Attorney: Scrutinize terms of insurance policies as California Privacy Law comes into force
January 2, 2020
By: Mariam Baksh
As organizations consider insuring themselves with the advent of the California Privacy Protection Act — which became enforceable Wednesday — they should do their research, and those who have insurance should reassess their current policies’ privacy coverage, according to a lawyer who represents policy holders.
“2019 has been called the ‘Year of Ransomware,’ and while ransomware will likely continue to pose a threat to businesses next year, 2020 may be the ‘Year of Privacy,’” Peter Halprin, a partner at the insurance recovery firm Pasich LLP, said in an email to Inside Cybersecurity.
Under the CCPA, residents of the state are granted a private right of action in cases where “nonencrypted or nonredacted personal information,” as defined by the law’s provisions, “is subject to unauthorized access and exfiltration, theft or disclosure.” In other words, if there’s a breach, and certain measures weren’t taken to protect the data, consumers can sue.
The private right of action is a major sticking point for top Republican lawmakers debating national privacy legislation with their Democratic counterparts. They say it will swamp organizations with frivolous lawsuits and chiefly serve to enrich lawyers.
But House and Senate leaders are not much closer to reaching a compromise than when they first started deliberations over a federal standard that would pre-empt state laws like California’s. Major players, like the U.S. Chamber of Commerce, are taking their campaign for a federal law to the states, and plan to build support among key constituents on the ground.
Meanwhile, Halprin is noting the emergence of new laws in states like New York, and his firm is analyzing the implementation of other state, and international, laws to highlight the statutory damages entities might want to negotiate coverage for, and how they might ensure it’s delivered.
“Some have referred to the CCPA as America’s [General Data Protection Regulation],” Halprin said. “Those looking for insurance to protect against liabilities arising under statutory privacy regimes such as CCPA and GDPR will want to work with their insurance professionals to scrutinize insurance policy wording to ensure coverage.”
Halprin said 2019 saw “corporations of all sizes [incurring] massive GDPR liabilities,” with some of the largest known potential liabilities including over €204 M against British Airways, €110 M against Marriott, and €50 M against Google.
Insurance companies have sought to assure the “soft market” that they pay claims amid skepticism brought on by exclusions for cases such as those potentially involving nation-state actors, as they could be deemed an “act of war.”
Pasich is specifically promoting a survey the firm has taken of case law pertaining to the Illinois Biometric Privacy Act, which took effect in 2008 and, Halprin notes, is the “oldest U.S. state statutory regime.” The analysis highlights ways in which insurance companies argued they were not obligated to defend or indemnify their policy holders in specific cases under provisions such as the “Recording and Distribution of Material or Information in Violation of Law exclusion,” for example.
“This survey of BIPA case law is particularly important for policyholders, risk managers, brokers, in-house counsel and other corporate stakeholders and decision makers as they may foretell the future for insureds seeking coverage under the CCPA, GDPR, and future privacy statutes,” Halprin said.
— Mariam Baksh