The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of up to the greater of 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations.
One of the most prominent recently enacted cybersecurity and data protection laws is California’s Consumer Privacy Act of 2018 (CCPA), sometimes dubbed “the US GDPR,” which will take effect on January 1, 2020. A company need not have a brick-and-mortar presence in California to be subject to the CCPA: for-profit companies that collect and control personal information of California residents must meet the CCPA’s requirements if they (1) have annual gross revenues in excess of $25 million; (2) receive or disclose the personal information of 50,000 or more California residents; or (3) derive 50 percent or more of their gross annual revenue from selling the personal information of California residents. The CCPA also applies to corporate affiliates of these businesses that share their branding. As a result, many companies across the country, and even outside the United States, that count California residents among their customers will be subject to the CCPA.
The CCPA provides consumers with specific rights and choices concerning the use of their information and requires businesses to provide notices and disclosures to consumers in various circumstances. For instance, businesses must disclose to consumers, at or before the point of collection, the categories of personal information to be collected and the purposes for which the information will be used. Businesses must also notify consumers that they have the right to opt out of the sale of their personal information. Upon customer request, a business must disclose what information it has collected about the consumer, the sources of this information, the business purpose for the collection, and any third parties to whom the information has been sold. Businesses must also delete information collected about a consumer when requested, and direct service providers to delete that customer’s information as well. Businesses in violation of the CCPA are subject to a remedial injunction and penalties of up to $2,500 per violation, and $7,500 for each intentional violation. Notably, in addition to these penalties, the CCPA also gives consumers a private right of action for data breaches arising from “a violation of the duty to implement and maintain reasonable security procedures and practices.”
Other states have also enacted legislation protecting the personal information of their residents. For example, Massachusetts has enacted amendments, effective April 11, 2019, to its already comprehensive data protection and privacy law — 201 C.M.R. 17, Standards for the Protection of Personal Information of Massachusetts Residents, or “Massachusetts Standards.” The Standards provide robust data-security-program and encryption requirements, including the obligation to contractually bind a business’s third-party service providers to meet the Standards. Penalties include injunctive relief and fines up to $5,000 per violation, and violators will incur the costs of investigation and litigation. The Standards also require that, in the event of a data breach, companies must provide specific details to the state attorney general and the Office of Consumer Affairs and Business Regulation. If individuals’ Social Security numbers are disclosed, the company must offer credit monitoring services at no cost for 18 months. The amendments expressly prohibit delaying notice in order to determine the number of individuals affected, requiring instead that notices be sent out on a rolling basis.
Colorado likewise strengthened its consumer data protection law with amendments that went into effect on September 1, 2018. The new amendments require businesses that collect personal information of Colorado residents to “implement and maintain reasonable security procedures and practices,” and to contractually require service providers to do the same. Businesses must also develop written policies for the destruction or disposal of personal information once it is “no longer needed.” The amendments impose stringent data-breach-notification obligations: notice letters to Colorado residents must contain specified details, and companies must notify the state attorney general if notice of a security breach is given to 500 or more Colorado residents. Colorado also joins Florida as one of only two states that require notification of a security breach within 30 days.
Cybersecurity regulations specific to particular industries have also recently been enacted in many states. For instance, New York’s comprehensive cybersecurity regulation for financial institutions, NYCRR 500, went into full effect on March 1, 2019, after phased implementation. The regulation requires financial institutions to designate a “Chief Information Security Officer,” to implement a cybersecurity policy, to provide an annual cybersecurity report to the institution’s full board of directors, and to monitor third-party service providers under quite stringent standards. Vermont’s new law requires “data brokers” to implement specific security measures and to register with and provide certain disclosures to the state attorney general as of January 1, 2019. After the National Association of Insurance Commissioners (NAIC) promulgated a model cybersecurity regulation for insurance carriers in 2017, South Carolina, Ohio, and Michigan all adopted the model law in 2018.
Given the rapidly expanding universe of cybersecurity regulations and the extra-territorial reach of the GDPR and many state regulations, businesses should regularly reassess their cybersecurity insurance programs to make sure they are adequately covered in the event of regulatory actions. Below is a non-exhaustive list of issues to consider when analyzing a company’s coverage for regulatory risk:
Policy Definitions vs. Regulatory Definitions: Many state regulations define key terms such as “personal information” or “personal data,” “data breach,” and “security event,” which are typically also defined in cybersecurity policies. A cyber policy definition that is narrower than a regulator’s definition of a term could leave a policyholder exposed in the event of regulatory action, or, at minimum, could introduce ambiguity and potentially costly uncertainty into coverage questions. The policy definition of “regulatory action” should also encompass the various actions pertinent regulators are empowered to take, such as seeking injunctive relief or ordering particular remediation efforts.
Insurability of Fines and Penalties: Many European Union countries and a number of United States jurisdictions prohibit insurance coverage for fines and penalties. The jurisdiction specified in any choice of law provision in the policy should permit coverage for fines and penalties. In addition, policyholders should look carefully at any provision specifying that penalties are covered “as allowed by law” in order to foreclose the argument that insurability is determined by the law of the jurisdiction imposing the penalty, rather than the jurisdiction governing the policy. Ideally, the policy should clearly provide that fines and penalties are covered to the fullest extent possible under the law of the most favorable jurisdiction.
Coverage for Non-Penalty Expenses: Regulatory risk encompasses more than just fines and penalties and may not necessarily arise in connection with a data breach. Many regulators are empowered to seek injunctive relief, forcing a business to take specific actions in order to come into compliance with the regulations. Policyholders should make sure that their cyber policies do not limit regulatory coverage when the pertinent regulators take action without an actual breach. Policyholders should also look closely at the policy definitions of “claims expenses,” “damages,” and “loss” to make sure they are broad enough to encompass the costs associated with regulatory action, such as investigation costs, remediation costs (for instance, providing free credit monitoring when required), and compliance with notice requirements.
Intentional Acts Exclusions: Cyber policies may contain exclusions for intentional acts. These exclusions are particularly problematic with respect to regulatory coverage, as some regulations, such as the CCPA, impose heightened penalties for “intentional” violations. While the conduct required for a regulator to find an intentional violation may differ from the traditional understanding of intent in the insurance context, the presence of this exclusion potentially leaves cyber policyholders exposed.
Imputation Provisions: Policyholders should also look carefully to see whose conduct can be imputed to the policyholder. For instance, actions by a rogue employee who deliberately sabotages an organization’s cybersecurity or misuses consumers’ personal information may create liability for the organization under a respondeat superior theory, or even potentially give rise to a regulatory finding of an “intentional violation” of cybersecurity regulations. Ideally, cyber insurance policies would include a strong non-imputation provision strictly limiting whose acts can be imputed to the company for coverage purposes.
As more United States and foreign jurisdictions adopt and expand regulations governing cybersecurity and data privacy, and as cyber insurance claims arising out of regulatory enforcement actions are assessed and resolved or adjudicated, new trends and issues are bound to arise. Companies handling personal consumer information should continue to monitor their expanding regulatory exposure and reassess their cyber insurance program in light of these developing trends in order to manage their regulatory risk.