Proactive risk management protects against exposure from increasing regulation of privacy interests
A flurry of recent California legislative activity has increased regulation and potential corporate exposure in the data breach and privacy arena.
November 05, 2013 at 03:00 AM
5 minute read
The original version of this story was published on Law.com
Data breach and privacy concerns are top of mind for companies no matter where they operate. However, those that do business in California should take careful note of the flurry of recent California legislative activity that increases regulation and potential corporate exposure in this arena.
For example, signature collection recently began in California for a state initiative that is intended to significantly lessen the largest hurdle faced by plaintiffs in privacy actions — demonstrating harm from the disclosure of “personal information.” If the initiative passes, culpable harm will be presumed upon allegedly improper disclosure of broadly defined “personal information.” To date, numerous privacy actions have been dismissed because the plaintiffs cannot establish injury/harm. Hence, multiple commentators have predicted that this initiative could create substantial increased exposure to class action privacy lawsuits for any entity that collects and maintains personal information.
Additionally, within the last month, the California legislature has modified its privacy laws to increase consumer protections, resulting in an increase in risk for businesses operating in California:
- California Civil Code sections 1798.29 and 1798.82 were modified to expand data breach notification requirements.
- California Business and Professions Code section 22575 (California's Online Privacy Protection Act) was amended to require additional disclosures regarding an entity's online privacy policies.
- California's Business and Professions Code sections 22580 through 22582 (“Privacy Rights for California Minors in the Digital World”) were enacted to among other things: (a) prohibit online service operators from targeting certain advertising to minors.
This recent and ongoing California activity emphasizes that businesses in California and elsewhere must continue to be vigilant in their focus on methods to reduce their risk of exposure. Unfortunately, examples of claims and litigation resulting from alleged statutory breaches have grown and will continue to do so. For example, Yahoo was recently sued in a proposed California class action lawsuit that accused it of violating both federal law and California's Invasion of Privacy Act. The plaintiffs allege in part that Yahoo users have “an expectation of privacy for the content of their electronic communications” and that any business practice of reading such communications is not within the “ordinary course of business” exception found in certain laws.
Insurance is an important component of a risk management plan that seeks to combat this increased exposure. As statutory regulation continues to morph, companies should — on an ongoing basis — examine their potential exposure, matched against their existing insurance portfolio, to confirm that they are adequately protected to pay for both lawyers' fees and other amounts spent responding to statutory claims against them. For example, depending upon the type of coverage at issue, the question of coverage for alleged statutory breaches, including claimed intentional/willful breaches, can be a major area of dispute between insurers and policyholders. Some insurers include language in their commercial policies that they later argue precludes coverage when the policyholder is alleged not to have complied with a particular statute. Insurers also often argue against coverage for statutory damages.
However, such arguments could all but gut critical insurance protection. Thus, in the first instance, companies should review their existing policies now to assess the extent of coverage for this increased risk. For example, does a company's policy contain exclusions that purport to preclude coverage for some measure of statutory exposure? How specific or broad is the language of any such exclusion(s)? What about coverage for statutory “fines” or “penalties”? And does the policy language track the evolving case law? In fact, insurers often seek to include exclusions for statutory fines/penalties/damages, even though the courts are increasingly finding in favor of coverage for such exposure.
Depending upon the breadth of the coverage or exclusions in current policies, at renewal, policyholders should negotiate for language or purchase specialized policies that most effectively match their risk profile, based upon evolving regulation in the states and countries where they do business. Coverage counsel can help accomplish this goal by discussing in a privileged setting the extent to which the existing or offered policy language is adequate and how it can be modified to increase insurance protection.
And, finally, if a company is sued for an alleged privacy statute violation and its insurer cites to a “statutory” exclusion in to deny coverage, the company should scrutinize its policy language for holes in the insurer's position. For example, last week, Judge Fees in the Central District of California rejected Hartford's argument against coverage for two California Confidentiality of Medical Information Act actions regarding alleged disclosures of patient medical information. Hartford pointed to exclusion for injury “arising out of the violation of rights created by state or federal acts.” The court found that the exclusion did not apply in part because medical record privacy rights existed under common law long before California enacted statutory protections.
As the states continue to regulate in the privacy arena, and companies continue to focus on an overall program to address risks of claimed privacy breaches, they should include a careful consideration of insurance as an important part of any such program.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Coinbase Hit With Antitrust Suit That Seeks to Change How Crypto Exchanges Operate
3 minute read
Baker Botts' Biopharma Client Sues Former In-House Attorney, Others Alleging Extortion Scheme
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
