With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.
How Does the CCPA Impact Insurers?
On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information that do business in California and meet certain applicability thresholds.
Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:
(i) Personal information that is collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations (GLBA) or the California Financial Information Privacy Act (CalFIPA);
(ii) Personal health information collected by a covered entity or a business associate (as such terms are defined in HIPAA) and medical information (as defined in the California Confidentiality of Medical Information Act (CCMIA)); and
(iii) Covered entities (as defined in HIPAA), to the extent the entity maintains patient information in the same manner as personal health information.
Insurers providing products or services to individuals for their personal, family or household purposes are currently subject to GLBA at the federal level (and may be subject to HIPAA in some cases) and state laws implementing GLBA. Many of these state laws are based upon the National Association of Insurance Commissioners (NAIC) Privacy of Consumer Financial and Health Information Model Regulation (Model Privacy Regulation); however, some state laws place restrictions on insurers beyond those in GLBA or the Model Privacy Regulation. Obligations imposed on insurers by GLBA and state laws include, among others, notice obligations and requirements related to sharing personal information with third parties. Some state laws also provide for access, correction and deletion rights in relation to the personal information the insurer collects.
Even prior to the CCPA, state insurance privacy laws presented a challenge for insurers trying to comply with similar but subtly different obligations and restrictions across multiple states where the insurer operates. Insurers subject to the CCPA are now faced with the added challenge of having to categorize all the personal information that they have collected, processed or disclosed in order to determine the scope of their obligations under the CCPA.
What Should Insurers Do to Comply with the CCPA?
Insurers need to act to determine whether the CCPA applies to their operations and, if so, what key steps they must take to comply with this new law. While working through these compliance activities, it is also an ideal time for insurers to review and confirm that their current policies, procedures and practices comply with GLBA, state insurance privacy laws and, to the extent applicable, HIPAA. Listed below are key steps for insurers to consider.
1. Undertake an Analysis to Determine Whether the CCPA Applies to You
The CCPA applies to for-profit entities “doing business” in California (not only companies physically located in California) that meet or exceed the following thresholds:
- Gross an annual revenue of at least $25 million;
- Annually buy, receive for commercial purposes, sell or share for commercial purposes personal information of 50,000 or more California residents, households or devices; or
- Derive 50% or more of annual revenue from selling California residents’ personal information.
The CCPA also applies to any entity (e.g., parent/subsidiary companies) that controls, or is controlled by, a business that meets the above criteria and shares common branding with that entity.
2. Understand Your Data
To the extent that an insurer meets the CCPA applicability requirements, it is critical that the insurer compile a comprehensive data inventory to assess the categories, sources and uses of the personal information it collects as well as the categories of personal information it shares with third parties and the recipients of such information. Without a data inventory, it will be difficult for an insurer to determine whether personal information falls under a CCPA exemption.
In categorizing personal information, an insurer should pay close attention to identify the types of personal information that may not be covered by GLBA, CalFIPA, HIPAA or CCMIA, and therefore be subject to the CCPA. For example, personal information of job applicants, employees and independent contractors, as well as personal information of website visitors and B2B contacts, will likely be subject to the CCPA (although most of those categories of information are subject to their own limited exemptions under the CCPA). If insurers are obtaining leads or prospects, this information will also likely be subject to the CCPA. Insurers should also take note that the definitions of “consumer” and “personal information” do not align under the different laws.
3. Update Your Privacy Notices
The CCPA requires insurers to provide certain notices to California residents prior to collecting their personal information that is subject to the CCPA, including disclosures about the personal information collected as well as the rights that consumers may have under the CCPA. Notices with more limited disclosures are also required for employees, job applicants, independent contractors and certain other individuals under the CCPA. There are also notice requirements under GLBA and state laws implementing GLBA, as well as state laws applicable to website operators. Insurers should revisit their privacy notices to ensure that the notices are accurate and customized to the insurer’s practices, meet the requirements of the multiple applicable laws and consistent in their disclosures.
4. Implement Policies and Procedures to Respond to Consumer Requests
The CCPA introduces new privacy rights for California residents, such as the right to access and obtain a copy of their personal information, the right to request deletion of their personal information and the right to opt out of the sale of their personal information. An insurer is exempt from fulfilling these requests (but still needs to reply to such requests) with respect to personal information covered by GLBA, CalFIPA, HIPAA or CCMIA. Even when exempt from the CCPA, insurers may have obligations to fulfill access, correction and deletion rights under other state laws. It is, therefore, essential that insurers implement policies and procedures to track and respond to these requests in accordance with the various state law requirements, including CCPA requirements.
5. Review and Amend Agreements
The CCPA creates onerous obligations in relation to the “sale” of personal information. For personal information subject to the CCPA, insurers will need to review their data flows with third parties and, as necessary, revise their contracts in order to avoid the sharing of personal information with these third parties being deemed a “sale” under the CCPA. At the same time, insurers should review their agreements with service providers to ensure that such agreements include required restrictions on how service providers can use and disclose personal information and that such agreements impose appropriate security measures on service providers in accordance with GLBA, state laws implementing GLBA and new data security laws specific to the insurance industry.
6. Ensure “Reasonable” Security Is in Place
In the event of a data breach involving certain personal information, California residents can sue an insurer whose failure to implement and maintain “reasonable” security led to the breach. The CCPA allows California residents to recover statutory damages of $100-$750 per impacted individual, or actual damages—whichever is greater.
It is imperative that insurers take steps to implement and enhance their information security programs to follow industry best practices and applicable federal and state data security laws. While insurers are relieved of many of the obligations of the CCPA for personal information covered by GLBA, CalFIPA, HIPAA or CCMIA, these exemptions do not apply in the case of a data breach. In the event of a data breach resulting from the insurer’s failure to implement reasonable security, applicants and insureds have the right to file suit seeking statutory damages. As a result, even data breaches impacting a small number of California residents have the possibility for significant damages. Additionally, as discussed below, there are new security obligations for the insurance industry coming into effect in five states in 2020.
Data Security Requirements for Insurers
In addition to the privacy requirements with which insurers must comply, there is a growing number of state data security laws and regulations directed at the insurance industry. The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (Part 500), which fully took effect on March 1, 2019, was one of the first cybersecurity regulations directed at financial services companies, including insurance companies. Following passage of Part 500, the NAIC membership adopted the Insurance Data Security Model Law (Model Security Law) in October 2017. While Part 500 is more prescriptive than the Model Security Law, both measures establish standards for data security for the insurance industry and investigation and notification obligations in the event of a data security incident. In addition to state laws and regulations specific to the insurance industry, insurers are also subject to general data security laws in the states where they operate in relation to the personal information they collect outside of the insurance context, such as employee personal information.
In 2018 and 2019, eight states adopted into law a version of the Model Security Law. Generally, these laws provide for two transition periods to allow insurers time to implement the required security measures, with the first transition period related to security program requirements and the second related to third-party safeguards. South Carolina was the first state to adopt such a law on May 3, 2018, with the requirements related to the security program taking effect on July 1, 2019, and the requirements related to third-party safeguards scheduled to take effect on July 1, 2020. In 2020, the security program requirements take effect (in order of deadline) in Ohio, Alabama, Mississippi, Delaware and Connecticut. Additionally, on January 29, 2020, Assembly Bill 819, which follows the Model Security Law, was introduced in the Wisconsin State Assembly.
Below is the full set of deadlines for both the security program and third-party safeguards in each of the states that have adopted a version of the Model Security Law.
|State||Security Program Implementation Deadline||Third-Party Safeguards Implementation Deadline|
|Alabama||April 25, 2020||April 25, 2021|
|Connecticut||October 1, 2020||October 1, 2021|
|Delaware||July 31, 2020||July 31, 2020|
|Michigan||January 20, 2022||January 1, 2023|
|Mississippi||July 1, 2020||July 1, 2021|
|New Hampshire||January 1, 2021||January 1, 2022|
|Ohio||March 30, 2020||March 20, 2021|
|South Carolina||July 1, 2019||July 1, 2020|
Although there are some differences among Part 500, the Model Security Law and the state versions of the Model Security Law, conceptually, they are all substantially similar. All of the measures require insurers to:
(i) Conduct a risk assessment and implement and maintain a cybersecurity program that is based on identified risks;
(ii) Develop, implement and maintain an incident response plan;
(iii) Provide oversight of third-party service providers;
(iv) Investigate and report data security incidents; and
(v) Certify compliance with the respective law/model regulation.
Primary differences among the laws and the model regulation relate to cybersecurity events and notifications, the scope of certain exemptions and prescriptive requirements outlined in Part 500.
Insurers need to stay on top of these new requirements, particularly if they are operating in New York, California or the aforementioned eight other states. Insurers should also expect other states to introduce legislation targeted at data security in the insurance industry as state legislatures come back into session this year. Therefore, now is the time for insurers to assess their cybersecurity programs and begin to make any required improvements.