The California Consumer Privacy Act (CCPA) is a game-changer. Taking effect on January 1, 2020, the data privacy law creates new statutory rights governing the handling, storage, and sale of personal information. It broadens significantly the definition of “personally identifiable information” over prior statutory enactments. It reaches companies inside and outside of California based on revenue or the number of consumers whose personal information is bought, sold, shared, or received by a company. It creates private rights of action permitting the potential recovery of statutory or actual damages for consumers, and a new public form of action for the assessment of fines by the state attorney general.
Will typical cyber-related liability insurance policies respond to actions initiated under the CCPA? In their current form, many likely will not. This post suggests enhancements to existing cyberliability policies to maximize their potential responsiveness to CCPA actions.
1. The CCPA permits actions to be filed, and liability imposed, to prevent future harm from happening. Actual harm is not required to sue. Liability insurance policies, however, typically indemnify insureds against damages paid on account of injury or damage. Preventive measures usually are not covered because they do not result from the accident, happening, or event to which the policy responds.
A couple of tweaks—in bold—to typical cyberinsurance provisions can address this problem:
Expand the definition of the types of “wrongful acts” to which the policy responds so that it reads: “Loss, theft, failure to protect, failure to secure, or unauthorized acquisition of personally identifiable information . . . .”
Expand the definition of the type of regulatory action to which the policy responds so that it reads: “A written demand for compliance with data protection law, a civil investigative demand, a civil investigative proceeding, or civil proceeding brought by or on behalf of a governmental or regulatory entity alleging a violation of data protection law.”
2. The CCPA’s expansive definition of “personally identifiable information” may escape the definition of this term in typical cyber-related liability policies. Any attempt to list the many types of information encompassed by the CCPA is fraught with potential exclusions that could doom an insurance coverage claim from the outset. It is better to be all encompassing, so that the definition of “personally identifiable information” includes the following:
Information concerning an individual or household that would be considered “personal information” or “personally identifiable information” within the meaning of the California Consumer Privacy Act, any amendments thereto, or any associated regulations promulgated by the attorney general of the State of California.
3. The CCPA permits the attorney general to seek to impose penalties on potential violators, with the proceeds remitted to a consumer privacy fund. Many cyber-related liability policies do not indemnify the insured against its payment of penalties. “Penalties” are not seen as “damages” to which a policy should respond, but instead are viewed as imposed punishment for noncompliance with the law.
Some insurers, however, are willing to offer coverage for the imposition of “penalties.” A potential expansion of the liability coverage afforded under a cyber-related policy could read as follows:
The Insurer will pay on behalf of an Insured claims expenses, regulatory damages, privacy regulatory fines or penalties . . . that the Insured is legally obligated to pay because of a privacy regulatory action . . . alleging a wrongful act as defined in this policy.
The policy can then define “privacy regulatory fines or penalties” as “a civil monetary fine or penalty payable by an Insured to a governmental or regulatory entity or to the Consumer Privacy Fund established under the California Consumer Privacy Act.”
These suggestions are not revolutionary. Insurers and insureds have been grappling with related issues arising under the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018. Some insurance policies have been amended to address the GDPR’s unique challenges.
Insureds and their brokers should examine existing cyber-related liability policies in advance of January 1, 2020, and work with their insurers to address the potential shortfalls in coverage discussed in this post, along with those discussed in a forthcoming companion post.