INSURANCE LAW

and not the location of the company has implications for organizations outside the EU that monitor, process, or hold information that would be considered EU-based data. In fact, many U.S.-based companies that operate in the EU or have data from persons in the EU would be subject to compliance with the GDPR.

California

After the passage of the GDPR, California enacted the Consumer Privacy Act of 2018. The Consumer Privacy Act (CCPA) is similar to the GDPR in many ways. First, the focus of the CCPA is on where the data is from instead of the location of the company. Second, Californians will have the right to know the PII that is being collected, to know whether the information is being sold, and to request deletion of their information. Additionally, the concept of personal information is broadly worded to include any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition goes beyond traditional PII to potentially include IP address or social media information. Lastly, the CCPA also imposes fines for violation of the law. The fines for violation of the CCPA, however, will largely depend on the number of records held by the company. Under the CCPA, each violation is fined up to $2,500 for negligent violations and $7,500 for intentional violations.

Colorado

In Colorado, a new law was enacted known as the Protections for Consumer Data Privacy Act that requires businesses of any size to do the following: have a written policy explaining how the business will dispose of PII and follow through on those procedures, take “reasonable” steps to protect the PII that it keeps, alert consumers of a data breach within 30 days, and alert the attorney general if more than 500 Coloradans are affected. Like the GDPR, a company may be liable for the actions of its third-party service provider. If a violation occurs, the Colorado Attorney General has authority to bring an action in law or equity, as well as to seek other relief that may be appropriate to ensure compliance with the law.

Insurance Coverage: Regulatory Fines and Penalties

Although cyber insurance has developed considerably from when it was first introduced to the market, cyber insurance policies are still not a universally standard form, but a type of insurance offered by insurers whose terms and conditions vary from policy to policy. In general, though, cyber insurance protects against the typical costs associated with a data breach, such as investigation and notification expenses, credit monitoring and credit card re-issuing fees, data recovery, business interruption expenses, and liability for third-party claims. Since the regulations imposing fines and penalties for a data breach are a recent occurrence, it is unclear how cyber policies will respond to these costs.

In other types of insurance policies, coverage for fines and penalties has been viewed as being against public policy, out of concern that it gives policyholders a way to lessen the blow of a punishment that a court or agency imposed on the company. Criminal penalties are still considered uninsurable, but recently there has been a shift in attitude to allow for coverage of presumably less reprehensible civil penalties when the amount was imposed by statute or there was no finding of malicious, reckless, or intentional wrongdoing. Nonetheless, a review of local law and public policy principles would be necessary to determine whether such coverage provided by insurers would hold up in the legal system of a particular jurisdiction.

While there is uncertainty on the insurability of regulatory fines, the shift away from a blanket denial of coverage for all fines and penalties is promising. And insurers appear to be thoughtfully considering how to provide protection amid the changes in the landscape. Insurers are acknowledging the potential for coverage of regulatory fines under broad definitions of regulatory compliance that are included in the policy. Further, some insurers are writing specific provisions and endorsements designed to respond to GDPR and other regulatory fines. This does not guarantee that an insurer or others won’t raise the insurability argument, but it is less likely that a policyholder will receive coverage, as parties in the insurance industry agree that these issues are far from settled.

Until there is routine enforcement of the regulations, policyholders and insurers will continue to grapple with the unresolved question of the insurability of data breach fines. In the meantime, companies should carefully review their internal cyber and other security controls, not only for compliance with government regulations, but also so that they can develop the best possible defense for the company’s confidential and protected information. And, if they do not have coverage, companies should also strongly consider obtaining cyber insurance from their carriers, and ensuring that their business associates carry the appropriate insurance as well.

Gabrielle Kelly is an attorney at Brouse McDowell in its insurance coverage group, where she represents policyholders in their disputes with insurance companies. She is recognized as a certified insurance coverage specialist by the State of Ohio. She has been a CMBA Member since 2007. She can be reached at (216) 830-6826 or gkelly@brouse.com.
february 2019 Cleveland Metropolitan Bar Journal | 17