Robert L. Wallan’s clients are keeping him quite busy as they fret about the implementation next year of the nation’s most far-reaching data privacy law, which gives California consumers more control over their personal data.
Wallan, a partner in Pillsbury Winthrop Shaw Pittman LLP in Los Angeles, Calif., handles class actions, insurance recovery and business-related litigation.
He has been working with clients who want to determine the language they should have in their cyber insurance policies to protect themselves before the California Consumer Privacy Act kicks in.
Anxiety is on the rise and a sense of urgency has set in for his clients – and things may get more intriguing when the Legislature reconvenes on July 12 and starts to take up numerous bills that could alter or add more teeth to the CCPA.
“I have clients, we’re in negotiations now,” Wallan said of his work on policy language. “We don’t have final wording yet, we’re not done.”
Insurance Journal solicited opinions on the ramifications of CCPA from more than a dozen experts. Continue reading to the bottom or scroll down to see what they had to say.
Wallan is looking at just about everything that can be examined in a cyber policy – with emphasis on matters like coverages, and whether to get more coverage, as well as waiting periods.
And he believes it won’t be long before the first lawsuits related to the new law begin to be filed.
“You’re going to see some class-action litigation, my prediction is, pretty early,” Wallan said.
Paula Miller, a senior vice president and a leader in the cyber practice for Marsh, is also spending more time talking with clients about the new law.
Both existing and prospective clients are approaching the global insurance broker with concerns about the new law as the time for its implementation draws near, according to Miller.
“I would say it’s coming up pretty frequently,” she said.
The CCPA, which passed last year following massive data breaches in recent years at companies like Target and Equifax, requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third-parties have received it.
This law is similar to Europe’s General Data Protection Regulation. Both GDPR and CCPA aim to give consumers greater control over use of their data as well as punish companies for exposing that data.
The new California law provides for its enforcement by the state’s attorney general, who is empowered to assess businesses a fine of $7,500 per record for CCPA violations. That could amount to a hefty sum in a breach like the one announced last month by First American Financial Corp., which reportedly exposed about 885 million files dating back to 2003 on its website.
The CCPA is set to take effect Jan. 1, 2020. However, the attorney general must still draft rules to enforce the act, which could take much longer.
The law specifies that the attorney general must adopt most of the rules for the CCPA by July 1, 2020.
According to the attorney general’s press office, he is on track to have the rules drafted by then.
“Attorney General Becerra and our team are currently working on the draft regulations,” an emailed response to a request for comment for this story states. “We plan to publish the initial draft rules in a timeframe within the confines of the law.”
However, the response from the attorney general’s office noted, beginning Jan. 1, 2020, the CCPA grants consumers a right to request that businesses disclose the categories and specific pieces of personal information being collected about them, as well as the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
This is why Wallan is working now with his clients, and he believes those who are not yet in compliance should be concerned.
“(The law) has a lookback period where data goes back for a year,” he said. “Things that people are doing today…could fall within the scope of information that they’re going to have to ID under the provisions of the CCPA.”
The CCPA applies to any for-profit entity that does business in California and collects personal data, and has annual gross revenues over $25 million, or possesses personal information on 50,000 or more consumers.
Neither of the aforementioned minimums exempts very many clients at a brokerage the size of New York-based Marsh.
“The threshold for the application of the new law is pretty low,” Miller said. “That certainly impacts all of our clients at Marsh.”
She said the pending arrival of the new law is driving sales for Marsh, and it has prompted companies that already buy cyber insurance to reach out to their brokers to ensure their policies are compliant with the new law.
“This is prompting them to not only reevaluate their coverage, but the overall insurance limits that they purchase,” Miller said. “In some cases, this law will increase sales in the form of increased limits for existing buyers.”
Limits being sought depend on the type of industry, size of revenues and how they feel about their cyber security exposure, according to Miller.
“The average limit for a business of up to $2 or $3 billion in annual revenue is going to be on the magnitude of $5 million to $25-$30 million,” Miller said.
Clients at San Francisco, Calif.-based Woodruff Sawyer are also considering higher limits, according to Dan Burke, the firm’s national cyber practice leader.
“I would say that it is driving some increased purchasing from a limit perspective for us,” Burke said, adding that something similar occurred just before Europe’s GDPR kicked in last year. “A lot of that buying activity happened right up until the regulation went into effect.”
He expects a similar experience up to and beyond the Jan. 1 implementation of the new law.
“We’ll see an increase in those six months right prior to that,” Burke said.
Tony Dolce, vice president and cyber lead for Chubb NA, is responsible for the technical aspects of his company’s cyber line of business in the financial lines claim department as well as handling complex cyber matters.
Dolce believes that what the attorney general does to promulgate more regulations to interpret the law and govern its oversight may be as important as the law itself.
“A large carrier in the cyber space like Chubb, we’re closely monitoring the situation,” Dolce said.
The Zurich-based carrier’s interest goes beyond just following the California law, because Dolce believes the rest of the nation will be watching the rollout of the CCPA and he expects other states may follow the lead.
“I think it’s an interesting bellwether to see whether other states follow,” Dolce said. “I think the rest of the country is going to pay close attention to that.”
Besides the wait on the attorney general’s rules, there’s no certainty the CCPA will look like it does now. Several bills were introduced this legislative session to alter, beef up or water down the CCPA. Many died, including a bill that would have expanded a consumer’s rights to bring a civil action for damages.
However, numerous bills are still alive that would alter the CCPA in some way. They include:
- Assembly Bill 25 – Would exclude job applicants.
- Assembly Bill 846 – Provides that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.
- Assembly Bill 873 – Excludes from the definition of personal information consumer information that is deidentified, or aggregate consumer information.
- Assembly Bill 874 – Excludes publicly available information from the definition of “personal information,” and defines the term “publicly available” to mean information that is lawfully made available from federal, state or local government records.
- Assembly Bill 981 – Would eliminate a consumer’s right to request a business to delete or not sell a consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction.
- Assembly Bill 1130 – Would close a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.
- Assembly Bill 1146 – Would exempt from the right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
- Assembly Bill 1202 – Would require data brokers to register with the attorney general. Defines a data broker as a business that collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Would also require the attorney general to make the information provided by data brokers available on its website.
- Assembly Bill 1355 – Would exclude consumer information that is deidentified or aggregate consumer information from the definition of personal information.
- Assembly Bill 1416 – Would establish an exception to the CCPA for a business that provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.
- Assembly Bill 1564 – Would require a business to make available a toll-free telephone number or an email address and a physical mailing address for submitting requests for information required to be disclosed.
Not on the list is Senate Bill 561. State Sen. Hannah-Beth Jackson, D-Santa Barbara, introduced SB 561 during the session. The bill would have expanded a consumer’s rights to bring a civil action for damages.
The current version of the CCPA, set to go into effect in 2020, enables a limited private right of action. Individuals can bring a lawsuit if there’s been a data breach and a company isn’t using reasonable security measures to protect information being gathered.
SB 561 would have given individuals a private right of action for any CCPA violation.
The bill was killed, which may have caused those in the insurance industry who were paying attention to breathe a sigh of relief.
“That would have really opened the floodgates,” Miller said.
Burke offered a similar take.
“That one would have been, in my eyes, disastrous,” he said.
While many of Burke’s conversations with clients as of late center around him giving his opinion on how the law will ultimately look, the most common question he is getting on the CCPA, of course, goes to the bottom line.
“How’s this going to impact my insurance?” is a question Burke is getting a lot.
The impact of the CCPA on carrier profitability will ultimately have a big hand in determining rates.
That’s the best answer Burke can give his clients right now.
“The CCPA has the ability to significantly impact the claims that carriers feel,” he said. “I think you’re going to start seeing settlements in those cases become bigger. As the claims severity increases, there’s really two things going to happen from a coverage standpoint: either premiums are going to have to go up to deal with severity or coverages are going to have to be reduced to deal with those losses.”
He added: “I really think that there’s going to be some significant claim payment that happens. I do think there’s going to be a pretty significant impact.”
Miller, on the other hand, believes rate hikes may take some time to wend their way down to buyers.
“I don’t think it will affect the premium rates at the outset,” Miller said, adding that rates weren’t immediately impacted with the implementation of GDPR. “Those by and large came without any premium changes. And I expect the same here.”
The severity of claims, at least for now, is uncertain.
However, Dolce believes that an increase in frequency is a good bet.
“I think the jury’s still out on the severity piece,” Dolce said. “I think the frequency piece is definitely a possibility.”
While Wallan and his clients wait, many of the companies he does business with have set up special task forces made up of several employees to consider a host of CCPA-related issues – from compliance to legal matters – and what they can proactively do about them. The task forces are typically reaching out and working with departments all over the companies, making them a key part of many operations, he added.
“That’s what’s really recommended here as a best practice,” Wallan said. “You better have one, two or more people who are experts on CCPA to make sure you are in compliance.”
an attorney in the Palo Alto, Calif., office of Hopkins & Carley
With this, CCPA has effectively provided plaintiffs’ attorneys newfound incentive to more actively pursue large class actions, which they have historically shunned with respect to businesses experiencing “smaller scale” security incidents due to the difficulty of demonstrating actual damages and the small likelihood of a substantial recovery. Thanks to CCPA, a data breach affecting just 10,000 consumers could easily exceed $1 million at a minimum. For plaintiffs’ attorneys, this is rather enticing, and the anticipated rise in lawsuits could have broad implications on the cyber insurance industry. And if many companies – small to midsize, especially – have typically based their cyber insurance needs on the costs associated with investigating a security incident and notifying affected regulators and/or customers, they will now have to weigh in litigation costs, which are more significant and highly unpredictable.
director of financial services for Navigant Consulting
partner, Husch Blackwell LLP
principal at Judy Selby Consulting LLC, an insurance and privacy advisory services firm
In short, if one can learn something about someone that is useful for marketing purposes, chances are, it’s “personal information” covered by the CCPA. As a take away, companies that typically aren’t overly concerned about privacy regulations can’t simply assume that the CCPA will not apply to them. Instead, they should carefully review the types of information they control or process and compare that against the Act to determine if they fall within the scope of the new law.
chair of litigation section and co-chair of the privacy, data security and information governance group for Hanson Bridgett
The California Assembly passed legislation that would exempt insurers from the consumer’s rights to delete and opt-out of the sale of personal information. Even so, they will still be subject to the consumer’s right to request information about those transfers, and the proposed law would require insurers to implement a comprehensive written information security program. Whether the amendment to CCPA passes or not, insurance companies will have to work significantly to align their existing IIPPA compliance processes to meet the CCPA’s standards.
Head of Newmeyer & Dillion's privacy and data security practice
In addition, given the numerous technical requirements of the CCPA, cyber insurers would be well-suited to consider incentivizing their insureds to comply with CCPA. This may be accomplished through discounting premiums or lowering retentions if an insured works with local counsel to become CCPA compliant.
national cyber risk practice leader for insurance brokerage Risk Strategies
This litigation impact is going to move further downstream. The inevitable onslaught of lawsuits could have implications on how cyber insurance is underwritten in terms of pricing and profitability, particularly with the small and middle market. And as more claims are paid out, premiums could go up. Additionally, many clients historically have based their desired limits on the likely costs associated with the investigation of an incident and the notification of affected individuals. However, litigation costs are much more variable and potentially catastrophic.
product specialist and privacy consultant for Termly
For example, the CCPA grants users the right to request that businesses don’t sell or share the user’s personal information to third parties. If AB 981 comes to pass, this CCPA statute would not apply to insurance companies that need to exchange personal information with third parties in order to complete an insurance transaction.
If this bill is successful, the insurance community will likely see little difference in how it operates compared to present day. Since AB 981 defers to IIPPA to set the standards for how insurance-related data is handled, practices will remain largely the same.
However, in the event that AB 981 is rejected, insurance institutions will be subject to the same standards, rules, and consequences as any other business under the CCPA. Given the new rights of data subjects — particularly rights regarding user control of data sharing and sale — insurance companies will be forced to create and navigate new methods of exchanging personal information for insurance transactions. Whether this will help or hurt insurance companies and insureds is yet to be determined.
Digital Privacy expert with ProPrivacy.com
Though the amendment is meant to clear up and simplify the situation with regards to how insurance providers would be subject to both laws, it may ultimately complicate matters even further for both insurers and the insured. Amending certain parts of the existing law to mirror certain parts of the new law, while exempting the entire insurance industry from other parts of the new law is an endeavor that is sure to induce a fair amount of confusion in all parties involved. Any effort to protect the sensitive personal data of consumers is a step in the right direction, but these efforts should strive to make compliance with privacy laws more straightforward for insurance companies instead of allowing them to get mired in a complicated patchwork of regulations.
partner in BakerHostetler
The most significant bill pending that will affect the insurance industry is AB 981. This bill, amended on April 30, and ordered to the Senate on May 22, would implement the Legislature’s intent to harmonize the consumer privacy protections contained in the CCPA with the requirements of conducting the business of insurance and long-established protections set forth in the Information and Privacy Protection Act (IPPA).
Also significant is AB 25. This bill proposes to amend the definition of a “consumer” to exclude job applicants, employees, contractors (engaged by written agreement) and agents. AB 25 passed the Assembly and was ordered to the Senate on May 29. It is currently in the Judiciary committee. There does not seem to be any meaningful opposition to the amendment so it stands a strong chance of passing.
partner in Drinker Biddle & Reath's Washington, D.C., office
Continuing legislative activity may provide more detail on the final contours of the CCPA. But now is the time to put data mapping activities, including inventorying of relationships with third parties with whom data is shared, reviewing and revising consumer facing privacy policies, and reviewing existing processes for responding to consumer requests on the front burner.
associate with King & Spalding
Insurance entities are also likely to have certain, risky types of personal information—such as SSNs—that can trigger a costly class action in the event of a breach caused by the breached entity’s lack of “reasonable” and “appropriate” security measures. It’s a good time to conduct a risk assessment and make sure that security practices are reasonable, appropriate, and persuasively documented.
a managing director with Kroll's Cyber Risk practice
This statute will apply to the data you have on both prospective and actual clients. It will cover not just the policy holder but their family as well. It applies not only to the data in your files, but also the data your vendors and third-party groups are keeping as well.