Insurance Journal
Don Jergler
July 1, 2019

Robert L. Wallan’s clients are keeping him quite busy as they fret about the implementation next year of the nation’s most far-reaching data privacy law, which gives California consumers more control over their personal data.

Wallan, a partner in Pillsbury Winthrop Shaw Pittman LLP in Los Angeles, Calif., handles class actions, insurance recovery and business-related litigation.

He has been working with clients who want to determine the language they should have in their cyber insurance their policies to protect themselves before California Consumer Privacy Act kicks in.

Anxiety is on the rise and a sense of urgency has set in for his clients – and things may get more intriguing when the Legislature reconvenes on July 12 and starts to take up numerous bills that could alter or add more teeth to the CCPA.

“I have clients, we’re in negotiations now,” Wallan said of his work on policy language. “We don’t have final wording yet, we’re not done.”

Insurance Journal solicited opinions on the ramifications of CCPA from more than a dozen experts. Continue reading to the bottom or scroll down to see what they had to say.

Wallan is looking at just about everything that can be examined in a cyber policy – with emphasis on matters like coverages, and whether to get more coverage, as well as waiting periods.

And he believes it won’t be long to wait until the first lawsuits related to the new law begin to be filed.

“You’re going to see some class-action litigation, my prediction is, pretty early,” Wallan said.

Paula Miller, a senior vice president and a leader in the cyber practice for Marsh, is also spending more time talking with clients about the new law.

Both existing and prospective clients are approaching the global insurance broker with concerns about the new law as the time for its implementation draws near, according to Miller.

“I would say it’s coming up pretty frequently,” she said.

CCPA Rules

The CCPA, which passed last year following massive data breaches in recent years at companies like Target and Equifax, requires companies to report to customers upon their request what personal data they’ve collected, why it was collected and what third-parties have received it.

This law is similar to Europe’s General Data Protection Regulation. Both GDPR and CCPA aim to give consumers greater control over use of their data as well as punish companies for exposing that data.

The new California law provides for its enforcement by the state’s attorney general, who is empowered to assess businesses a fine of $7,500 per record for CCPA violations. That could amount to a hefty sum in a breach like the one announced last month by First American Financial Corp., which reportedly exposed about 885 million files dating back to 2003 on its website.

The CCPA is set to take effect Jan. 1, 2020. However, the attorney general must still draft rules to enforce the act, which could take much longer.

The law specifies that the attorney general must adopt most of the rules for the CCPA by July 1, 2020.

According to the attorney general’s press office, he is on track to have the rules drafted by then.

“Attorney General Becerra and our team are currently working on the draft regulations,” an emailed response to a request for comment for this story states. “We plan to publish the initial draft rules in a timeframe within the confines of the law.”

However, the response from the attorney general’s office noted, beginning Jan. 1, 2020, the CCPA grants consumers a right to request that businesses disclose the categories and specific pieces of personal information being collected about them, as well as the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

This is why Wallan is working now with his clients, and he believes those who are not yet in compliance should be concerned.

“(The law) has a lookback period where data goes back for a year,” he said. “Things that people are doing today…could fall within the scope of information that they’re going to have to ID under the provisions of the CCPA.”

The CCPA applies to any for-profit entity that does business in California and collects personal data, and has annual gross revenues over $25 million, or possesses personal information on 50,000 or more consumers.

Limits

Neither of the aforementioned minimums exempt very many clients at a brokerage the size of New York-based Marsh.

“The threshold for the application of the new law is pretty low,” Miller said. “That certainly impacts all of our clients at Marsh.”

She said the pending arrival of the new law is driving sales for Marsh, and it has prompted companies that already buy cyber insurance to reach out to their brokers to ensure their policies are compliant with the new law.

“This is prompting them to not only reevaluate their coverage, but the overall insurance limits that they purchase,” Miller said. “In some cases, this law will increase sales in the form of increased limits for existing buyers.”

Limits being sought depend on the type of industry, size of revenues and how they feel about their cyber security exposure, according to Miller.

“The average limit for a business of up to $2 or $3 billion in annual revenue is going to be on the magnitude of $5 million to $25-$30 million,” Miller said.

Clients at San Francisco, Calif.-based Woodruff Sawyer, are also considering higher limits, according to Dan Burke, the firm’s national cyber practice leader.

“I would say that it is driving some increased purchasing from a limit perspective for us,” Burke said, adding that something similar occurred just before Europe’s GDPR kicked in last year. “A lot of that buying activity happened right up until the regulation went into effect.”

He expects a similar experience up to and beyond the Jan. 1 implementation of the new law.

“We’ll see an increase in those six months right prior to that,” Burke said.

Following California

Tony Dolce, vice president and cyber lead for Chubb NA, is responsible for the technical aspects of his company’s cyber line of business in the financial lines claim department as well as handling complex cyber matters.

Dolce believes that what the attorney general does to promulgate more regulations to interpret the law and govern its oversight may be as important as the law itself.

“A large carrier in the cyber space like Chubb, we’re closely monitoring the situation,” Dolce said.

The Warren, N.J.-based carrier’s interest goes beyond just following the California law, because Dolce believes the rest of the nation will be watching the rollout of the CCPA and he expects other states may follow the lead.

“I think it’s an interesting bellwether to see whether other states follow,” Dolce said. “I think the rest of the country is going to pay close attention to that.”

Beside the wait on the attorney general’s rules, there’s no certainty the CCPA will look like it does now. Several bills were introduced this Legislative session to alter, beef up or water down the CCPA. Many died, including a bill that would have expanded a consumer’s rights to bring a civil action for damages.

However, numerous bills are still alive that would alter the CCPA in some way. They include:

  • Assembly Bill 25 – Would exclude job applicants.
  • Assembly Bill 846 – Provides that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.
  • Assembly Bill 873 – Excludes from the definition of personal information consumer information that is deidentified, or aggregate consumer information.
  • Assembly Bill 874 – Excludes publicly available information from the definition of “personal information,” and defines the term “publicly available” to mean information that is lawfully made available from federal, state or local government records.
  • Assembly Bill 981 – Would eliminate a consumer’s right to request a business to delete or not sell a consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction.
  • Assembly Bill 1130 – Would close a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.
  • Assembly Bill 1146 – Would exempt the right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
  • Assembly Bill 1202 – Would require data brokers to register with the attorney general. Defines a data broker as a business that collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Would also require the attorney general to make the information provided by data brokers available on its website.
  • Assembly Bill 1355 – Would exclude consumer information that is deidentified or aggregate consumer information from the definition of personal information.
  • Assembly Bill 1416 – Would establish an exception to the CCPA for a business that provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.
  • Assembly Bill 1564 – Would require a business to make available a toll-free telephone number or an email address and a physical mailing address for submitting requests for information required to be disclosed.

Not on the list is Senate Bill 561. State Sen. State Sen. Hannah-Beth Jackson, D-Santa Barbara, introduced SB 561 during the session. The bill would have expanded a consumer’s rights to bring a civil action for damages.

The current version of the CCPA, set to go into effect in 2020, enables a limited private right of action. Individuals can bring a lawsuit if there’s been a data breach and a company isn’t using reasonable security measures to protect information being gathered.

SB 561 would have enabled individuals a private right of action for any CCPA violation.

The bill was killed, which may have caused those in the insurance industry who were paying attention to breathe a sigh of relief.

“That would have really opened the floodgates,” Miller said.

Burke offered a similar take.

“That one would have been, in my eyes, disastrous,” he said.

Rates

While many of Burke’s conversations with clients as of late center around him giving his opinion on how the law will ultimately look, the most common question he is getting on the CCPA, of course, goes to the bottom-line.

“How’s this going to impact my insurance?” is a question Burke is getting a lot.

The impact of the CCPA on carrier profitability will ultimately have a big hand in determining rates.

That’s the best answer Burke can give his clients right now.

“The CCPA has the ability to significantly impact the claims that carriers feel,” he said. “I think you’re going to start seeing settlements in those cases become bigger. As the claims severity increases, there’s really two things going to happening from a coverage standpoint: either premiums are going to have to go up to deal with severity or coverages are going to have to be reduced to deal with those losses.”

He added: “I really think that there’s going to be some significant claim payment that happens. I do think there’s going to be a pretty significant impact.”

Miller, on the other hand, believes rates hikes may take some time to wend their way down to buyers.

“I don’t think it will affect the premium rates at the outset,” Miller said, adding that rates weren’t immediately impacted with the implementation of GDPR. “Those by and large came without any premium changes. And I expect the same here.”

The severity of claims, at least for now, is uncertain.

However, Dolce believes that an increase in frequency is a good bet.

“I think the jury’s still out on the severity piece,” Dolce said. “I think the frequency piece is definitely a possibility.”

While Wallan and his clients wait, many of these companies he does business with have set up special task forces made of several employees to consider a host of CCPA-related issues – from compliance to legal matters – and what they can proactively do about them. The task forces are typically reaching out and working with departments all over the companies, making them a key part of many operations, he added.

“That’s what’s really recommended here as a best practice,” Wallan said. “You better have one, two or more people who are experts on CCPA to make sure you are in compliance.”

Following is what experts had to say about California’s new data privacy law and pending Legislation to alter or enhance it.

Celine Guillou

In July 2018, California passed the California Consumer Privacy Act (CCPA), effective January 2020. By far the strictest data privacy law to date in the United States, CCPA applies to certain companies doing business in California that collect or sell the personal information of California consumers (and households) and meet a number of other thresholds.

With this, CCPA has effectively provided plaintiffs’ attorneys newfound incentive to more actively pursue large class actions, which they have historically shunned with respect to businesses experiencing “smaller scale” security incidents due to the difficulty of demonstrating actual damages and the small likelihood of a substantial recovery. Thanks to CCPA, a data breach affecting just 10,000 consumers could easily exceed $1 million at a minimum. For plaintiffs’ attorneys, this is rather enticing, and the anticipated rise in lawsuits could have broad implications on cyber insurance industry. And if many companies – small to midsize, especially – have typically based their cyber insurance needs on the costs associated with investigating a security incident and notifying affected regulators and/or customers, they will now have to weigh in litigation costs, which are more significant and highly unpredictable.