Be prepared—new statutory claims may not be covered under existing policies.
In June 2018, California enacted the toughest data privacy law in the United States. Companies doing business in California may have to make significant changes to their insurance programs to protect against the risks created by the statute.
The California Consumer Privacy Act of 2018 ("CCPA") requires companies to make detailed disclosures about their data collection and sharing practices. It also requires companies to honor consumer requests to delete personal information or stop sharing it with third parties. Companies could face statutory liability under the CCPA when inadequate security measures result in the disclosure of personal information—in a data breach or otherwise. Consumers may recover statutory damages of $100 to $750 per person per violation.
This new statutory damages provision could lead to a surge in data breach lawsuits. Even relatively minor cyber incidents may attract the attention of plaintiffs' class action counsel, given the amount of potential damages.
The CCPA has critical implications for insurance coverage. Many companies—even those with cyber insurance—will find that their current insurance programs do not adequately protect them against the new statutory liabilities. For example:
- Many cyber policies currently on the market would not cover claims for violating the CCPA's disclosure requirements or for failing to delete data upon request. Policyholders may have to amend their policies to cover such claims.
- Companies should ensure their policies contain language covering statutory damages, given the potential exposure under the CCPA.
- The CCPA may increase the likelihood of data breach litigation and drive up the cost of settlements. Under cyber policies, defense costs erode policy limits. Companies should assess whether they have sufficient policy limits to defend and settle data breach claims.
- Many cyber insurers do not include coverage for regulatory claims in their standard form. Regulatory coverage becomes more important in light of the CCPA's civil penalties and the California attorney general's enforcement authority.
The CCPA becomes effective on January 1, 2020—which means corporate insurance programs will go through at least one renewal cycle before the law takes effect. Companies should use this window of opportunity to review their insurance policies and make changes as necessary to address the new exposures under the CCPA.