New CalOPPA disclosure rules could pave way for federal cyberliability laws
As network security breaches and cybercrime continue to plague businesses of every size, the issue has come under close scrutiny from regulators, with at least 46 states having passed laws on data breach notification and disclosure requirements. Most recently, the State of California has amended the California Online Privacy Protection Act (CalOPPA), which requires any person or business operating a commercial Web site or online service that collects “personally identifiable information” about California residents to post a privacy policy on the site. Effective January 1, 2014, businesses must also disclose how their sites respond to “do not track” (DNT) signals sent by web browsers. A DNT signal is a proposed HTTP request header field through which a user asks Web sites, including analytics services, advertising networks, and social platforms, not to track them. The header expresses a preference only; nothing in the protocol forces a site to honor it, which is precisely why the amendment requires operators to state what they actually do with it.
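To make concrete what “responding to a DNT signal” looks like on the server side, here is a small added example (not code from the article, from WGA, or from any party named in it). Header names and values follow the W3C Tracking Preference Expression draft: a `DNT: 1` request header means “do not track”, `DNT: 0` means the user has consented, and the `Tk` response header reports the site's tracking status (`N` for not tracking, `T` for tracking). The request and response shapes are plain dictionaries, the cookie name `ad_id`, the default of not tracking when no header is present, and the sample requests are all constructed for the illustration.

```python
"""Honoring a browser's DNT (Do Not Track) header on the server side.

Added illustration, not code from the article. Header semantics follow the
W3C Tracking Preference Expression (TPE) draft; request/response dicts,
the cookie name and the sample requests below are constructed (assumptions).
"""
import secrets

TRACKING_COOKIE = "ad_id"  # assumed name of a cross-site tracking identifier


def dnt_preference(headers):
    """Classify the DNT request header as 'deny', 'allow' or 'unset'.

    Header lookup is case-insensitive because HTTP field names are.
    Anything other than the defined values "1" / "0" is treated as no
    preference rather than guessed at.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("dnt")
    if value is None:
        return "unset"
    value = value.strip()
    if value == "1":
        return "deny"
    if value == "0":
        return "allow"
    return "unset"


def tracking_allowed(headers, default_allow=False):
    """Decide whether a tracking identifier may be set for this request.

    default_allow governs the case with no DNT header at all; the
    conservative assumption used here is to not track unless told otherwise.
    """
    pref = dnt_preference(headers)
    if pref == "deny":
        return False
    if pref == "allow":
        return True
    return default_allow


def build_response(headers, default_allow=False):
    """Return response headers for the request.

    Always emits a Tk status so the browser (and an auditor) can see what
    the site did; only emits the tracking cookie when tracking is allowed.
    """
    response = {}
    if tracking_allowed(headers, default_allow):
        response["Tk"] = "T"
        identifier = secrets.token_hex(16)
        response["Set-Cookie"] = (
            f"{TRACKING_COOKIE}={identifier}; Path=/; Secure; HttpOnly; SameSite=Lax"
        )
    else:
        response["Tk"] = "N"
    return response


if __name__ == "__main__":
    # Constructed sample requests: opted out, consented, silent, and malformed.
    samples = [
        {"Host": "example.test", "DNT": "1"},
        {"Host": "example.test", "dnt": "0"},
        {"Host": "example.test"},
        {"Host": "example.test", "DNT": "yes please"},
    ]
    for request in samples:
        print(request.get("DNT", request.get("dnt", "<absent>")), "->", build_response(request))
```

The point a disclosure reviewer would check is that the privacy policy's description matches `build_response`: if the policy says the site does not respond to DNT, the code must not branch on it; if it says it honors DNT, the `deny` branch must actually suppress every tracking identifier, not just this one cookie.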
The law also now requires operators to disclose whether third parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites. Separately, and effective the same day, California expanded the definition of protected personal information in its data breach notification law beyond a person’s name in combination with a social security or credit card number to include an email address or username in combination with a password or security question and answer that would permit access to an online account, such as those used on social networking sites.
As the threat of online data breaches continues to grow, other states are likely to follow California’s lead and write similar DNT disclosure requirements into their own privacy and cyber security laws. There is also a business case for taking the underlying controls seriously: a Ponemon Institute survey conducted last year found that organizations with strong security practices and governance in place reduced their exposure to data breaches by at least 20 percent.
Today, risk managers have more responsibility than ever before to safeguard their clients’ and customers’ personal information. Companies routinely store large volumes of private information on servers and in databases, and as the recent Target breach (http://news.msn.com/us/target-encrypted-pins-were-stolen-in-recent-breach) has shown, encrypting that data does not stop it from being stolen: the attackers took the encrypted PIN data along with everything else, and its protection then rests entirely on the keys having been kept out of the attackers’ reach. In addition, unsecured smartphones and other mobile devices raise the risk further, especially when they are used to send messages containing private information. As a result, risk managers have all the more reason to add cyberliability coverage to their risk management portfolios.
Click here to learn more about the expansion of CalOPPA and its requirements from our friends at Pepper Hamilton LLP, who are also hosting an upcoming webinar on Privacy and Data Security for Life Sciences and Health Care Companies; click here for more information.
About the Author
Amy Sinclair is an Executive Vice President and co-leader of the Life Sciences Practice in WGA’s Property and Casualty Group. She negotiates, implements and manages comprehensive insurance programs for a variety of clients, ranging from venture-backed start-up organizations up to publicly traded companies.