![Page 1: GDPR and CCPA Insurance Coverage Issues: Addressing New …media.straffordpub.com/products/gdpr-and-ccpa-insurance... · 2019-09-11 · GDPR ONE YEAR ON: EU LANDSCAPE OF PROCEDURES](https://reader033.vdocument.in/reader033/viewer/2022050114/5f4b5195fdc96a3f2904e49b/html5/thumbnails/1.jpg)
GDPR and CCPA Insurance Coverage Issues:
Addressing New Risk Exposures
WEDNESDAY, SEPTEMBER 11, 2019
Presenting a live 90-minute webinar with interactive Q&A
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Richard (Rich) DeNatale, Partner, Jones Day, San Francisco
Jennifer C. Everett, Attorney, Jones Day, Washington, D.C.
Fred E. Karlinsky, Shareholder, Greenberg Traurig, Ft. Lauderdale, Fla.
Aarti Soni, Senior Vice President, Marsh & McLennan, New York
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-877-447-0294 and enter your Conference ID and PIN when prompted.
Otherwise, please send us a chat or e-mail [email protected] immediately
so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the ‘Full Screen’ symbol located on the bottom
right of the slides. To exit full screen, press the Esc button.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 2.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the link to the PDF of the slides for today’s program, which is located
to the right of the slides, just above the Q&A box.
• The PDF will open a separate tab/window. Print the slides by clicking on the
printer icon.
FOR LIVE EVENT ONLY
GDPR & CCPA: ISSUES IN INSURANCE COVERAGE
Richard DeNatale
Jennifer C. Everett
GDPR: LESSONS FROM YEAR ONE
GDPR ONE YEAR ON: EU LANDSCAPE OF PROCEDURES AND CASES
• The GDPR took effect on May 25, 2018
• During the first year, Data Protection
Authorities (“DPAs”) received:
• 280,000+ cases
• 144,000+ individual complaints
• 89,000+ data breach notifications
• So far in 2019, DPAs report an uptick in
data breach notifications
Source: European Data Protection Board, 1 year GDPR – taking stock, May 22, 2019,
available at https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en
DATA BREACH: WHAT IS IT?
• What is a personal data breach?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data transmitted, stored or otherwise processed.
• To whom and when is notice required?
➢ Supervisory Authority: unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned
➢ Individuals concerned: where the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned
➢ Additional area-specific notification obligations:
▪ Statutory (e.g. telecommunication service providers, critical infrastructure operators, digital services providers, ad-hoc publicity)
▪ Contractual (e.g. data processing agreements, customer agreements, contractual accessory obligation)
DATA BREACH: TIMING / RISK OF FINES
• Timeframe
1. Without undue delay
– Where feasible, within 72 hours to the supervisory authority
2. After having become aware of the breach
– Reasonable degree of certainty is sufficient
– Short initial investigation is possible
– The controller is usually “aware” when the processor has informed it of
the breach
• Risk of fines with respect to information disclosed in the notification?
DATA BREACHES: RECENT DEVELOPMENTS
Marriott International Data Breach
• July 9, 2019: UK’s Information Commissioner’s Office (“ICO”) fined Marriott £99,200,396 (approximately USD $124 million, ~3% of the company’s global revenue)
• In 2016, Marriott International acquired Starwood Hotels
• During due diligence, Marriott failed to discover that Starwood’s systems had been hacked in 2014.
• ~339 million guest records exposed
• ICO initiated investigation on behalf of other EU
member states
• Marriott cooperated with investigation and made
security improvements; ICO’s announcement
notes that it took Marriott two years to discover
the breach
British Airways Data Breach
• July 8, 2019: UK’s ICO fined British Airways
£183,390,000 (approximately $230 million, ~1.5% of
company’s 2017 global revenue)
• In June 2018, British Airways’ website was hacked,
diverting web traffic to a fraudulent website.
• 500,000 customers affected; British Airways notifies
ICO in September 2018
• ICO faults British Airways’ poor security measures
• ICO acknowledged that British Airways made
improvements to its security systems and cooperated
with the investigation
DATA SUBJECT RIGHTS: WHAT ARE THEY?
• Access – right to receive personal data and key processing information
• Rectification – right to rectify inaccurate personal data
• Erasure – right to have data erased where processing no longer necessary,
consent is withdrawn, right of objection used, processing is unlawful, etc.
• Restriction – right to restrict disputed processing
• Portability – right to receive or transfer personal data where processing
based on consent or contract
• Objection to certain processing/automated decisions – e.g. right to prevent
processing based on legitimate interests unless compelling legitimate grounds
DATA SUBJECT RIGHTS: EXPERIENCE UNDER THE GDPR
• Large numbers of access requests
➢ Over 40,000 in past year in the UK
➢ Most common UK complaint - 42% in 2016/17, 39% in 2017/18 (would be over 15,000 DSR complaints)
➢ Likely to increase (activism/awareness, employee litigation)
• Starting to see fines
➢ Under GDPR in Hungary for EUR 3,000 (February 2019)
➢ UK Magnacrest prosecution - £1,500 fine (February 2019)
➢ UK prosecution of Cambridge Analytica - £15,000 fine (pre-GDPR)
• Other DSRs less common (initial increase in erasure requests after
GDPR)
ADDITIONAL GDPR ENFORCEMENT ACTIONS
• Outside of the data breach context, DPAs have levied fines for a broad range of GDPR violations.
• January 21, 2019: French DPA (the CNIL) fined Google €50 million ($56 million)
– Fine resulted from Google’s alleged failure (1) to comply with the GDPR’s transparency and notice requirements and (2) to obtain valid consent from users.
– The CNIL noted that unambiguous consent requires clear, affirmative user action. A pre-ticked box does not constitute unambiguous consent.
• July 2019: Greek DPA fines PricewaterhouseCoopers (PwC) €150,000 ($166k)
CCPA: RIGHTS AND REMEDIES
OVERVIEW: WHAT IS THE CCPA?
• Signed into law on June 28, 2018 by Governor Brown.
• Represents the latest change to California privacy law and the toughest privacy law in the U.S.
• Creates statutory damages for data breaches.
• Grants consumers more control over and insight into the spread of their personal information online.
• Imposes on businesses additional obligations related to notice, disclosure, and response to consumer requests.
• Operative January 2020; AG enforcement between January and July 2020.
WHO IS REGULATED?
Businesses (“controller”)
For-profit entities doing business in CA and:
(1) Have annual gross revenues over $25,000,000; or
(2) Hold personal information of 50,000 or more consumers, households, or devices; or
(3) Derive at least 50% of annual revenues from selling consumers’ personal information
Akin to controllers under the GDPR.
Affiliates
Covers affiliates where they:
(1) control or are controlled by a business that meets the covered business criteria AND
(2) share common branding with the business (e.g., shared name, service mark or trademark)
CCPA IN A NUTSHELL
Consumer Rights
• Right to be informed
• Right to access
• Right to deletion
• Right to opt-out
• Right to equal service
Notice & Disclosure
• Disclose the categories of data collected and the purposes for which the categories of data will be used.
• Disclose personal information shared with third parties, including when such data is sold, sources of collection, with whom data is shared, and how to exercise consumer rights.
Private Action
• Consumers have right to sue where data was stolen or disclosed as a result of a security breach.
• Statutory damages range from $100 to $750 per violation, as a result of a breach.
Sanctions
• Businesses subject to civil action for violations of CCPA by the California Attorney General.
• Penalties range from $2,500 to $7,500.
CONSUMER RIGHTS
• Right to be Informed
• Right to Access
• Right to Deletion
• Right to Opt-Out
• Right to Equal Service
TECHNICAL AND ORGANIZATIONAL MEASURES
Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information.
Measures: Encryption | Pseudonymization | De-identification
Comply with recognized information security frameworks (e.g., NIST, ISO-27001, California Center for Internet Security Critical Security Controls).
PUBLIC ENFORCEMENT FRAMEWORK
• California Attorney General enforces violations of the CCPA
• Businesses have 30 days to cure an alleged violation
• Penalties:
• Up to $2,500 per unintentional violation
• Up to $7,500 per intentional violation, in addition to the
$2,500 violation
• Portion of penalties go to “Consumer Privacy Fund”
PRIVATE RIGHT OF ACTION: LIABILITY FOR DATA BREACHES
• Consumers have private right of action when their non-encrypted or non-redacted personal information is subject to data breach.
  o Damages between $100 - $750 per incident (or actual damages), or
  o Seek injunctive or declaratory relief
• For breach liability, definition of personal information follows California state data breach notification law
  o Individual name + SSN, driver’s license/ID number, account number, credit or debit card number, medical information, or health insurance information
CCPA & GDPR: BRIEF COMPARISON
GDPR & CCPA
GDPR
• Legal basis for processing
• More extensive notice requirements
• Different data subject rights
• More extensive data processing agreements
• Data transfer mechanisms
• Different approach to minors
Commonalities
• Data breach response obligations
• Similar individual rights
• Security measures to protect data
• Require transparency
• Contracts with service providers
CCPA
• No legal basis for processing
• Notices focus on 12-month look-back
• Focus on sale of data and right to opt out
• Does not address data transfer mechanisms
• Fewer obligations on service providers
• Focus on sale of minors’ data
KEY INSURANCE ISSUES:
DO CYBER POLICIES PROVIDE ADEQUATE
COVERAGE?
CYBER INSURANCE OVERVIEW
➢ Evolution of cyber policies over 20 years has been marked by:
▪ Ongoing change – to respond to emerging risks and market demand
▪ Lack of standardization – more than 30 forms currently available
▪ Divergence in forms – robust vs. restrictive coverage
➢ Same themes apply to the insurance industry’s response to GDPR and CCPA exposures
CYBER INSURANCE OVERVIEW
Core coverages:
➢ Incident Response: coverage for cost of legal and forensic investigation, breach notifications, credit monitoring
➢ Network Interruption: coverage for lost revenue and extra expense resulting from network shutdown
➢ Privacy/Security Liability: Coverage for defense and settlement of third party claims
➢ Regulatory Coverage: Coverage for defense and settlement of government investigations
©2016 Jones Day
CYBER INSURANCE OVERVIEW
Additional coverages available:
▪ Professional / Technology Services: negligent errors & omissions in professional or technology services
▪ PCI claims
▪ Media content liability
▪ Cyber extortion / ransomware
▪ Data restoration costs
▪ Electronic funds theft
CYBER INSURANCE – KEY QUESTIONS
GDPR
CCPA
New statutory duties
Class action litigation
Risk of regulatory fines
COVERAGE FOR GDPR EXPOSURES
COVERAGE FOR GDPR EXPOSURES
➢ Many GDPR exposures can be insured under cyber policies
▪ Cost of providing notice
▪ Credit monitoring as remedial measure
▪ Legal fees and forensic consulting fees to investigate breach
▪ Defense and settlement of damages claims by individuals in national courts
▪ Legal fees to defend regulatory investigations by DPAs or Member States
COVERAGE FOR GDPR FINES
➢ Considerable debate over insurability of GDPR fines
➢ Three questions may determine coverage
1. What type of fine?
▪ Article 84 permits Member States to impose their own penalties, which may be criminal in nature.
▪ Article 83 authorizes administrative fines
o Two tiers (one tier capped at EUR 10,000,000 or 2% of worldwide revenue; the other capped at EUR 20,000,000 or 4% of worldwide revenue)
o Can be imposed for poor network security practices or violations of individual rights
o Can be imposed for intentional or negligent conduct
COVERAGE FOR GDPR FINES
2. Which jurisdictions are involved?
➢ EU member states take different positions on insurability
▪ Where did violation take place?
▪ Where do affected individuals reside?
▪ Where are policyholder and insurer located?
▪ Which Member State’s Data Protection Authority handles enforcement?
COVERAGE FOR GDPR FINES
3. What type of conduct?
▪ Article 83 fines may be imposed for intentional or negligent conduct
▪ Fines may be imposed on parties that bear little or no fault
o British Airways and Marriott matters
▪ Little case law addressing insurability of government fines based on negligence or strict liability
▪ Under English law, the argument that government fines cannot be insured is based (in part) on principle of ex turpi causa
o i.e., a party cannot recover insurance for loss that results from its own wrongdoing
o applied where defendant’s conduct involves an element of moral turpitude
HYPOTHETICAL
US-based multinational corporation has cyber policy from the London market. Its German subsidiary is hacked by criminal actors, who exploit a previously unknown vulnerability and steal personal data of 50,000 consumers.
Policyholder immediately reports breach to the German DPA; notifies affected individuals within 72 hours; and offers free credit monitoring services. It also eliminates the vulnerability and strengthens overall network security.
German DPA investigates and imposes administrative fine.
What is the public policy rationale for prohibiting insurance coverage?
COVERAGE FOR CCPA EXPOSURES
COVERAGE FOR CCPA EXPOSURES
Is your cyber insurance program adequate?
➢ New statutory obligations
▪ For the past 10-15 years, cyber policies have focused on the unauthorized disclosure of personal information
▪ CCPA (and GDPR) imposes new requirements for the handling, use, and transfer of information
➢ Violation of data processing requirements may not be covered under existing policies
➢ Sample policy language:
The Insurer will pay on behalf of the Insured:
Damages and Claims Expenses, in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim for theft, loss or unauthorized disclosure of Personally Identifiable Information …
HYPOTHETICAL
Ohio-based corporation, which does business in California, delays in undertaking a CCPA compliance review of its information security practices.
Company receives a request from Jane Doe, a California resident, to delete all personal data. Corporate compliance officer ensures that Ms. Doe’s data is deleted from all customer databases, but is unaware that the same data resides in other corporate locations.
After her data is compromised in a data breach, Ms. Doe files a class action under CCPA on behalf of all California residents who had requested deletion of their data, seeking damages for failure to delete and unauthorized disclosure.
Will claims be covered under existing cyber policies?
COVERAGE FOR CCPA EXPOSURES
➢ Class action litigation
▪ Anticipate surge in litigation once CCPA becomes effective
▪ Statutory damages remedy ($100 to $750) is likely to drive up cost of defense and settlement
➢ Existing cyber policies:
▪ May not provide sufficient policy limits for major litigation
▪ May not include clear coverage for statutory damages
COVERAGE FOR CCPA EXPOSURES
➢ Heightened risk of regulatory enforcement
▪ New enforcement authority of California Attorney General
▪ New civil penalties created under CCPA
▪ Questions of insurability – similar to GDPR
➢ Many existing cyber policies:
▪ Do not cover regulatory proceedings or
▪ Offer qualified coverage for government fines/penalties
➢ Sample policy language:
Loss means the amount the Insured is legally obligated to pay as a result of a Claim including: …
Civil fines or penalties assessed against an Insured Individual if, and to the extent, such fines or penalties are insurable as a matter of law
CLOSING THE COVERAGE GAP
CLOSING THE COVERAGE GAP
New regulatory landscape requires re-assessment of cyber insurance programs
1. Insuring agreement for Privacy Liability should cover both unauthorized disclosures and data processing violations
2. Review sufficiency of policy limits
3. Include express coverage for statutory damages
4. Include coverage for regulatory actions, with express reference to GDPR
5. Include coverage for fines to the fullest extent permitted by law
6. Consult with coverage counsel for optimal policy language
RICHARD DENATALE BIO
Richard DeNatale, Jones Day, San Francisco Office, [email protected]
Rich DeNatale is one of the nation's foremost lawyers in the field of cyber insurance. He has been retained to handle insurance claims and strategy for more than 45 cyberattacks and data breach incidents, including some of the largest in history. He represented Sony Pictures in obtaining insurance coverage for the cyberattack attributed to North Korea.
Rich has been recognized in Chambers as one of the leading coverage lawyers in the United States. He has acted as lead counsel in precedent-setting coverage litigation on data privacy issues in both California and New York. He regularly advises clients on cyber policy acquisitions and renewals.
Jennifer C. EverettJones DayWashingtonOffice [email protected]
Jennifer Everett's practice focuses on cybersecurity, dataprivacy, and employment. She advises multinational clients ona wide range of privacy and data compliance issues, includingcyber governance, and developing global data protectioncompliance programs. Jennifer has particular experience inadvising companies on compliance with global data protectionlaws, including the EU General Data Protection Regulation,and the California Consumer Privacy Act.
Jennifer handles all aspects of U.S. and international databreach investigation and response, including advising clientson forensic investigations, notification and other legalobligations, and related regulatory investigations.
©2016 Jones Day
JENNIFER C. EVERETT BIO
43
Strafford Webinars
GDPR & CCPA Insurance Coverage Issues
Regulatory Strategies and Risk
954.768.8278
FRED E. KARLINSKY
© 2019 Greenberg Traurig, LLP
Fred E. Karlinsky, Shareholder, Co-Chair, Insurance Regulatory & Transactions Practice
Tel: 954.768.8278 | E-mail: [email protected]
The Shifting United States Regulatory Landscape

Cybersecurity & U.S. Regulation
• Major data breaches involving large U.S. companies have affected U.S. consumers
• No uniform, comprehensive data security laws and regulations in the U.S.: competing federal and state laws and competing regulators (often the states) vie for center stage
• Uneven patchwork of laws and regulations creates problems for companies doing business in the U.S.
• Companies forced to comply with contradictory or competing requirements
• EU GDPR only complicates matters further, since EU regulators are not bound by U.S. regulatory and litigation norms
Federal Cybersecurity Laws
• Federal approach: regulate certain sectors and information, especially the financial markets and banking system, where public trust is paramount.
  • Health Insurance Portability and Accountability Act (HIPAA): protects the privacy of protected health information
  • Separate privacy laws protect specific areas of the U.S. health-care system
  • Family Educational Rights and Privacy Act (FERPA)
  • Children’s Online Privacy Protection Act (COPPA)
State Cybersecurity Laws
• State data breach laws have always been there, just never so visible.
  • California Security Breach Information Act in 2003
  • Followed by 48 states enacting breach notification laws
• Patchwork of sometimes conflicting provisions
  • Differing categories of protected information
  • Differing notification requirements
California Consumer Privacy Act (CCPA)
• Takes effect on January 1, 2020
• Most comprehensive privacy law in the United States
• Inspired by GDPR, but differs in some key respects
• Numerous requirements related to collecting and processing personal information of California consumers
• Failure to comply may lead to regulatory enforcement actions, steep fines, litigation, and loss of goodwill
Cybersecurity & U.S. Insurance Industry
• New York Department of Financial Services: Cybersecurity Requirements for Financial Services Companies
  • Chief Information Security Officer responsibilities and upward reporting to the Board of Directors; annual certification to DHS as well. Not just compliance here, but certifications too.
• National Association of Insurance Commissioners: Insurance Data Security Model Law
  • Reporting standards
  • Interaction with New York’s requirements
New York Department of Financial Services Cybersecurity Regulation
New York Cybersecurity Requirements for Financial Services Companies
• “Cybersecurity Requirements for Financial Services Companies”
  • Insurance companies, banks and other financial services
• Annual Risk Assessment
  • Informs written policies and procedures
  • Assists entities in understanding their data vulnerabilities
• Cybersecurity Policy
  • Detailed statement of a company’s information security policies and procedures
  • Must cover certain specific items, including software requirements and physical safeguards
New York Cybersecurity Requirements for Financial Services Companies
• Third Party Service Providers
  • Entities must have written policies for ensuring third party contractors do not compromise data
• Incident Response Plan
  • Entities must prepare written plans to respond to data breaches, describing procedures, designating roles and responsibilities for personnel, and planning to remediate/mitigate harm
• Designation of Key Personnel to oversee cybersecurity measures within the company, with training requirements and internal procedures to detect cyber risks
NAIC Data Security Model Law
NAIC Insurance Data Security Model Law
• Requires “licensees” to:
  • Develop an Information Security Program (ISP); investigate Cybersecurity Events; and notify the Insurance Commissioner of Cybersecurity Events
• ISPs
  • Administrative, technical, and physical safeguards are required
  • Commensurate with size and complexity of licensee; nature & scope of activities; sensitivity of non-public information
  • Developed based on internal risk assessment
NAIC Model & NYDFS Cyber Regulation: Key Similarities & Differences
• Key similarities between the Model and Regulation:
  • Incident Response Plan
  • Annual certification of compliance to Insurance Commissioner
  • Insurance Commissioner authorized to inspect insurer documentation of efforts to improve Incident Response Plan
• Key differences between the Model and Regulation:
  • Different exemptions
  • NAIC Model provisions governing third parties are more flexible than the NYDFS Regulation
NAIC Insurance Data Security Model Law: Adoption
• Early adopters: Alabama, Delaware, Ohio, Michigan, Mississippi, New Hampshire, and South Carolina
• Legislative activity in Nevada and Rhode Island
• Connecticut adopted NY DFS approach
• Expect variation between state requirements
  • Compliance with inconsistent requirements will be a key issue for companies

Compliance Strategies
Compliance 101: Be Informed and Stay in the Lane!
• Given the inconsistent patchwork of U.S. federal and state laws, companies and boards of directors must be well-informed and stay well within the lanes established by regulators
• Robust compliance protocols must be in place
  • Ensuring a culture of compliance within required timeframes (like it or not)
• But boards need to be more involved beyond “check-the-box” compliance, as cyber risk is quickly morphing into entity risk, creating the need for a whole-company approach
• Cybersecurity is not just an IT problem; today it’s everyone’s problem, especially the board’s
Compliance Strategies
• The ever-evolving U.S. regulatory landscape is getting more punitive to deal with
• The time is now to implement internal cybersecurity measures
  • Even if none currently apply to your organization, they soon will
  • Look to the NYDFS Cybersecurity Regulation, the CCPA, and the NAIC Model Law
Compliance Strategies
• Conduct regular risk and vulnerability assessments to stay on top of today’s evolving risks
• Written information security, cybersecurity, and privacy policies and procedures must be in place regardless of your organization’s size
• Written guidelines must include:
  • How risks will be identified, evaluated and prioritized
  • How systems and controls will be evaluated and tested for adequacy
  • How risks will be accepted, mitigated or otherwise controlled
• A company cannot mitigate all conceivable risks, but should address risks by either mitigating, accepting, or transferring them to a cybersecurity insurance carrier for a fair premium
Compliance Strategies
• Must develop a Cybersecurity Program commensurate with:
  • Size and complexity, as well as the type of data you collect, store or process; there is a big difference between making widgets and making aircraft parts for a DoD main contractor
  • Nature and scope of the company’s activities, which will matter and vary greatly
  • Third-party service providers, which have magnified risk identification and transfer issues; outsourcing to the cloud is fine, if you know and understand the risk
  • Sensitivity of non-public information, which is paramount
Compliance Strategies (Cont.)
• Program developed based on risk assessment coupled with the regulatory landscape
• Risk and vulnerability assessment results should be reviewed by the Board of Directors
• Key areas: software protections & physical safeguards
• Third-party service provider/vendor due diligence policies must be implemented both contractually and on a risk-adjusted basis; some vendors are just more critical than others. Remember, you “own the cybersecurity” of your vendor for compliance purposes.
Contact Information
Fred Karlinsky
Shareholder and Co-Chair, Insurance Regulatory & Transactions Practice
Greenberg Traurig, P.A.
(954) 768-8278