Will California’s bill to force cyber insurance be a harbinger for the rest of the U.S.?
On Feb. 15, California Assemblyman Ed Chau, representing the Western San Gabriel Valley (near President Nixon’s old stomping ground of Whittier) introduced AB 2320, which would, if passed, require any entity with a contract with any California government agency or department that “receives or has access to any records which contain any Personal Information” to “carry cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information, in an amount determined by the contracting agency.” So what kind of insurance are we talking about, what kind of “losses” are we talking about, and what would be the real-world impact of such a law?
When there is a data breach—particularly a breach involving certain kinds of sensitive information—there is a familiar pattern of anger, denial, bargaining and acceptance. First, you blame someone else. Then you investigate. Then you blame someone else. Then comes the breach notification, mitigation and remediation. Then come the litigation and regulatory investigation—maybe by the FTC, maybe some other agency.
Data breaches cause losses, but maybe not the ones you think of. Take this scenario: Someone breaches a local hospital and obtains, among other things, information about your latest hernia surgery, including your insurance information, your allergies, your blood type, your medications and of course, the surgery itself. You learn of the breach and go to your lawyer and ask, “Can I sue?” Which is, of course, the dumbest question to ask a lawyer, as the answer is almost always, “Yes.” But what are your “damages?” That is, what evidence can you present to a jury to prove by a preponderance of the evidence that you have suffered an identifiable economic damage as a result of the breach? A lot of your “damage” depends on what data was taken, who took it and what they did with it. In fact, despite the fact that this is sensitive medical data, it’s easier to calculate the damage resulting from the loss of the financial information (e.g. insurance and payment) than the loss of “privacy” per se.
Data breaches generally cause all kinds of economic losses—first to the data subjects and then to other third parties. So if the State of California contracts with some entity, whether it is a cloud storage provider, a data analytics entity or even an accountant or lawyer, and provides them through the contract with access to or possession of personal information it has collected, and that third party suffers a breach, there could be economic losses to the data subjects, which could be passed on to the state, and therefore to the contractor. These might include the costs of investigation, mitigation, remediation (e.g., putting in new security systems), notification, breach remediation (credit reporting, credit freeze), regulatory fines (against the third party rather than the state agency), attorney’s fees, judgments, etc. Insurance for these losses is not necessarily a bad idea.
Indeed, it is common in many industries, including health care, financial services, retail and others, as a condition precedent to having access to sensitive data to require the third party to have a certain amount of “data breach” insurance coverage. The devil always is in the details.
The Right Policy
If California is going to require its contractors to have cyber insurance, it has to require the right kind of cyber insurance. First and foremost, it has to cover “third party” losses—that is, losses not to the contractor but to the State and to the data subjects. If I give (or are forced to give) my data to the Golden State and assert that they have a duty to protect it, and they then give it to some contractor, the insurance has to cover losses to the state and to the data subject. Second, you want the insurance to cover both direct and indirect losses. For example: Say the government sets up an electronic payment system for parking tickets and uses a contractor to collect fines and data. That contractor suffers a breach and, as a result, Californians no longer trust the electronic system and insist on using a more expensive and labor-intensive in-person payment system. Is the cost of maintaining the more expensive system necessitated by the loss of trust engendered by the breach considered a “covered loss?” Maybe yes, maybe no. Remember, the costs of any uninsured or underinsured losses from a breach are borne either by the contractor (who might go out of business), by the state (meaning the taxpayers) or, in the end, by the data breach subjects. At the end of the day, someone pays for the breach.
Third, make sure it’s the right KIND of insurance. There are lots and lots of insurance policies that call themselves “cyber” policies. In this case, you want a specific policy covering costs and losses associated with a specific kind of data breach. When I was the chief privacy officer of a major defense contractor and we had a government contract that required us to have access to records, I would use a formula that looked at the number and kind of records we were accessing or processing (e.g., all of the medical records of the VA or the civilian access logs at a particular military base). Say it was 10,000 records. I would then evaluate the average breach cost for these kinds of records on a per data-set basis—maybe $100 per data set, maybe $1,000 per data set. Then comes some math to figure out the “worst-case” scenario, including investigative and legal costs. That’s the coverage limit I would look for, and would build the cost of that insurance (discounted for the probability of occurrence) into by bid for the work. At the end of the day, of course, the taxpayers are paying for the insurance, right?
In theory, before an insurance company will give me insurance, it will check to see if I have an adequate and comprehensive data security policy and plan, specifically around the California state data I am collecting, right? I mean, before you get life insurance, the insurance company evaluates your (meaning their) risk, so they do this for cyber and data breach policies, right? Not so much. Some data breach insurers will provide the customer with a questionnaire to fill out, some may require a third-party assessment. But by and large, they want to sell policies and sell them to as many entities as possible. In fact, requiring mandatory insurance may actually cause insurance companies, with a new and wide-open compulsory market, to stop doing individual risk assessments on companies and simply rush to sell policies to lots of companies. This would spread the insurance company’s risk across many customers and mean more premiums for them. Finally, the law would require ALL government contractors with “access” to personal data to have insurance. This also might include office cleaning crews, public defender offices, nonprofit entities, small and tiny businesses and others who might not have ready access to these policies and for whom the actual risks are relatively low. And did I mention that, in the end, the State of California ends up paying for these premiums?
One thing we do know: As goes California, often goes the nation. In fact, California passed the first data breach disclosure law, the first data breach remediation law, the first state law requiring specific degrees of data protection for specific types of data, and has lead the country in regulating data policies. So keep your eyes on this space.
— Mark Rasch