Changes in Data Breach and Privacy Laws – Sticks Vs. Carrots

October 2, 2019 Business Insurance and Risk Management, The Beacon Blog

An article by Ironshore (a Liberty Mutual insurance company) officials David Standish and Vivian Beqaj Freedman, originally published in the Professional Liability Underwriting Society PLUS Journal, surveys changing data breach and privacy laws and their implications. The complete article can be found at

Standish and Freedman see a number of factors motivating state law changes:

  1. Current laws focus primarily on post-breach notification, by which point the damage has already been done.
  2. The European Union General Data Protection Regulation (GDPR), with strict privacy rules enforced through heavy fines, serves as a model for states.
  3. Compromise of biometric data is increasingly recognized as a privacy threat. Because this information cannot be changed once exposed, it must be protected before a breach occurs.

States have taken two approaches to these concerns. Most use the “stick” approach: strict regulation similar to the GDPR. The alternative is the “carrot” of encouraging businesses to adopt high security standards.

Examples of new and proposed state laws:

  • California: The California Consumer Privacy Act, scheduled to go into effect 1/1/20, follows the GDPR with broader definitions of personal information and broad consumer rights. Both the attorney general and consumers have the right to bring actions for violations. A proposal for even broader privacy protection made earlier this year was withdrawn.
  • Massachusetts: Breach notification standards were updated as of 4/11/19 to strengthen consumer protection and to designate biometric information as personally identifiable information, though with differences from the controversial Illinois Biometric Information Privacy Act.
  • Washington D.C.: The attorney general has proposed new legislation closer to the GDPR that expands the categories of protected information to include biometric information.
  • Vermont: The state now regulates data brokers, requiring registration and compliance with data protection standards.
  • Ohio: The state’s data protection act takes the incentive approach, offering businesses a safe harbor if they have a written cybersecurity program that reasonably conforms to industry standards.

Businesses must be aware of these differing approaches and make sure their data protection practices at least meet the legal requirements in every state where they do business. Standish and Freedman believe the goal of data protection laws should be to incentivize consumer protection. The strict GDPR-type approach may be more likely to lead to class action suits, while safe harbor legislation will result in better data protection. No matter which approach wins out, the best advice for businesses is to adopt best data practices rather than settle for minimum compliance.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.