Over the past few years, companies in the U.S. and across the world have felt the squeeze of stricter data privacy laws that restrict how they can collect and store customer data. In June 2018, hot on the heels of the European Union's General Data Protection Regulation (GDPR) law,[1] the State of California passed a similar bill, the California Consumer Privacy Act (CCPA).[2]

Both of these laws are designed to protect consumers' personal data from large-scale data breaches, a cause that most Americans can get behind. However, the laws accomplish this protection by holding corporations to a high standard of consumer data protection, with large financial penalties if stored consumer data is stolen or illegally leaked.

The advent of laws like the CCPA has broad implications in the world of privacy, cybersecurity and cyber insurance, as they govern the long-term consequences of a data breach. As more laws like the CCPA are passed, companies will have to find new ways to cope and comply with increased privacy regulations.

In response to these market conditions, cyber insurance underwriting has become more reflective of today’s risks.

Steve Robinson, RPS national Cyber practice leader

The CCPA isn't the only recently passed law to shake up the world of corporate data privacy. While most of these laws are state-specific, states that want to adopt privacy laws are likely to look to these existing regulations when drafting bills. So even if a client doesn't operate in a state mentioned in these laws, similar regulations may affect that client in the future.

New York State's Stop Hacks and Improve Electronic Data Security Act

In July 2019, then-Governor Andrew Cuomo of New York State signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act[3] in response to an increase in cybersecurity breaches. SHIELD expands the state's definition of private information to include "biometric information, credit/debit card numbers, access codes, usernames, email addresses, passwords, and security questions and answers." It also expands the scope of the law to regulate any business or person that licenses or owns the private information of any New York State resident.

Companies that fail to implement "a reasonable security program that's appropriate for the size and complexity of your business" face fines of $5,000 per violation and a $250,000 fine for failing to notify authorities soon after a data breach has taken place.

SHIELD's expansion of scope is extremely significant. While previous New York State privacy law had penalties for improper protection of consumer data or failure to alert the public of breaches, SHIELD expands regulation to all companies that deal with New York State residents' data — almost every national company in the U.S. Instead of splitting up their consumers' data into groups of higher and lower security, most companies have simply opted to heighten security on all their consumer data, perhaps also anticipating that other states will soon follow New York State's example.

Nevada's Privacy of Information Collected on the Internet from Consumers Act

Nevada's Privacy of Information Collected on the Internet from Consumers Act[4] — sometimes referred to as Nevada's privacy law — was passed in 2017 and expanded in 2019. It works much like CCPA and SHIELD. However, in one area, Nevada goes further than any other state previously has to protect consumer data from hacks and breaches.

The Nevada law requires that online companies give consumers the explicit option to opt out of having their data collected or sold for profit. All companies covered under the law must operate an "electronic mail address, a toll-free telephone number, or a website through which a Nevadan can submit a request"[5] for their data to remain unsellable.

Data breach notification laws brought deepened cyber exposure front and center for many companies.

Nick Carozza, RPS area vice president

The law applies to any person or organization that operates a website or online service for commercial purposes; that collects and maintains digital information specified in the law from Nevada residents; and that directs activities to Nevada or makes transactions in Nevada. The law is broad in its scope and essentially regulates anyone who owns the data of Nevada residents — in this respect, it's similar to SHIELD.

Massachusetts' Act Relative to Consumer Protection From Security Breaches

Massachusetts' new privacy law, An Act Relative to Consumer Protection From Security Breaches,[6] regulates the disclosure of breaches in a timely and fair fashion.

The law requires that the company notify the public of a new range of information related to the breach, including "the disclosure of the person responsible for the breach in breach notifications, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents." This information may be difficult for some companies to obtain, especially within the timeline stipulated. The law also requires that a breached business provide free credit monitoring services for at least 18 months to residents of Massachusetts whose Social Security numbers were stolen.

This law is an incentive for companies to prevent breaches, because these penalties increase in severity with the amount of resident data that hackers took. The more data is stolen, the more the company will pay to protect its consumers.

These three are just a few of the laws passed recently that are changing the U.S. privacy and cybersecurity landscape in dramatic ways. Many other states have similar laws in development or in force, but these three examples use novel techniques to push corporations towards better cybersecurity practices and protection.

When discussing security and insurance with a client, it can be useful to look at some of these laws as test cases, even if they're not implemented in the client's home state. Many of these laws already apply to most companies above a certain annual revenue in the U.S., and pending legislation indicates that these regulations will only tighten.

Sources

[1] Frankenfield, Jake. "General Data Protection Regulation (GDPR) Definition and Meaning," Investopedia, updated 11 Nov 2022.

[2] Korolov, Maria. "California Consumer Privacy Act (CCPA): What You Need to Know to Be Compliant," CSO, 7 Jul 2020.

[3] Davis, Matt. "The Definitive Guide to the New York SHIELD Act," Osana, 29 Jun 2022.

[4] "SB220," Nevada Electronic Legislative Information System (NELIS), accessed 28 Sep 2022.

[5] Brook, Chris. "Nevada Beats California With New Privacy Law," Digital Guardian, 7 Oct 2019.

[6] "An Act Relative to Consumer Protection From Security Breaches," The 192nd General Court of the Commonwealth of Massachusetts, accessed 28 Sep 2022.