As new and comprehensive privacy and cyber regulations continue to proliferate across the globe, I’m frequently asked if cyber insurance covers claims for related regulatory investigations, fines, and penalties. Although the answer to that question requires an in-depth review of the specific insurance policy at issue, the good news is that some cyber insurers are now providing more expansive regulatory coverage than ever before. Insureds, however, must know where to look. Here are some key issues to keep in mind when reviewing a policy for broad regulatory coverage.
Go Beyond the Headings in the Insurance Policies
Cyber insurance policies typically include some form of “Regulatory” coverage, but the devil is in the details. Not all regulatory coverage is created equal. For example, the policy may limit coverage to regulatory claims arising from alleged violations of only US federal and state regulations. As more US companies face exposures arising from foreign regulations, this type of coverage would not provide comprehensive global protection to the insured.
In addition, the regulatory coverage in some policies is triggered by regulatory actions arising only from data breaches and security events. Although these are no doubt two very significant exposures, many of today’s privacy and cyber regulations contain requirements going far beyond those two issues. The GDPR, for instance, contains 99 Articles that include mandates concerning the adequacy of data subjects’ consent to data processing, limits on how long companies can retain data, the appointment of a data protection officer, designation of an EU representative, and many more. It may be an uphill battle to obtain coverage for a claim arising out of noncompliance with the vast array of GDPR requirements under an insurance policy with regulatory coverage limited to data breach and security events.
Even a specific GDPR Endorsement may not provide the kind of comprehensive coverage that some companies may desire. Despite implications that might be drawn from its title, at least one such GDPR endorsement specifically applies only to noncompliance with just four GDPR Articles.[i]
Types of Information within Coverage
One of the groundbreaking features of some recent privacy and cyber regulations — including the GDPR, California’s pending Consumer Privacy Act (CCPA), and New York State’s Department of Financial Services (NYDFS) Cybersecurity Regulation — is how broadly they define the categories of data they cover. For example, with some enumerated exceptions, the CCPA protects “personal information,” which is defined as:
[I]nformation that: identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes, without limitation:
· Identifiers such as a real name, alias, signature, physical characteristics or description, telephone number, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, passport number, driver’s license or state identification card number or other similar identifiers, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
· Characteristics of protected classifications under California or federal law (for example, race, color, sex, age, religion, national origin, disability, citizenship status, and genetic information).
· Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
· Biometric information.
· Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement.
· Geolocation data.
· Audio, electronic, visual, thermal, olfactory, or similar information.
· Professional or employment-related information.
· Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.
· Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Insureds, therefore, should examine any potential cyber insurance policy to determine the scope of information for which it provides coverage. For instance, a policy may limit its coverage to the types of data protected under only certain specified laws and regulations, such as US state data breach notification laws and HIPAA, which are not as encompassing in that regard as some newer regulations.
Fines and Penalties
Although cyber policies typically provide coverage for regulatory fines and penalties, covered fines may be limited to those that arise only from certain types of regulatory violations. Thus, if a policy’s regulatory coverage is triggered only by a data breach or a security event, it likely will not cover a fine arising out of some different type of noncompliance claim. In addition, some cyber policies provide that fines and penalties are insurable only if the law of the jurisdiction issuing the fine allows for such coverage. This could be an important issue for companies subject to GDPR, since many EU countries do not permit such coverage.
Even where a policy does not require application of the law of the fining jurisdiction, it will be important for insureds to determine if a specific state law is designated in the policy. In the absence of an explicit designation, insureds should review policy terms that relate to how the choice of law determination will be made in the event of a coverage dispute. Whether or not a specific state is designated in the policy, a company would do well to examine this issue before purchasing a policy and negotiate for provisions and state designations that are likely to favor broader coverage.
Further, to the extent a fine or penalty is considered punitive in nature, it will be important to look for specific coverage for punitive damages. Choice of law considerations are critical in this regard as well, since a number of US states prohibit coverage for punitive damages on public policy grounds. Again, negotiation for favorable terms concerning this coverage issue before buying a policy is strongly recommended.
Takeaway Thoughts
Insureds that are looking for more complete coverage for the wide range of exposures arising under today’s privacy and cyber regulations should consider policies with broad coverage provisions concerning a number of issues, including:
- Actions by both US and ex-US regulators;
- Information protected by any US, state, or foreign privacy or cyber regulation;
- Violations of privacy and cyber laws themselves, as opposed to component parts of such laws. For example, a policy that applies to regulatory actions arising out of “an actual or alleged or suspected breach of statutes and regulations as they currently exist and as amended with respect to the confidentiality, access, control, and use of” protected information should provide broader coverage than one that limits regulatory coverage to a data breach or security event; and
- Fines, penalties, and punitive damages coverage grants, along with favorable choice of law terms.
[i] The identified articles are: Article 5.1(f), also known as the Security Principle; Article 32, Security of Processing; Article 33, Communication of a Personal Data Breach to the Supervisory Authority; and Article 34, Communication of a Personal Data Breach to the Data Subject.