A survey of select proposed state laws and practical implications
This article originally appeared in the 2019 Q3 issue of the PLUS Journal, the quarterly publication of the Professional Liability Underwriting Society. It is reprinted here with the permission of PLUS.
As long as businesses continue to collect and process private consumer information, the threat of sensitive data compromise will exist. In the absence of comprehensive federal data breach legislation, individual states are filling that void and attempting to reshape data breach and privacy laws to increase protection of consumer data. A number of factors are motivating the states’ legislative efforts. First, the current laws are primarily focused on post-data breach notifications and privacy protections. However, consumers are notified so frequently of a potential compromise of their information that the notices have become more annoying than frightening. Further, a notification does not change the fact that their information was compromised, and the damage has potentially already been done. Second, the European General Data Protection Regulation (“GDPR”), which more strictly enforces consumer privacy protections through governmental agency fines, may be providing an example for some states. Third, concern about data privacy is becoming increasingly personal, with biometric data compromise (fingerprints, retinal scans, facial features) being recognized as an emerging threat to consumers because such data cannot be changed as easily as a credit card number, which highlights the importance of putting protections in place to prevent a breach in the first instance.
Several individual US states are changing or proposing changes to their laws to deal with the above concerns. So far, they have taken two varying approaches. The first is the “stick” approach, trending in the direction of strict consumer protections and stronger regulatory powers similar to those found under the GDPR. The second is the “carrot” approach, incentivizing businesses to protect consumer information before a breach happens by rewarding heightened security standards as opposed to simply imposing damages after a breach. We will explore the laws of a few states in more detail below and then provide some practical observations for claims, underwriting and risk management professionals. Finally, we offer some thoughts on why the ultimate goal of data breach and privacy regulations should be to incentivize businesses to protect consumer data, mitigate the risk of data breaches by focusing on root causes, and keep interests of businesses and their customers aligned by avoiding costly litigation and oppressive statutorily created damages.
California, the first state to pass a data breach notification law in 2003, is moving closer to the sweeping breadth of the GDPR with the passage of the California Consumer Privacy Act (“CCPA”) in June 2018 (to go into effect on January 1, 2020). The CCPA will expand the rights of California residents to control the disclosure of their personal data and increase the burden on businesses to manage retention of personal information. Businesses will fall under the purview of the CCPA if they are associated with the collection and processing of personal information and either have revenues of $25,000,000 annually, collect, buy or sell the info of 50,000 California residents annually, or derive 50% or more of their annual revenues from the sale of personal information.1
The CCPA will broaden the definition of personal information to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including names, social security numbers, passport numbers, financial information like insurance policy numbers, IP addresses, geolocation information and health and medical information, as well as biometric information.2
Consumers will be granted broad rights with respect to the handling of their personal information including: the right to opt-out of the sale of their information (with opt-in requirements with affirmative authorization for minors); request disclosure of the types and categories of information collected and sold by the business including the sources from which it is collected; the right to request deletion of personal information; and the right to be free from discrimination for exercising rights under the statute.
The California Attorney General has enforcement powers and may bring actions for violations of the CCPA. Consumers will have a private right of action for the unauthorized acquisition of non-encrypted or unredacted personal information and will be entitled to the greater of actual damages or statutory damages of $100 to $750 per violation. Enforcement actions by the Attorney General and consumer private actions will both require notice to the business of non-compliance and then a 30-day period to cure.
Despite the strength of the CCPA’s consumer protections, some interest groups believe the CCPA does not go far enough in protecting consumer information. Proposed amendment AB 1760, introduced by Assembly Member Buffy Wicks (D-Oakland) on April 4, 2019, sought to “revise and recast” the CCPA and move California even closer to the strict protections of the GDPR.3 Named the Privacy for All Act of 2019 (“PAA”), AB 1760 sought to grant consumers express opt-in consent rights as a condition to use of personal information. The amendment would have allowed a private right of action for any violation of the CCPA, removed the 30-day cure period as a pre-condition to suit, and allowed the recovery of attorney fees. Consumers would have been granted expanded rights to deletion of personal information as well as disclosure, as businesses would be required to disclose the specific information collected, as opposed to the categories of information.4 While the measure was effectively killed when it was pulled from consideration by the California Assembly Committee on Privacy and Consumer Protection, the backing of the amendment by a broad coalition of consumer privacy interest groups (ACLU, Electronic Frontier Foundation, etc.) evinces an appetite in the consumer privacy community to move closer to a GDPR level of protection.
Massachusetts’ data breach notification law, the “Standards for The Protection of Personal Information of Residents of the Commonwealth (‘Standards’),” was recently updated and in effect as of April 11, 2019, strengthening consumer protections with respect to data breach notification obligations and disclosure of the extent and purposes of data collection and disclosure to Massachusetts residents.5
Entities subject to the updated Standards must develop a Written Information Security Program (“WISP”) which memorializes, in writing, the systems and processes the company has in place to protect consumer information. The WISP must document policies and procedures for the storage, access and transportation or disclosure of information, as well as documenting a company’s efforts taken in response to a data breach incident. Entities that suffer a data breach exposing the Personally Identifiable Information (“PII”) of Massachusetts residents must notify the Massachusetts Attorney General and the Director of Consumer Affairs and Business Regulation and show whether a WISP was in place before the breach as well as whether it was updated after the breach.6
Under the new Standards, companies must disclose to residents that there is no charge to consumers to freeze or secure credit in the event of a breach.7 Consumers will be entitled to 18 months of credit monitoring services in a breach where social security numbers (“SSN”) are exposed and 42 months in the event of a credit rating agency breach. Businesses are required to disclose the categories of PII to be collected and the third parties to which that PII might be disclosed, as well as the business purposes for the collection and disclosure of the PII.
Massachusetts seeks to significantly expand consumer privacy protections by expressly designating biometric information as a category of PII with proposed Consumer Privacy bill SB 120, which resembles the CCPA in its breadth of consumer privacy protections.8 Consumers would have a private right of action for a violation of the proposed law and would be entitled to statutory damages of $750 per violation or actual damages, whichever is greater.9 Statutory damages would be subject to the court’s application of several factors to make the statutory damages award more considered and equitable. The proposed law is clear that a simple violation of the statute would constitute an injury in fact, which should prevent the motion practice on standing that the courts have seen under the Illinois Biometric Information Privacy Act (“BIPA”).10 In contrast to the BIPA and CCPA, the proposed law allows a carve-out for biometric information collected by an entity acting in its capacity as an employer.
Washington, D.C. and Vermont
The Washington D.C. Attorney General proposed new data breach legislation titled the Security Breach Protection Amendment Act of 2019 (“SBPA”), which seeks to modernize the District’s data breach protections and move closer to the reach of laws like the GDPR.11 The SBPA would expand the categories of protected information to include biometric information (including DNA profiles), passport numbers, taxpayer identification numbers, military ID numbers, health information, and health insurance information; mandate two years of credit monitoring in breaches where social security numbers are compromised; and require disclosure of consumer rights to credit freeze at no cost.12 Vermont became the first state in the nation to regulate data brokers, requiring companies that buy and/or sell information to register with the state, disclose data collection categories and uses to the public, and comply with various other data protection standards.13,14 Yet, despite the Vermont legislature’s intentions with this effort, it has proven difficult to execute regulation of these businesses, as many companies register erroneously or not at all.15
Ohio and the Carrot
In contrast to the “Stick” approach of the GDPR and its imitators, the Ohio legislature took more of a “Carrot” approach with the passage of the Ohio Data Protection Act (“OH Act”), which was signed into law in August 2018. The OH Act incentivizes the proactive protection of consumer information by offering a safe harbor to businesses that have suffered a data breach: they may assert an affirmative defense in data breach litigation if they had a written cybersecurity program in place that reasonably conforms to industry standards.16 The program must protect the security and confidentiality of information and protect against threats that could lead to the compromise of that information, weighed against factors such as the size and revenue of the business and the nature of its activities and the information collected.17 Examples of industry standard cybersecurity programs include: the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; NIST Special Publication 800-171; NIST Special Publications 800-53 and 800-53a; the Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework; or the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense.18 The OH approach shifts the focus from penalties after the fact to persuading businesses to make sure their data protection practices meet industry standards, minimizing the risk of data compromise in the first place.
Insurer Practice Considerations
Cyber insurers can prepare for the legislative changes by remaining flexible when underwriting risk and managing claims. For states using the “Stick” approach, carriers can continue to offer robust pre-breach services such as security consulting and extra threat monitoring where appropriate to prevent data breaches in the first place. Carriers offering these value-add services will be more attractive partners for their customers and also make their insureds a better risk. Carriers can also vet new insureds or renewals based on their compliance with the new legal landscape. When underwriting business in states using the “Carrot” approach, carriers can examine an applicant’s written security protocols to determine the state of the Insured’s data protection environment and how well that Insured might mitigate litigation risk after a breach. Finally, carriers must determine how meeting those legal standards affects insurability or price of risk.
From a claims perspective, it is critical to have the appropriate legal and forensic vendors in place to deal with the ever-changing data breach and privacy legal landscape. Cultivation of a nationwide panel of legal professionals with the geographic breadth and expertise to stay current with new state legislative changes in the privacy sphere is key. Cyber claims professionals are in the unique position to vet and develop legal and forensic breach response professionals with the right experience and abilities who stay abreast of the various legislative changes to ensure the execution of the appropriate data breach response.
Finally, while it is clear there is a need for smarter if not stronger laws, we think the ultimate goal of the state data protection laws should be to incentivize the protection of consumer information. Time will tell whether the “Stick” approach will provide that incentive or whether allowing consumers to pursue a private right of action will simply create another niche litigation market that rewards the plaintiffs’ bar with high attorney fee awards, rather than compensating consumers. The proverbial “Gotcha” class action lawsuit with high statutory damages is the same approach rolled out with the Telephone Consumer Protection Act (TCPA),19 Fair Claims Reporting Act (FCRA)20 and Fair and Accurate Credit Transactions Act (FACTA).21 Similarly, biometric data litigation under Illinois’ BIPA statute is gaining traction. The high statutory damages contained within these Acts often result in large class action settlements that have, in the past, led insurance carriers to amend their forms to preclude coverage for these actions as the risk and exposure become too great.22 In the absence of a single federal data breach and privacy standard, a more reasonable approach for state legislation is to incentivize the proactive protection of private information with safe harbor/affirmative defense provisions based on the most robust system protections (i.e., the Ohio legislation), as opposed to sparking a costly race to the top on data breach fines and statutory damages after an event has already occurred.
2 §1798.140(o).
5 201 CMR 17.
9 https://www.natlawreview.com/article/massachusetts-state-senators-seek-to-enact-biometric-data-protection-law; https://www.natlawreview.com/article/washington-dc-attorney-general-seeks-stronger-data-security-and-breach-notification
10 740 ILCS 14/5. Awards damages per violation of $1000 or actual damages for negligent violations and $5000 for intentional violations.
19 47 U.S.C §227, awards damages of $500 or actual damages, whichever is greater, or $1500 for willful violations.
20 15 U.S.C. §1681, awards actual damages, statutory damages from $100 to $1000 per violation, and potential punitive damages.
21 15 U.S.C. §1681n. Allows for damages of $100 to $1000 per violation.
22 See Flores v. ACE American Ins. Co., No. 17-cv-8674 (S.D.N.Y. Apr. 30, 2018).