This article introduces key privacy legislation in the US, Canada and Europe and discusses the need for and potential role of cyber insurance when dealing with privacy breaches and violations of data privacy law.
Privacy legislation is a term that describes any law intended to protect an individual’s right to privacy.
For any business owner or director, it is essential to have an understanding of privacy laws. In collecting, handling, and storing data, your organization may be exposed to lawsuits from different stakeholders or charged hefty fines for violations by regulators. The exposure to lawsuits, not to mention the cost of rectifying a data breach, has created the need for cyber insurance.
Privacy in Cyberspace
Privacy became an issue as the popularity of the internet increased. The internet started as a tool for researchers to share their studies and other information, and back then no laws applied to it. As the internet became a tool for transacting business, questions about privacy and identification began to crop up. This new way of doing business, transmitting data, and using data signaled the need for courts and legislatures to regulate cyber activities and the use and collection of data.
Privacy law is continuously evolving. Regulators continue to examine which parts of the internet to regulate, to what extent, and how to enforce regulations. The challenge is that data transmission has no boundaries, so it’s important to keep apprised of local and international laws.
Overview of Privacy Laws
Below are examples of laws that businesses should be aware of regarding privacy and data handling. Privacy laws vary by region. In the U.S., for example, there are numerous laws, serving different purposes and differing from state to state. Conversely, Europe has adopted a more general approach with the General Data Protection Regulation (“GDPR”), which covers many purposes and countries under one regulation.
- Federal Trade Commission Act – prohibits unfair or deceptive trade practices. Enacted in 1914, it is the forerunner of many modern data privacy laws which countries adopted much later. This law holds businesses accountable when they haven’t been upfront and truthful about items sold or representations made to consumers.
- Health Insurance Portability and Accountability Act (HIPAA) – protects personal health information (PHI). The healthcare sector is particularly vulnerable to cyber extortion and privacy breaches.
- Gramm-Leach-Bliley Financial Services Modernization Act – sets privacy regulations for financial institutions, including insurance companies. This law requires financial institutions to give you an opt-out option if you don’t want your information shared with other parties.
- Children’s Online Privacy Protection Act (COPPA) – protects the privacy and confidential information of children under 13.
- Sarbanes-Oxley Act – places responsibility for data security on corporate executives.
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) – regulates the use of email and criminalizes specific commercial emails. It mandates that a visible and operable unsubscribe mechanism be present in all commercial emails.
- Fair and Accurate Credit Transaction Act – sets regulations to help protect consumers who have been victims of identity theft. It gives the consumer the option to disallow the company from sharing credit and application information with affiliates. It also prohibits selling information to third parties.
- Health Information Technology for Economic and Clinical Health Act – promoted the adoption of health information technology.
In the U.S., some states also have their own privacy legislation (with several state privacy laws now pending). One to note is the California Consumer Privacy Act, which went into effect July 1st 2020.
A note on the California Consumer Privacy Act:
The CCPA is the most comprehensive privacy law in the U.S. and extends beyond California’s borders. The law applies to for-profit companies exceeding $25M in revenue, handling over 50,000 PII records, or in the business of selling consumers’ personal information.
The CCPA gives consumers control over their private information by giving them the right to:
1. Know what information has been collected about them, how it will be used, and with whom it will be shared.
2. Opt out of businesses selling their personal information to others.
3. Delete their private information held by a business.
Moreover, the CCPA has broadened the definition of Personally Identifiable Information. Under this new law, any information that could be reasonably linked or associated directly or indirectly, with a consumer or household, is considered PII. Even pictures and sounds can be considered PII!
It’s particularly noteworthy because it allows consumers to claim statutory damages of up to $750 per consumer. This means that consumers don’t have to go through the challenging task of proving damages, which will likely prove quite costly for businesses. There are many conditions and specifics to this law, so it’s important to engage legal counsel if it affects you or your clients.
The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act are the two federal privacy laws in Canada.
PIPEDA covers how businesses handle personal information. It applies only to organizations that operate for-profit across Canada. PIPEDA also covers federally regulated businesses such as airlines, banks, and telecommunications companies.
The Privacy Act governs how the federal government handles personal information. There is a specific list of government institutions governed by the Privacy Act, but it applies to all personal information that the federal government uses, collects, and discloses, including personal information of federal employees.
CASL, Canada’s Anti-Spam Legislation, was enacted in 2014 to prevent the misuse of digital technology through spam and other electronic threats. Its intent is to protect consumers and businesses, with consent as a core focus.
The General Data Protection Regulation (GDPR) simplifies data privacy regulation in Europe by unifying the regulation within the European Union. It regulates the collection and processing of personal data of individuals within the European Economic Area. GDPR also restricts the export of personal data outside the European Economic Area. It penalizes violators with a fine of four percent of their global revenues or 20 million euros, whichever is higher. Any company that manages or holds the data of customers in the E.U. is accountable under this law. It doesn’t matter if the violating company is based outside of the E.U.
What is Personally Identifiable Information?
The definition of personally identifiable information (PII) varies by region and legislation. However, the core focus is that if you can identify, contact, or locate an individual with specific data, it may qualify as PII.
Below are some examples of how different regions define PII:
Under the California Consumer Privacy Act (CCPA), PII includes “any information that could be reasonably linked or associated with, directly or indirectly, a consumer or household.”
Under Canadian law, “personal information includes any factual or subjective information, recorded or not, about an identifiable individual.”
In Europe, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Cyber Insurance Coverage
When a business violates a data privacy law, the regulating authority may impose fines on the erring company. A cyber insurance policy might contain an insuring agreement called Regulatory Coverage. This coverage might help make up the loss incurred from paying the fines, which is a first-party loss.
Keep in mind that not all fines are insurable. Some cyber insurance policies may also cover defense costs and regulatory proceedings, depending on the policy wordings.
In many cases, the regulator may go easier on a business if it has handled the cyber breach well. Having appropriate policies in place before a breach (an information security policy, an incident response plan) can significantly assist in responding to the breach. Also, taking the breach seriously from the start and engaging experts may reduce potential fines and liabilities later on, even if it means higher upfront costs. A cyber policy can assist with the breach response as well as with communicating with regulators. If the policy includes privacy liability, keep in mind that it’s in the insurer’s best interest to handle the event well and avoid potential lawsuits.