Lawmakers respond to breaches with prescriptive privacy protections

Introduction

The proliferation of data privacy legislation in multiple states, combined with numerous high-profile security breaches, has elevated cybersecurity defense to a top priority for CEOs and boards of directors. Corporations, small businesses, and public entities are victims of cybercrimes on a daily basis. Well-publicized mega breaches that plagued major corporations, including Marriott, Equifax, and Facebook, make headlines, while several sources estimate that approximately half of all cybercrimes impact, and in some instances cripple, small and mid-sized businesses [i]. A majority of states have introduced and/or enacted data privacy provisions in recent years, and Congress continues to grapple with broad legislation that would create compliance requirements for entities that collect and/or sell personal information. Violations of existing privacy laws cost companies millions in fines and expose organizations to civil actions and reputational harm. Private and public entities have elevated cybersecurity discussions to the highest levels of leadership and undertaken various efforts to mitigate exposure to cybersecurity liabilities.

Breaches

Many Americans have become numb, almost indifferent, to the proliferation of data breaches and cybercrimes in the U.S., which is the number one worldwide target for hacks and attacks. Recent trends, which include 11% and 67% increases in security breaches over the past one and five years, respectively, according to an Accenture survey [ii], are disturbing and in some instances devastating for victims. Cybercrime damages are expected to cost businesses and organizations $6 trillion by 2021, double the $3 trillion estimate in 2015, according to the Annual Cybercrime Report (ACR) by Cybersecurity Ventures. The cost of the average data breach is nearly $4 million to companies worldwide and $8 million to U.S. companies [iii]. More notable breaches like Equifax, which settled with federal and state governments for $575 million, can cost corporations hundreds of millions. The frequency of breaches that have exposed millions of consumers’ private information to criminals with nefarious intent has led to inevitable responses from lawmakers.

Legislation

The European Union enacted the General Data Protection Regulation (GDPR), effective May 25, 2018, as a first attempt to establish norms and requirements for protecting consumers’ personal information. American companies that conduct business in the EU are subject to GDPR and began preparing to comply prior to the effective date. Those entities will have a head start on similar legislation enacted in the States and currently under consideration in Congress.

The California legislature approved first-of-its-kind and sweeping privacy protection legislation when it enacted the California Consumer Privacy Act (CCPA) in 2018. The measure becomes effective January 1, 2020, and has businesses across all sectors of the economy scrambling to understand its requirements and implement compliance programs to avoid potential fines. Key provisions of CCPA empower consumers to demand from businesses the categories of information they collect, the right to opt out of a business’ sale of personal information, and the right to request that a business delete their personal information. Liberty Mutual Insurance sponsored legislation in California that would have created an entity-level exemption for insurers, but the measure failed to overcome opposition from privacy advocates. Liberty Mutual, via its relationship with Cal Chamber, has secured other favorable amendments to CCPA and continues to advocate for additional “CCPA fixes.” The California Attorney General’s Office will, in its capacity as the enforcer of CCPA, adopt regulations later this year to clarify various provisions and requirements of the Act.

Privacy laws were introduced in at least 36 states this year, according to the National Council of State Legislators (NCSL). Three years ago, only a handful of states had enacted privacy legislation that applied to businesses; the majority of privacy laws in effect in 2016 applied to government only. The number of states with laws that apply to businesses has tripled since 2016. Congress is also considering several broad privacy protection proposals that Liberty Mutual is monitoring and influencing.

[i] Cybersecurity Ventures, Annual Cybercrime Report (2019), p. 11
[ii] Accenture, Cost of Cybercrime Study (2019), p. 10
[iii] Ponemon Institute, Cost of a Data Breach Study (2018), p. 15
