Data breach and privacy concerns are top of mind for companies no matter where they operate. However, those that do business in California should take careful note of the flurry of recent California legislative activity that increases regulation and potential corporate exposure in this arena.
For example, signature collection recently began in California for a state initiative that is intended to significantly lessen the largest hurdle faced by plaintiffs in privacy actions — demonstrating harm from the disclosure of “personal information.” If the initiative passes, culpable harm will be presumed upon allegedly improper disclosure of broadly defined “personal information.” To date, numerous privacy actions have been dismissed because the plaintiffs cannot establish injury/harm. Hence, multiple commentators have predicted that this initiative could create substantially increased exposure to class action privacy lawsuits for any entity that collects and maintains personal information.
Additionally, within the last month, the California legislature has modified its privacy laws to increase consumer protections, resulting in an increase in risk for businesses operating in California:
- California Civil Code sections 1798.29 and 1798.82 were modified to expand data breach notification requirements.
- California Business and Professions Code section 22575 (California’s Online Privacy Protection Act) was amended to require additional disclosures regarding an entity’s online privacy policies.
- California’s Business and Professions Code sections 22580 through 22582 (“Privacy Rights for California Minors in the Digital World”) were enacted to, among other things: (a) prohibit online service operators from targeting certain advertising to minors.
This recent and ongoing California activity emphasizes that businesses in California and elsewhere must continue to be vigilant in their focus on methods to reduce their risk of exposure. Unfortunately, examples of claims and litigation resulting from alleged statutory breaches have grown and will continue to do so. For example, Yahoo was recently sued in a proposed California class action lawsuit that accused it of violating both federal law and California’s Invasion of Privacy Act. The plaintiffs allege in part that Yahoo users have “an expectation of privacy for the content of their electronic communications” and that any business practice of reading such communications is not within the “ordinary course of business” exception found in certain laws.
Insurance is an important component of a risk management plan that seeks to combat this increased exposure. As statutory regulation continues to morph, companies should — on an ongoing basis — examine their potential exposure, matched against their existing insurance portfolio, to confirm that they are adequately protected to pay for both lawyers’ fees and other amounts spent responding to statutory claims against them. For example, depending upon the type of coverage at issue, the question of coverage for alleged statutory breaches, including claimed intentional/willful breaches, can be a major area of dispute between insurers and policyholders. Some insurers include language in their commercial policies that they later argue precludes coverage when the policyholder is alleged not to have complied with a particular statute. Insurers also often argue against coverage for statutory damages.
However, such arguments could all but gut critical insurance protection. Thus, in the first instance, companies should review their existing policies now to assess the extent of coverage for this increased risk. For example, does a company's policy contain exclusions that purport to preclude coverage for some measure of statutory exposure? How specific or broad is the language of any such exclusion(s)? What about coverage for statutory “fines” or “penalties”? And does the policy language track the evolving case law? In fact, insurers often seek to include exclusions for statutory fines/penalties/damages, even though the courts are increasingly finding in favor of coverage for such exposure.
Depending upon the breadth of the coverage or exclusions in current policies, at renewal, policyholders should negotiate for language or purchase specialized policies that most effectively match their risk profile, based upon evolving regulation in the states and countries where they do business. Coverage counsel can help accomplish this goal by discussing in a privileged setting the extent to which the existing or offered policy language is adequate and how it can be modified to increase insurance protection.
And, finally, if a company is sued for an alleged privacy statute violation and its insurer cites a “statutory” exclusion to deny coverage, the company should scrutinize its policy language for holes in the insurer’s position. For example, last week, Judge Feess in the Central District of California rejected Hartford’s argument against coverage for two California Confidentiality of Medical Information Act actions regarding alleged disclosures of patient medical information. Hartford pointed to an exclusion for injury “arising out of the violation of rights created by state or federal acts.” The court found that the exclusion did not apply in part because medical record privacy rights existed under common law long before California enacted statutory protections.
As the states continue to regulate in the privacy arena, and companies continue to focus on an overall program to address risks of claimed privacy breaches, they should include a careful consideration of insurance as an important part of any such program.