The California Consumer Privacy Act (CCPA), is set to take effect on Jan. 1, 2020, which is less than a month away. Businesses are preparing for yet a new era in privacy and cyber protection. While cyber insurance is still an emerging market, it will be equally impacted. A recent report by Goldman Sachs says that they are expecting cyber premiums to grow by double-digit numbers through the next 3-5 years and one of the drivers being new privacy regulation. Insurance policies are still tackling how they address other recently introduced regulations such as Europe’s General Data Protection Regulation (EU GDPR) through endorsement or other adjustments on how they write insurance policies.
Here are key considerations:
(1) Who exactly is impacted?
For-profit companies doing business in CA to which any of the following apply (1) gross revenues in excess of $25 million (2) annually buy, receive, sell or share for commercial purposes personal information of 50,000 or more CA consumers, households or devices (3) 50% or more of revenues originate from the sale of CA consumers personal identifiable information (PII). With penalties ranging from $2,500 for each unintentional violation to $7,500 for each intentional violation, penalties for non-compliance could potentially be significant. If it were for each record could an intentional violation of 10,000 records could cost up to $75 million?
(2) State lines are not easy to manage online.
For any business operating digitally, respecting the state lines if far from trivial. As soon as you operate online or digitally, your customers might come from any country, and obviously any state in the US. Unless businesses have the systems in place to isolate California consumers, they might apply the same privacy restrictions to all consumers across the U.S.
(3) CCPA’s definition of personal information is much broader than any prior regulations.
The spirit of the CCPA law is to give consumers greater control over the use of their personal data and penalize companies that misuse or expose such information. In that sense, it is quite similar to EU GDPR in intent. But CCPA goes way beyond what’s traditional understood as sensitive or protected data such as PII or PHI to include information that can be linked, directly or indirectly, with a particular consumer or household. Read web browsing history, online purchase of products and services, and any data that can be used to infer the profile of a consumer.
This, by itself, broadens significantly the class of businesses impacted—retail, ecommerce sites, online services, health services, education services and much more.
The Bottom Line: How CCPA Might Impact Cyber Insurance
The new regulation is quite restrictive and at the same time, broadens the types of businesses impacted. The insurance industry must take a proactive view on how a cyber policy’s coverage responds to these penalties with transparency. From the minute our brokers put their clients’ domain in our platform to the minute their client submits a claim Cowbell creates a risk transfer rooted in transparency. Here are considerations to maintain transparency from insurance application, quote, bind and claim submission:
(a) Coverage Selection: Measure a customer’s compliance to CCPA as a rating factor in the cyber insurance application process. Regardless of state regulation, we are moving to an era where more attention is paid to privacy and all digital infrastructure should account for the tightening of regulations.
(b) Exposure Assessment: Understand the volume of records subject that are potentially subject to the regulation if the organization security posture is weak given that CCPA sets the bar high with a penalty of $2,500 per violation on the low end.
(c) Remediation Guidance: Increase remediation guidance to increase readiness to CCPA compliance and risk improvement techniques
(d) Premium Optimization: Set specific sub-limit for penalties and expenses related to lack of CCPA compliance to balance premiums
(e) Claims Handling: Conduct continuous risk assessment to prevent any insurance gap, and provide time-series data to correlate losses to events
(f) Risk Ratings: Be broad in how you rate compliance risk and use as much data as available to assess the risk at a granular and individualized level as well as an aggregated level.
Taming the Mammoth
With the influx of regulations such as CCPA and GDPR comes a heightened focus on security and privacy. Our Cowbell Factors will help articulate a business security posture while also comparing it to peers in real-time. Partnership between policyholders and insurers is crucially important. Transparency across all stakeholders is needed and having them all work off of the single source of truth will be equally important. This holistic view of privacy needs to be ingrained throughout private and public organizations and ultimately become less regulation-driven.