Data Privacy Laws, Hackers Put New Emphasis on Cyber Insurance

The impending California Consumer Privacy Act (CCPA) and other state data privacy laws have done more than motivate companies to rethink how they manage consumer data; they also have many organizations thinking harder than ever about how they manage their cyber insurance coverage.

Once considered a niche product, cyber insurance policies have become common for companies that handle large amounts of consumer data. With increased exposure under new data privacy laws like the CCPA, such policies are rapidly turning into a must-have, with global premiums expected to grow from about $2.5 billion today to approximately $7.5 billion by next year.

“The wolf at the door right now is CCPA readiness,” says Scott Ferber, a partner in King & Spalding’s Data Privacy and Security practice in Washington, D.C., who often works with the firm’s mergers and acquisitions side. “How well a company is prepared for the CCPA is now a consideration point for assessing an acquisition target’s valuation.”

Data laws are hardly the only concern. In its annual MidYear Quick View Data Breach Report, the cybersecurity firm Risk Based Security said it had tracked more than 3,800 data breaches and ransomware attacks in the first six months of 2019 alone, a 53 percent increase over the same period in 2018. A recent World Economic Forum report listed data fraud or theft and cyberattacks as the fourth and fifth most likely risks companies face worldwide, and named good cyber hygiene as a top-three tenet of sound business leadership.

But cyber compliance experts say simply having a cyber insurance policy may not be enough. With hundreds of carriers in the U.S. alone, no single set of standards for what a policy should cover, and a greater likelihood than ever of litigation over breaches and privacy violations, ensuring adequate protection from liability may actually be harder than ever.

“Even for companies that have worked hard to put cyber insurance policies in place, those policies may not provide the coverage they need,” says Jones Day Insurance Recovery partner Rich DeNatale in a video on the firm’s website. He notes that claims against a company under the CCPA for failing to adequately protect consumer data might not be covered under many of the policies currently on the market.

Judy Selby, principal at Judy Selby Consulting LLC, an insurance and privacy advisory firm in New York City, says many companies believe they are fully covered for any eventuality when in reality their policy has significant holes that could leave them high and dry after a breach or lawsuit.

“The cyber insurance market is really challenging right now, and there are no short cuts around closely reviewing every single form in your cyber insurance policy,” she says.

And there is definitely a lot to know. Like the European Union’s General Data Protection Regulation, the CCPA requires covered businesses to tell consumers, on request, what personal information they have collected about them, why they collected it and with whom they have shared it.

The law’s reach has some significant limits: it applies only to for-profit businesses doing business in California that derive more than 50 percent of their annual revenue from selling consumers’ personal information, or that have annual gross revenues above $25 million, or that buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices. Violators face civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation, with enforcement power residing with California Attorney General Xavier Becerra.

Selby says the CCPA’s fine structure is one of the most troubling aspects of the law for insurers.

“With damages now defined under the CCPA, we’re going to see a lot more breach litigation over smaller and smaller breaches,” she says.

It is also likely to spur those with policies to pay very close attention to every detail in a way they might not have before.

“Does a policy cover only a data breach? Or does it cover a data privacy violation as well?” Selby says.

Different policies may also define a “security event” or other key terms in very different ways, leading some companies to believe they are covered for an event when they are not. A policy might also impose specific conditions, such as obtaining the carrier’s consent before paying a ransomware demand.

These complexities have led to some high-profile disputes between hacking victims and their insurers, which in turn have produced media reports claiming that cyber carriers are looking for ways out of honoring their policies. But Selby believes a failure to properly scrutinize a policy is the real culprit.

“You really have to watch for the definitions and requirements in a policy,” she says. “Oftentimes the company simply didn’t buy the right policy.”

State laws play a major role as well. Andrew Lipton of White and Williams LLP in New York City recently noted that California and New York are among the states with laws that bar insurance from bearing the cost of civil penalties, meaning policies that otherwise cover those liabilities might not apply in those states.

The CCPA and other state laws are not the only elements driving interest in cyber insurance, and the private sector isn’t the only one feeling the sting of data mishaps.

According to the cybersecurity firm Recorded Future, at least 230 ransomware attacks have been carried out against local governments since 2013, with at least 140 of those coming this year alone. Many have targeted smaller cities, police departments or even hospitals, but size is not the determining factor. And given the significant amount of personal data local governments hold on their citizens, far more than most private companies hold, the potential impact of those attacks is perhaps even greater.

When hackers infected key parts of Baltimore’s data network earlier this year, the city refused to pay the demanded ransom. The city had no cyber coverage, and the resulting cost of restoring systems and lost data is estimated at more than $18 million. A similar attack in Atlanta in 2018 cost an estimated $17 million.

With that hit fresh in their minds, Baltimore officials last month signed off on the purchase of $20 million in cyber insurance spread out equally over two policies. The policies’ terms are for one year, but a spokesperson for Mayor Bernard C. “Jack” Young told the Baltimore Sun that officials expect to continue carrying the coverage for the foreseeable future.

Charm City is not likely to be the only municipality to board the cyber insurance train. Cooper Martin, Director of Sustainability and Solutions for the National League of Cities, said a recent survey the NLC conducted found that about 70 percent of respondents had some form of cyber insurance. At the same time, 50 percent said they “did not know” the amount of that coverage or the extent of its protection.

That’s not optimal, Martin said, but he noted the League is seeing a greater interest from their members all the time.

“The kind of high-profile attacks we’ve seen now in states like Florida, Maryland and Texas are definitely raising alarm bells,” he says.

Those bells were also going off in Ohio, where at least three local governments endured ransomware attacks this year. To help mitigate the cost of such attacks, Gov. Mike DeWine (R) signed legislation last month (SB 52) that creates a volunteer “cyber reserve” of computer and information technology experts who will assist local governments that are hit with ransomware.

Even the insurers are not safe. Like municipalities, insurance carriers often possess a deep trove of consumer data, making them a rich target for cyberattacks.

Because of that, the National Association of Insurance Commissioners has developed a cybersecurity model law specifically for insurance carriers, based on a 2017 New York Department of Financial Services regulation that imposed strict cybersecurity requirements on the financial services companies it oversees. To date eight states have adopted the model law or variations of it, with South Carolina, Ohio and Michigan adopting it last year and Mississippi, Alabama, Delaware, New Hampshire and Connecticut coming on board this year. Many more are expected to consider it in 2020.

The original version of this story mistakenly included Delaware among those states that bar insurance from covering civil penalties. The story has been updated to reflect the correction. We regret the error.

Eight States Have Passed Insurance Industry Data Security Law

Eight states have enacted some version of the Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners (NAIC) in 2017, according to the National Law Review. Three of the states did so in 2018, with the other five enacting measures this year. At least two other states have introduced bills this session that include language from the NAIC model law, according to LexisNexis State Net’s legislative tracking system.