
Podcast

Specialty Podcast: Is 2022 the Year to "Get Real" About Data Privacy Compliance?

By Alliant Specialty

Like every year prior to 2020, the past year was another tumultuous year in the world of cyber liability. There was considerable movement in the market, and the cyber landscape has changed exponentially, and not for the better. Threat actors have become more sophisticated, resulting in an increase in data breaches, phishing attacks and more. Understandably, there was increased pressure put on the markets from a claims perspective. Brian Dunphy and David Finz of Alliant sit down to discuss the ever-changing landscape in the regulatory world, at both the state and the federal level, as other states ramp up consumer data privacy protection.

Intro (00:00):
Welcome to the Alliant Specialty Podcast, a show dedicated to risk management and professional solutions. Here is your host, Brian Dunphy.

Brian Dunphy (00:14):
Welcome to the latest edition of the Alliant Specialty Podcast series. I am Brian Dunphy, the leader of Alliant’s Management Professional Solutions group, and we happen to be in the middle of International Data Privacy Week. And so here with me to discuss all things cyber, is our cyber claims attorney David Finz. Hello David.

David Finz (00:39):
Hi, Brian. A pleasure to be here.

Brian Dunphy (00:41):
Thanks for joining us, and so, David, the last time we spoke, I think you told me to put all of my money in a Maxwell House can and bury it in the backyard, unplug all my computers, and don't talk on the phone. And that was the only way to keep everything safe. Is that right, or do I have that wrong?

David Finz (0:52):
Oh, that and hand deliver payments to all of your utility companies.

Brian Dunphy (0:57):
Right. I forgot about that. Yeah. I forgot about that. Yeah, that's true, you did me that as well. No, all kidding aside, like every year prior to last year was another tumultuous year in the world of cyber liability, a lot of movement in the market. And a lot of things happened that hadn't happened previously. And there was a lot of pressure put on the markets from a claims payment perspective. But today, specifically, I wanted to get your perspective on the ever-changing landscape in the regulatory world, both at the state and at the federal level. And so, we've always operated under the presumption that the benchmark state law that had been passed to date was the CCPA in California, the California Consumer Protection Act. And I know that there's a lot of stuff changing around now, as other states ramp up their own protections for their local citizenry. Can you walk us through some of what's happening in that regard?

David Finz (01:53):
Sure. So, what we have seen play out in California is beginning to play out in some other states as well, that trend of state regulators now stepping in and protecting the rights of consumers, not just in terms of breach notification, but going beyond that to actually give them some rights over the control of their data. So, you have Colorado which enacted a privacy act, which will go into effect on July 1st, 23 and Virginia has a consumer data protection act, which will be going into effect on January 1st, 23. And each of these new laws will give consumers a right to access their data, the right to rectify any incorrect information, the right to have their information deleted from a company's database and also the right to opt out of having their information collected at all. What these laws do not do, is they do not create a private right of action. So, any enforcement is going to need to be initiated by regulators rather than by the consumers themselves.

Brian Dunphy (2:59):
So, David, effectively what that means is that the consumers themselves can raise the issue, but they do not have a path through civil courts to seek remediation. It has to be brought by a regulatory body, correct?

David Finz (3:13):
That is correct. They don't have what lawyers call standing to sue.

Brian Dunphy (3:16):
Right. Great. And so, in addition to what's happening there, I do believe, as we've mentioned, there are other states that have their own additions and changes to privacy laws that are due to come up this coming year.

David Finz (3:30):
Right. So, in addition to Colorado and Virginia, which have actually enacted this legislation, right, there are bills that are being considered right now in a number of other states, including Massachusetts, Minnesota, New York, North Carolina, Ohio, and Pennsylvania, that are each their own iteration of the types of protections we now see in California and these two other states that have actually passed bills.

Brian Dunphy (3:54):
And as it stands now, we still have this sort of operating premise. That's almost like a patchwork quilt of 50 states and 50 different rules. Although they seem to be homogenizing in some respects, but talk for a minute, if you can, about the changing attitude of some of the federal regulators and how they're looking to enhance protections for the citizens.

David Finz (4:19):
Sure. So, the federal role in regulating cyber risk has been really industry-specific. So, for example, in the healthcare field, you have HIPAA, right? What we're beginning to see is that the Federal Trade Commission is stepping up in a number of ways to assert themselves as an enforcement body in the area of cyber. One thing that they will be doing this year is, starting in December of 2022, the FTC will be requiring specific security controls and greater accountability from what are known as private funds.

Now these are financial institutions that are not otherwise covered by the Investment Company Act of 1940. So, they don't fall under the authority of the SEC, instead here what the Federal Trade Commission is going to do is essentially take the enhanced cybersecurity measures that were rolled out by the New York State Department of Financial Services, and then bring those into enforcement at the federal level, even for financial institutions that are outside of New York state's jurisdiction. And so, what they're doing is they're accomplishing this through updates to the safeguards rule, under Gramm-Leach-Bliley, around information security. So, what you're going to see is the scope of institutions that will fall under the FTC's authority on this is quite broad. It includes mortgage brokers, investment advisors, private lenders, and many asset managers. And even beyond that.

Brian Dunphy (5:55):
So, outside of the realm of financial services, the SEC has really broad latitude in terms of where they can dive in and assert their authority. And I think that has potential ramifications coming through potentially if the current administration is successful in passing some of their legislative agenda as laws come up, it seems like every single one of them now has some related to privacy.

David Finz (6:22):
One of the areas that we're watching very closely is with respect to the Build Back Better legislation. And if Congress ends up passing that, the current version would give the FTC the authority to file complaints in federal district court, and to seek penalties of up to $43,000 per violation under the aegis of unfair or deceptive acts or practices. And what they're doing is they're taking areas where they already have jurisdiction, such as the Children's Online Privacy Protection Act, and saying that perhaps a single statement on a company website, which is found to violate that law or any other law that falls under the FTC's jurisdiction around data privacy, could result in liability for that company with respect to each and every consumer who relied on it. Now, to be fair, the courts do have the authority to reduce those damage awards because they could actually be quite a burden on businesses, but the prospect of a nuclear verdict is always out there.

And that could drive some companies to settle with the government, even though they might have strong defenses that no violation has actually occurred. The FTC's authority, if we are to look at, for example, what they exercise over the Telephone Consumer Protection Act, is quite broad to go after these companies on a per-violation basis. And if we see that play out in the data privacy arena, it can actually be quite an enormous exposure for businesses.

Brian Dunphy (7:55):
And just as, as we layer one step up now, more and more in the United States continue to expand their interaction in a global market. How does what we have here as far as regulatory compliance efforts? How do they stack up presently as against what we know in Europe, GDPR, and any other enforcement acts that are enforced globally?

David Finz (8:22):
So, I mean, the GDPR is probably one of the most stringent regulatory regimes on the face of the earth when it comes to data privacy, and many US businesses are subject to GDPR inasmuch as they conduct business with European consumers. In fact, the California legislation in many ways was seen as mirroring many of the safeguards of GDPR. What we're seeing here that is, I think, qualitatively different is regulators now coming in and imposing some liability on companies for failures of security. In other words, not just the fact that data might have been breached, but because they don't have the proper controls in place or the proper governance procedures. So, we're going to begin to see this now, especially in the FI arena. Going back to what the FTC is going to be able to do under the safeguards rule later this year, some of the controls that they are looking for out of financial institutions include, these are the basic blocking and tackling of cyber security, multifactor authentication, encryption of consumer data and compliance around procedures for retention of consumer records. So, you could have a situation where an enforcement action is brought, even though a breach might not have occurred. But if regulators believe that a business is not complying with these security controls, they could be cited for that.

Brian Dunphy (9:49):
Yeah, you can see that could have a massive trickle-down effect in the financial services space in terms of the way that funds interact with direct consumers or act through other intermediaries and how that could have widespread implications for a number of different organizations.

David Finz (10:06):
Yeah. I mean, there are also new governance requirements that are going into effect for these entities involving risk assessment, employee training, vendor management, these are things that we have been speaking about with our clients over the past couple of years, in terms of good things to have, good controls, to have in place, to present yourself as a more attractive risk to the underwriters. Now they're going to have the added incentive of having regulatory oversight in these areas. So now again, the carrot of presenting yourself as a good risk when we go to market to try to get cyber coverage in place for a company is now being matched with the stick, if you will, the FTC's enforcement authority.

Brian Dunphy (10:49):
Yeah, the added burden of compliance should only prove to be at least a good self-checkup as far as risk awareness and security posture.

David Finz (11:00):
Yeah, and I think this is why, what we're seeing now is being reported. There's a report that actually came out from the International Association of Privacy Professionals in cooperation with Ernst & Young, that says that the spending for the corporate budget for privacy is on the rise. The average privacy budget now for a company, in the United States is $873,000. And that 45% of the businesses surveyed are hiring new privacy professionals over the next six months. And I think this is all a reflection of the increased oversight they're seeing in the regulatory space. The fact that their stakeholders demand that they have greater security measures in place. And frankly their underwriters are requiring it as a precondition to coverage.

Brian Dunphy (11:45):
Yeah, the past year in the markets for our clients and, and brokers is certainly challenging in that regard, and a lot of the hurdles that needed to be cleared before coverage could be obtained. Certainly, those hurdles got higher, and more hurdles were placed in front of clients and brokers like making it an incredibly challenging time. And there certainly doesn't appear to be any let-up coming soon in 2022.

David Finz (12:11):
Because there's not. And I think companies are going to need to stay vigilant in this space. I mean, we are getting out in front of it in terms of speaking with our clients, 90, 120, and sometimes even 150, 180 days prior to renewal, to set expectations. In terms of what moves the needle to the underwriters, what kind of security controls our clients need to have in place.

What type of privacy procedure, so that they are prepared when we go to market to be able to present themselves as attractive risk. Because things that in the past were nice to have now become "must haves" for purposes of getting favorable terms and conditions from the underwriters.

Brian Dunphy (12:49):
That's absolutely right. I couldn't agree more. I think that's a great place to leave it off today. David, thank you. So, your time, why don't you tell everyone where they can follow you on LinkedIn with some of the new stuff you're up to?

David Finz (12:58):
Right. So, I have started doing a weekly blog known as the Cyber Insurance Imperative. Content is coming out every Monday and you can follow me on LinkedIn there. And if you'd like to stay up to date with any content that we're putting out, you can DM me or send me an email at David.finz@alliant.com and we'll be sure to add you to our mailing list.

Brian Dunphy (13:21):
Awesome. That's all. Great. Thanks, David, again, for your time. This is Brian Dunphy with Alliant Specialty, and to discover the more rewarding way to manage risk, you can find David, me, or any of your other Alliant colleagues online. Thanks so much for tuning in.


Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.