The Impact of “California’s GDPR” from a Cyber Insurance Industry Perspective
In 2018, the EU’s General Data Protection Regulation (GDPR) loomed over the insurance industry, triggering a rush of compliance efforts from firms either headquartered in Europe or servicing European customers before the GDPR’s effective date on May 25 of that year.
Now, the California Consumer Privacy Act (CCPA) is having much the same effect on insurers and brokers operating in California or with California-based clients, especially now that CCPA’s effective date of January 1, 2020, is less than six months away. With that in mind, a new report from Insurance Journal consulted over a dozen industry experts, including one of Marsh’s cyber practice leaders and Chubb’s cyber lead.
We found two key takeaways to help brokers better prepare for the new year.
- The major worry among the experts interviewed is litigation. Rob Rosenzweig, national cyber practice leader for Risk Strategies, predicted that the new minimum damages threshold set by the CCPA ($100 to $750 per individual incident) will result in an “uptick in class action lawsuits following data breaches, even for relatively small breaches.” Attorneys Celine Guillou and Robert L. Wallan have similar assessments, saying they expect the first class action lawsuits to start rolling in soon after January 1, 2020, and that litigation costs could pose a very real threat to brokers and insurers.
This is especially relevant in light of the “nuclear verdicts” The Council highlighted as a cause of increasing Commercial Auto premiums in our Q4 2018 property/casualty survey. Granted, increased distracted driving and more drivers on the road were also to blame for more claims and thus higher premiums, but cyber breaches have the potential to be immensely damaging—the average cost of a U.S.-based data breach last year was $7.91 million.
Given the general consensus in the report that there will be an “inevitable onslaught of lawsuits,” as Rosenzweig put it, brokers (and insurers) may need to brace themselves for litigation costs that can often be unpredictable and severe. Jeff Dennis, head of Newmeyer & Dillon’s privacy and security data practice, put this in perspective: because of the new damages threshold, “a data breach of 50,000 pieces of personal information would lead to a class action damage award of $5 million to $37.5 million.” Considering how broadly defined “personal information” is in the CCPA, this would not be a particularly unlikely scenario. “Two things are going to happen from a coverage standpoint: either premiums are going to have to go up to deal with severity, or coverages are going to have to be reduced to deal with those losses,” said Dan Burke, national cyber practice leader for Woodruff-Sawyer.
- The experts also recommended keeping an eye on legislation moving through the California legislature, as that could ultimately change how the CCPA affects the industry… An amendment to CCPA cited in the report (fortunately defeated in the state Senate), Senate Bill 561, “would have enabled individuals a private right of action for any CCPA violation,” instead of only after a data breach caused by a lack of “reasonable security measures.” Another important amendment to CCPA, and one more beneficial for the industry, is Assembly Bill (AB) 981. “The fate of the insurance community under the CCPA hangs in the air right now—dependent upon the passing or rejection of AB-981,” warned KJ Dearie, product specialist and privacy consultant for Termly. “AB-981 proposes to exempt insurance institutions that fall under the purview of the Insurance Information and Privacy Protection Act from complying with certain CCPA requirements. If this bill is successful, the insurance community will likely see little difference in how it operates compared to present day.”
Given the concerns laid out by industry experts, it is clear that preparing for the CCPA is crucial for brokerages in the coming months. And as we’ve heard time and again, California’s size and influence mean that any laws passed there typically have a ripple effect on the rest of the country—for example, four big automakers recently agreed to voluntarily comply with the state’s strict emissions standards. Preparation for the CCPA may also better position brokerages should there be a wave of similar state laws.
But that, for now, is hypothetical. Above all, “any business that is subject to the CCPA should start their compliance efforts as soon as possible,” said David Stauss, partner at Husch Blackwell LLP.