Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior “as soon as possible” requirement. (Oregon law still lacks a specific presumptive deadline.) In particular, the new Washington bill removes the exemption for lost or stolen data that is “encrypted,” in recognition of the fact that “encryption” can fail if the technology used was old or if the encryption key was also stolen. The Washington bill has passed the House and is set for hearings in the Senate later this week, and is expected to pass.
What does this mean from an insurance standpoint? Cyber insurance policies typically provide “first-party” coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage. In a state like Washington with a weak data breach notification law, a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required. That will no longer be the case, and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined. And of course, if your business lacks cyber coverage entirely, it is time to explore your options. The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology). By comparison, the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach. The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs. With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs. So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.
ps. Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington a class action was filed. But the cause of action — breach of contract — may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.
Update April 22: The bill has passed and is now awaiting signature by the Governor.