
How Coalition helps your business respond to evolving privacy regulations


This is how I came to hate acronyms. HIPAA, CCPA, CPRA, PIPEDA, CPPA, GDPR, COPPA, GLBA, SHIELD Act, etc.

All of the above are future or currently enacted statutory provisions and legal frameworks that concern consumer or individual privacy rights. If you know what all of these acronyms mean without using Google, and you’re not a privacy attorney, then you’ve just won your internet gold star for the day (or one free cat GIF).

If you’re at a loss as to what the acronyms signify, then you’re not alone. According to a 2019 Pew Research Center study, “63% of Americans say they understand very little or nothing at all about the laws and regulations that are currently in place to protect their data privacy.” Privacy isn’t rocket science, but it is confusing, and it is a potential legal quagmire for your business when it comes to the application of local, federal, or international privacy laws and regulations.

This isn’t just difficult for laypersons to parse; it can be an undertaking for privacy lawyers as well. As if baseline legal expertise weren’t enough, you also have to be vigilant for changes or updates to those privacy laws, as they may be re-drafted with more stringent compliance requirements or even provide for fines and penalties against businesses for non-compliance.

So what is a smart business owner supposed to do?

Step 1) Seek Counsel: Engage competent legal counsel that has privacy expertise to determine what your compliance requirements are; and, if you fall under any of the regulatory schemes, how you maintain that compliance.

Hint: If you sell or purchase personally identifiable information (PII); maintain, process, or store the PII of over 50,000 California residents or any European Union residents; control or process private health information (PHI); are a financial institution; have children under the age of 13 as customers; and/or have suffered any type of privacy breach; you’ll want to discuss with legal counsel.

Step 2) Protect Your Business: Buy cyber insurance that provides a defense for regulatory proceedings and coverage for any regulatory fines and penalties that might be issued. (Hint: Coalition has market-leading coverages that do just that.)

Canada’s Consumer Privacy Protection Act: A Coalition case study

The Canadian federal government recently outlined a new privacy bill that is set to be put in front of the Canadian legislature in 2021. Called the Consumer Privacy Protection Act (CPPA), it will update and replace the current privacy framework, PIPEDA (Personal Information Protection and Electronic Documents Act). The drafting of the bill coincides with the European Union’s adequacy review of the Canadian privacy framework for intercountry data transfers. Canada is currently one of only 12 jurisdictions in the world that the EU considers to have privacy protections comparable to its own privacy law, the General Data Protection Regulation (GDPR). This is an important legal process, as a determination of adequacy will allow Canadian and EU companies to continue to engage in cross-border data transfers without stringent contractual agreements or additional authorization to transfer the data. This could save EU and Canadian companies millions of dollars per year. The CPPA changes the existing law in several ways:

  • Requires an obligation to implement a privacy management program and establish a privacy officer within the company with direct access to management

  • Allows individuals to request that the business dispose of their personal information, subject to limited exceptions

  • New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence, requiring businesses to explain how such systems are utilized

  • An obligation to de-identify personal information prior to sharing it with parties in the context of a proposed business transaction

  • A much stronger enforcement regime which would provide the Privacy Commissioner of Canada additional enforcement powers, such as the power to make an order requiring businesses to conform with and stop contravening CPPA, take public measures to correct privacy practices, and recommend a monetary penalty up to CAD $10,000,000 or three percent of the business’ total global revenues for the prior fiscal year

  • Individuals have a private right of action in front of the newly created Personal Information and Data Protection Tribunal

In summary, the CPPA creates a stronger burden of privacy compliance on businesses and makes it easier for consumers to sue businesses while also providing for potentially large penalties for non-compliance.

Not just a Canadian problem

But what if you’re an American policyholder? Well, do I have good news for you! We also have our share of ever-changing privacy regulations. Enter the CPRA (California Privacy Rights Act of 2020), which amends and adds to the CCPA (California Consumer Privacy Act of 2018). You can find an excellent write-up by my colleague Catherine Lyle that explains some of the differences between the CCPA and the CPRA.

Similar to our northern cousins’ upcoming privacy bill, the CPRA increases the compliance burden for business owners, as well as potentially increasing the likelihood of being subject to a regulatory investigation and private right of action for failure to comply with the privacy laws.

The Coalition policy is here to help, no matter which privacy laws change

All of the above can be frustrating from a business owner’s perspective, but you shouldn’t have to worry about whether your insurance policy is going to cover changes in your jurisdiction's privacy regulatory framework. The Coalition policy provides broad coverage for regulatory proceedings. Our policy provides a defense to any regulatory investigation using the best Canadian and US privacy lawyers and, if needed, provides for payment of covered regulatory fines and penalties. Whether it is PIPEDA and the CPPA, the CCPA and CPRA, or almost any other privacy regulation acronym, you’re covered.

If you made it this far, you now know what five of the nine acronyms listed at the top of the page mean. Here’s a handy table that explains all of them:

| Acronym | Definition | Jurisdiction and Subject Matter |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act | United States; sensitive patient health information |
| CCPA | California Consumer Privacy Act of 2018 | California, United States; personally identifiable information of California residents |
| CPRA | California Privacy Rights Act of 2020 | California, United States; personally identifiable information of California residents |
| PIPEDA | Personal Information Protection and Electronic Documents Act | Canada; private-sector organizations that collect, use or disclose personal information in the course of a commercial activity |
| CPPA | Consumer Privacy Protection Act | Canada; private-sector organizations that collect, use or disclose personal information in the course of a commercial activity |
| GDPR | General Data Protection Regulation | EU Member Countries and any company that has the personal information of EU-domiciled individuals; data privacy of individuals and households |
| COPPA | Children’s Online Privacy Protection Act | United States; any commercial activity that aims to collect the personal information of children under the age of 13 |
| GLBA | Gramm-Leach-Bliley Act | United States; regulates how financial institutions share and protect their customers’ private information |
| SHIELD Act | Stop Hacks and Improve Electronic Data Security Act | New York, United States; any person or business which owns or licenses computerized data that includes private information |