Cyber Liability Insurance, Records Retention, and Tracking Privacy Laws
Welcome to the first issue of PrivacyTilt!
This issue includes topics relevant to most businesses, including cyber liability insurance, data security as it relates to privacy violations, and the importance of having a good data records retention policy in place.
Plus, a summary of the consumer data privacy rights afforded by the new Florida Digital Bill of Rights (FDBR) and a couple of resources to help you keep track of new state privacy laws and their effective dates.
Enjoy!
Cyber Liability Insurance vs. Data Breach Insurance
Like many business owners these days, you've probably looked into (or at least heard about) new insurance coverage options designed to protect against loss suffered in the event of a cyber-security incident.
If you're just starting in this area, there are a couple of key policy types to consider, including cyber liability insurance and data breach insurance.
This article summarizes the key differences between these types of coverage:
Put simply, cyber liability insurance refers to coverage for third-party claims asserted against a company stemming from a network security event or data breach. Data breach insurance, on the other hand, refers to coverage for first-party losses incurred by the insured organization that has suffered a loss of data.
Data Breach or Privacy Violation?
Speaking of data breaches, they are often considered separately from standard privacy violations.
But, as Daniel Solove from Teach Privacy notes, there is actually plenty of overlap between the two:
As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.
Highlighting two recent FTC cases involving privacy violations under the Health Breach Notification Rule, Professor Solove notes that while many companies are concerned with protecting the "back door" of their information systems against cyber threats, they often neglect to guard the front door against threats posed by inadequately vetted customers and third-party vendors.
In fact, Professor Solove wrote an entire book on the matter, entitled Breached! Why Data Security Fails and How to Improve It.
How's Your Records Retention Policy?
For many businesses, data retention requirements are a major headache. There are different retention requirements depending on the classification of data you store, your jurisdiction and applicable laws, and requirements defined by contracts with business partners.
As a result of this confusion, some businesses just choose to store data indefinitely, often in a cloud storage system. But, as this article points out, that's not always the best approach.
Creating a well-defined and well-documented data retention policy or record retention schedule can help your company:
- Clarify the minimum and maximum retention periods for different types of records, and comply with the specific retention periods required under different laws (e.g., the minimum periods set by the ADA, FMLA, FLSA, ERISA, and OSHA);
- Designate the appropriate access levels for different types of data, including sensitive personal data;
- Develop a clear-cut storage strategy;
- Reduce costs and improve operational efficiency as a result of a better storage structure and well-defined access roles;
- Improve your company's decision-making; and
- Ensure your company is well-prepared in the event of litigation and discovery requests.
Florida's New Privacy Law
Back on June 6, 2023, Florida Senate Bill 262 (SB 262) was signed into law.
This law has new data protection requirements for businesses, including the "Florida Digital Bill of Rights", which will come into effect on July 1, 2024.
Similar to other state privacy laws, the Florida Digital Bill of Rights (FDBR) includes:
- The right to control personal data, including the right to confirm, access, and delete your personal data from a social platform;
- The right to know that your personal data will not be used against you when purchasing a home, obtaining health insurance, or being hired;
- The right to know how internet search engines manipulate search results;
- The right to opt out of having personal data sold; and
- The right to protect children from personal data collection.
SB 262 also addresses opt-out rights for targeted advertising and customer profiling, plus the collection of certain "sensitive" and "biometric personal data".
Read more about SB 262, including who qualifies as a "controller" under the law, here, here and here.
State Privacy Laws: Tracking Effective Dates
It can be overwhelming for any business or privacy professional to keep track of all the new laws and their effective dates.
Luckily, there are some excellent resources to help us out.
For example, this chart created by the Future of Privacy Forum (FPF) provides a very helpful summary of the effective dates for 15 state privacy laws (updated as of June 30, 2023), with links to FPF's analysis of each law.
For a more comprehensive chart, be sure to bookmark the IAPP's US State Privacy Legislation Tracker.