
Keeping an Eye on Consumer Privacy

The pandemic has caused many predictions for 2020 to be spectacularly wrong. One exception is that data privacy and compliance will become even more important, specifically because of the introduction of the California Consumer Privacy Act (CCPA). 

For carriers that work with consumers in California, the legislation created a list of compliance considerations. Californians now have the right to know what information companies have, request that it not be sold and request that it be deleted unless it is in conflict with another law (very important to note that last piece for our highly regulated industry). Businesses must also provide a link that says, “Do Not Sell My Information,” which enables the consumers to make their opt-out request. 

Let’s take a look at three of the many concerns related to CCPA:

  • Data Breaches: Protecting a consumer’s private and sensitive information should be a top priority, as data breaches have become more common and have resulted in damaging headlines and expensive settlements. Given the nature of our industry and the amount of personal information exchanged, insurers are a prime target for cyber attacks, and we will certainly see them fall victim to data breaches.
  • Identity Theft: Insurers need to be certain that they are not responding to these consumer requests without reasonable verification that the consumer making the request is the actual consumer in question and not a bad actor trying to steal consumer information.
  • Compliance: Carriers should consider hiring a compliance vendor or outside counsel well-informed on CCPA to make these situations more navigable. These partners act as a referee, offering valuable third-party input to verify that a safe and compliant process is in place. This partnership can provide a paper trail (if needed) to document that the required data usage and privacy notices were communicated to consumers. If trouble arises, it can be advantageous to have an independent third party defending you.

See also: CCPA: First of Many Painful Privacy Laws  

Working With Technology Partners

Since CCPA’s initial rollout on Jan. 1, insurance carriers that conduct business with Californians have been trying to reach full compliance before enforcement actions are scheduled to begin on July 1. For most, working with a technology partner, especially a data-as-a-service (DaaS) company, can be monumental in navigating the ins and outs of the new compliance standards. Here at Jornaya, we recently extended our compliance product suite to assist companies in meeting the requirements of the CCPA, as well as potential future state and federal regulations.

As CCPA goes into effect, plenty of other states are looking to it as a blueprint for creating their own data privacy laws. Nevada, New York, Texas and Washington are just a few states where legislators are starting to follow California’s lead by introducing privacy bills.

Creating Better Customer Experience

These laws are trying to provide transparency about what data is being collected on a consumer and how it is being collected, and to put the consumer in the driver’s seat as to how that data is going to be used.

Privacy regulations, like the CCPA, are simply about doing the right thing for the consumer. And the consequences of not paying attention and not doing the right thing by consumers with regard to their privacy can be devastating, not only in terms of potential legal action but also in the loss of consumer trust and associated sales. 

Disclaimer: Any and all content provided (material, information, graphics, etc.), and any other versions and variations of the content (e.g. in .pdf via email or otherwise) is provided only for general information. It is not intended to serve as, or as a substitute for, legal or compliance recommendations; to advise or infer to be used in any particular way by you or your company, and not intended to be used as a basis for making business/commercial decisions.

4 Trends in Insurance in the New Year

The pace of technical innovation continues to be top of mind in the insurance industry. About 96% of insurance executives say innovation at their companies has increased over the past three years. And global investment in insurtechs hit a record $3.26 billion through the first three quarters of 2019, according to Deloitte.

It’s clear 2020 will see a continuation of technology advancement within the industry. Following are four trends we are seeing on the horizon:

1. User Experience — Carriers, agents and consumers all want the same thing: for the insurance buying process to be fast and easy. Consumers want to research plans, compare options and buy insurance products when they need them on the device(s) they choose, often on their mobile phone (more than half of all search queries in 2019 came from mobile, Google says). And consumers prefer a tailored experience.

According to Accenture, 90% of insurance executives say that integration of customization and real-time delivery is the next big wave and competitive advantage. Additionally, nine out of 10 insurance executives believe a tailored approach will give companies a competitive edge. The firm says the ability to fulfill consumers’ needs at the “speed of now” will be the way to stay competitive, with the world available at consumers’ fingertips via smartphones.

Digital expectations have evolved, and there’s an opportunity to deliver a much better customer experience in the insurance industry. Technology has enabled a world of extremely customized and on-demand experiences. To stay competitive, the insurance industry must harness this technology to deliver the superior customer experience that consumers are quickly coming to expect.

This mobile-first, real-time delivery approach has influenced our marketing, design and development teams to focus on a highly mobile-optimized user experience in every aspect of our operation. We expect a mobile-focused push for the insurance industry in 2020, from both the carrier and broker/agent sides.

See also: Insurance Innovation’s Growth Challenge  

2. Analytics — Data analytics is growing across industries, given its potential to help businesses get ahead. Data-driven organizations are 23 times more likely to acquire customers, six times more likely to retain them and 19 times more likely to be profitable, McKinsey Global Institute says. The insurance industry is no different.

The one constant across all our largest and most successful partners is their obsession with data and reliance on specialized technology. One such example is with customer relationship management (CRM) companies. CRM companies (Salesforce, and others) are developing industry-specific integrations, such as conversion endpoints, to track performance metrics, allowing for more real-time recording of important metrics. Insurance companies that take advantage of these tools have a major competitive advantage over those that do not, due to their ability to accurately measure and track important metrics like customer long-term-value (LTV), conversion rates of lead data and marketing return on investment (ROI).

3. Sales Enablement — Increasingly, carriers and agents are seeking more information, content and tools to engage buyers and help them to move to purchase, as well as address future needs post-purchase. Use of sales-enablement tools is on the rise, with only 20% of organizations reporting using them in 2013 and over 60% using them in 2019, according to CSO Insights. Agents want to understand who the lead is, what the person needs and how agents can best help drive more effective communications and fuel analytics and future programs. Agents also need these systems to work with other technologies—from mobile app, to CRM—to enable access to real-time information and a more seamless process.

4. Compliance — Compliance will and should remain a top priority for the industry. As consumer data protection becomes more of a focus in the media, we can expect to see more states moving toward a more European, GDPR-style data protection policy. California is one of the first states to adopt such a policy with the recently adopted California Consumer Privacy Act (CCPA), which came into effect Jan. 1, 2020. With more legislation focused on protecting consumers, we expect a stronger push toward industry-standard software to verify a company’s right to contact consumers.

See also: Blurring Boundaries Drive Innovation  

In a world that is moving toward better technology solutions daily, it is important for carriers, brokers and agents to keep up with these changes and constantly look for ways to interact the way that digitally savvy consumers want to interact.

What CCPA Press Release SHOULD Say

On Jan. 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) is in effect. So, too, is the law governing so-called data brokers. To understand the CCPA, it is sometimes important to suspend belief. What follows is a parody, a form of communicating that seems particularly appropriate for the CCPA and its $55 billion compliance price tag.

California Attorney General Announces Issuance of Subpoenas Over Privacy Law Violations

Feb. 1, 2020

SACRAMENTO – The California Department of Justice today announced that North Pole Enterprises, LLC, dba “Santa Claus” has been issued an investigative subpoena to address concerns over widespread misuse and improper collection of personal information. The potential numerous violations of the California Consumer Privacy Act of 2018 (CCPA) include:

Improper collection of biometric data. Santa Claus is alleged to know when consumers are sleeping and when they are awake. When this biometric data, as defined in Civil Code § 1798.140(b) to include, “an individual’s physiological, biological or behavioral characteristics” is collected, upon information and belief, Santa Claus has shown a pattern and practice of failing to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used as required by Civil Code § 1798.100(b).

The violations of this part of the CCPA may also extend to biometric information indicating when California consumers are naughty or nice, are bad or good or are pouting or crying.

Improper collection of geolocation data. Santa Claus delivers gifts on Christmas Eve to consumers throughout California. To do this, Santa Claus has developed a comprehensive database of consumers’ residential locations. This is within the definition of “personal information” as defined in Civil Code § 1798.140(o)(1)(G). Santa Claus obtains this personal information through soliciting and receiving “Christmas Lists” from California consumers, which generally contain attestations that the consumer has been “nice,” which is, as noted above, also biometric information.

See also: Vast Implications of the CCPA  

To the extent these lists and the personal information contained therein are generated by traffic through the Santa Claus website, upon information and belief there are no posted online privacy policies to advise consumers of their rights under the CCPA. This is a violation of Civil Code § 1798.130(a)(5).

Failure to provide notice of right to opt out. The gifts Santa Claus delivers on Christmas Eve are allegedly crafted in a workshop at the North Pole. Upon information and belief, the workshop is a cooperative corporation, “Santa’s Co-op Workshop” (SCW), located just outside Alturas in Humboldt County. As such, Santa Claus is selling personal information, as defined in Civil Code § 1798.140(t), to a third party without giving California consumers notice of their rights to opt out of the sale of their personal information. This is a violation of Civil Code § 1798.120 and Civil Code § 1798.130.

In addition, if Santa Claus is selling the personal information of California consumers to third parties, it is acting as a data broker and as such has failed to register with the Department of Justice as required by Civil Code § 1798.99.82.

To the extent Santa Claus is selling the personal information of minors to third parties, additional violations of the CCPA may have taken place. The Department of Justice reserves the right to revise its charges once there is compliance with the subpoena.

It should be noted that there is an allegation by the members of SCW that they are operating exclusively for and under the control of Santa Claus and as such are employees of Santa Claus per Assembly Bill 5 (Gonzalez). (See: “Potential Labor Law Violations”, below)

Denial of goods or services. Upon information and belief, Santa Claus may be engaged in a pattern of discrimination against California consumers who have not attested to being “nice” in their Christmas Lists as noted above. If Santa Claus is discriminating against California consumers because they have exercised their right not to disclose personal information, this may be a violation of Civil Code § 1798.125.

Potential labor law violations. Upon information and belief, SCW may not be a bona fide business, as that term is used in Labor Code § 2750.3(e). As such, per the Supreme Court’s decision in Dynamex Operations West, Inc. v. Superior Court of Los Angeles (2018) 4 Cal.5th 903, and Assembly Bill 5 (Gonzalez), the Division of Labor Standards Enforcement (DLSE) has opened a concurrent investigation of Santa Claus for possible wage and hour violations and failure to maintain workers’ compensation insurance.

See also: How CCPA Will—and Won’t—Hit Insurance  

California takes its consumers’ privacy seriously, as it does the violations of its laws protecting workers. Potential penalties under the CCPA, if not cured, could reach $2,500 per violation. Because each California resident has had their personal information collected by Santa Claus, total penalties could be as high as $100 billion, assuming no violations were intentional.

We will keep you informed as events develop.

How CCPA Will—and Won’t—Hit Insurance

When the New Year arrives, so, too, will a new standard for privacy. The California Consumer Privacy Act—and its recent amendments and draft regulations—will soon govern how entities around the world are allowed to collect and process data. Although CCPA is limited to the data of California residents, the ultimate impact is much greater than it at first might seem. California is the world’s fifth-largest economy and the first state in the nation to pass comprehensive privacy legislation. As a result, CCPA will likely influence privacy laws domestically and abroad, and could even begin the push toward federal regulation.

Much of CCPA is based on the European Union’s General Data Protection Regulation, but the two landmark privacy laws differ on an important issue. While GDPR requires individuals to provide consent before their data can be collected, CCPA instead assumes consent and requires it to be revoked if an individual wishes to opt out. In other words, entities can collect the data of California residents as a default, whereas those same entities would need permission before gathering information about EU residents. This key philosophical difference benefits businesses by putting the onus on consumers to manage their privacy preferences—and that’s not the only way the California law is pro-business.

The “financial institution” exemption

Originally drafted as a ballot initiative by real-estate-developer-turned-privacy-activist Alastair Mactaggart, CCPA was designed to protect the privacy of consumers against the financial interests of large technology corporations. CCPA allows individuals to prevent the selling of their data, creates greater transparency in companies’ data-collection practices and increases penalties for improper data-security measures. However, for some industries—such as financial services and insurance—where the collection and processing of personal information is necessary for operation, the law carves out exemptions for specific data types used in those instances.

See also: Vast Implications of the CCPA  

An example is the exemption of data that is considered “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations,” as referenced in Cal. Civ. Code § 1798.145(e). Referred to as personally identifiable financial information (PIFI), this data is addressed specifically by the Gramm-Leach-Bliley Act (GLBA) and subject to its regulation. CCPA finds the controls laid out in GLBA to be sufficient and therefore allows itself to be superseded by the federal law. PIFI is defined as any information:

  • Provided by a consumer to acquire a financial product or service
  • Used or referenced to perform a financial transaction
  • Gathered during the process of provisioning a financial product or service

As one might gather, data that might qualify as PIFI in one instance is not guaranteed to be considered PIFI in another context. For example, only data collected and directly related to the provision of a product or service constitutes PIFI.

So, if that same data is collected solely for the purpose of marketing or business analytics, it would not be considered PIFI. Any non-PIFI data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” would be subject to CCPA, according to Cal. Civ. Code § 1798.140(o)(1).

As one might imagine, this distinction can become cloudy in some applications and results in considerable gray area. To address this uncertainty, it is recommended that organizations work with their legal teams to review all of the data in their possession and re-evaluate their regulatory compliance obligations under both CCPA and GLBA.

So, what is subject to CCPA?

Within the insurance industry, any type of personal information that does not fall within the parameters of PIFI is subject to CCPA—if the entity collecting it meets the law’s established criteria. According to CCPA, any organization that has a gross annual revenue of over $25 million, processes at least 50,000 California residents’ records for commercial purposes or can attribute half of its revenue to the selling of personal information must follow the requirements of CCPA—or risk facing substantial fines and other penalties. This likely includes most decent-sized insurance companies.

Although much of the information processed by providers is shielded against CCPA, the data possessed by policyholders is not. The total cost of cyber insurance premiums worldwide is projected to increase to $7.5 billion next year, and CCPA is a big reason. Because CCPA gives teeth to fines and other penalties for data breaches, many organizations will be looking to expand their cyber insurance coverage or purchase policies if they don’t have one already.

See also: Where to Turn for Cyber Assistance?

As the privacy landscape continues to shift with the development of new laws domestically and abroad, risk minimization must be prioritized by both insurance companies and their policyholders. Whether you’re concerned about CCPA compliance or preparing for the next wave of privacy regulations, we recommend deploying tokenization as a risk-reducing solution to protect sensitive data. When implemented properly, tokenization can significantly reduce the likelihood of a cyber event and, as a result, a claim. It’s an affordable investment that can better protect data and improve an insurer’s ability to provide reliable coverage.

Where to Turn for Cyber Assistance?

Virtually every company owns, licenses or maintains personal information and other sensitive data. Until recently, companies were not legally required to implement cybersecurity policies, procedures or controls specifically designed to protect personal and other sensitive information. Some companies might even have decided not to comply because of perceived high implementation costs and complex operational changes. However, recent expansions in a number of laws have changed this dynamic. Across the U.S., state regulations are being promulgated that require companies to implement and maintain a reasonable level of cybersecurity controls. Some of these laws provide for significant penalties in cases of non-compliance. As companies begin to take steps toward compliance with these regulations, one significant source of assistance is the cyber insurance market.

New Privacy and Cybersecurity Regulations

As of the writing of this article, at least 25 state laws impose obligations on their corporate citizens to have reasonable data and information security practices to protect sensitive data from unauthorized disclosure. Some laws go even further and prescribe specific standards that corporate citizens must follow to protect the privacy rights of those states’ residents.

Two of the most stringent regulations currently in effect are in New York and Massachusetts, while a third, which may very well be the most stringent regulation, becomes effective in California on Jan. 1, 2020.

New York state’s recently passed, “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, applies to businesses that maintain private information of New York residents, regardless of whether such entities actually conduct business within New York. SHIELD requires covered entities to implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures and the disposal of private information within a reasonable time after it is no longer needed. Similar requirements exist in Massachusetts, Ohio, Oregon and Vermont.

See also: Hidden Dangers for Cybersecurity  

SHIELD also allows for possible fines for violations of the notification requirements up to $250,000. Notably, the imposition of the “reasonable safeguards” requirements brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s banking, insurance and financial services laws.

In addition, many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to address their security measures and implement controls, including risk assessments, to protect sensitive information and systems from unauthorized use or access.

Massachusetts’ current regulation, 201 CMR 17.00, et seq., establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulations apply to all persons who own or license personal information about a resident. 201 CMR 17.03 and 17.04 impose obligations on covered entities to implement prescribed safeguards, including (this is a small sample from the list set forth in the statute):

  • A comprehensive, written information security program that contains administrative, technical and physical safeguards.
  • Designation of one or more employees to maintain the information security program.
  • Identification and assessment of reasonably foreseeable internal and external risks, and evaluation of the effectiveness of current safeguards for limiting such risks.
  • Continuing employee education and training.
  • Measures to oversee third-party service providers, including requiring such vendors by contract to implement and maintain appropriate security measures for personal information.
  • Password management and controls.

California’s much-discussed California Consumer Privacy Act (CCPA; Assembly Bill 375; see oag.ca.gov/privacy/ccpa) becomes effective on Jan. 1, 2020. The CCPA is a significant expansion of privacy rights granted to consumers and shifts the burden of compliance regarding consent and the collection, use, storage and destruction of personal data to businesses. The CCPA’s expansive requirements placed on businesses relative to the collection and use of personal data bring California much closer in line with the privacy culture of the European Union and its GDPR.

While California, Massachusetts and New York have been at the forefront of imposing affirmative obligations on businesses requiring implementation of comprehensive cybersecurity policies and protocols, more than 25 states in total have laws that address data security practices of private-sector entities. Most of these data security laws require businesses that own, license or maintain personal information concerning a resident of that state (in several cases, including even entities who maintain such personal information but who are not doing business in the state) to implement and maintain “reasonable security procedures and practices,” taking into account the size and resources of the entity and the nature of the information it holds.

Accordingly, businesses with personal information in their systems – for example, unencrypted combinations of names with Social Security numbers, driver’s license numbers, account numbers, PINs, biometrics, etc. – are required, by law, to adopt, implement, maintain and regularly update their information security programs. The conjunction of new obligations imposed by states like Massachusetts and New York, with the expansion in privacy rights granted to California residents in the CCPA, leaves companies with little choice but to take cyber security and corporate privacy with the utmost seriousness and spend time and resources in advance of any type of occurrence.

The Role of Cyber Insurers

It is clear now that instituting and managing cybersecurity protections are no longer merely options for companies in all industry sectors. One key resource for any business in developing and deploying a cybersecurity program is its cyber insurer.

In today’s environment, businesses of all sizes should purchase cyber insurance. Cyber insurance is designed to cover numerous risks associated with both privacy and technology. Moreover, cyber insurance is there to respond after an incident occurs.

See also: It’s Time for the Cyber 101 Discussion  

Most traditional insurance policies do not cover measures like those contemplated by the various regulations. However, a few cyber insurers provide value-added risk control services along with free or reduced-cost access to cyber security vendors that can help an insured through this process. These services are available to the policyholder upon binding coverage with the insurer in advance of any actual cyber occurrence.

CNA, for example, recently launched a suite of cyber security services. CNA CyberPrep is a program of cyber risk services designed to aid cyber policyholders in cyber threat identification, mitigation and response.

  • Identifying cybersecurity posture is a critical beginning. Services include detailed analyses from a network of free or reduced-cost cybersecurity experts, reports that provide a snapshot of policyholder security posture and numerous recommendations for improvement.
  • Working in collaboration with their broker, CNA Risk Control, and Cyber Underwriting, policyholders execute the cybersecurity experts’ recommendations to mitigate their cyber risks and improve their cybersecurity posture.
  • CNA CyberPrep continues to benefit policyholders. In the event of a cyber breach, CNA’s panel of experienced incident response vendors provide guidance and strategies to help expedite recovery and minimize loss.

Offering these types of services is in the best interests of both insurers and policyholders, as an ounce of prevention is worth a pound of cure. Also, given the regulatory developments across the U.S., companies should, more than ever, take advantage of their cyber insurer’s ability to help facilitate this process.

Simply put, companies can no longer fail to implement cybersecurity policies, procedures and controls. Failure to comply with the state and federal laws and regulations can easily result in substantial fines and mandated corrective action. Some states also permit individuals to sue when failures result in loss of their personal information, potentially resulting in treble damages under unfair competition laws.

Given the staggering costs of non-compliance, businesses must implement appropriate cybersecurity policies and procedures, keep them current, train their employees and use the latest technical protections. When selecting your cyber insurer, look for one that can help supply the requisite resources for a comprehensive – and compliant – cybersecurity program.