Tag Archives: tokenization

How CCPA Will—and Won’t—Hit Insurance

When the New Year arrives, so, too, will a new standard for privacy. The California Consumer Privacy Act—and its recent amendments and draft regulations—will soon govern how entities around the world are allowed to collect and process data. Although CCPA is limited to the data of California residents, the ultimate impact is much greater than it at first might seem. California represents the world’s fifth-largest economy and the nation’s first state to pass comprehensive privacy legislation. As a result, CCPA will likely influence privacy laws domestically and abroad, and could even begin the push toward federal regulation.

Much of CCPA is based on the European Union’s General Data Protection Regulation, but the two landmark privacy laws differ on an important point. GDPR requires an organization to establish a lawful basis, most visibly the individual’s consent, before personal data can be collected and processed. CCPA instead permits collection by default and gives the individual the right to opt out, most importantly of the sale of their data. In other words, entities can collect the data of California residents as a default, whereas those same entities would need a lawful basis such as permission before gathering information about EU residents. This philosophical difference favors businesses by putting the onus on consumers to manage their privacy preferences, and that is not the only way the California law is pro-business.

The “financial institution” exemption

Originally drafted as a ballot initiative by real-estate-developer-turned-privacy-activist Alastair Mactaggart, CCPA was designed to protect the privacy of consumers against the financial interests of large technology corporations. CCPA allows individuals to prevent the selling of their data, creates greater transparency in companies’ data-collection practices and increases penalties for improper data-security measures. However, for some industries—such as financial services and insurance—where the collection and processing of personal information is necessary for operation, the law carves out exemptions for specific data types used in those instances.

See also: Vast Implications of the CCPA  

An example is the exemption for “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations,” in Cal. Civ. Code § 1798.145(e). This data, referred to as personally identifiable financial information (PIFI), is addressed specifically by the Gramm-Leach-Bliley Act (GLBA) and subject to its privacy and safeguards rules. CCPA treats the GLBA controls as sufficient and defers to the federal law for that data, with one important exception: the exemption does not extend to § 1798.150, the private right of action for data breaches, so a breach of nonencrypted and nonredacted PIFI can still expose an organization to CCPA statutory damages. PIFI is defined as any information:

  • Provided by a consumer to acquire a financial product or service
  • Used or referenced to perform a financial transaction
  • Gathered during the process of provisioning a financial product or service

Data that qualifies as PIFI in one context is not guaranteed to qualify in another. Only data collected in connection with, and directly related to, the provision of a financial product or service constitutes PIFI.

If that same data is collected solely for marketing or business analytics, it is not PIFI. Any non-PIFI data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” is subject to CCPA, under Cal. Civ. Code § 1798.140(o)(1).

This distinction becomes cloudy in practice and leaves considerable gray area. To address the uncertainty, organizations should work with their legal teams to inventory all of the personal data in their possession, record the purpose for which each data set was collected, and re-evaluate their compliance obligations under both CCPA and GLBA.

So, what is subject to CCPA?

Within the insurance industry, any type of personal information that does not fall within the parameters of PIFI is subject to CCPA, provided the entity collecting it meets the law’s thresholds. Under CCPA, a for-profit business that has gross annual revenue of more than $25 million, that annually buys, sells or shares the personal information of 50,000 or more California consumers, households or devices, or that derives half or more of its annual revenue from selling personal information must follow the requirements of CCPA or risk substantial fines and other penalties. This likely includes most decent-sized insurance companies.

Although much of the information processed by providers is shielded against CCPA, the data possessed by policyholders is not. The total cost of cyber insurance premiums worldwide is projected to increase to $7.5 billion next year, and CCPA is a big reason. Because CCPA gives teeth to fines and other penalties for data breaches, many organizations will be looking to expand their cyber insurance coverage or purchase policies if they don’t have one already.

See also: Where to Turn for Cyber Assistance?

As the privacy landscape continues to shift with the development of new laws domestically and abroad, risk minimization must be prioritized by both insurance companies and their policyholders. Whether you’re concerned about CCPA compliance or preparing for the next wave of privacy regulations, we recommend deploying tokenization as a risk-reducing solution to protect sensitive data. When implemented properly, tokenization can significantly reduce the likelihood of a cyber event and, as a result, a claim. It’s an affordable investment that can better protect data and improve an insurer’s ability to provide reliable coverage.

CCPA: First of Many Painful Privacy Laws

The California Consumer Privacy Act (CCPA), which takes effect on New Year’s Day, is to this point the most important and influential piece of privacy legislation in the U.S. It is designed to protect the privacy of consumers, and its effects far exceed the borders of the nation’s largest state, and of the country, by dictating how organizations around the world are allowed to collect and handle the data of Californians. Specifically, the law gives Californians the right to know what personal information is being collected about them and with whom it is being shared or sold, the right to opt out of the sale of their personal information (with a few exceptions), and the right to request that their personal information be deleted.

Beyond those general considerations, the law aims to address demands for stricter regulations for businesses that collect customer information and stronger enforcement practices when those businesses improperly handle sensitive personal data. In this regard, the law is not unique but rather only the beginning of what’s become a nationwide crackdown on data collection and privacy. Nearly 20 states have passed or are in the process of passing comprehensive privacy legislation. Once enacted, these regulations will create a veritable minefield of privacy measures that vary from state to state, and the organizations whose business purposes compel them to trudge through it will need to protect themselves against the possibility of fines and other penalties. As a result, the need for cyberinsurance, specifically as it relates to fines for regulatory noncompliance, has never been higher.

Although organizations are exempt from the California law when “assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions,” thanks to Assembly Bill 981, which was passed in May, they remain subject to its requirements when the scope and use of personal data exceed those specific operations. In many cases, an insurer’s compliance concerns will lie chiefly with its policyholders, so it is in the interest of both parties to ensure steadfast organizational compliance with an emphasis on reducing risk and anticipating future regulations.

See also: Blockchain, Privacy and Regulation  

Of particular importance to these insurers and their insureds is the controversial concept of a private right of action, which allows individuals whose privacy has been violated to bring civil suits against noncompliant parties. As originally proposed, this portion of the California law could have multiplied the financial consequences of a breach by subjecting violators to class-action damages claims from victims on top of the compliance-related penalties levied by the state. It has since been narrowed: under Cal. Civ. Code § 1798.150, the private right of action applies only to data breaches of nonencrypted and nonredacted personal information that result from a failure to implement reasonable security, and it allows statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) in addition to injunctive or declaratory relief. Because the remedy turns on whether the exposed data was encrypted or redacted, the technical controls an organization applies to stored data directly affect its exposure. Other developing statutes, however, include language closer to the original bill’s treatment of the private right of action. Louisiana, Massachusetts, New York, North Dakota and Rhode Island are all working on bills that include a private right of action, with New York’s being especially expansive and potentially heavy-handed toward violators. In addition to including a private right of action, New York’s proposal has no minimum gross revenue requirement, meaning all companies, regardless of size, would be subject to the law’s rules and penalties. This has led critics to question the feasibility of fairly enforcing what they deem to be overly broad regulations aimed at punishing well-meaning organizations that cannot keep up with the evolving privacy space.

In terms of its impact on the insurance industry, the resulting legislative inconsistency will hit the big names the hardest, but it still does no favors for mid-size carriers struggling to keep up with their state or regional laws. In addition to meeting their own compliance obligations, they will have to accurately gauge the risk and potential penalties presented by the difficulty policyholders will have satisfying theirs. Insurers might not have to walk through the minefield, but they will have to clean up the mess inside it once something goes wrong.

As we discussed in a previous post, the difficulty insurance companies already experience when attempting to create reliable cyberinsurance policies is inhibiting the industry’s ability to provide much-needed coverage. The private right of action and other uncertain aspects of these laws further complicate the task of accurately estimating and pricing the cost of cyberinsurance coverage by expanding the potential recompense for breach victims. When coupled with the fact that no federal privacy law exists—allowing each state to establish its own set of rules for what constitutes personal data and how it should be protected—offering cyberinsurance can seem like an almost untenable prospect. However, a risk-reducing, compliance-enabling solution exists in the marketplace: tokenization.

See also: Mobile Apps and the State of Privacy  

Tokenization, such as that offered by the TokenEx Cloud Security Platform, excels at reducing risk through its use of pseudonymization and secure data vaults. Pseudonymization is the process of desensitizing data so that it can no longer be attributed to a specific data subject without additional, separately held information. Tokenization achieves this by replacing the identifying elements of the data with a nonsensitive, randomly generated equivalent, or token, and storing the original data in a cloud-based data vault. Pseudonymized data is not the same as deidentified or anonymized data: because the vault can re-link the token to its subject, the original remains personal information and the vault itself must be protected accordingly. Done properly, this greatly reduces the value of anything stolen from business systems in a breach, which is why GDPR names pseudonymization as an appropriate technical measure for protecting personal data and why CCPA defines pseudonymization and deidentification in its own terms; tokenization is a recognized way to implement them. Because tokenization helps satisfy controls concerning the processing of sensitive data, it can reduce losses stemming from fines and other penalties for noncompliance.

As new laws emerge and the privacy landscape in the U.S. continues to shift, it is crucial for both insurance companies and their policyholders to prioritize risk minimization. And tokenization is an essential tool for significantly reducing the likelihood of a cyber event, and as a result, a claim.

Tokenization: Key to Cyber Insurance

Despite the troubling persistence of cybercrime, many organizations are not doing everything they can to protect themselves from the serious threat of data breaches and other cyberattacks. A Spiceworks survey of 581 IT professionals showed that 62% of organizations did not have cyber insurance policies. This can be attributed to a slew of reasons, but perhaps the most perplexing one is a lack of reliable policy offerings.

As demonstrated by the percentage of uninsured organizations, the market for cyber insurance is essentially untapped. According to the Insurance Journal, 71% of the market for cyber insurance belonged to just 10 writers in 2018, and the National Association of Insurance Commissioners reported that only 500 companies offered cyber insurance in 2016, compared with nearly 6,000 offering commercial insurance. Additionally, a Ponemon Institute study of more than 1,000 IT professionals showed 80% of those surveyed said they believed it was likely that a successful cyberattack on their organization would occur within 12 months. Clearly, the need for cyber insurance exists. It just isn’t being addressed.

The reason for this is that cyber insurance is a relatively new policy area. In fact, it’s still so new that it lacks the standardized terms and pricing that are so essential for creating baselines for policies in other markets. And even when those policies are created, it can be difficult to determine what qualifies as cyber coverage. If a breach occurs due to a stolen password, for example, is that considered cyber, crime, theft or general liability? This confusion also can lead to insureds making cyber-loss claims under different policies, even if the insurer doesn’t offer cyber insurance—underlining the importance of creating well-defined cyber policies to protect policyholders and insurers alike.

This lack of established policy structure leads to uncertainty about how policies should be written, making it difficult for companies to confidently guard themselves against losses. As a result, many companies don’t offer cyber insurance because they’re unsure how to properly quantify risk and, in turn, price policies. This apprehension is understandable. It’s difficult and risky to try to provide estimates without a sufficient amount of credible information from which to infer.

See also: Quest for Reliable Cyber Security  

Still, cyber insurance is quickly becoming one of the most profitable and fastest-growing lines of coverage. Premiums increased by 8% in 2018 to $2 billion, and the market is projected to reach $14 billion by 2022. So, how does an insurance company find a way to understand cyber risks, calculate their costs and reliably predict the frequency of losses? By significantly reducing the likelihood of an event resulting in a claim.

As obvious as it might sound, it is important to remember that insurance ultimately comes down to risk, and when that risk is significantly reduced it benefits both the provider and the policyholder. To accomplish this in the cybersecurity arena, insurers should recommend that policyholders use risk-reducing technology, such as tokenization and encryption, to better guard the sensitive data they are trying to protect and to reduce the likelihood and impact of a data breach or other cyberattack. When policyholders adopt these controls, insurers can build policies with more confidence, knowing that the damages from a breach of business systems are substantially reduced because those systems no longer hold the sensitive data in usable form.

Tokenization, such as that offered by the TokenEx Cloud Security Platform, excels at reducing risk through its use of pseudonymization and secure data vaults. Pseudonymization is the process of desensitizing data so that it can no longer be attributed to a specific data subject without additional, separately held information (it is distinct from deidentification, because the link can still be restored by whoever holds that information). Tokenization does so by replacing the identifying elements of the data with a nonsensitive, randomly generated equivalent, or token, and storing the original data in a cloud-based data vault.

This does two things. First, it allows tokens to be stored in a business system for future use without interrupting crucial business-as-usual processes. Second, it greatly reduces the value of anything stolen in a breach of that business system. Because a vault token is generated at random, there is no mathematical relationship between the token and its original data, and tokens cannot be reversed by computation. Instead, when detokenization is required, the token is exchanged for the original data, which only the tokenization system that holds the vault can do. So if a business system is breached, the exposed tokens are worthless to cybercriminals on their own, and the original, sensitive data sits undisturbed in the vault. Two caveats follow directly from this design. The vault and the detokenization interface become the assets to protect, so access to them should be authenticated, narrowly authorized and logged, and an attacker who can call detokenize with a stolen credential gains as much as one who steals the vault. And format-preserving tokens that keep part of the original, such as the last four digits of a card number for display, still leak that portion, so only the portion the business genuinely needs should be preserved.
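The vault mechanism described above (and in the matching passage of the previous post) can be shown in a short program. The following is an added example written for this page; it is not TokenEx code and does not reflect how the TokenEx platform is implemented. It assumes a single in-process vault, an HMAC index key held inside the vault so that a repeated value maps to the same token without storing a second plaintext copy, a hypothetical role check on detokenization, and the design choice that format-preserving numeric tokens are made to fail the Luhn check so they cannot be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets
import string


class TokenVault:
    """Toy vault-based tokenization service (constructed example, not vendor code).

    Sensitive values live only inside the vault. Callers receive random tokens
    that have no mathematical relationship to the original value; the only way
    back is to ask the vault, which enforces its own authorization.
    """

    def __init__(self, index_key: bytes, detokenize_roles: set[str]):
        self._by_token: dict[str, str] = {}   # token -> original value (the vault)
        self._by_index: dict[str, str] = {}   # HMAC(value) -> token, for repeat lookups
        self._index_key = index_key           # assumption: key never leaves the vault
        self._detokenize_roles = detokenize_roles

    def _index(self, value: str) -> str:
        # Keyed hash so the index cannot be brute-forced offline from the
        # low-entropy value space of card numbers by someone who steals the table.
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def luhn_valid(number: str) -> bool:
        """Standard Luhn check; real card numbers pass it."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0

    def _format_preserving_token(self, value: str, keep_last: int) -> str:
        if keep_last >= len(value):
            raise ValueError("keep_last would preserve the whole value")
        while True:
            prefix = "".join(secrets.choice(string.digits) for _ in range(len(value) - keep_last))
            token = prefix + value[-keep_last:]
            # Reject collisions and anything Luhn-valid (design choice: a token
            # should never look like a usable card number).
            if token != value and token not in self._by_token and not self.luhn_valid(token):
                return token

    def _opaque_token(self) -> str:
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:
                return token

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return the token for `value`, creating one on first sight.

        All-digit values (PANs, account numbers) get a same-length numeric token
        that keeps the trailing `keep_last` digits for display; anything else gets
        an opaque token. Note the kept digits are still disclosed by the token.
        """
        idx = self._index(value)
        if idx in self._by_index:
            return self._by_index[idx]
        token = self._format_preserving_token(value, keep_last) if value.isdigit() else self._opaque_token()
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Exchange a token for the original; only permitted roles may call this."""
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def breached_business_records(vault: TokenVault, pans: list[str]) -> list[str]:
    """What a business system stores (and an attacker would see): tokens only."""
    return [vault.tokenize(p) for p in pans]


if __name__ == "__main__":
    # Constructed sample data: a test PAN and an e-mail address.
    vault = TokenVault(index_key=secrets.token_bytes(32), detokenize_roles={"payments-service"})
    stolen = breached_business_records(vault, ["4111111111111111", "4111111111111111"])
    print("attacker sees:", stolen)                       # two copies of the same random token
    print("payments-service gets:", vault.detokenize(stolen[0], role="payments-service"))
    print(vault.tokenize("alice@example.com"))           # opaque token for non-numeric PII
```

Note that `breached_business_records` is the part an attacker can reach; the assertion worth making in a review is that nothing it returns passes `luhn_valid` or can be resolved without a role the vault accepts.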

Additionally, tokenization can further reduce risk by helping address many international regulatory compliance obligations. The European Union’s General Data Protection Regulation names pseudonymization as an appropriate technical measure for protecting personal data, and the California Consumer Privacy Act defines pseudonymization and deidentification in its own terms; neither names tokenization specifically, but tokenization is a recognized way to implement pseudonymization. It also reduces the scope of Payment Card Industry Data Security Standard compliance by removing payment card information from organizations’ cardholder data environments. Because tokenization helps satisfy controls concerning the processing of sensitive data, it can reduce losses stemming from fines and other penalties for noncompliance.

See also: Paradigm Shift on Cyber Security  

So when determining how your company should write its cyber insurance policies, consider recommending tokenization as a risk-reducing step for policyholders. It’s a small upfront investment for them that can better protect their data, their policy and your ability to provide reliable coverage.