State Attorneys General Increasingly Concerned with Data Privacy

Aaron R. Lancaster

Over the past few years, State Attorneys General (AGs) have grown increasingly active in a variety of areas not traditionally within their domain. One of the areas in which AGs have increased their attention is data privacy. Notably, in the past year AGs have added data privacy enforcement units, worked with their legislatures to expand their data privacy enforcement capabilities, and brought high-profile investigations and enforcement matters on data privacy issues. As a result of this increased activity, companies should closely scrutinize their insurance portfolios to ensure that they are covered for any such investigations and enforcement activity, and, if not, work with insurance brokers to consider obtaining insurance to address these risks.

AGs’ interest in this area is most obviously demonstrated by the expansion of their offices to form dedicated data privacy units. Early this year, Maryland Attorney General Doug Gansler selected International Data Privacy Day, January 28, to announce that he has established an Internet Privacy Unit dedicated to protecting online privacy. Last summer, California Attorney General Kamala Harris created her own Privacy Enforcement and Protection Unit to enforce state and federal privacy laws. Prior to Maryland and California, both Connecticut and Indiana also set up their own dedicated divisions to focus on Internet fraud and data privacy issues, and given this trend, it is likely that many more AGs will follow suit.

In addition to establishing these units to focus on data privacy matters, a variety of states have sought to bolster data protection laws and regulations. As of March 1, 2012, Massachusetts requires that all entities that “own or license” residents’ personal information must select vendors that can and will “maintain[] appropriate security measures to protect such personal information.” In 2012, Vermont, California, and Connecticut all joined the growing list of states requiring a company that experiences a data breach to notify the AG. More recently, Maryland AG Gansler urged lawmakers to pass legislation that would declare that a violation of the federal Children’s Online Privacy Protection Act (COPPA) is also an unfair and deceptive practice under the state’s consumer protection laws, which would permit the AG to bring COPPA actions in state courts. Finally, Maryland AG Gansler, the 2012-2013 president of the National Association of Attorneys General (NAAG), announced “Privacy in the Digital Age” as his NAAG Presidential Initiative. As a result of this focus, the attention of all 50 AGs has been brought to bear on privacy issues.

AGs also have not shied away from using their existing authority to investigate or litigate against companies that appear to be violating their states’ data privacy laws. In December 2012, California AG Harris filed a lawsuit against Delta, alleging that it committed an unlawful, unfair, or fraudulent business practice by failing to include a privacy policy in its mobile app, in violation of California’s Online Privacy Protection Act (CalOPPA). This past March, 38 states and the District of Columbia entered into a settlement with Google to resolve their long-running investigation of Google’s collection of data from unsecured personal and business wireless networks nationwide between 2008 and May 2010 while taking photographs for its “Street View” mapping service. Under the settlement, Google is banned from such data collection and must train employees on privacy, produce a national campaign to educate consumers about protecting their personal information, and pay a penalty of several million dollars to the states participating in the settlement.

This AG activity is likely to continue in 2013 and beyond. It is critical that companies ensure that their insurance coverage is adequate to respond to AG-led activity in the data privacy arena. Companies facing these data privacy risks would be well served to analyze their entire portfolio of insurance policies, as well as their contractual risk transfer clauses (including additional insured coverage and contractual indemnity requirements) to determine what insurance policies or other risk transfer mechanisms might apply to such risks. These risks may be covered under a so-called cyberinsurance policy or other insurance policies, including commercial crime and commercial general liability policies. The value of insurance coverage for these risks, in light of the increasing focus by AGs on the issues, cannot be overstated.