver’s license numbers, account numbers, PINs, biometrics, etc. – are required, by law, to adopt, implement, maintain and regularly update their information security programs. The conjunction of new obligations imposed by states like Massachusetts and New York, with the expansion in privacy rights granted to California residents in the CCPA, leaves companies with little choice but to take cyber security and corporate privacy with the utmost seriousness and spend time and resources in advance of any type of occurrence.
The Role of Cyber Insurers
It is clear now that instituting and managing cybersecurity protections are no longer merely options for companies in all industry sectors. One key resource for any business in developing and deploying a cybersecurity program is its cyber insurer.
In today’s environment, businesses of all sizes should purchase cyber insurance. Cyber insurance is designed to cover numerous risks associated with both privacy and technology. Moreover, cyber insurance is there to respond after an incident occurs.
See also: It’s Time for the Cyber 101 Discussion
Most traditional insurance policies do not cover measures like those contemplated by the various regulations. However, a few cyber insurers provide value-added risk control services along with free or reduced-cost access to cyber security vendors that can help an insured through this process. These services are available to the policyholder upon binding coverage with the insurer in advance of any actual cyber occurrence.
CNA, for example, recently launched a suite of cyber security services. CNA CyberPrep
is a program of cyber risk services designed to aid cyber policyholders in cyber threat identification, mitigation and response.
- Identifying cybersecurity posture is a critical beginning. Services include detailed analyses from a network of free or reduced-cost cybersecurity experts, reports that provide a snapshot of policyholder security posture and numerous recommendations for improvement.
- Working in collaboration with their broker, CNA Risk Control, and Cyber Underwriting, policyholders execute the cybersecurity experts’ recommendations to mitigate their cyber risks and improve their cybersecurity posture.
- CNA CyberPrep continues to benefit policyholders. In the event of a cyber breach, CNA’s panel of experienced incident response vendors provide guidance and strategies to help expedite recovery and minimize loss.
Offering these types of services is in the best interests of both insurers and policyholders, as an ounce of prevention is worth a pound of cure. Also, given the regulatory developments across the U.S., companies should, more than ever, take advantage of their cyber insurer’s ability to help facilitate this process.
Simply put, companies can no longer fail to implement cybersecurity policies, procedures and controls. Failure to comply with the state and federal laws and regulations can easily result in substantial fines and mandated corrective action. Some states also permit individuals to sue when failures result in loss of their personal information, potentially resulting in treble damages under unfair competition laws.
Given the staggering costs of non-compliance, businesses must implement appropriate cybersecurity policies and procedures, keep them current, train their employees and use the latest technical protections. When selecting your cyber insurer, look for one that can help supply the requisite resources for a comprehensive – and compliant – cybersecurity program.