Is Your Insurance Program Ready for California's New Data Privacy Law?
Be prepared—new statutory claims may not be covered under existing policies.
In June 2018, California enacted the toughest data privacy law in the United States. Companies doing business in California may have to make significant changes to their insurance programs to protect against the risks created by the statute.
The California Consumer Privacy Act of 2018 ("CCPA") requires companies to make detailed disclosures about their data collection and sharing practices. It also requires companies to honor consumer requests to delete personal information or stop sharing it with third parties. Companies could face statutory liability under the CCPA when inadequate security measures result in the disclosure of personal information—in a data breach or otherwise. Consumers may recover statutory damages of $100 to $750 per person per violation.
This new statutory damages provision could lead to a surge in data breach lawsuits. Even relatively minor cyber incidents may attract the attention of plaintiffs' class action counsel, given the amount of potential damages.
The CCPA has critical implications for insurance coverage. Many companies—even those with cyber insurance—will find that their current insurance programs do not adequately protect them against the new statutory liabilities. For example:
- Many cyber policies currently on the market would not cover claims for violating the CCPA's disclosure requirements or for failing to delete data upon request. Policyholders may have to amend their policies to cover such claims.
- Companies should ensure their policies contain language covering statutory damages, given the potential exposure under the CCPA.
- The CCPA may increase the likelihood of data breach litigation and drive up the cost of settlements. Under cyber policies, defense costs erode policy limits. Companies should assess whether they have sufficient policy limits to defend and settle data breach claims.
- Many cyber insurers do not include coverage for regulatory claims in their standard form. Regulatory coverage becomes more important in light of the CCPA's civil penalties and the California attorney general's enforcement authority.
The CCPA becomes effective on January 1, 2020—which means corporate insurance programs will go through at least one renewal cycle before the law takes effect. Companies should use this window of opportunity to review their insurance policies and make changes as necessary to address the new exposures under the CCPA.
For further information on policy reviews to identify potential gaps and enhance coverage for cyber risks, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Tyrone R. Childress
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.