What Insurers Need to Know About New York’s SHIELD Act
A Q&A with Laurie Kamaiko of Saul, Ewing, Arnstein & Lehr LLP
Going into effect in its entirety on March 21, 2020, the New York SHIELD (Stop Hacking and Improve Electronic Data Security) Act updates previous data security laws while creating more obligations and potential concerns for companies and their cyber insurers. We asked Laurie Kamaiko of Saul, Ewing, Arnstein and Lehr about this legislation and how insurers can prepare for its implementation.
What are some of the key provisions of the New York SHIELD Act that expand potential liability for companies handling personal information of NY residents?
The Act broadens the private information that, if breached, would require notification, for example by now including biometric information. It also broadens the requirements for when notification is triggered to include unauthorized “access,” whereas before it was just unauthorized “acquisition.” For example, snooping malware could be on a system without someone stealing the data, but if forensics shows that private information was viewed, that is an event that could trigger the notification obligation. (There are still some safe harbors for data that is encrypted.)
Then there is the expansion to covered entities who are not located in New York State but who have private information of people living in New York State on their systems. That also triggers notification and security obligations under the Act. In all, many more entities are now subject to these obligations than ever before and they can be triggered by many additional incidents.
I should also point out that the Act takes the size of the company into account: smaller entities (under 50 employees, under $3 million in gross annual revenue in the past three fiscal years, or under $5 million in year-end total assets), while not off the hook, will be judged as to whether they have reasonable data security measures in place according to their scale.
What areas are of particular concern for cyber insurers?
Like many recent privacy and cybersecurity laws such as the EU’s GDPR and California’s CCPA, the SHIELD Act is focused on the business practices of companies protecting information, and not just on what to do after an incident occurs. This is a good thing, making companies a better risk and reducing the likelihood of incidents. For instance, the SHIELD Act addresses safely disposing of private information when it’s no longer needed. The Act provides a long list of administrative safeguards, such as training employees in security practices, implementing a data security program and designating an employee to coordinate it, and identifying risks and reasonable technical safeguards. On the positive side, that means encouraging entities to adopt best practices. The other side of all this, however, is that all of these requirements create more risks of regulatory violation.
Another emerging concern for cyber insurers is about whether they are—perhaps without realizing it—insuring companies for their deliberate business practices, and whether that is or should be within the scope of cyber insurance. We need to consider if there are moral hazards when the coverage is so broad that there are situations when there are not enough security measures but organizations don’t see it as a problem because they have cyber insurance to cover their regulatory investigation costs, fines and penalties.
The SHIELD Act also reinforces that insurers on other lines of insurance (e.g., EPL, or other policies covering ERISA liability for errors in handling of records) need to be aware of potential exposure under such laws from the handling of employee information. Another interesting example of this is the Illinois Biometric Information Privacy Act.
What can insurers do to limit their exposure to business practices?
Cyber insurers need to be careful in policy wording when it comes to covering violations of privacy laws. They should also review their policies to see if they are pricing them correctly with regard to the expanded exposures. They might have a competitive issue there, but it’s also important to keep the pricing in line with the potential liability.
We often focus on tabletop exercises for policyholders addressing breach response, but insurance companies would also do well to practice their responses to incidents under their policies when faced with a given event. For cyber insurers: Are your policies covering what you intend to cover? Are your policies likely to be found to cover types of obligations or loss you didn’t intend to cover? Are you broadly insuring obligations under privacy laws that encompass a policyholder’s business practices you do not want to cover? Are your policies appropriately taking into account your policyholders’ concerns about their expansion of liability? We often talk about the expansion of risk by virtue of technology developments, but we should also think of the expansions in liability of insureds and exposures to insurers created by these changing regulations and laws.
Ms. Kamaiko often shares her much-appreciated expertise with the NetDiligence community, and her thoughtful overview of this emerging law is equally insightful. Our cyber risk insurance carrier partners are paying particular attention to New York’s SHIELD Act and how it might impact their cyber policyholders who either reside in New York state or have New York resident customers in their databases. SHIELD is part of a growing list of far-reaching state and federal laws designed to protect citizen or customer data privacy. Ms. Kamaiko also points out that encryption of data still provides some safe harbor in the event of a data breach (note that under the Act the safe harbor does not apply where the encryption key was also accessed or acquired). In today’s highly regulated environment, encryption is a must-have safeguard control for mitigating future liabilities, but businesses also need to be aware that New York and many other states are now requiring companies to undertake more security and breach response obligations. Organizations must anticipate that their data will be breached or accidentally leaked at some point. Given the growing scope and number of these regulations, it is more crucial than ever to have an actionable data breach crisis plan and to review data security procedures before an incident occurs, so that the organization can demonstrate that it prepared and responded in a timely, good faith manner.