California privacy law to have big impact on business insurance

(United States) Michael Palotay predicts that the California Consumer Privacy Act will have a big impact on businesses, who will have to assess their exposure to fines and penalties on a "per violation" basis. Insurance Business America reports as follows:

The evolving privacy regulation environment is likely to have reverberations for the cyber insurance space, especially as one of the strictest privacy laws in the United States is just around the corner.

One cyber expert [Michael Palotay, Tokio Marine HCC] says the California Consumer Privacy Act (CCPA) will have “a big impact” on this line of business.

“It’s something that businesses will want to take very seriously – you’ve got some statutory damages on a per violation basis that can add up to really big numbers when you’re talking about millions of consumer records, so the potential for a big loss is great,” said Palotay.

These fines also put insurers in an interesting and tough position, he added.

“A company could theoretically have millions of violations, so if insurers are providing a $1 million limit or a $5 million limit, but a company has $50 million-plus in exposure, it can quickly turn into a situation where we just basically have to give them the limit,” he said. “And they end up managing the defense on their own because they have way more to lose than what we have up on the limit. It’s a weird dynamic that doesn’t happen very much in my world, but my claims department has been warning that that can happen.”

The CCPA has two main penalty mechanisms – one where the government can come after a business for violating the law’s requirements and another where individuals affected by a data breach can sue the impacted company. One relief is that the question of whether a breach would be required for individuals to sue seemed to be in flux at first, which would’ve meant much more exposure for cyber insurers, but has since been clarified.

(Privacy press clipping sourced via Insurance Business America)
Jurisdiction: United States

Key takeaways:
  • One live question is the extent to which insurance contracts can insure fines and penalties paid for statutory violations. This is a gray area in many legal systems, but some jurisdictions have rules that insurance cannot cover fines and penalties payable for breaches of the law. Such insurance could however cover civil damages awards resulting from, for example, a data breach.

  • One key point is that fines under the Californian law will add up. The “per violation” approach means that a data breach involving a million records could become costly, quickly, even if at first blush the fine amounts stated within the California Consumer Privacy Act look on the low side compared with the GDPR.

  • Businesses should review their present level of coverage and work out the position for data breaches or cybersecurity losses. Insurers can also provide services additional to coverage, in the sense of practical assistance in loss mitigation and precautions before an event takes place.
