P&C Technosavvy the March 2014 issue

Q&A with Lauri Floresca

Lauri Floresca, SVP, partner, Woodruff-Sawyer & Co.
By Michael Fitzpatrick Posted on March 1, 2014
Q
What changes has California made to its data breach laws?
A
The change is in the definition of what constitutes personally identifiable information, or PII. A user name and password is now considered PII. In the other 45 states that have laws regulating the disclosure of PII, you have to disclose some combination of name, address, Social Security number, credit card number or bank account number. Now added to that list will be a user name and password.
Q
Why does this matter?
A
A much wider web of companies are affected. If you do nothing else but let people have their preferences stored, you now are at risk of incurring significant costs and potential liability if you don’t comply with this new measure. Companies that didn’t think they had liability now do. Social media companies in most cases don’t collect credit cards or your address, but you have a login and password.
Q
How does that impact businesses outside California?
A
Because most companies doing business online potentially have customers in all 50 states, the general advice if you have a breach is to revert to the strictest standard. Now that California has taken this new step and added log-in credentials to PII, most legal counsel are going to advise clients that they need to follow California notification guidelines.
Q
Will other states follow suit?
A
That’s been pretty consistent so far. As one state has expanded these provisions, other states have followed. It’s not an unreasonable extension given the state of the password universe. Despite all the advice out there, people continually use the same password and user name combinations on multiple websites.
Q
What steps should businesses take?
A

One of the first things you need to do is to take steps to better understand what you’re collecting, how you’re storing it and how you’re protecting it, and particularly understanding if you’re storing anything you don’t need to. The more data you’re storing, the greater risk you have of losing it.

Second, you have to understand how you’re protecting data and have an independent, third-party assessment of whether it’s adequate.

Third, you have to think about the potential to transfer that risk. There are definitely insurance products that will help with the costs of dealing with PII. People would be surprised at the scope of costs that can be covered.

Michael Fitzpatrick Technology Editor Read More
See More: Data Breach Data Privacy State Activity

More in P&C

Property & Casualty Hard Market Turns 6
P&C Property & Casualty Hard Market Turns 6
It may not happen immediately, but signs point to softening of P&C rates.
P&C Small Business Cyber Risk Represents a Big Opportunity for Agents
Q&A with Joshua Parrish, Executive Vice President at RT Specialty
Sponsored By RT Specialty
Broker Playbook for Flood Risk
P&C Broker Playbook for Flood Risk
Your clients must take steps to mitigate, prepare for and quickly respond to flo...
Lifestyles of the Rich and Risky
P&C Lifestyles of the Rich and Risky
Affluent insurance customers may not be protecting themselves against increasing...
Farm Bill Idles
P&C Farm Bill Idles
Congress will need to overcome election-year paralysis to fi...
Premium Increases Slowed But Challenging Conditions Remain
P&C Premium Increases Slowed But Challenging Conditions Remain
The Council’s Commercial P/C Market Index for Q4 is here.
Third-party involvement is creating an environment that is not core to what the insurance policy is intended to address and cover.
P&C To Whose Benefit?