Insurance 2022 - the year ahead
Cyber will be a D&O hotspot in 2022
Companies need a better understanding of the nature of personal information they collect and how they protect it.
In 2022, US insureds will continue to face hurdles arising from stricter underwriting for cyber insurance and from cyber exclusions added to non-standalone cyber policies, which are aimed at preventing cyber incidents from causing a covered loss.
US regulators’ top priority appears to be enforcement of data privacy laws rather than helping businesses understand how to better evaluate what data to collect and how to manage the data they do collect. This reactive approach is similar to how regulators have handled the ransomware crisis that grew significantly during the pandemic. While enforcement is certainly appropriate in some situations involving egregious violations or serial violators of data privacy laws, many businesses simply need guidance on how to better comply with data privacy laws, and the cost of obtaining it presents a barrier. However, while there is a cost to comply with existing regulations, companies that have engaged in the process have benefitted from a better understanding of the nature of the personal information they collect, maintain and share.
Ransom payments in response to ransomware are an issue that has become increasingly controversial around the world. In the US, regulators and law enforcement have been clear that they do not support paying a ransom in response to a ransomware attack. More importantly, businesses may be precluded by law from paying ransom demands under certain circumstances and could face serious consequences if a payment is made that violates the law. In addition, many local governments are considering enacting laws that would prevent them from paying a ransom.
2021 has been a busy year for US legislators, with three major pieces of legislation passed. The California Privacy Rights Act (CPRA) was approved by California voters in November. The CPRA comes into effect on 1 January 2023, replacing the CCPA, and is intended to further strengthen individual privacy rights.
The Virginia Consumer Data Protection Act (CDPA) was signed into law in March 2021 and will also take effect on 1 January 2023. While similar to the CPRA, the CDPA differs in several respects: it requires consumers to opt in to the collection of their information, it does not require a “do not sell my personal information” notice, and enforcement will be carried out by the Virginia Attorney General’s Office.
The Colorado Privacy Act (CPA) was passed in May 2021. While the CPA shares common elements with the CPRA and CDPA, it has its own distinctions: it applies to businesses that acquire information from Colorado residents and households, Colorado consumers must be allowed to opt out of having their information collected for profiling, and opt-in consent must be open and obvious.
2022 could see some businesses unable to secure cyber insurance at a time when cyber incidents, data privacy regulations and their enforcement are all ramping up. Hopefully, this will cause businesses to invest in hardening their cybersecurity and to evaluate their need to collect and maintain data.