New Laws Generate Demand for Cyber Insurance

Companies both large and small face the challenge of keeping up with newly enacted and/or amended laws on privacy and data security. Cyber insurance can help you stay up to date on changes and transfer some of the risks your business can face.

Whether your company operates locally and deals only with employees’ personally identifying information (PII), or is a global operation, it’s likely affected by at least one data privacy and/or cybersecurity law.

  • As of last year, all fifty states and certain United States possessions and territories (Guam, D.C., Virgin Islands, Puerto Rico) require some sort of notice to affected individuals and/or law enforcement in the event of a data breach.
  • Many states are either considering or have enacted new or amended data privacy and security laws, with most of those states considering more than one measure.
  • Several states have passed laws or are considering proposals to shorten the time allowed to notify affected individuals in the event of a data breach and expand the definition of PII.
  • Nearly half of U.S. states require entities that collect or store PII to have at least “reasonable security,” and some states have moved to dictate specific security standards.

Data privacy legislation in the U.S. grows in California

Potentially the most sweeping data privacy legislation passed in the United States came from the California legislature. The California Consumer Privacy Act (CCPA) becomes effective in January of 2020 and contains privacy protections similar to those of the European Union’s General Data Protection Regulation (GDPR), which went into effect in May of 2018.

  • The California legislation recognizes the rights of consumers to request that businesses disclose the categories and specific pieces of personal information that they collect about the consumer, the categories of sources from which that information is collected, the business purposes for collecting, using, or selling the information, and the categories of third parties with which the information is shared.
  • The CCPA grants consumers the right to request deletion of personal information and requires businesses to delete the information upon receipt of a verified request.
  • The CCPA also requires businesses to provide consumers with the option to opt out of the sale of their personal information and prohibits discrimination against the consumer for exercising this right.

Commercial cyber insurance transfers both risk and knowledge

Navigating the complex and constantly evolving cyber law requirements is challenging, and if the trend continues, there will certainly be more legislation and regulation to come. Commercial cyber insurance can help to transfer some of the risks in the event that a data breach results in a government investigation.

Cyber insurers may offer coverage for fines and penalties in jurisdictions where it is allowed by law, subject to applicable policy terms and a potential separate limit. In addition to coverage of new potential fines and penalties, many cyber insurers also offer risk mitigation and management tools to assist insureds with compliance efforts. A cyber insurance policy can also offer the insurer’s expertise and financial resources, which can help with an insured’s response to a breach of personal information and compliance with applicable laws. For more information on cyber insurance and coverages, consult your agent or broker.


© 2019 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved. This article is for informational purposes only and is not intended to convey or constitute legal advice. HSB makes no warranties or representations as to the accuracy or completeness of the content herein. Under no circumstances shall HSB or any party involved in creating or delivering this article be liable to you for any loss or damage that results from the use of the information contained herein. Except as otherwise expressly permitted by HSB in writing, no portion of this article may be reproduced, copied, or distributed in any way. This article does not modify or invalidate any of the provisions, exclusions, terms or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable endorsement form.

Monique Ferraro

Monique is counsel in Munich Re’s US Cyber Practice at HSB. Previously, she was principal at a digital forensics, e-discovery and information security consulting firm and owner of a law firm. Ms. Ferraro is a Certified Information Systems Security Professional.

