The Expert Podcast

One of the areas where cyber protection and cyber insurance have started to see some conflict is in the area of state-level cyber breach laws. What's happening is that regulations for companies to abide by disclosures or protections of consumer information are creeping from the federal government level down to the States. Many states now have data privacy laws that require any company that stores, records, or retains certain customer data—iit could be as simple as your phone number or your address—tto have certain best practices and certain protections in place. And if there is a breach or a loss, there is a provision for statutory damages and payments that have to be made to the parties. This can get very expensive. So, if there's a breach and the company has to pay even ten dollars per customer and they have, you know, fifty thousand customers, that could be half a million dollars. And these costs can be very Draconian and add up quickly. Not only do you have to pay to fix the breach and pay to repair your network, but you could have very serious costs and fines that go along with that breach and notification requirements.

What's happening with the cyber liability insurance companies is that they're starting to recognize this and factor that into their decision-making on underwriting and issuing policies. If you are an insurance company looking to issue a cyber liability insurance policy, you're going to have to account for the fact that you might have one of these breaches for your insured company and that you have to pay out a claim if it's a covered claim. One of the executives for a major insurance company, Cyber Tech or Tokyo Marine, took note of the changes in data privacy legislation right before the height. The courts modified their schedules. We saw a lull in litigation, but now we're starting to see an influx of class-action lawsuits.

Since 2020, the CCPA (California Consumer Privacy Act) has granted data breach victims the right to file individual or class-action lawsuits against businesses that allow unauthorized access to their private personal information. It's because of a failure to implement appropriate security practices. What's appropriate? That's going to be up to the jury. And when you're a company sitting there and you're being sued because 5,000 people had their personal information stolen and some of them had identity theft or couldn't get a loan because they had bad credit, you're going to be on the hook. So, you've got to make sure that you are aware of this, and whether or not you just put in good safety practices or have good insurance coverage, make sure that the coverage you get matches what you think you're going to get. A lot of cyber policies may or may not cover all these things, so you want to make sure that you read through the policy terms to make sure you have the right coverage and that you will abide by the requirements of that policy because some policies will become void if you don't implement certain basic prevention practices in your company.

And here's the scary part: this regulation, CCPA, eliminates the requirement for plaintiffs to show evidence of damages. Instead, all they have to show is that their personal information was compromised. That's it. They don't even have to pay damages. They just have to have potential damages. For this reason, California is an attractive form for plaintiff attorneys because it's a California-based rule, but it's filtering out to other states. So, if you're a company, you may find that your business practices are creating liability and exposure that you may not be aware of. So again, these victims don't even have to suffer any actual damages. They just have to show my information was released, and that's it. And if they do that, they win and you lose, and it costs a lot of money. So, check your coverages, your policies, and your procedures internally to make sure that you're not living under the umbrella of a serious exposure that you might not be aware of.