Tag Archives: privacy law

Keys to California’s Consumer Privacy Act

On June 26 of this year, Connecticut Gov. Ted Lamont signed HB 7424, the state budget bill. Among the provisions in this over 200-page piece of legislation: “The bill repeals the state’s information security program law, replacing it with provisions substantially similar to the National Association of Insurance Commissioners (NAIC) insurance data security model law.”

This is remarkable for two reasons. The first is Connecticut doing something no state west of the Mississippi has done – adopt the NAIC Model Law. The second is the Connecticut legislature actually repealed outdated laws before it adopted the new ones. Clearly, these people have never been to California.

Which brings us to the California Consumer Privacy Act of 2018, or what is now affectionately known as the CCPA. Insurance companies are anxiously anticipating the outcome of several assembly bills amending the CCPA that are awaiting action by the Senate, now that the legislature has returned from summer recess. Regardless of the changes, it remains likely – even though unnecessary – that the CCPA will “go live” on Jan. 1, 2020.

Given the number of cans kicked down the road by the legislature this year on important CCPA issues, it will be difficult for regulators to provide much needed clarity by the July 1, 2020 rule-making deadline. What regulations are adopted will likely be subject to quick change once the Jan. 1, 2021, iteration of the CCPA takes shape during next year’s legislative session. It will also be difficult for the attorney general to provide advice to businesses or third parties on how to comply with the CCPA, a requirement the attorney general feels, correctly, is a bit at odds with his obligation to enforce the CCPA. Maybe that, too, will be part of the 2020 agenda.

In the meantime, insurance companies are faced with an increasing number of privacy and data security requirements not associated with the CCPA. For insurers doing business in New York or states that have adopted a form of the NAIC Insurance Data Security Model Law, compliant practices are being developed right now. In the case of New York and its Cybersecurity Requirements for Financial Institutions, 23 NYCRR 500, the “go-live” date was March 1 of this year. The New York regulation became effective one year after publication but also had a two-year transitional period before full compliance was required. That implementation process could have been emulated for the CCPA. Instead, there appears to be a hard effective date of Jan. 1, 2020 even as key amendments are still being negotiated.

And remember, while the attorney general cannot bring an enforcement action until the earlier of July 1, 2020, or the adoption of regulations, lawsuits can happen right away. More accurately, lawsuits can commence after the 30-day notice and right-to-cure provisions are triggered.

The CCPA has a series of “data exceptions” that are evolving. While entities such as insurance companies are not exempt from the new law, certain personal information (PI) of “consumers” is. Among those exemptions is PI collected that is also subject to the Gramm-Leach-Bliley Act (GLBA), 1999 legislation that ushered in privacy protections and rules for the safeguarding of PI by financial institutions when the merger of banks, investment firms and insurance companies became authorized. GLBA also required states to undertake certain actions in terms of privacy of PI; if they did not, the information practices of insurers (and others) would be subject to federal regulation. States could provide greater protections than the federal law but not diminish them.

See also: First of Many Painful Privacy Laws  

So, the NAIC and the California Department of Insurance sprang into action. California adopted portions of NAIC model regulations governing privacy of financial and health information, and additional regulations governing the safeguarding of that information. While the Department of Insurance was adopting portions of these models, it also provided additional privacy protections and conformed the new privacy regulations to already existing statutory protections in the Insurance Information and Privacy Protection Act (IIPPA). In addition, the legislature adopted the California Financial Information Privacy Act (CFIPA) as part of providing greater privacy protections for California residents and customers of financial institutions (including insurers) than required under GLBA.

As part of the expansion of privacy protections beyond those contained in the federal law was the characterization of a workers’ compensation claimant as a “consumer” under certain circumstances. While this activity was going on, the Federal Trade Commission (FTC) adopted the Privacy Rule – relating to information practices and providing the ability for consumers to “opt out” of having their information shared. It also adopted the Safeguards Rule, requiring a financial institution to develop, implement and maintain a comprehensive information security program.

After this great rush of legislative and regulatory activity in Sacramento and Washington, D.C., during 2000-2002, the pace of new regulation of privacy practices of insurers slowed. Newer iterations of the NAIC model regulations were not adopted in California, and neither was the later iteration of the IIPPA. The legislature continued to push out privacy-related bills at a dizzying pace, including the California Online Privacy Protection Act (COPPA), 2003 legislation requiring operators of websites and online services that collect PI about the users of their site to conspicuously post their privacy policies on the website and comply with them. The COPPA has been amended several times to keep up with technology. It is not in conflict with the existing requirements of entities that fall under GLBA. Indeed, analyses of Assembly Bill 68 (Simitian), 2003 legislation creating the COPPA, suggest that part of the intent of this legislation was to have other businesses operating on the internet adopt the same policies and practices as financial institutions under GLBA.

The CCPA does not amend the COPPA, or even refer to it. Instead, the CCPA adds even more content on business’ websites so the new rights allowed under it can be exerted by consumers. Both the CCPA and COPPA want their notices to be “conspicuous” and on the business’ home page. It’s going to get crowded on home pages.

In March of this year, the Federal Trade Commission (FTC) announced it was proposing to revisit both the Privacy Rule and the Safeguards Rule under GLBA. The changes as they relates to the Safeguards Rule will closely track the NAIC Insurance Data Security Model Law and the New York Cybersecurity Regulation. Once adopted, the changes may result in more action from the NAIC. None of this will occur in 2019, and maybe not even in 2020, but the landscape for privacy protection and data security for insurers and insurance organizations will be in a state of flux at least through 2021.

The authors of the CCPA acknowledged that, within the patchwork of state and federal laws governing PI, some safeguards are adequate. The initiative measure upon which the CCPA is based provided data exceptions for PI covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These data exceptions were expanded to include other laws, including GLBA and the CFIPA, during the legislative negotiations in 2018 that resulted in the initiative being withdrawn. In the rush to forestall an initiative and pass something to send to then-Gov.r Jerry Brown before the end of June last year, the California legislature did what it all too often does: add new laws without regard to existing ones addressing the same issues but in a different way.

Because only certain PI is exempted from the requirements of the CCPA, businesses that collect and disclose exempt data must nevertheless maintain the architecture of the CCPA for non-exempt data. Consumers who seek to exercise their rights – assuming they will read properly crafted notices on business websites – will access a series of links only to be told that the PI they are seeking to control or delete really isn’t PI, even though it includes the consumer’s name, address, Social Security number, etc. It’s just not CCPA PI. Well, that’s certainly enlightened public policy, isn’t it?

See also: In Race to AI, Who Guards Our Privacy?  

It is difficult to claim the current and evolving laws and regulations governing consumer control over and data security of PI collected by insurers is inadequate. Yes, there have been security breaches among financial institutions covered by GLBA. That, however, is not the exclusive measure of effective security. The CCPA acknowledges that “reasonable” security efforts will protect a business from liability if unencrypted or unredacted PI is improperly accessed. Clearly, that also sends a message as to what the legislature thinks is a minimum standard for what is “reasonable.”

Not good enough.

The IIPPA, GLBA, the Privacy and Safeguards Rules of the FTC, the Department of Insurance Privacy Regulation and continuing initiatives by the FTC and the NAIC demonstrate a decades-long history of developing strong laws to protect the privacy of insurance consumers. Advocates for the CCPA would do well to remember that not every business is unregulated when it comes to information practices and give the IIPPA and subsequent laws a level of earned deference in today’s digital debate. Or, to quote Jacob McCandles (John Wayne) in the movie “Big Jake,” “If you can’t respect your elders, I’ll just have to teach you to respect your betters.”

The CCPA gathers headlines because it is intended to empower individuals and their efforts to control their own PI. When PI is shared, policymakers want to make certain it is shared transparently and securely regardless of where the PI goes. This is a response to the use of PI by very large international companies that occupy an outsized space in what is purported to be a competitive digital marketplace. They are also the companies most able to afford the increasingly complex data security environment throughout the world and who can pay very large penalties for non-compliance. Good for them. This new and complex environment is where policymakers in Sacramento should focus for the remainder of 2019 and next year, when CCPA 3.0 will roll out. Unfortunately, they won’t.

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 milion.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

•     costs associated with post-data breach notification

•     credit-monitoring services

•     forensic investigation to determine cause and scope of a breach

•     public relations efforts and other “crisis management” expenses

  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types coverages, as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.