Locke Lord QuickStudy: Ready or Not, Here It Comes: Litigation and Enforcement Issues Under The California Privacy Rights Act

Locke Lord


Originally Published February, 2021

 

The passage of the California Privacy Rights Act (“CPRA”) on November 3, 2020 will result in increased litigation and enforcement actions for companies doing business in California. Indeed, only months after the California Consumer Privacy Act (“CCPA”) became effective, California voters expanded on the CCPA’s already groundbreaking data privacy protections by passing the CPRA. Now, the creation of the California Privacy Protection Agency (the “Agency”) and the elimination of some of the more business-friendly provisions of the CCPA make clear that companies will suffer significant and costly consequences for data breaches and privacy violations in California.

 

The substantive provisions of the newly enacted CPRA go into effect January 1, 2023, but the regulatory implications may be felt much sooner. While many businesses are still navigating the emerging litigation and enforcement landscape created by the CCPA, they should also ramp up efforts to comply with the CPRA in order to avoid additional liability issues down the road.

 

The Creation of the Agency

The CPRA amends and expands the enforcement mechanism of the CCPA through the creation of the Agency, a newly formed California state government agency whose sole purpose is the regulation of consumer data privacy. Cal. Civ. Code § 1798.199.10 et seq. The CPRA describes the Agency as an “independent watchdog whose mission is to protect consumer privacy” to “ensure that businesses and consumers are well‐informed about their rights and obligations” and to “vigorously enforce the law against businesses that violate consumers’ privacy rights.” See CPRA SEC. 2, Findings and Declarations L. The Agency will replace the California Attorney General as enforcer of the CCPA no later than July 1, 2021 and will oversee enforcement of the CPRA effective July 1, 2023.

 

The creation of the Agency will undoubtedly result in increased attention and investigations into data breaches and privacy violations involving California residents. First, the sole responsibility of the Agency is to investigate these issues, and that hyper-focus is likely to lead to more intense scrutiny. Second, the Agency is funded through the Consumer Privacy Fund, which is made up of fines that the Agency collects in its enforcement actions, thus creating an incentive to enforce the provisions of the CPRA. Consequently, businesses should expect aggressive enforcement actions by the Agency.

 

Agency Enforcement under the CPRA

Not only does the CPRA change who is responsible for its enforcement, but it also eliminates the ability to cure a violation before any action is taken. The CCPA specifically allows companies to avoid an enforcement action and/or administrative fines by curing the violation within 30 days. Conversely, under the CPRA, the Agency is permitted to order substantial administrative fines (from $2,500 to $7,500 per violation) at the time that it issues a cease and desist letter, though it will look to the “good faith cooperation of the business” in determining the amount, if any, of the administrative fine. Because this change makes it more likely that businesses will be assessed fines, it is important to be in compliance. Notably, the CPRA has a “look back” provision to January 2022 for enforcement purposes. Thus, to avoid costly enforcement actions in the future, companies should review their procedures for compliance with the CPRA and take steps to remedy any issues as soon as possible.

 

Civil Liability under the CPRA

The CPRA may also result in increased litigation by California residents by expanding the narrow list of personal information giving rise to a private right of action. Under the CCPA, a consumer may bring an action if four elements are met: (1) the plaintiff is a consumer (defined as a California resident), (2) there was unauthorized access and exfiltration, theft, or disclosure of, (3) nonencrypted and nonredacted personal information, and (4) the disclosure was due to the business’s alleged failure to maintain reasonable security procedures and practices. Cal. Civ. Code § 1798.150(a)(1). Importantly, though, the types of personal information misappropriated are limited to a combination of the consumer’s name (first name or initial and last name) and a social security number, driver’s license number or identification card number, financial account number and security/access code or password, medical information, health insurance information, or biometric information. See Cal. Civ. Code § 1798.150(a)(1) (citing “personal information” defined under Cal. Civ. Code § 1798.81.5(d)(1)(A)). The CPRA expands this narrow list to include consumer login credentials (such as email addresses and passwords). See Cal. Civ. Code § 1798.150. Given the number of online transactions that require consumers to disclose their email addresses and passwords, this addition may result in increased litigation in the event of a breach.

 

Unlike enforcement actions based on compliance violations, the CPRA did not eliminate the 30-day cure provision with respect to consumer claims brought under the private right of action provision. This means that a business can still avoid statutory damages if it cures the violation upon 30 days’ written notice from the consumer – assuming a cure is possible. See Cal. Civ. Code § 1798.150(b). However, the CPRA clarifies that “the implementation and maintenance of reasonable security and practices…following a breach does not constitute a cure of that breach.” Id. Thus, a business cannot avoid civil liability under the CPRA simply by adopting reasonable security standards after the fact. Further, the notice and opportunity to cure provision does not apply if the consumer is just seeking actual pecuniary damages, and not statutory damages. See Cal. Civ. Code § 1798.150(b).

 

Conclusion

The enactment of the CPRA further muddies the privacy waters in California as many businesses are still waiting for guidance from the courts and/or the Attorney General regarding enforcement of the CCPA. The creation of the Agency makes increased attention and enforcement actions a near certainty. Particularly in light of the one-year look back provision included in the CPRA, it is important for companies to promptly begin reviewing their policies and practices for compliance with both the CCPA and CPRA in order to avoid liability issues in the future.

LBTC Announces New Co-Chairs


 

We are excited to announce that the Life Brokerage Technology Committee (LBTC) has elected 3 new co-chairs (see complete bios at end of post). The new leadership team brings a vast amount of industry experience to drive LBTC forward in working with its members to solve industry technology pain points and create process improvements for Life Insurance services. The new LBTC co-chairs will also bring awareness of new innovations to the industry.

 

* Pat Wedeking, Vice President of Tellus Brokerage Connections

* Marjorie Ma, VP & Head of Product Management of AIG USA Life Insurance

* Brian Kirland, Senior Director Sales & Marketing of SuranceBay

 

 

The new co-chairs represent Distributors, Carriers and Vendors, respectively. They will serve a 2-year term. The new co-chairs are supported by the LBTC Steering Committee: Joann Mattson of Highland Capital Brokerage, Jeff Lingenfelter of John Hancock Insurance Company, and Ken Leibow of InsurTech Express. LBTC has 120+ industry members. Please see below on how to join LBTC.

 

The Life Brokerage Technology Committee (LBTC) is an independent working group whose purpose is to exchange information about technology related systems and services related to the marketing, sale, and servicing of insurance in independent distribution channels. Some of LBTC’s past initiatives focused on process improvement and solving technology pain points: Automated-Underwriting, eApp, eDelivery, eSignature, Commission Accounting, and Pending Case Status to name a few. LBTC conducts industry surveys, whitepapers, webinars, media and has a face-to-face meeting at the Annual NAILBA Conference in November. LBTC partners with other industry associations such as NAILBA, ACORD and LIDMA.

 

JOIN LBTC

There is no cost to becoming an LBTC Member. Each person who wants to participate in LBTC in your organization can join. Each person will need to fill out a membership form.  You can join LBTC by downloading the membership form and emailing it to Joann Mattson at jmattson@highland.com. Download LBTC Membership Form: https://lnkd.in/eHhHjfZ


Pat Wedeking

Pat Wedeking is an industry veteran whose focus has been on process improvement, direct marketing and brokerage business development. Coming from the hospitality business as a PGA apprentice, Pat entered the life insurance business through Northwestern Mutual’s training program. After 10 years in personal production, Pat entered the general agency business with a technology-driven brokerage focusing on lead generation and a lead relationship management (LRM) system. This platform served as the foundation of Quick Life, which was sold to Crump in 2016.

 

During the growth of the brokerage, Pat was the founding President of the Life Insurance Direct Marketing Association, known throughout the industry as LIDMA. This organization focuses on industry technology that improves the process of obtaining insurance and helped usher in the ubiquitous use of electronic payments, signatures and delivery of policies. Further process improvement initiatives focus on voice signature, data-based underwriting and bringing data closer to the point of sale. After service to LIDMA, Pat was elected to the Life Happens board of directors and served as Chairman of that organization in 2017. Since joining Crump, Pat has been in business development positions focusing on the use of their transaction center platform and, most recently, with Crump’s IMO division, Tellus Brokerage Connections. Pat brings energy and a big picture mentality to his endeavors. He has a wealth of knowledge and industry relationships that will help any organization he serves.


Marjorie Ma

Marjorie Ma is the Vice President and Head of Product Management and Market Intelligence, AIG USA Life Insurance. She has over 8 years of life insurance experience and is now responsible for Life Insurance Product Development and Management at AIG, including product strategy development and implementation, as well as day-to-day product management across AIG’s broad life product portfolio. She is also leading the Market Intelligence Team to collect industry and competitor updates and to provide actionable intelligence to product, pricing, sales, marketing and operation teams. Marjorie joined AIG in 2012 after obtaining her MBA degree from Rice University and has since worked in the Life Insurance Industry.

 


Brian Kirland

Brian J. Kirland received his Economics degree from Saint Mary’s College of California in 1997. He began his career in the financial industry as a Portfolio Manager’s Assistant at NWQ Investment Management. From 1998 until 2014, Brian was a part of a growing technology firm, Xtiva Financial Systems, whose products focused on the Broker-Dealer and Securities industry for Sales compensation. Brian then joined LaserApp Software in 2014, deepening his insurance technology expertise. During his two years with LaserApp, Brian spent his time meeting agency principals and carrier partners helping establish a new business platform for the firm.

 

Brian joined SuranceBay as a National Account Executive in July of 2016 and currently serves as Senior Director of Sales & Marketing and a member of the executive management team. Brian works to increase sales within the distribution channels, carrier partners and vendor integrations for SuranceBay’s flagship product, SureLC™. Since 2009, SuranceBay has been an industry leader in providing innovative licensing and contracting software to independent brokers, agents, and carriers. The recent introduction of complementary tools such as DataLink, SureLC One, Background Screening, and AML training, makes SuranceBay’s SaaS platform a one-stop-shop for over 85% of the independent life insurance agents in the United States. SuranceBay incorporates the assets of more than 600 life insurance carriers with subscriptions from over 800 BGAs, optimizing the workflows of 425,000+ active producers nationwide, and processing over 50,000 monthly contract submissions.