Data protection legislation in California and New York adds to existing cyber risk rules


The California Consumer Privacy Act (CCPA) becomes effective on 1 January 2020.

Aon has assessed the state’s data protection legislation, as well as New York’s new SHIELD rules, in a new cyber risk report.

“As we approach the inception of these myriad US state privacy laws, this complex web of regulation – and the absence of a federal privacy law – are becoming increasingly taxing to businesses,” Aon warned.

“US underwriters and actuaries will have to keep track of these changes and the potential impacts to claims frequency and severity,” said the report.

Ransomware rising

Aon highlighted several cyber risk themes from the third quarter of 2019 in its report. Ransomware has increased significantly in both frequency and severity this year, Aon warned.

Ransomware payments tripled during the second quarter alone, Aon said, from an average of $12,762 to $36,295.

“Unfounded concerns” have been raised about the potential linkage between having cyber insurance and being a ransomware target, the broker said.

“Media reports have confused correlation with causation. Ransomware attacks are widespread, and all sectors and industries are vulnerable. As many as one quarter of small and medium enterprises are estimated to collapse if unable to trade for a month due to an attack,” according to Aon’s analysis. 

“In some instances, paying the ransom may make sense to reduce business downtime. However, paying ransoms also entices sophisticated and unsophisticated groups alike to increase their attacks,” the broker said.

“Relying on a competent and experienced incident responder to navigate – and, if necessary, assist in ransom payments – has become more important than ever. Cyber insurance policies provide these services and offer valuable aid to companies in resolving ransomware attacks,” Aon added.


Aon’s report compared CCPA’s incoming rules with the EU’s General Data Protection Regulation (GDPR) implemented in May 2018.

The CCPA grants California consumers the right to know about and control the personal information that businesses collect about them.

“Since compliance with the GDPR does not ensure compliance with the CCPA, businesses are relying upon the advice of counsel to navigate toward compliance. The stakes are high as businesses seek to avoid fines and penalties for non-compliance as well as costly litigation following data breaches,” Aon said.

GDPR is broader in scope and territorial reach, according to Aon. GDPR applies to entities regardless of size, revenue or the amount of personal data processed. The CCPA carves out non-profits as well as small businesses with revenues up to $25m.

“GDPR puts protections on personal data about data subjects. CCPA protects personal information (PI) about consumers, with employees and B2B transactions coming under the law in 2021. These laws are substantially different in approach, but similarly broad in effect. It is worth noting that CCPA includes the PI of households, not just individuals,” Aon said.

The laws provide individuals with similar rights to access and delete the data that entities hold about them, although GDPR also gives individuals the right to Correction, Rectification, and Opposition of data as well as Data Portability, according to Aon.

“It is worth noting that under GDPR one must opt in to sharing data with third parties, whereas under CCPA adults age 16 and older are given the right to opt out,” the report said.

GDPR is more stringent than CCPA, but both significantly increase the financial penalties that entities must pay for missteps, according to Aon.

“The GDPR fines have been much discussed, their insurability still debated, and…class-action lawsuits for data breaches are now a reality.”

The first class-action lawsuit has been filed in the UK under GDPR. As many as 500,000 customers of British Airways may participate in a class-action lawsuit against BA over its 2018 data breach, the broker explained.

CCPA analysis

The penalties for non-compliance with CCPA are much more benign than those under GDPR: $2,500 per violation or $7,500 if the violation is intentional.

However, the CCPA provides California residents the right to sue companies for data breaches of their personal information if the company fails to use reasonable security measures to protect it. Residents can seek statutory damages of $100-750 per consumer per incident under the law.

“This private right of action for a data breach has been touted as the first of its kind in the nation, allowing consumers to sue following a data breach without having to prove they suffered actual harm or damages,” Aon said.

Based on the amendments passed on 11 October, however, class-action lawsuits may only be brought for data breaches pursuant to California’s data breach notification law when the personal information is “nonencrypted and nonredacted,” according to the report.

“Under CCPA, statutory damages eliminate the difficult task of calculating actual damages caused by a breach, which could encourage an uptick in lawsuits by data breach plaintiffs. Cyber claim frequency is likely to increase due to the expanded definition of personal information,” Aon said.

“Moreover, the private right of action also paves the way for greater litigation, if the courts do in fact tamp down on the ongoing ambiguity in the Article III standing to sue rulings. Cyber claim severity is also likely to increase due to noncompliance fines and penalties as well as actual damages or statutory damages soon to be in play under the private right of action,” according to Aon’s analysis.

“But with restrictions on class-action lawsuits, the impact to severity is likely to be moderated. Businesses may find it easier to demonstrate that they did not violate their ‘duty to maintain reasonable security procedures and practices.’ Finally, while some reports have found that GDPR fines and penalties are not insurable, fines and penalties in California are more likely insurable,” the broker added.

The California Data Breach Notification Law has also been expanded, effective 1 January 2020, Aon noted, requiring businesses to notify consumers of compromised passport numbers and biometric information.

In security breach notifications, the new law requires instructions on how to notify other entities that used the same biometric data to no longer rely on that data for authentication purposes.

New York’s SHIELD

Several other US states have brought in new data protection legislation, including Nevada, Maine and New York.

On 25 July, New York’s governor signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which amends New York’s data breach notification and cybersecurity law.

SHIELD applies to “any person or business that owns…computerized data which includes private information,” regardless of corporate structure, revenues or location. Aon noted it will apply to businesses and employers in New York – and may also apply to those with no physical presence in New York.

SHIELD imposes more expansive data breach notification requirements on companies: broadening the scope of private information to include personal information; and expanding the definition of a security breach to include unauthorised access of computerised data that compromises the confidentiality, security, or integrity of private information.

It also expands the territorial scope of the breach notification requirement to any person or entity with private information of a New York resident, not just those conducting business in New York.

The notification requirements are also updated, as are the procedures that entities must follow when there has been a breach of private information. SHIELD also creates new requirements for companies to implement safeguards to protect the confidentiality, security and integrity of private information.

“Recent amendments provide some exceptions and clarify that businesses will be deemed compliant with SHIELD if they comply with another information security law such as HIPAA, the GLBA, or the requirements of the New York Department of Financial Services,” Aon said.

“Such covered entities are not required to notify affected New York residents after a breach; however, companies must still notify the New York Attorney General, the Department of State Division of Consumer Protection, and the Division of the State Police regarding the breach,” said the report.

Unlike the CCPA, the SHIELD Act does not authorize a private right of action or class action litigation. But, as with the CCPA, the AG is authorized to bring enforcement actions, and violations may result in civil penalties.

The SHIELD Act’s breach notification amendments were effective on 23 October 2019, while the new data security requirements will take effect beginning 21 March 2020.

Companies covered by SHIELD will likely have to report a greater number of cyber incidents to regulators, according to Aon’s analysis. This is due to the expanded definitions of “private information” and of a “breach”, according to the broker.

“Defining a data ‘breach’ as unauthorized access is a much lower threshold than its traditional meaning, i.e. data exfiltration. As a result, it seems likely that cyber insurers will see an increase in claims frequency from companies covered by SHIELD,” Aon said.

“But claim severities appear unlikely to change much, given the relatively modest penalties imposed. If cyber insurance policies are found to cover these civil penalties, small businesses are most likely to benefit from the added protection.”