Enforce Cyber Insurance to Avoid Being Blindsided
We live in an era of privacy threats, security attacks, and ransomware. Because of these dangers, states are now proceeding with regulations that govern the collection, storage, processing, and distribution of data belonging to business customers and state citizens. With little federal government action, each state has its own view of what to do and how to accomplish its goals. California, for example, is considering new safeguards for state-collected and state-processed data by mandating that contractors with access to state data carry cyber insurance.
California Privacy Rights and Enforcement Act of 2020 (CPEA)
The California Privacy Rights and Enforcement Act of 2020 (CPEA) requires organizations and businesses to disclose details about profiling algorithms that relate to personal information. This covers the employment, housing and credit of citizens and whether and how the personal information is used to influence elections.
The initiative creates the California Privacy Protection Agency to carry out CCPA enforcement and provide guidance to the industry, citizens, and consumers starting no later than July 1, 2020. The CPEA increases penalties for organizations and businesses that violate children’s privacy by tripling the amount currently fined for collecting or selling the personal information of minors less than 16 years of age without their consent.
Organizations and businesses should follow the progress of the CPEA to remain abreast of the changing laws and to produce effective and responsive compliance programs.
Cyber insurance is one way to mitigate the financial risks from these attacks. Many experts believe that payouts are encouraging attacks in the first place. Cyber insurance typically covers a business's liability for a data breach involving sensitive customer or citizen information, such as numbers from social security cards, credit cards, bank accounts, driver's licenses, and health records. A cyber insurance policy is intended to help the business, contractor, or organization reduce its risk exposure by offsetting the costs of recovery after a cyber-related security breach or attack.
Preparing to be insured requires that the organization produce policies, procedures, hardware, and software tools, as well as systems to prevent or limit the attacks. Without good security and privacy initiatives in place, insurance probably won’t be available. Even if you are insured, there is no guarantee that when the premiums are paid, the insured organization will receive the financial compensation, according to “Businesses are Finding out that Cyber Insurance Coverage might not be what they thought.” Most claims are limited to reimbursing losses incurred during a network interruption and therefore do not cover the entire period that the business has been disrupted.
There is evidence that many of the cyber insurance policies are not that valuable since insurance companies look for excuses to avoid paying out the full amount of a claim.
California’s Cyber Insurance Approach
The bill “AB-2320 Personal information: contractors: cyber insurance” was introduced in February 2020. It mandates that cyber insurance coverage be obtained when a contractor receives access to records that contain personal information protected under the state's Information Practices Act (IPA), passed in 1977. The IPA requires an agency to ensure the security and confidentiality of personal information in accordance with specified conditions and limitations. Examples of personal information are names, social security numbers, physical descriptions, home addresses, home telephone numbers, education, financial matters, and medical or employment history.
AB-2320 has the potential to transfer some cyber-attack costs from taxpayers to the private sector. The hope is that this will improve the basic risk awareness and best practices among contractors.
California isn’t the only state involved in the expansion of security and privacy protections. There are about 300 other bills up for approval across the U.S. Businesses and organizations should assign one or more staff members to monitor the states and their actions. That can help ensure that compliance requirements are anticipated rather than blindsiding the business or organization.