VestNexus.com

Risk managers, insurers grapple with shifting privacy laws

An increase in online data privacy regulations being introduced at state and national levels is adding another layer of complexity for risk managers trying to master the labyrinth of overlapping or intersecting guidance for cyber breaches and related incidents.

“Navigating country regulation is a test in itself to make sure we have the right people watching it,” said Anthony Dagostino, New York-based global cyber chief underwriting officer for Axa SA, adding that both underwriters and policyholders must keep abreast of regulatory issues. 

U.S. state regulations pose an additional challenge, as incident notification laws differ, he said. 

Thirteen states have enacted comprehensive privacy laws, according to the International Association of Privacy Professionals, a not-for-profit organization based in Portsmouth, New Hampshire. More than a dozen others have legislation in some stage of development, such as in committee (see map).

The differences between states present an added challenge to risk managers.

“That’s making it incredibly difficult for risk managers to respond in the event of breaches because we have to engage with third parties like breach coaches, or legal representation that really understands what we need to do in specific states, because it differs so much across the board,” said Kristen Peed, Cleveland-based head of corporate risk at San Mateo, California-based Sequoia Benefits and Insurance Services LLC, and vice president of the Risk & Insurance Management Society Inc.

California introduced a mandatory notification requirement in 2003 and all other states followed with their own requirements, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice. 

“Now you have 50 different state notification requirements. A very similar thing is happening around privacy law and data collection. California was the first and now states are following like dominoes,” he said. 

“The regulatory arena is an evolving arena, not just here in the U.S. but around the world,” said Rachel Lavender, Marsh’s U.S. & Canada cyber brokerage leader, based in Washington.

Brokers and insurers are spending more time helping policyholders with regulations.

“That’s something that we spend lots of time talking to clients about,” said Paul Bantick, London-based global head of cyber and technology for Beazley PLC.