Beginning January 1, 2020, companies doing business in California that meet certain criteria will be subject to a new regulation, as the sweeping California Consumer Privacy Act (CCPA) goes into effect. The CCPA provides extensive protections for consumers with respect to the collection, storage, use and disclosure of a broad swath of personal information. Failure to comply with the act’s exacting requirements may expose companies to enforcement action from the state’s attorney general or lawsuits from impacted California consumers.
To further complicate matters, the CCPA arrives on the heels of the European Union’s General Data Protection Regulation (GDPR), and many companies think they are experiencing déjà vu. However, companies must be careful as the added restrictions in the two acts are not identical and insurance coverage for violations of one does not ensure coverage for both.
Every year, insurance policy forms change, new exclusions are added to existing policies and new insurance products are introduced into the market. As new statutes, acts and regulations create novel areas of liability, it is critical to know what insurance coverage your business has and what is available. Thus, to prepare for the CCPA with respect to insurance coverage, companies should work closely with their coverage counsel and conduct a comprehensive cyber breach and privacy liability coverage audit of the company’s insurance portfolio. This will allow them to evaluate their current cyber and privacy coverage, determine whether the program meets their needs and identify any potential coverage gaps. Firms can then eliminate any coverage gaps the audit discovers, negotiate changes to their current insurance coverage policy language, and revise corporate practices if necessary.
The following three steps are critical in conducting a successful audit:
STEP 1: Interview company stakeholders.
Before analyzing any insurance policies, in-house counsel, members of risk management and key executives should meet to discuss the company’s current IT department, privacy policies, and how the company collects, uses, stores and discloses information. To determine a company’s insurance needs, counsel must understand which individuals, departments and systems have access to company data, as well as the policies and procedures that are in place and how these controls are checked and documented.
In addition, the interviews should include discussion of historic and current cyber and privacy liabilities and potential exposures, business needs and the overall corporate strategy with respect to data, as well as the extent to which the company provides or receives additional insured status.
STEP 2: Analyze the insurance policies.
An analysis conducted by coverage counsel significantly differs from and complements a broker’s policy analysis. For example, issues like personal information vs. confidential information, theft of data vs. negligence, “other insurance” clauses, number of occurrences, trigger and allocation, batch clauses, and exhaustion language may significantly affect any ultimate insurance recovery and require a level of legal sophistication in the analysis of their potential impact.
The primary place to locate insurance coverage for a CCPA violation will be under the company’s cyber breach privacy liability insurance policy. An audit of this policy should start with how it defines “confidential information” and “personal information.”
The CCPA broadly defines “personal information” as “information that: identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Off-the-shelf cyber policies do not define personal or confidential information as broadly, nor do they contain other coverage grants that are necessary to insure against CCPA violations.
To obtain coverage for CCPA violations, a company’s cyber policy must be negotiated to cover more than the typical data breach, theft and publication. Policies should also cover acts arising out of the collection, use, storage and disclosure of “personal information,” as defined in the CCPA. Other critical points for coverage grants under cyber policies include ensuring the following are covered:
- Violations of privacy laws, regulatory actions, and fines and penalties (even when not triggered by a breach)
- Failures to delete information upon request or after a certain time limit
- Punitive damages (with a most favored jurisdiction clause)
- Statutory damages
- Vendor errors
- Forensic costs
- Crisis management/public relations
- Intentional acts of employees
- Brand damage/reputation costs
In addition to analyzing the coverage grants, the audit should also analyze all the following provisions through a legal lens:
- A review of definitions, extensions, exclusions, endorsements, notice and discovery provisions, defense costs, duty to cooperate and right to settle claims, and state variations
- “Other insurance” clauses to determine whether cyber/privacy coverage is primary
- Choice of law and dispute resolution provisions
- Deductibles, self-insured retentions and retrospective premium provisions in light of the company’s business needs, overall objectives and strategy
- Trigger and discovery provisions and the company’s policies for providing notice to insurers
- Underwriting requirements and disclosures provided to insurers regarding current IT procedures
While a cyber policy should provide the company’s most robust coverage in the event of a CCPA violation, a cyber breach or privacy claim may also trigger additional insurance policies including: errors and omissions/professional liability, directors and officers, employment liability, commercial general liability, fidelity/crime, and property. Finally, it may also trigger policies purchased by another company but where your company has been provided additional insured status via contract. All of these policies should be analyzed in the same manner as the company’s cyber policy.
STEP 3: Negotiate away the gaps in coverage and create a list of other options to reduce risk.
The last step in the cyber insurance policy audit is compiling a list of all identified gaps in coverage and policy revisions to be requested and negotiated with your insurance carrier. Since attorney-client privilege may not extend to your company’s broker, do not share the full legal insurance coverage audit with them. Instead, create a separate checklist of policy language revisions requested that your broker can use in negotiations, but do not include any reasoning or comments.
If certain coverage is unavailable or limited, counsel should provide the company with other options for reducing risk, such as implementing policy changes to data handling or adding indemnity or additional insured contractual requirements for customers or vendors.
With the CCPA taking effect January 1, 2020, companies that have not already assessed their insurance coverage in light of the new liability should quickly prepare. A comprehensive audit will provide your company with the necessary tools to properly assess its risk, current insurance coverage and any key coverage gaps and corporate practices that should change to mitigate both the data security and regulatory risks of the CCPA.