Data Privacy Laws, Hackers Put New Emphasis on Cyber Insurance

By: Rich Ehisen

THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)¹ and other state data privacy laws have done more than motivate companies to rethink how they manage consumer data; they also have many organizations thinking more than ever about how they manage their cyber insurance coverage.

Once considered a niche product, cyber insurance policies have become common for companies that handle large amounts of consumer data. With increased exposure under new data privacy laws like the CCPA, such policies are rapidly turning into a must-have, with global premiums expected to grow² from about $2.5 billion today to approximately $7.5 billion by next year.

“The wolf at the door right now is CCPA readiness,” says Scott Ferber, a partner with King & Spalding’s Data Privacy and Security practice in Washington, D.C., who often works with the mergers and acquisitions side of the company. “How well a company is prepared for the CCPA is now a consideration point for assessing an acquisition target’s valuation.”

Data laws are hardly the only concern. In its annual MidYear Quick View Data Breach Report, cybersecurity firm Risk Based Security said it had tracked³ more than 3,800 data breaches and ransomware attacks in the first six months of 2019 alone, a remarkable 53% increase over the same time period in 2018. A recent World Economic Forum report⁴ listed data fraud or theft and cyber attacks as the fourth and fifth most likely risks companies face in the world today, and good cyber hygiene as a top three tenet for good business leadership.

But cyber compliance experts say just having a cyber insurance policy may not be enough. With hundreds of carriers in the United States alone and no single set of standards for what a policy should cover—and with greater likelihood than ever of litigation over breaches and privacy violations—ensuring adequate protection from liability may actually be harder than ever. “Even for companies that have worked hard to put cyber insurance policies in place, those policies may not provide the coverage they need,” says Jones Day Insurance Recovery partner Rich DeNatale in a video⁵ on the company’s website. He notes that claims against a company under the CCPA for failing to adequately protect consumer data might not be covered under many of the policies currently available on the market.

Judy Selby, principal at Judy Selby Consulting LLC, an insurance and privacy advisory services firm in New York City, says many companies right now might believe they are fully covered for any eventuality, when in reality their policies have significant holes that could leave them high and dry in the case of a breach or lawsuit.

“The cyber insurance market is really challenging right now, and there are no shortcuts around closely reviewing every single form in your cyber insurance policy,” she says.

And there is definitely a lot to know. Similar to the European Union’s General Data Protection Regulations,⁶ the CCPA requires companies to inform their customers upon request exactly what personal data they’ve collected, why they did so, and with whom they have shared it.

There are some major limitations to the law’s grasp: it applies only to for-profit entities doing business in California that derive more than 50% of their income from selling personal data, or which have annual gross revenues over $25 million, or which hold the personal information of 50,000 or more Golden State consumers. Violators face potential fines of $7,500 per record, with enforcement power residing with California Attorney General Xavier Becerra.

Selby says the CCPA’s fine structure is one of the most troubling aspects of the law for insurers.

“With damages now defined under the CCPA, we’re going to see a lot more breach litigation over smaller and smaller breaches,” she says.

It is also likely to spur those with policies to pay very close attention to every detail in a way they might not have before.

“Does a policy cover only a data breach? Or does it cover a data privacy violation as well?” Selby says.

Different policies may also define a security event or other terms in very different ways, leading some companies to believe they are covered for such an event when they are not. A policy might also have specific requirements, such as obtaining the carrier’s consent before paying a ransomware attack ransom.

These complexities have led to some high-profile disputes⁷ between hacking victims and their insurers, which have consequently led to media reports claiming that cyber carriers are looking for ways out of honoring their policies. But Selby believes a failure to properly scrutinize a policy is the real culprit.

“You really have to watch for the definitions and requirements in a policy,” she says. “Oftentimes the company simply didn’t buy the right policy.”

State laws play a major role as well. Andrew Lipton of White and Williams LLP in New York City recently noted8 that California, Delaware, and New York are just a few states with laws that bar insurance from bearing the cost of civil penalties, meaning policies that otherwise cover those liabilities might not apply in those states.

The CCPA and other state laws are not the only elements driving interest in cyber insurance, and the private sector isn’t the only one feeling the sting of data mishaps.

According to the cybersecurity firm Recorded Future, at least 230 ransomware attacks⁹ have been carried out against local governments since 2013, with at least 140 of those in 2019. Many have come against smaller cities, or police departments, or even hospitals, but size definitely is not the determining factor. And given the significant amount of personal data local governments hold on their citizens—far more than what is held by private companies—the potential impact of those attacks is perhaps even greater.

When hackers infected key parts of Baltimore’s data network earlier this year, the city refused to pay the demanded ransom. The city did not have cyber coverage, and the resulting cost to restore lost data is estimated at over $18 million. A similar attack in Atlanta cost an estimated $17 million.

With that hit fresh in their minds, Baltimore officials last month signed off on the purchase of $20 million in cyber insurance spread out equally over two policies. The policies’ terms are for one year, but a spokesperson for Mayor Bernard C. “Jack” Young told the Baltimore Sun¹⁰ that officials expect to continue carrying the coverage for the foreseeable future.

Charm City is not likely to be the only municipality to come on board the cyber insurance train. Cooper Martin, Director of Sustainability and Solutions for the National League of Cities (NLC), said a recent survey¹¹ the NLC conducted found that about 70% of respondents had some form of cyber insurance. Conversely, 50% said they did not know the amount of that coverage or the extent of its protection.

That’s not optimal, Martin said, but he noted the NLC is seeing a greater interest from its members all the time. “The kind of high-profile attacks we’ve seen now in states like Florida,¹² Maryland, and Texas¹³ are definitely raising alarm bells,” he says.

Those bells were also going off in Ohio, where at least three local governments endured ransomware attacks this year. To help mitigate the cost of such attacks, Gov. Mike DeWine (R) signed legislation¹⁴ that creates a volunteer “cyber reserve” of computer and information technology experts who will help local governments that get hit with ransomware.

Even the insurers are not safe. Like municipalities, insurance carriers often possess a deep trove of consumer data, making them a rich target for cyber attacks.

Because of that, the National Association of Insurance Commissioners has developed a cybersecurity model law¹⁵ specifically for insurance carriers, based on a 2017 New York statute that imposed strict guidelines on financial securities companies. To date eight states have adopted the model law or variations of it, with South Carolina, Ohio, and Michigan adopting it last year and Mississippi, Alabama, Delaware, New Hampshire, and Connecticut coming on board this year. Many more are expected to consider it this year.

Article courtesy of State Net Capitol Journal. Please direct inquiries to statenet@lexisnexis.com. Copyright © 2020 LexisNexis. State Net is a registered trademark and State Net Capitol Journal News & Views from the 50 States is a trademark of RELX Inc. No part of this document may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine readable form, in whole in in part, without prior written consent of RELX Inc.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Insurance > Assessing Claims and Coverage > Types of Insurance > Articles

Related Content

1. https://oag.ca.gov/privacy/ccpa. 2. https://www.pwc.com/gx/en/industries/financial-services/publications/insurance-2020-cyber.html. 3. https://pages.riskbasedsecurity.com/hubfs/Reports/2019/2019%20MidYear%20Data%20Breach%20QuickView%20Report.pdf. 4. http://www3.weforum.org/docs/WEF_Cybersecurity_Guide_for_Leaders.pdf. 5. https://www.youtube.com/watch?v=lk2os3TOUy4. 6. https://eugdpr.org/. 7. https://www.cpomagazine.com/cyber-security/aig-case-highlights-complexities-of-covering-cyber-related-losses/. 8. https://www.whiteandwilliams.com/resources-alerts-Will-California-Law-Permit-Insurance-Coverage-for-Civil-Penalties-Assessed-Under-the-California-Consumer-Privacy-Act.html. 9. https://www.recordedfuture.com/state-local-government-ransomware-attacks-update/. 10. https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-cyber-attack-insurance-20191016-4owu233bmfgnjmqu3yf2rzjxt4-story.html. 11. https://bit.ly/2Pzv37n. 12. https://www.nytimescom/2019/06/19/us/florida-riviera-beach-hacking-ransom.html. 13. https://www.npr.org/2019/08/20/752695 554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault. 14. 2019 Ohio SB 52. 15. https://www.naic.org/store/free/MDL-668.pdf.