Anxiety, Policy Limits Rising Ahead of California’s Sweeping Data Privacy Law

By | July 1, 2019

Robert L. Wallan’s clients are keeping him quite busy as they fret about the implementation next year of the nation’s most far-reaching data privacy law, which gives California consumers more control over their personal data.

Wallan, a partner in Pillsbury Winthrop Shaw Pittman LLP in Los Angeles, Calif., handles class actions, insurance recovery and business-related litigation.

He has been working with clients who want to determine the language they should have in their cyber insurance policies to protect themselves before California Consumer Privacy Act kicks in.

Anxiety is on the rise and a sense of urgency has set in for his clients – and things may get more intriguing when the Legislature reconvenes on July 12 and starts to take up numerous bills that could alter or add more teeth to the CCPA.

“I have clients, we’re in negotiations now,” Wallan said of his work on policy language. “We don’t have final wording yet, we’re not done.”

Insurance Journal solicited opinions on the ramifications of CCPA from more than a dozen experts. Continue reading to the bottom or scroll down to see what they had to say.

Wallan is looking at just about everything that can be examined in a cyber policy – with emphasis on matters like coverages, and whether to get more coverage, as well as waiting periods.

And he believes it won’t be long to wait until the first lawsuits related to the new law begin to be filed.

“You’re going to see some class-action litigation, my prediction is, pretty early,” Wallan said.

Paula Miller, a senior vice president and a leader in the cyber practice for Marsh, is also spending more time talking with clients about the new law.

Both existing and prospective clients are approaching the global insurance broker with concerns about the new law as the time for its implementation draws near, according to Miller.

“I would say it’s coming up pretty frequently,” she said.

CCPA Rules

The CCPA, which passed last year following massive data breaches in recent years at companies like Target and Equifax, requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third-parties have received it.

This law is similar to Europe’s General Data Protection Regulation. Both GDPR and CCPA aim to give consumers greater control over use of their data as well as punish companies for exposing that data.

The new California law provides for its enforcement by the state’s attorney general, who is empowered to assess businesses a fine of $7,500 per record for CCPA violations. That could amount to a hefty sum in a breach like the one announced last month by First American Financial Corp., which reportedly exposed about 885 million files dating back to 2003 on its website.

The CCPA is set to take effect Jan. 1, 2020. However, the attorney general must still draft rules to enforce the act, which could take much longer.

The law specifies that the attorney general must adopt most of the rules for the CCPA by July 1, 2020.

According to the attorney general’s press office, he is on track to have the rules drafted by then.

“Attorney General Becerra and our team are currently working on the draft regulations,” an emailed response to a request for comment for this story states. “We plan to publish the initial draft rules in a timeframe within the confines of the law.”

However, the response from the attorney general’s office noted, beginning Jan. 1, 2020, the CCPA grants consumers a right to request that businesses disclose the categories and specific pieces of personal information being collected about them, as well as the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

This is why Wallan is working now with his clients, and he believes those who are not yet in compliance should be concerned.

“(The law) has a lookback period where data goes back for a year,” he said. “Things that people are doing today…could fall within the scope of information that they’re going to have to ID under the provisions of the CCPA.”

The CCPA applies to any for-profit entity that does business in California and collects personal data, and has annual gross revenues over $25 million, or possesses personal information on 50,000 or more consumers.

Limits

Neither of the aforementioned minimums exempt very many clients at a brokerage the size of New York-based Marsh.

“The threshold for the application of the new law is pretty low,” Miller said. “That certainly impacts all of our clients at Marsh.”

She said the pending arrival of the new law is driving sales for Marsh, and it has prompted companies that already buy cyber insurance to reach out to their brokers to ensure their policies are compliant with the new law.

“This is prompting them to not only reevaluate their coverage, but the overall insurance limits that they purchase,” Miller said. “In some cases, this law will increase sales in the form of increased limits for existing buyers.”

Limits being sought depend on the type of industry, size of revenues and how they feel about their cyber security exposure, according to Miller.

“The average limit for a business of up to $2 or $3 billion in annual revenue is going to be on the magnitude of $5 million to $25-$30 million,” Miller said.

Clients at San Francisco, Calif.-based Woodruff Sawyer, are also considering higher limits, according to Dan Burke, the firm’s national cyber practice leader.

“I would say that it is driving some increased purchasing from a limit perspective for us,” Burke said, adding that something similar occurred just before Europe’s GDPR kicked in last year. “A lot of that buying activity happened right up until the regulation went into effect.”

He expects a similar experience up to and beyond the Jan. 1 implementation of the new law.

“We’ll see an increase in those six months right prior to that,” Burke said.

Following California

Tony Dolce, vice president and cyber lead for Chubb NA, is responsible for the technical aspects of his company’s cyber line of business in the financial lines claim department as well as handling complex cyber matters.

Dolce believes that what the attorney general does to promulgate more regulations to interpret the law and govern its oversight may be as important as the law itself.

“A large carrier in the cyber space like Chubb, we’re closely monitoring the situation,” Dolce said.

The Zurich-based carrier’s interest goes beyond just following the California law, because Dolce believes the rest of the nation will be watching the rollout of the CCPA and he expects other states may follow the lead.

“I think it’s an interesting bellwether to see whether other states follow,” Dolce said. “I think the rest of the country is going to pay close attention to that.”

Beside the wait on the attorney general’s rules, there’s no certainty the CCPA will look like it does now. Several bills were introduced this Legislative session to alter, beef up or water down the CCPA. Many died, including a bill that would have expanded a consumer’s rights to bring a civil action for damages.

However, numerous bills are still alive that would alter the CCPA in some way. They include:

  • Assembly Bill 25 – Would exclude job applicants.
  • Assembly Bill 846 – Provides that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.
  • Assembly Bill 873 – Excludes from the definition of personal information consumer information that is deidentified, or aggregate consumer information.
  • Assembly Bill 874 – Excludes publicly available information from the definition of “personal information,” and defines the term “publicly available” to mean information that is lawfully made available from federal, state or local government records.
  • Assembly Bill 981 – Would eliminate a consumer’s right to request a business to delete or not sell a consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction.
  • Assembly Bill 1130 – Would close a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.
  • Assembly Bill 1146 – Would exempt the right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
  • Assembly Bill 1202 – Would require data brokers to register with the attorney general. Defines a data broker as a business that collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Would also require the attorney general to make the information provided by data brokers available on its website.
  • Assembly Bill 1355 – Would exclude consumer information that is deidentified or aggregate consumer information from the definition of personal information.
  • Assembly Bill 1416 – Would establish an exception to the CCPA for a business that provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.
  • Assembly Bill 1564 – Would require a business to make available a toll-free telephone number or an email address and a physical mailing address for submitting requests for information required to be disclosed.

Not on the list is Senate Bill 561. State Sen. State Sen. Hannah-Beth Jackson, D-Santa Barbara, introduced SB 561 during the session. The bill would have expanded a consumer’s rights to bring a civil action for damages.

The current version of the CCPA, set to go into effect in 2020, enables a limited private right of action. Individuals can bring a lawsuit if there’s been a data breach and a company isn’t using reasonable security measures to protect information being gathered.

SB 561 would have enabled individuals a private right of action for any CCPA violation.

The bill was killed, which may have caused those in the insurance industry who were paying attention to breathe a sigh of relief.

“That would have really opened the floodgates,” Miller said.

Burke offered a similar take.

“That one would have been, in my eyes, disastrous,” he said.

Rates

While many of Burke’s conversations with clients as of late center around him giving his opinion on how the law will ultimately look, the most common question he is getting on the CCPA, of course, goes to the bottom-line.

“How’s this going to impact my insurance?” is a question Burke is getting a lot.

The impact of the CCPA on carrier profitability will ultimately have a big hand in determining rates.

That’s the best answer Burke can give his clients right now.

“The CCPA has the ability to significantly impact the claims that carriers feel,” he said. “I think you’re going to start seeing settlements in those cases become bigger. As the claims severity increases, there’s really two things going to happening from a coverage standpoint: either premiums are going to have to go up to deal with severity or coverages are going to have to be reduced to deal with those losses.”

He added: “I really think that there’s going to be some significant claim payment that happens. I do think there’s going to be a pretty significant impact.”

Miller, on the other hand, believes rates hikes may take some time to wend their way down to buyers.

“I don’t think it will affect the premium rates at the outset,” Miller said, adding that rates weren’t immediately impacted with the implementation of GDPR. “Those by and large came without any premium changes. And I expect the same here.”

The severity of claims, at least for now, is uncertain.

However, Dolce believes that an increase in frequency is a good bet.

“I think the jury’s still out on the severity piece,” Dolce said. “I think the frequency piece is definitely a possibility.”

While Wallan and his clients wait, many of these companies he does business with have set up special task forces made of several employees to consider a host of CCPA-related issues – from compliance to legal matters – and what they can proactively do about them. The task forces are typically reaching out and working with departments all over the companies, making them a key part of many operations, he added.

“That’s what’s really recommended here as a best practice,” Wallan said. “You better have one, two or more people who are experts on CCPA to make sure you are in compliance.”

Related:

Following is what experts had to say about California’s new data privacy law and pending Legislation to alter or enhance it.

Celine Guillou

an attorney in the Palo Alto, Calif., office of Hopkins & Carley

In July 2018, California passed the California Consumer Privacy Act (CCPA), effective January 2020. By far the strictest data privacy law to date in the United States, CCPA applies to certain companies doing business in California that collect or sell the personal information of California consumers (and households) and meet a number of other thresholds.

With this, CCPA has effectively provided plaintiffs’ attorneys newfound incentive to more actively pursue large class actions, which they have historically shunned with respect to businesses experiencing “smaller scale” security incidents due to the difficulty of demonstrating actual damages and the small likelihood of a substantial recovery. Thanks to CCPA, a data breach affecting just 10,000 consumers could easily exceed $1 million at a minimum. For plaintiffs’ attorneys, this is rather enticing, and the anticipated rise in lawsuits could have broad implications on cyber insurance industry. And if many companies – small to midsize, especially – have typically based their cyber insurance needs on the costs associated with investigating a security incident and notifying affected regulators and/or customers, they will now have to weigh in litigation costs, which are more significant and highly unpredictable.

Kathryn Rock

director of financial services for Navigant Consulting

CCPA’s language, as drafted, is oftentimes ambiguous. The committee recently began clarifying some of the language although formal passage is still pending. Of particular interest to the insurance industry is AB 981. This bill exempts regulated insurance companies from CCPA, but has been amended to add new privacy requirements to the Insurance Code and restrict the exemptions to consumers’ rights to the deletion of their personal information and to opt out of the sale of their personal information in certain scenarios. Notably, AB 981 does not seek to exempt these insurance companies from the consumers’ right to private action.

David Stauss

partner, Husch Blackwell LLP

Any business that is subject to the CCPA should start their compliance efforts as soon as possible. Although there have been many amendments proposed to modify the CCPA, none of them are going to change the basic rights provided to California residents under the law. CCPA compliance may be a daunting task for many entities, and there are still some issues that need to be clarified, but businesses can start driving compliance by preparing data inventories and tracking third party disclosures of personal information.

Judy Selby

principal at Judy Selby Consulting LLC an insurance and privacy advisory services firm

One of the reasons the CCPA will be a big game changer is because it applies to an unexpectedly broad range of data, even when compared with other privacy regulations. For example, under the CCPA, personal information is defined as information that can be linked, directly or indirectly, with a particular consumer or household. That information includes browsing history, products and services purchased or considered, inferences that create a profile reflecting personal abilities, aptitudes and attitudes, audio, electronic, visual, thermal, olfactory information and a variety of other types of information not previously captured by US privacy laws.

In short, if one can learn something about someone that is useful for marketing purposes, chances are, it’s “personal information” covered by the CCPA. As a take away, companies that typically aren’t overly concerned about privacy regulations can’t simply assume that the CCPA will not apply to them. Instead, they should carefully review the types of information they control or process and compare that against the Act to determine if they fall within the scope of the new law.

Batya Forsyth

chair of litigation section and co-chair of the privacy, data security and information governance group for Hanson Bridgett

Insurance companies and brokers in California are already subject to the Insurance Information Privacy Protection Act (IIPPA) so some of what the CCPA requires may feel familiar. But the CCPA’s requirements are more stringent and the exceptions narrower, than the IIPPA’s.

The California Assembly passed legislation that would exempt insurers from the consumer’s rights to delete and opt-out of the sale of personal information. Even so, they will still be subject to the consumer’s right to request information about those transfers, and the proposed law would require insurers to implement a comprehensive written information security program. Whether the amendment to CCPA passes or not, insurance companies will have to work significantly to align their existing IIPPA compliance processes to meet the CCPA’s standards.

Jeff Dennis

Head of Newmeyer & Dillion's privacy and data security practice

The CCPA may have a massive impact on the cyber insurance industry. Two thoughts – one is a warning, and one is a proactive suggestion. Given the $100 – $750 automatic damage figure which applies to any data breach where reasonable security was not in place, insurers must understand that this may lead to potentially massive damage awards against insureds. For instance, a data breach of 50,000 pieces of personal information would lead to a class action damage award of $5 million to $37.5 million. This may have an impact on what carriers agree to cover, and the levels of coverage needed.

In addition, given the numerous technical requirements of the CCPA, cyber insurers would be well-suited to consider incentivizing their insureds to comply with CCPA. This may be accomplished through discounting premiums or lowering retentions if an insured works with local counsel to become CCPA compliant.

Rob Rosenzweig

national cyber risk practice leader for insurance brokerage Risk Strategies

The main thing is CCPA establishes a private right of action and statutory damages ranging between $100-$750 per individual per incident. Previously, plaintiffs’ attorneys were reluctant to bring an action against organizations experiencing smaller scale incidents as it has been difficult to prove injury in fact and demonstrate actual damages. Now, at $100 minimum per individual incident, there will be an uptick in class action lawsuits following data breaches, even for relatively small breaches.

This litigation impact is going to move further downstream. The inevitable onslaught of lawsuits could have implications on how cyber insurance is underwritten in terms of pricing and profitability, particularly with the small and middle market. And as more claims are paid out, premiums could go up. Additionally, many clients historically have based their desired limits on the likely costs associated with the investigation of an incident and the notification of affected individuals. However, litigation costs are much more variable and potentially catastrophic.

KJ Dearie

product specialist and privacy consultant for Termly

The fate of the insurance community under the CCPA hangs in the air right now — dependent upon the passing or rejection of Assembly Bill 981. AB 981 proposes to exempt insurance institutions that fall under the purview of the Insurance Information and Privacy Protection Act (IIPPA) from complying with certain CCPA requirements.

For example, the CCPA grants users the right to request that businesses don’t sell or share the user’s personal information to third parties. If AB 981 comes to pass, this CCPA statute would not apply to insurance companies that need to exchange personal information with third parties in order to complete an insurance transaction.

If this bill is successful, the insurance community will likely see little difference in how it operates compared to present day. Since AB 981 defers to IIPPA to set the standards for how insurance-related data is handled, practices will remain largely the same.

However, in the event that AB 981 is rejected, insurance institutions will be subject to the same standards, rules, and consequences as any other business under the CCPA. Given the new rights of data subjects — particularly rights regarding user control of data sharing and sale — insurance companies will be forced to create and navigate new methods of exchanging personal information for insurance transactions. Whether this will help or hurt insurance companies and insureds is yet to be determined.

Attila Tomaschek

Digital Privacy expert with ProPrivacy.com

With the effective date of the California Consumer Privacy Act (CCPA) rapidly approaching, insurance companies serving customers in the state of California should already be putting the finishing touches on their preparations to be in compliance with the strict consumer privacy law. But as it stands currently, compliance for insurance companies, in particular, will be quite a bit more complicated due to the overlapping consumer privacy regulations between the CCPA and the Insurance Information and Privacy Protection Act (IIPPA). Proposed amendments to the law include Assembly Bill 981, which is of specific interest to the insurance industry. Should the amendment pass, it would effectively exempt insurance companies that are bound by the IIPPA from the CCPA, except for its provisions related to data breaches or for any business operation not subject to the IIPPA. The bill would also amend the IIPPA to mirror certain elements from the CCPA for the insurance industry.

Though the amendment is meant to clear up and simplify the situation with regards to how insurance providers would be subject to both laws, it may ultimately complicate matters even further for both insurers and the insured. Amending certain parts of the existing law to mirror certain parts of the new law, while exempting the entire insurance industry from other parts of the new law is an endeavor that is sure to induce a fair amount of confusion in all parties involved. Any effort to protect the sensitive personal data of consumers is a step in the right direction, but these efforts should strive to make compliance with privacy laws more straightforward for insurance companies instead of allowing them to get mired in a complicated patchwork of regulations.

Alan Friel

partner in BakerHostetler

There are a number of bills that have advanced into the last two months of the California legislative session before the August break. When the legislature returns in September, there are only two weeks left to pass any then remaining bills. Accordingly, by the middle of September, which is also when the proposed regulations are expected from the Attorney General, companies should know what their 2020 CCPA obligations will be.

The most significant bill pending that will affect the insurance industry is AB 981. This bill, amended on April 30, and ordered to the Senate on May 22, would implement the Legislature’s intent to harmonize the consumer privacy protections contained in the CCPA with the requirements of conducting the business of insurance and long-established protections set forth in the Information and Privacy Protection Act (IPPA).

Also significant is AB 25. This bill proposes to amend the definition of a “consumer” to exclude job applicants, employees, contractors (engaged by written agreement) and agents. AB 25 passed the Assembly and was ordered to the Senate on May 29. It is currently in the Judiciary committee. There does not seem to be any meaningful opposition to the amendment so it stands a strong chance of passing.

Josephine Cicchetti

partner in Drinker Biddle & Reath's Washington, D.C., office

Jan. 1, 2020 is fast approaching and insurance entities should not be delaying their review and preparation for compliance with the CCPA. While exemptions for certain data such as information collected pursuant to GLBA, HIPAA, and the FCRA should be considered, insurance entities should not expect any last-minute reprieve from the application of the law for the industry.

Continuing legislative activity may provide more detail on the final contours of the CCPA. But now is the time to put data mapping activities, including inventorying of relationships with third parties with whom data is shared, reviewing and revising consumer facing privacy policies, and reviewing existing processes for responding to consumer requests on the front burner.

Anush Emelianova

associate with King & Spalding

Insurers who do business in California are in an awkward situation: they will have to conduct a detailed data inventory to figure out what information is not covered by the federal GLBA and therefore subject to the CCPA in 2020. For example, information provided by consumers is GLBA-covered and CCPA-exempt, but information about consumers obtained from other sources, or information identifying a “household” but not a “person,” is subject to CCPA. These and other uncertainties are likely to drive up compliance (and insurance) costs.

Insurance entities are also likely to have certain, risky types of personal information—such as SSNs—that can trigger a costly class action in the event of a breach caused by the breached entity’s lack of “reasonable” and “appropriate” security measures. It’s a good time to conduct a risk assessment and make sure that security practices are reasonable, appropriate, and persuasively documented.

Jonathan Fairtlough

a managing director with Kroll's Cyber Risk practice

The key to being ready for the CCPA is simple: get permission, make a map, and be ready to show your work on request. Make sure you have permission to keep the data you have about CA residents. Create a map of the data you are keeping – use your workflow to help identity data. Have a process to respond to a data request, linked to your website and tied to the data.

This statute will apply to the data you have on both prospective and actual clients. It will cover not just the policy holder- but their family as well. It applies not only to the data in your files, but also the data your vendors and third-party groups are keeping as well.

Show MoreShow Less

Was this article valuable?

Here are more articles you may enjoy.