Insurance policies are some of a company’s most valuable assets during times of increased risk and uncertainty. Yet corporate policyholders often leave money on the table by failing to thoughtfully construct their insurance program to respond to the risks inherent in their business and by neglecting to properly manage potential insurance claims. In recent years, data privacy and security have become a growing source of corporate risk for businesses, presenting new, evolving challenges for risk managers and insurers.
Starting January 1, 2020, companies doing business in California that meet certain qualifying criteria will be subject to an entirely new sphere of risk, as California’s sweeping Consumer Privacy Act (the CCPA) goes into effect. The CCPA will apply to any for-profit entity doing business in California that collects personal information about California consumers and meets at least one of three criteria:
- Has annual gross revenue above $25 million;
- Annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices; or
- Derives at least 50% of its annual revenue from selling California consumers’ personal information.
Moreover, if a business is subject to the CCPA, its subsidiaries and affiliates may also be covered if they share common branding, including a shared name, service mark or trademark.
The CCPA provides extensive protections for consumers with respect to the collection, storage, use and disclosure of a broad swath of “personal information.” A failure to comply with the exacting requirements of the CCPA may expose companies to an enforcement action from the California Attorney General or lawsuits from impacted California consumers. The CCPA carries substantial per-violation statutory penalties.
CCPA’s Likely Impact On Corporate Risk Profiles and Insurance Programs
- Increased data breach costs and volume of data privacy litigation
- Heightened scrutiny of Directors and Officers
- Increased insurance premiums, particularly for cyber risk/liability coverage
- Increased cost of settlements and judgments
Major Forms of Insurance Coverage That May Respond To A CCPA Claim
- Cyber Risk/Privacy Policies: Provide claims-made “first-party” coverage for losses due to destroyed/damaged data, business interruption, physical damage and/or cyber extortion, and “third-party” coverage for data breach investigations and defense of privacy liability actions.
- Professional Liability/E&O Policies: Provide claims-made coverage for wrongful conduct in connection with the delivery of “professional services.”
- Directors & Officers Policies: Provide claims-made coverage for liabilities incurred by directors and officers and/or claims made against a company arising out of the conduct of the company’s directors and officers.
- Employment Practices Liability: Covers “employment practices” claims. CCPA’s definition of “consumers” may include employees, leaving open the possibility that employees may bring CCPA claims against their employer.
- Commercial General Liability: Provides occurrence-based coverage for “bodily injury,” “property damage,” and/or “personal and advertising injury.”
- Crime Policies: Cover losses due to crime or dishonesty.
- Property Policies: Provide coverage for property damage resulting from specific events. Typically also cover loss arising from interruption to a business, whether caused by damage to your property or a business partner’s property.
Consider The Scope of The CCPA In Negotiating Your Policies and Preparing For A Potential Loss
A company should never accept an off-the-shelf policy. Instead, companies should seek to customize their policies to fit their risks. With respect to the CCPA, a company’s policies must cover more than a data breach or theft. Policies must cover acts arising out of the collection, use, storage and disclosure of “personal information,” a term that is defined broadly in the CCPA. Companies should carefully review this statutory definition and think deeply about how the identified forms of “information” interact with their business. Given the broad scope of the CCPA, there is a high potential for corporate exposure. To prepare for this risk, companies must build the right team, keep good insurance records, audit their policies, and have a robust process in place to promptly report insurance claims in the event that the company is facing a CCPA-related investigation or lawsuit.