November 13, 2019
How CCPA Will—and Won’t—Hit Insurance
by Alex Pezold and Robin Roberson
The California Consumer Privacy Act's private right of action for data breaches will boost demand for cyber coverage.
When the New Year arrives, so, too, will a new standard for privacy. The California Consumer Privacy Act (CCPA), together with its recent amendments and draft regulations, takes effect on January 1, 2020 (with Attorney General enforcement beginning July 1, 2020) and will govern how businesses around the world collect and process the personal information of California residents. Although CCPA is limited to the data of California residents, its ultimate impact is much greater than it first appears. California is the world's fifth-largest economy and the first U.S. state to pass comprehensive privacy legislation. As a result, CCPA will likely influence privacy laws domestically and abroad, and could even begin the push toward federal regulation.
Much of CCPA is based on the European Union's General Data Protection Regulation (GDPR), but the two landmark privacy laws differ on an important issue. GDPR requires a lawful basis, most often the individual's consent, before personal data may be collected or processed. CCPA instead permits collection by default and gives consumers the right to opt out, most notably of the sale of their personal information. In other words, entities can collect the data of California residents as a default, whereas those same entities would generally need permission before gathering information about EU residents. This key philosophical difference benefits businesses by putting the onus on consumers to manage their privacy preferences, and that is not the only way the California law is pro-business.
The “financial institution” exemption
Originally drafted as a ballot initiative by real-estate-developer-turned-privacy-activist Alastair Mactaggart, CCPA was designed to protect the privacy of consumers against the financial interests of large technology corporations. CCPA allows individuals to prevent the selling of their data, creates greater transparency in companies' data-collection practices and, through a private right of action, exposes companies to statutory damages when a breach results from a failure to maintain reasonable security. However, for some industries, such as financial services and insurance, where the collection and processing of personal information is necessary for operation, the law carves out exemptions for specific data types used in those instances.
See also: Vast Implications of the CCPA
An example is the exemption of data that is considered "personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations," as referenced in Cal. Civ. Code § 1798.145(e). Referred to as personally identifiable financial information (PIFI), this data is addressed specifically by the Gramm-Leach-Bliley Act (GLBA) and subject to its regulation. The legislature treated the controls laid out in GLBA as sufficient and deferred to the federal law for this data. Note the limit of the carve-out, however: § 1798.145(e) states that the exemption does not apply to § 1798.150, the data-breach private right of action, so a breach of GLBA-covered data can still give rise to CCPA statutory damages. PIFI is defined as any information:
- Provided by a consumer to acquire a financial product or service
- Used or referenced to perform a financial transaction
- Gathered during the process of provisioning a financial product or service
As one might gather, data that qualifies as PIFI in one instance is not guaranteed to be considered PIFI in another context. What matters is the purpose for which it was collected: only data collected in connection with, and directly related to, the provision of a financial product or service constitutes PIFI.
So, if that same data is collected solely for the purpose of marketing or business analytics, it would not be considered PIFI. Any non-PIFI data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” would be subject to CCPA, according to Cal. Civ. Code § 1798.140(o)(1).
As one might imagine, this distinction can become cloudy in some applications and results in considerable gray area. To address this uncertainty, it is recommended that organizations work with their legal teams to review all of the data in their possession and re-evaluate their regulatory compliance obligations under both CCPA and GLBA.
So, what is subject to CCPA?
Within the insurance industry, any type of personal information that does not fall within the parameters of PIFI is subject to CCPA, provided the entity collecting it meets the law's established criteria. CCPA applies to any for-profit business doing business in California that meets any one of three thresholds: gross annual revenue of more than $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of its annual revenue from selling personal information. Such a business must follow the requirements of CCPA or risk facing substantial fines and other penalties. This likely includes most mid-sized and larger insurance companies.
Although much of the information processed by insurers is shielded from CCPA, the data held by their policyholders is not. The total cost of cyber insurance premiums worldwide is projected to increase to $7.5 billion next year, and CCPA is a big reason. Because CCPA's private right of action allows statutory damages of $100 to $750 per consumer per incident for breaches caused by a failure to implement reasonable security, many organizations will be looking to expand their cyber insurance coverage or purchase policies if they do not have one already.
See also: Where to Turn for Cyber Assistance?
As the privacy landscape continues to shift with the development of new laws domestically and abroad, risk minimization must be prioritized by both insurance companies and their policyholders. Whether you are concerned about CCPA compliance or preparing for the next wave of privacy regulations, we recommend deploying tokenization as a risk-reducing solution to protect sensitive data. Tokenization replaces a sensitive value with a surrogate that has no exploitable relationship to the original, and keeps the mapping in a separately secured vault. When implemented properly, it removes sensitive data from the systems most likely to be compromised, so that a successful intrusion yields tokens rather than personal information and is far less likely to become a reportable breach or a claim. It is an affordable investment that can better protect data and improve an insurer's ability to provide reliable coverage.
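The following is an added example of vault-based tokenization, written to illustrate the recommendation above; it is not code from the article or from any vendor product. The record layout, field names, roles and sample values are all constructed for illustration, and the in-memory dictionaries stand in for the segregated, encrypted vault a production deployment would use.

```python
"""Vault-based tokenization of policyholder records (illustrative, not production code)."""
import secrets

# Constructed: which fields of a policyholder record are sensitive enough to tokenize.
SENSITIVE_FIELDS = ("ssn", "driver_license")

# Constructed: roles permitted to recover original values from the vault.
DETOKENIZE_ROLES = frozenset({"claims_adjuster", "underwriter"})


class TokenVault:
    """Holds the only copy of sensitive values.

    A real vault is a separately hosted, encrypted, access-controlled store;
    two dictionaries stand in for it here. Tokens are random, so nothing about
    the original value can be derived from a token without the vault.
    """

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (keeps tokenization consistent)

    def tokenize(self, value):
        # Same input yields the same token, so tokenized records remain joinable
        # on the tokenized field without exposing the value.
        token = self._by_value.get(value)
        if token is None:
            token = secrets.token_hex(16)          # 128 random bits; not a hash of the value
            while token in self._by_token:        # collision is ~2^-128, but check anyway
                token = secrets.token_hex(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenize(self, token, caller_role):
        # Reversing a token is the privileged operation; gate it on role.
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def tokenize_record(record, vault, fields=SENSITIVE_FIELDS):
    """Return a copy of `record` with each sensitive field replaced by its token."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(out[field])
    return out


def plaintext_leaks(records, raw_values):
    """Return the raw sensitive values still present anywhere in `records`.

    This is what an attacker who dumps the application database would obtain;
    after tokenization it should be empty.
    """
    dump = " ".join(str(v) for r in records for v in r.values())
    return sorted(v for v in raw_values if v in dump)


# Constructed sample policyholder records with fake identifiers.
POLICYHOLDERS = [
    {"policy_id": "P-1001", "name": "A. Example", "ssn": "123-45-6789", "driver_license": "D1234567"},
    {"policy_id": "P-1002", "name": "B. Example", "ssn": "987-65-4321", "driver_license": None},
    {"policy_id": "P-1003", "name": "A. Example", "ssn": "123-45-6789", "driver_license": "D1234567"},
]


def build_app_db(policyholders=POLICYHOLDERS):
    """Tokenize the records an application would store; return (app_db, vault)."""
    vault = TokenVault()
    return [tokenize_record(r) if False else tokenize_record(r, vault) for r in policyholders], vault


if __name__ == "__main__":
    app_db, vault = build_app_db()
    raw = {r["ssn"] for r in POLICYHOLDERS} | {r["driver_license"] for r in POLICYHOLDERS if r["driver_license"]}
    print("raw values left in application DB:", plaintext_leaks(app_db, raw))
    print("P-1001 and P-1003 share an SSN token:", app_db[0]["ssn"] == app_db[2]["ssn"])
    print("adjuster recovers SSN:", vault.detokenize(app_db[0]["ssn"], "claims_adjuster"))
```

The two properties worth checking in any tokenization deployment are visible here: the application database contains no sensitive values once records are tokenized, and the token is a random surrogate rather than a hash or encryption of the value, so an attacker who steals the application data cannot brute-force low-entropy identifiers such as Social Security numbers back from their tokens. The vault, not the application, is where access control must be enforced.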