During this time of year, it is common for business owners to set some time aside for reflection on the events of 2022, and to set goals for the coming year. Or perhaps you are putting together new objectives for your team. However you structure your plans for the new year, make sure that you give some consideration to data privacy and cybersecurity. Here are a few topics to review and build into your plans for 2023:
Most businesses should have a cybersecurity insurance policy, which provides coverage for data breaches and other cybersecurity liability issues. This insurance does not just provide monetary payouts, but can provide active assistance in responding to a data breach, or negotiating a resolution where your business information and systems have been taken hostage. If your business does not have such a policy, you should investigate available options. If you already have a policy in place, you should review the coverage and any upcoming renewal deadlines. While you may have provided your carrier with certain information to obtain your initial policy, we have found that renewals in 2022 included extensive questionnaires that required the insured to provide new details regarding the steps they have taken to secure business and consumer data and protect from cyber-attacks. We expect that carriers will continue to request detailed information from insureds to renew cybersecurity insurance policies.
While the U.S. still has not passed a federal consumer data privacy act, the list of states that are enacting such laws keeps growing. In 2023, consumer data privacy laws will go into effect in Colorado, Connecticut, Virginia, and Utah. Additionally, the California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act (“CCPA”) will be enforceable as of July 1, 2023. The list of states with consumer data privacy laws will continue to grow as consumers desire more transparency and control over their personal information. With the ever-growing power of the internet and the ability for businesses to attract customers from anywhere, it is prudent to be aware of state data privacy laws of each state in which your company conducts business, maintains personnel and offices, or provides website access. State data privacy laws typically are applicable to businesses even if they do not have a physical location in that state.
In addition to state consumer privacy laws, businesses should also be aware of any industry specific privacy laws that may be applicable. For example, the health care, education, and banking industries each have federal privacy laws (HIPAA, FERPA and GLBA) that apply to businesses in these industries. The beginning of the year is a great time to review these laws and make sure your business is in compliance with them.
Even if your business is not subject to any state consumer privacy laws or industry-specific federal privacy laws, you may still have a privacy notice or policy (“privacy notice”) posted on your website. Additionally, many businesses create privacy notices to have an app added to an app store. Privacy notices should be reviewed and updated on a regular basis to ensure the statements made as part of these notices are correct. The Federal Trade Commission (“FTC”) can and does take law enforcement action to ensure that promises made in privacy notices are true. Additionally, if your business is subject to state consumer data privacy laws, state regulators or even private citizens may be able to take action against your business in the case of false or misleading information presented in your privacy notice, or as part of any data breaches.