California Binary Code

Organizations looking to purchase a standard issue cyber insurance policy that will cover all of their forthcoming needs under the California Consumer Privacy Act (CCPA) may be out of luck. Or at the least that was the impression given Wednesday during the “CCPA Insurance Issues: Avoiding Gaps in Your Coverage” webinar held by the law firm Perkins Coie.

Panelists agreed that the CCPA allows for more nuance than can be incorporated into the average cyber insurance policy without a significant investment of time or thought.

“Companies are spending thousands of dollars annually on premiums with the belief that they are buying the type of insurance that's going to cover all of their various risks,” said James Davis, a partner at Perkins Coie.

Basically, it's getting harder to order a standard insurance policy like it's a combo meal at McDonald's. Meanwhile, the stakes for companies or other entities that have not properly vetted their insurance policies are slowly rising, in large part thanks to a CCPA provision that affords consumers a private right of action without the burden of having to show actual damage from a breach.

Panelist Selena Linde, a partner at Perkins Coie, referred to the potential for class action lawsuits as “the plaintiff's candy store”—but the average cyber insurance policy may not account for every item on the menu. For example, while privacy liability is a standard fixture in most cyber insurance policies, that coverage is typically triggered by a breach of some kind. But under the CCPA, as well as the European Union's General Data Protection Regulation (GDPR), privacy violations can still occur in absence of a breach.

“It is absolutely critical that somewhere in your insurance portfolio, you have privacy liability coverage that a breach is not required in order to access,” Linde said.

Many insurance carriers are beginning to tweak their policies to address that issue, but there are still other potential blind spots that could prove to be targets for legal action. According to Linde, plaintiffs attorneys have been increasingly targeting a company's directors and officers over the last five years for lawsuits related to a privacy violation.

That trend isn't expected to abate any time soon, and if a company's regulatory insurance coverage encompasses the business itself but neglects to incorporate management specifically, there could be trouble.

“We're seeing massive discovery at what happened at the board level. What did the board know? How often were they reviewing and looking at the security requirements under their systems? How often were they looking at the privacy regulations in multiple states?” Linde said.

Still, cyber isn't the only branch of insurance that could be implicated by the CCPA. Entities may also find themselves falling back on property coverage in the event that damage to a piece of equipment, a building or even the land that building sits upon is responsible for a privacy violation or data breach.

Bradley Dlatt, an associate at Perkins Coie, said many privacy policies allow clients to purchase specific cyber protections that could handle certain CCPA related claims. However, the scope is fairly limited.

“Unless you can show physical damage resulting from a data breach that then led to a CCPA claim, it may be difficult to get your property policy to respond,” Dlatt said.