Issues To Consider When Evaluating Cyber Coverage In Light Of The CCPA And Other State Privacy Laws


With the expansion of privacy legislation—from the General Data Protection Regulation (GDPR) in Europe to the coming California Consumer Privacy Act (CCPA) in the United States—cyber liability insurance is taking on increased importance. This post discusses key issues companies should consider as they review their cyber coverage in light of changing legislation and increased litigation risks. Companies should act now to ensure they have sufficient cyber coverage in place before the CCPA goes into effect on January 1, 2020.

Covering costs related to data breach response and recovery and data breach- and privacy-related enforcement actions and litigation presents challenges. Worldwide, as of April 2019, the average total cost of a data breach was $3.92 million.[1] The average total cost of a data breach in the United States was $8.19 million.[2] The costs of enforcement actions can be similarly significant in terms of monetary penalties and secondary costs. Without adequate coverage, these costs can have long-term effects on a business.

Cyber policies are now a common part of most companies' insurance portfolios. The policies generally cover five principal areas: (1) costs to manage and respond to a cyber-incident, (2) costs stemming from network interruption, (3) costs for security and privacy liability, (4) costs relating to extortion and (5) costs for media liability or reputational harm. Whether insurers cover all of these areas or all costs within different areas varies from policy to policy. Most policies offer first-party and third-party coverage. First-party coverage applies to losses that are directly sustained by the insured party, such as damage to a company's own electronic data files. Third-party coverage applies to claims by others against the insured company, such as claims by people who were injured by the insured company's actions (or inactions).

With the increase in state privacy legislation, particularly the CCPA, many insurance companies are working with clients to also cover certain "compliance" costs arising out of a violation of a privacy-related legal obligation where no underlying cyber incident has occurred. Insurers and insureds alike are also working to understand how the CCPA's private right of action fits within existing third-party liability coverage and whether and how they may need to expand such coverage. We provide below a few points of guidance for companies to consider as they engage in similar discussions...
