Last year, VeraSafe published a blog post that highlighted the importance of cyber insurance in a risk management strategy under the EU General Data Protection Regulation (“GDPR”). VeraSafe examined the question of how to guard against regulatory risks such as fines and penalties under the GDPR, whether such fines and penalties are insurable in terms of applicable law, and how cyber-insurance fits into a practical approach to risk management under the GDPR. In that article VeraSafe pointed out that certain insurance policies tend to exclude fines and penalties, unless they are “insurable by law”.
With the California Consumer Privacy Act (“CCPA”) now in effect (as of January 1, 2020) and bearing in mind that the California Attorney General (“AG”) can impose penalties for non-compliance with the CCPA for the period from January 2020 to July 2020, despite the fact that enforcement only begins on July 1, 2020, VeraSafe now takes a deeper dive into the question of the insurability of fines for violations of the CCPA. Please note that this blog post does not contemplate insurance coverage for private actions which result from non-compliance with the CCPA, but simply penalties imposed by the AG.
What are the Potential Penalties under the CCPA?
Fines under the CCPA range from civil penalties of up to $2,500 for each unintentional violation, to up to $7,500 for each intentional violation. While the CCPA does not define what constitutes a “violation”, the most likely approach that the AG will follow, based on our interpretation of the CCPA, is to use the same system and rules that are used to enforce the 2003 California Online Privacy Protection Act (“COPPA”). Under this law, each instance where a person whose personal information is processed in violation of the COPPA, will represent an independent violation. The risk of incurring fines for non-compliance would therefore vary depending on the number of California residents whose personal information you process. These fines may either not come close to the GDPR fines of €20 million or 4% of annual worldwide turnover, or may greatly exceed them.
Cyber Insurance: Why Is it Important?
Even the most sophisticated cybersecurity program cannot not entirely prevent all data breaches. Having this in mind, cyber insurance policies (specialized insurance products which insure organizations against a wide variety of cyber-related and data privacy risks) are a necessity in this age of increasingly expanding data privacy regulation, increasingly expensive penalties for contravention of data privacy regulation, and ever increasing risk to the protection of personal information held by organizations.
Cyber Insurance: What Should I Consider?
It is crucial to be wary of the exclusions from the scope of insurance coverage. Numerous insurance policies exclude fines and penalties, unless they are “insurable by law”. The insurability of fines and penalties imposed by the GDPR is questionable and yet to be tested by the courts in the EU Member States and the U.S.
Cyber Insurance: Just How Much Can it Protect My Organization from Fines and Civil Penalties?
The pertinent question is, then, ‘to what extent are these penalties “insurable by law”, and will my cyber insurance policy actually cover me?’.
The short answer is that it depends on the relevant jurisdiction.
There is a compelling argument based on the CCPA, read with other relevant Codes1, that provisions in insurance policies which indemnify the insured against fines or penalties imposed by the AG would be contrary to public policy and considered void under California law. There is further case law to support the idea that as a matter of public policy under California law, one cannot insure against fines or penalties imposed by law (Bulluck v. Maryland Casualty Company2 and Allen v. Steadfast Insurance Company3). This view has not been tested by U.S. courts specifically in the context of the CCPA; however, it is a likely outcome that at least under California law, this type of fine or penalty is not “insurable by law” as contemplated in the wording of many insurance policies.
There appears to be convincing public policy under New York law that insurance provisions which cover an insured against civil penalties would be considered void and unenforceable, borne out of the concept in New York law that one should not be able to profit from his/her own wrongdoing. This is supported by New York case law (Silverman Neu, LLP v. Admiral Insurance Company4).
Unlike in New York law, it does not appear that any convincing public policy exists specifically preventing provisions in insurance policies which cover an insured against civil penalties under Delaware law. This idea is supported by Delaware case law (Wilson v. Chem-Solv, Inc.5 and U.S. Bank N.A. v. Indian Harbor Insurance Company6).
What Steps Can my Organization take?
- Choosing optimal cyber insurance coverage requires a thorough investigation of the company’s policies and practices relating to protection of personal information, which will assist in highlighting the related risks and help you to select appropriate coverage for these risks. It is critical therefore that you conduct this thorough analysis of your enterprise’s practices around processing and protection of personal information.
- Discuss with your insurance broker whether a cyber insurance policy that provides coverage for CCPA-related fines is appropriate for your circumstances.
- Speak with your insurance broker and review the terms of your cyber insurance policy which relate to how the choice of law determination for the policy will be made in the event of a coverage dispute. Whether or not a specific jurisdiction is set out in the policy, we recommend that you examine this issue before purchasing a policy (or as it relates to a current policy) and negotiating for provisions and state/governing law designations that favor broader coverage.
VeraSafe’s experts have hands-on experience with analyzing an organization’s personal information processing practices, reviewing cyber-insurance policies, and spotting compliance gaps and problematic insurance exclusions. We can therefore assist you to identify what can be improved in your cyber insurance policy, and provide expert advice on favourable insurance policies to ensure that you are adequately insured against relevant risks.
California Civil Code, Section 1798.155(a) and (b), California Insurance Code, Section 533.5, and the California Business and Professions Code, Section 172062 85 Cal. App. 4th 1435 (Cal. Ct. App. 2001)
85 Cal. App. 4th 1435 (Cal. Ct. App. 2001)
2014 U.S. Dist. LEXIS 1994, (C.D. Cal. August 22, 2014)
933 F. Supp. 2d 463 (E.D.N.Y. 2013)
No. 85C-MY-1, 1988 Del. Super. LEXIS 372 (Super Ct. Oct. 14, 1988)
2014 U.S. Dist. LEXIS 91335, (D. Minn. July 3, 2014)