FMG Law Blog Line

Posts Tagged ‘CCPA’

Could Facebook’s $5 Billion FTC Fine for Privacy Violations be Covered by Cyber Insurance?

Posted on: August 14th, 2019

By: Isis Miranda

A similar question was posed to me recently at a conference where I was speaking about the GDPR (European General Data Protection Regulation): “Could my company just buy insurance instead of worrying about whether our China-based vendors are complying with the GDPR?” The audience chuckled. But the question raises important and complex issues, one of which is whether civil fines are insurable and, more importantly, whether they should be.

Record-breaking fines recently announced by the FTC (Federal Trade Commission), including $5 billion against Facebook and up to $700 million against Equifax, and proposed fines by the ICO (the UK’s Information Commissioner’s Office), including £183 million against British Airways and £99 million against Marriott, combined with the approaching effective date of the CCPA (California Consumer Privacy Act), a sweeping GDPR-like privacy law, have increased anxiety over the insurability of these fines.

Traditional insurance policies generally do not cover regulatory fines, but many cyber policies do. These insuring provisions, which typically provide coverage for civil fines and penalties levied by any regulator worldwide arising from a data breach “where insurable by law,” have yet to be scrutinized by a court. Uncertainty over whether courts may void these policy provisions as being contrary to public policy prompted the Global Federation of Insurance Associations to request assistance from the OECD (Organisation for Economic Co-operation and Development), explaining that “there is international confusion as to the insurability of fines and penalties” and stating that “OECD work to clarify this issue would benefit consumer and insurer contract certainty.”

Answering this question is no easy task. Starting with the question of whether these fines are insurable, one immediately finds that there are no legislative pronouncements or court decisions addressing the issue in the context of a cyber policy that expressly provides coverage for regulatory fines. And efforts to predict how a court might rule once the issue is raised, as it inevitably will be, are stymied by the disarray of the current case law in the related areas of punitive and statutory damages. This diversity of opinion reflects the complexity of the underlying question – whether such fines should be insurable. Courts struggle with questions, such as who should decide – legislators, judges, insurance companies? And what criteria should be applied in making the decision? Should the decision apply to all civil fines and penalties issued pursuant to a given regulation or should the issue be decided on a case-by-case basis for each violation?

In the U.S. the decisions of courts across the country regarding the insurability of punitive damages are, well, all over the map. These decisions vary in their approach to reconciling the language of the insurance policy at issue with public policy considerations in the approximately 20 states that prohibit insurance for directly assessed punitive damages, including decisions that:

  1. prohibit insurance for punitive damages, even if the policy expressly provides coverage;
  2. prohibit insurance for punitive damages, unless the policy expressly provides coverage;
  3. do not prohibit insurance for punitive damages but do not interpret policies as covering them, unless expressly included; and
  4. do not prohibit insurance for punitive damages and interpret policies as covering them, unless expressly excluded.

It is unclear whether courts will address coverage for fines and penalties in similar fashion. States that do not prohibit punitive damages could, nonetheless, place restrictions on insurance for civil fines and penalties beyond existing limits on insuring intentional conduct. And vice versa. Thus far, a few courts have applied the prohibition on punitive damages to civil fines and penalties without addressing the distinctions between the two. For example, in City of Fort Pierre v. United Fire and Casualty Company, 463 N.W.2d 845 (S.D. 1990), the federal government sued the City of Fort Pierre seeking civil penalties due to violations of the Clean Water Act of 1977. The South Dakota Supreme Court held that the civil penalties were punitive in nature and thus precluded from being covered under the City’s insurance policy. A dissenting justice disagreed, stating: “Before punitive damages may be awarded, malice on the part of the party from whom the punitive damages are sought must be shown. No similar requirement exists for the imposition of the civil penalty. Therefore, the civil penalty the United States sought to have imposed upon the City of Ft. Pierre cannot be equated to punitive damages.” Similarly, in Bullock v. Maryland Casualty Company, 85 Cal. App. 4th 1435 (Ct. App. 2001), the California Court of Appeal held that civil fines are not insurable without addressing the fact that the public policy prohibiting insurance for punitive damages was expressly limited to punitive damages that were assessed upon a finding of fraud, oppression or malice. City Products Corporation v. Globe Indemnity Company, 88 Cal. App. 3d 31 (Ct. App. 1979). It will be interesting to watch how the case law evolves as coverage battles involving cyber policies that expressly provide coverage for fines and penalties percolate through the courts.

Now to the question we started with. Without knowing the contents of Facebook’s insurance policy, we can only speculate as to its terms, including which state’s laws would apply to interpret the policy. But we would not be going out on a limb by saying that the $5 billion FTC fine likely exceeds policy limits. Facebook will not garner much sympathy, given that it inarguably violated the FTC’s 2012 order and can readily afford the $5 billion fine. And there is concern that allowing companies to obtain insurance to cover civil penalties for violating data privacy and security statutes would discourage them from making the investments necessary for compliance. But the reality is more nuanced. Small- and medium-sized businesses, in particular, benefit from the data security assessments, cyber risk consulting services, and preferred vendors that are made available by many cyber insurance carriers, which serves to increase compliance with related statutes. See, e.g., Kyle D. Logue & Omri Ben-Shahar, “Outsourcing Regulation: How Insurance Reduces Moral Hazard” (Coase-Sandor Institute for Law & Economics Working Paper No. 593, 2012). These issues will, no doubt, continue to be debated for many years to come.

Amidst all this uncertainty, one thing is sure: the future will be fascinating.

If you have any questions or would like more information, please contact Isis Miranda at [email protected].


The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

Posted on: July 30th, 2018

By: Jonathan Romvary

As we recently posted, California has passed the landmark California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020 and grants California residents new and expansive privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it is arguable whether this will provide greater protections to consumers, it will undoubtedly come as a burden to those businesses covered by the CCPA. At this time these specific AG regulations are unknown and, with an upcoming election, there is no guarantee we will know what these regulations will be until late next year, shortly before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.

Unfortunately for all of those companies that spent the last 12 to 18 months traversing GDPR compliance, you will not automatically be complying with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold or transferred by the business. While the CCPA contains numerous exemptions for particular data uses and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].