Do employees have a privacy right in the shape of their faces, the color of their eyes, or the texture of their fingertips? In many states, the law now says yes—leading employers to ask: Are resulting biometric privacy claims covered under their existing policies, or is insurance otherwise available?
As cybercrimes and data breaches continue to cause significant damage to companies of all types, policyholders are looking to their various insurance policies for coverage to help weather the storm and recoup losses. A recent decision by the U.S. Court of Appeals for the Fifth Circuit highlights the need for companies to review all of their policies for potential cyber-related coverage, including their CGL policies.
Since July 9, 2021, New York City’s businesses have been subject to the requirements of a new biometrics law. Businesses operating in New York City should consider both their potential liability under these new requirements and whether their current insurance program protects them against associated risks.
The Biden administration has hit the ground running with executive orders, regulatory and legislative priorities, and cabinet-level and other top posts being announced on a daily basis. Our public policy colleagues have been closely tracking many of the policy priorities of the new administration and highlighting important regulatory and legislative developments that businesses can expect coming down the pipeline.
A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
Does the coverage in commercial general liability (CGL) policies for violations of the right to privacy extend to unwanted intrusions, or is it limited to the disclosure of personal information to a third party? On a recent request for clarification from the U.S. Court of Appeals for the Ninth Circuit in Yahoo Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, the California Supreme Court may be poised to answer this question under California law, which could have wide-ranging effects on companies seeking CGL coverage for Telephone Consumer Protection Act (TCPA) claims.
The stopwatch is running. Companies are scrambling to figure out how the EU’s General Data Protection Regulation (GDPR)—due to go into effect on May 25, 2018—will affect how they do business. Uncertainty and speculation abound; no one knows exactly how the law will be enforced, particularly with respect to companies domiciled outside the EU, with no EU footprint, who process and hold the personal data of EU residents. But while publications are awash with advice regarding compliance, few tackle the question whether your business is protected against loss in the event of a data breach or other unintentional failure to comply. We strongly suggest that your due diligence include a review of your insurance coverage for GDPR non-compliance, especially for fines, penalties and lawsuits (individual or class action). Qualified coverage counsel should assist in the review, but key areas of focus include:
Coverage for Costs of Compliance
Many costs that companies will incur to comply with GDPR simply will not be covered by any insurance. Insurance is designed to respond to fortuitous loss or liability, not ordinary costs of doing business. Thus, for example, coverage likely is unavailable for expenses to adopt and implement data security measures, maintain required records, respond to individuals’ requests to access or delete their data, or hire a Data Protection Officer.
One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.