Legal requirements for managing consumer data and handling data breaches are changing, so now is a good time to check your cyber insurance to make sure that it is keeping up.
New Oregon Law + Proposed Washington Law + California CCPA = Increasing Business Risk
Oregon’s amended data breach notification law, effective January 1, 2020, creates breach notification requirements applicable to third-party vendors, the first state law to do so. The Oregon Consumer Information Protection Act (CIPA) now requires that vendors notify the Oregon Attorney General of a substantial breach of security not later than 45 days after discovering the breach. The bill also requires vendors to notify the “covered entity” (the owner of the data) not later than 10 days after discovering that a breach has occurred (the owner then has 45 days to report the breach to the Attorney General). Other key amendments to the law include the following:
- The definition of “personal information” has been expanded to include an individual’s account username and password (or any other means of account identification and authentication);
- The term “covered entity” has been defined to mean an individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities;” and
- The term “vendor” has been defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”
The proposed Washington law has been referred to as “GDPR-lite” and “aims to give consumers new rights to ownership over their data and establish new transparency requirements for companies that process consumer data. Consumers would have the right to access, delete, correct, and move their data, or opt-out of data collection,” according to this article from GeekWire.
Finally, the California Consumer Privacy Act (CCPA) took effect January 1, 2020, and impacts a significant number of for-profit companies doing business with California residents. CCPA imposes a number of GDPR-like requirements on the collection and use of consumer data, and permits private citizens to bring lawsuits, including class actions, for certain data breaches. For more information regarding CCPA, see our blog post from July 10, 2018.
Time for a Cyber-Coverage Check-Up
- Broad Regulatory Investigations & Fines Coverage. Not all cyber insurance products cover the kinds of misuse or mishandling of consumer data that is the focus of GDPR and CCPA. Remember: cyber insurance developed to deal with liability from hacking of credit card data. That was long before the current legislative focus on consumer privacy. Older policy forms often only respond if someone hacks into your system (this has been a particular problem with social engineering fraud). So make sure that your policy covers liability arising from GDPR and CCPA violations of all kinds, not just hacking.
- Vendor Contracts. Your cyber coverage cannot be your first line of defense. And it may not be enough to have the best firewalls, anti-virus software, and employee training. Vendors can be a weak link in your security: just check out what happened with THSuite, a popular cannabis dispensary point-of-sale system. (Spoiler alert: consumer data, including medical information, was left in an unsecured Amazon S3 storage bucket.) So pay attention to what you require from vendors. No matter what state law requires, your vendor contracts should require that any vendor handling confidential data notify you as soon as possible of any problem, and should require that they maintain adequate cyber insurance of their own.
- Cyber Is Just One Part of Your Insurance Program. The increased focus on privacy practices and the class-action lawsuits that have followed many breaches have impacted the value of some companies. As a result, shareholders and investors are increasingly willing to sue directors and officers if a cyber-incident impacts the company’s value. Make sure that you have comprehensive D&O insurance with sufficient limits to pay for a defense and settle any claims. For more on D&O and cyber, check out this post from back in 2015 (it’s still good advice).
Cyber coverage is important for all businesses (big, small, and in-between), in all sectors. By now most businesses understand that yes, everyone will be a victim at some point, and yes, claims are being paid. But cyber coverage cannot be a “check-the-box” kind of thing: evolving liabilities such as the new Oregon law, the CCPA, and the anticipated Washington data privacy law have to be taken into account. Talk to your broker and legal advisors now about whether your cyber coverage is keeping pace.