More Fragmented US Data Privacy Law for Insurers to Ponder

Written by Mark Bowers

On March 2, 2021, the Virginia Consumer Data Protection Act (“VCDPA”) was signed into law effective from 1 January 2023.

The privacy regime created by the VCDPA draws heavily on laws and regulations already in effect, such as the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation 2016/679 (“GDPR”). The provisions of the VCDPA set out responsibilities and privacy protection standards for both “data controllers” and “processors,” borrowing those terms from the GDPR. The VCDPA requires organisations to conduct data protection assessments and to implement certain policies and procedures to ensure compliance. It also includes broad exemptions from coverage for certain classes of entities and types of data already covered by federal data protection laws.
Organisations will need to assess carefully whether their activities are covered by the VCDPA and, if they are, take steps to ensure they comply with it by 2023. The law applies to both U.S. and non-U.S. companies that process personal information of over 100,000 Virginia consumers, or that process information of over 25,000 Virginia consumers and also derive more than 50% of their revenue from the sale of this data.

Implications:
• The VCDPA and CCPA apply to businesses under different circumstances, making it important for businesses to assess whether they fall within the Virginia law.
• Data controllers may be incentivised by the VCDPA’s exemptions to increase their use of pseudonymous data in order to avoid the obligation to comply with consumer requests and minimise their potential liability under the statute.
• The use of data protection assessments (“DPAs”) as a mechanism for ensuring that specific types of activities are conducted in a manner that maintains the security of consumers’ personal data is likely a development that will be incorporated into other states’ data protection regimes, and one that imposes a potentially significant burden on entities seeking to comply.
• Companies with strong GDPR and CCPA compliance programmes may enjoy a head start on ensuring compliance with the VCDPA but there are important differences between the regimes and compliance with VCDPA will require specific focus.
• The enactment of the VCDPA suggests that there is momentum for other states to enact privacy legislation, such as Washington and New York, which will soon pass their own data protection laws. This development will complicate the compliance obligations companies face in the US and may increase pressure to pass a comprehensive federal data privacy law to supersede and simplify the laws in this space.

Conclusion:
The US legal system is a patchwork of laws that creates inherent risks and uncertainties for insurers providing coverage in that jurisdiction. The growth of state-level data protection laws will only increase the risk and exposure that insurance companies face, and will make risk assessment and loss management more difficult to predict and manage. A federal data protection law would go a long way towards providing a universal framework that could be adopted state by state, giving significantly more clarity on standards, obligations, compliance and risk management. The reality is that each state is its own island and, rather than creating certainty and consistency across the piste, the legal landscape will continue to develop in a fragmented way, creating risk rather than certainty and clarity.
