U.S. companies are turning to cybersecurity insurance to protect themselves from lawsuits and fines with enforcement of California’s landmark privacy law set to begin July 1, attorneys say.
San Francisco-based Coalition, which calls itself the fastest-growing cyber insurance provider, got more than 2,000 requests for policies in December and January to protect against California law violations, said Joshua Motta, Coalition’s CEO. A “surge” in buying will follow the first lawsuits and enforcement actions, he said.
California’s law “will drive more companies to buy,” said Daniel Burke, national cyber practice leader at Woodruff Sawyer & Co. in San Francisco. His clients, including those in technology and retail, are “preparing for possible enforcement by reviewing their insurance programs,” he said.
U.S. companies are eyeing cyber insurance because they have potentially millions of dollars at stake under the California Consumer Privacy Act, which took effect Jan. 1. That’s because state residents can seek up to $750 per consumer, per data security incident under the law, which also directs the state’s attorney general to take enforcement actions for privacy violations.
Large companies that handle personal information, including Facebook Inc., Alphabet Inc.'s Google, and Amazon.com Inc., have millions of customers in the state, placing them at risk for large settlements or expensive jury trials in the event of a data-security incident. Such businesses are likely to see the bulk of consumer-privacy demands, opening them up to possible enforcement for alleged CCPA violations.
Facebook didn’t immediately comment. Google and Amazon didn’t respond to requests for comment. Companies are loathe to discuss the cyber insurance coverage they are buying so as not to become a target for people seeking payouts, attorneys said. Insurance providers also declined to name customers making purchases.
Businesses are “thinking about augmenting” their cyber insurance limits or purchasing it for the first time because of the California law, said Robert Rosenzweig, national cyber risk practice leader at Risk Strategies. They want to act because the CCPA is a business threat that “isn’t going away,” he said.
Private Right of Action
The California law’s private right of action bolsters the need for insurance, attorneys said. That’s because the provision doesn’t require plaintiffs to prove actual damages to pursue data-breach claims. Rather, it provides statutory damages that make it easier for consumers to beat early challenges to data-breach lawsuits.
The provision will lead “to a barrage of litigation” that companies need to protect themselves from, said Elliot Golding, a partner at Squire Patton Boggs who counsels companies on privacy and cybersecurity matters.
Selena Linde, insurance partner at Perkins Coie representing policyholders, said “potential damages are so high that plaintiff’s counsel will unfortunately be looking for high-dollar test cases.”
The law also enables Californians to see personal data that companies are collecting about them and to demand that the information not be sold to third parties.
The biggest slice of Coalition’s cyber insurance coverage tied to the California law—28%—is going to companies that create heavy machinery for the defense, aerospace, and other industries. Consumer-facing businesses are buying another 25% of its California-related coverage, according to the company.
Other businesses getting the coverage include those in the financial (13%), information technology (9%), and health care (7%) sectors, Coalition said.
Businesses should review their insurance plans to make sure they can make claims when needed, attorneys said. Companies will want policies that cover costs from consumer lawsuits, enforcement actions, and data breach clean ups, they said.
Cyber insurance “gives companies the security that they have support in responding to regulatory inquiries or fines,” said Yosha DeLong, head of Zurich’s cyber technical underwriting group.
The scope of coverage is important because statutory damages in data-breach litigation can quickly stack up, attorneys said.
Companies also should carefully review policies because each provider likely offers different coverage, attorneys said. Businesses need to know if they’re covered for different types of damages, various kinds of personal information, employee actions, and even reputational damage, Linde said.
Cyber insurance plans are “heavily manuscripted policies,” Linde said, “and companies need to be hyper vigilant in reviewing the coverage that is being offered.”