JONES DAY PRESENTS®: Insurance Implications of the California Consumer Privacy Act
Jones Day Insurance Recovery partner Rich DeNatale talks about insurance implications for clients subject to the California Consumer Privacy Act ("CCPA"), including policy limits and coverage for statutory damages. The CCPA takes effect in January 2020.
Read the full transcript below:
Rich DeNatale:
The California Consumer Privacy Act of 2018 is our state's new data privacy law. And it's significant for a number of reasons. It imposes requirements on companies to make new, detailed disclosures about their data collection and sharing practices. It gives consumers the right to opt out of data sharing, and even to ask companies to delete their data altogether, and companies have to honor those requests. And it gives consumers the right to sue for violation of the statute.
Rich DeNatale:
I think it's fair to say the law is the toughest data privacy law now in the United States, and it has significant implications for our clients and for their insurance coverage.
Rich DeNatale:
From an insurance perspective, I think many companies will find that their current insurance programs don't adequately cover the new risks and liabilities created by the statute. Even companies who've worked hard to put cyber insurance in place, those policies may not provide the coverage they need. Let me just give you one example. Claims under the new statute for failing to delete consumer data on request would not be covered under many cyber policies currently on the market, and companies will have to go to their insurers and seek amendments in their coverage to get that insurance.
Rich DeNatale:
For noncompliance, there can be some severe penalties. The California attorney general will have new enforcement authority. There are new penalties that can be imposed, and consumers are also given the right to sue a company for the unauthorized disclosure of their personal information. And that could be in a data breach or in another kind of event. But if there's a disclosure of information due to poor security practices, and consumers can sue and can get statutory damages. And frankly, that may be the most significant part of the statute.
Rich DeNatale:
Well, the statutory damages remedy is significant because it's the first time that any state has imposed statutory damages for a general data breach. And we expect that it will lead to a real surge in litigation activity. Up until now, there have not really been a lot of lawsuits filed for small and medium-sized breaches. I've worked on about 45 data breach incidents from the insurance side, and I've never seen class actions filed where the number of affected individuals was under about 300,000 people. Now with the new statutory remedy of $100 to $750 per person, a smaller breach, 50,000, 100,000 people could very easily lead to a lawsuit with a very large damages claim.
Rich DeNatale:
There are a few other issues I think companies should have their eye on. Statutory damages, given the large potential exposure. I think companies should make sure their policies have language that covers statutory damages. They should be covered, but we've seen insurers sometimes argue against coverage for statutory damages. You should have wording in your policy that precludes that argument. Policy limits. Given the higher your risk of litigation, I think companies have to make sure that their limits are sufficient to defend and settle these claims, especially if you assume that settlements are going to become more costly.
Rich DeNatale:
One of the few bright spots of the statute is that it doesn't come into effect until January of 2020. So companies renew their insurance programs every year. That's a window of opportunity companies should use to really look hard at their policies, make sure they understand the coverage they have for cyber risk. See whether they have coverage for these new liabilities, and if not, talk to their counsel, their brokers, their insurers, to try to get that coverage in place.
