Can Insurance Drive Reasonable Security Measures?
A recent Wall Street Journal article stated that the excessive costs of responding to breaches have become a challenge for insurance companies. The article quotes insurance company executives as being particularly concerned that their clients are not implementing basic data management controls, such as having a designated employee responsible for information security or having a written information security program.
All fifty states have data breach notification laws, and in recent years we have seen the emergence of a “reasonable security measures” requirement. The Alabama data breach notification law, which was signed into law on March 28, 2019, lays out considerations for determining reasonableness, including: (1) designating an employee to coordinate security measures; (2) risk identification and mitigation; (3) making sure service providers have reasonable information security standards; and (4) proper communication channels that regularly notify management of the status of information security risks.
It is no coincidence that insurance companies are expressing concern over information security and data process management with just a couple of months left before the California Consumer Privacy Act (“CCPA”) takes effect. Insurance companies in the data and cyber sphere are used to facing the expenses and legal liabilities associated with data security and privacy breaches. Regulators often come down hard on entities after they have dealt with hacks and other attacks, and if companies are as woefully unprepared as insurance executives claim, it is not wholly surprising that regulators find that these entities have not maintained reasonable security measures. The CCPA, however, gives California consumers more knowledge of and control over their personal information. Unlike most state laws, the CCPA invites enforcement action not only in response to a cybersecurity incident, but also for failure to meet the affirmative obligations the law itself carries.
The nuts and bolts of this are: insurance companies may now have to cover entities’ liabilities and/or legal fees for being “unprepared.” For entities subject to the CCPA, it will no longer be sufficient to have avoided a cyber incident, and that will surely lead to an increase in coverage exposure. All of this serves as a reminder to read your insurance contracts (if you have cyber insurance) and see what the limitations on coverage are. Insurance companies are likely to mandate that reasonable security measures be taken, and to reduce the scope of their coverage to post-incident liability and fees.
Will the insurance companies be ready for the deeper scrutiny and tougher punishments their customers will face, and will insurance customers be ready for the higher premiums that are likely to come? And will all this attention lead to better data security at US companies?