CyberGuide - Information Security and Cyber Risk Management

Cyber legislation: What’s here and what’s on the horizon?

By Erin Ayers, Advisen

A wide range of factors contributed to the rise in adoption of cyber insurance over the last two decades, but the impact of legislation on cybersecurity and data breach accountability can’t be overstated. Even with data breach laws in all 50 states and many countries across the world, lawmakers continue to examine and refine the requirements businesses must follow. For insurers, brokers, and their clients, it pays to know what’s coming your way and when.

It’s (almost) here

This month brings the data security obligations of New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act into play. On March 21, the law takes full effect, and much like the GDPR and the California Consumer Privacy Act (CCPA), it reaches beyond the borders of New York and carries liability for businesses both in and out of state. Notably, the SHIELD Act broadens New York’s existing data breach laws by expanding the definition of private information to include biometric information, email addresses and passwords, and financial account numbers.

On the horizon

California, already a must-watch in terms of cyber-related legislation, recently introduced a bill (AB-2320) requiring any contractor doing business with a state agency involving access to protected personal information to carry cyber insurance. The legislation goes on to say that contractors should “carry cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information, in an amount determined by the contracting agency.”

These two provisions combine to create an interesting situation. Thus far, cyber insurance has not been mandated by any local, state, or federal government. The global coverage take-up rate has been steady but slow, despite concerns over cyber risk rising steadily to boardrooms and executives. A mandate for buying coverage, even for a select group of private contractors in one U.S. state, could speed adoption – and legislation in other states.

However, allowing a state agency to determine the amount of coverage carried by a private firm as a condition of doing business with them seems like a significant stumbling block, as does the language “insurance sufficient to cover all losses” in the event of a data breach. “All” may be subject to interpretation, but it sounds like it opens the door to shifting “all” liability to the contractor.

As with the CCPA, the legislative actions of the nation’s most populous state frequently provide templates for other lawmakers. In an opinion piece on The Hill, Anne Hobson of George Mason University and Ian Adams, an attorney with Orrick and vice president of policy for TechFreedom, say that this bill offers some guidance for the federal government and federal contractors.

“For better and for worse, California has a history of foreshadowing policy developments that spread to other places. In 2002, its legislature passed the first state data breach law requiring businesses to disclose any breach of the security of personal information. Over the next 16 years, all 50 states followed suit. Should it pass, AB 2320 may prove similarly prone to widespread adoption. With any luck, Congress will take a hard look at the right way to implement cyber insurance requirements,” they wrote.

Editor Erin Ayers can be reached at [email protected].