Over the past few years, State Attorneys General (AGs) have grown increasingly active in a variety of areas not traditionally within their domain. One of the areas in which AGs have increased their attention is data privacy. Notably, in the past year AGs have added data privacy enforcement units, worked with their legislatures to expand their data privacy enforcement capabilities, and have brought high-profile investigations and enforcement matters on data privacy issues. As a result of this increased activity, companies should closely scrutinize their insurance portfolios to ensure that they are covered for any such investigations and enforcement activity, and, if not, work with insurance brokers to consider obtaining insurance to address these risks.
AGs’ interest in this area is most obviously demonstrated by the expansion of their offices to form dedicated data privacy units. Early this year, Maryland Attorney General Doug Gansler selected International Data Privacy Day, January 28, to announce that he has established an Internet Privacy Unit dedicated to protecting online privacy. Last summer, California Attorney General Kamala Harris created her own Privacy Enforcement and Protection Unit to enforce state and federal privacy laws. Prior to Maryland and California, both Connecticut and Indiana also set up their own dedicated divisions to focus on Internet fraud and data privacy issues, and given this trend, it is likely that many more AGs will follow suit.
In addition to establishing these units to focus on data privacy matters, a variety of states have sought to bolster data protection laws and regulations. As of March 1, 2012, Massachusetts requires that all entities that “own or license” residents’ personal information must select vendors that can and will “maintain appropriate security measures to protect such personal information.” Vermont, California, and Connecticut all joined in 2012 the growing list of states requiring a company that experiences a data breach to notify the AG. More recently, Maryland AG Gansler urged lawmakers to pass legislation that would declare that a violation of the federal Children’s Online Privacy Protection Act (COPPA) is also an unfair and deceptive practice under the state’s consumer protection laws, which would permit the AG to bring COPPA actions in state courts. Finally, Maryland AG Gansler, the 2012-2013 president of the National Association of Attorneys General (NAAG), announced “Privacy in the Digital Age” as his NAAG Presidential Initiative. As a result of this focus, the attention of all 50 AGs has been brought to bear on privacy issues.
This AG activity is likely to continue in 2013 and beyond. It is critical that companies ensure that their insurance coverage is adequate to respond to AG-led activity in the data privacy arena. Companies facing these data privacy risks would be well served to analyze their entire portfolio of insurance policies, as well as their contractual risk transfer clauses (including additional insured coverage and contractual indemnity requirements) to determine what insurance policies or other risk transfer mechanisms might apply to such risks. These risks may be covered under a so-called cyberinsurance policy or other insurance policies, including commercial crime and commercial general liability policies. The value of insurance coverage for these risks, in light of the increasing focus by AGs on the issues, cannot be overstated.