By KATIE KUEHNER-HEBERT, a freelance veteran business journalist based in San Diego.
SAN DIEGO -- As privacy legislation spreads across the world, global companies need to make sure they tailor their practices for each country to satisfy differing perceptions of what privacy actually means, and differing levels of acceptance for the collection and sharing of personal data.
That's according to a panel of experts who spoke last week at the Professional Liability Underwriting Society's annual conference here in San Diego, and who also discussed how insurance companies can better draft policies to cover emerging privacy risks.
"The concept of privacy is amazingly different in different areas of the world," said Tim Jaggs, executive director of specialty casualty at Towers Watson (Re)Insurance Brokers Ltd. "Global companies need to understand that there's no single understanding of privacy, and that there will be terrible liability and litigation for them if they don't."
Regarding the safeguarding of personal data stored on computer systems, people in the U.S. generally expect that the companies they do business with will have at least some of their personal information. As such, the concern revolves around how companies safeguard their personal information and how companies might be sharing that data with others, said John F. Mullen Sr., a partner at the law firm Nelson, Levine, de Luca & Horst LLC.
However, most state notification laws do not specify every kind of personal information that must be safeguarded, such as ZIP codes, he said.
"Most laws are very gray," Mullen said.
Currently, there are 46 states with laws on notification, and there are now at least four different pieces of federal legislation on the issue introduced in Congress, Mullen said. As those bills move forward, he expects a fair amount of pre-emption fights and requests for "carve-outs" from industry sectors already complying with existing privacy laws such as the Gramm-Leach-Bliley Act.
"I do believe we are going to see something there, but this is an election year, so that 'something' may not be for some time," Mullen said.
People in many other countries care more about whether companies can actually collect personal customer information without informed consent, said Tom Allen, senior underwriter at Aspen Insurance UK. Moreover, many European countries, like Germany, are concerned not only about information that definitely identifies a person such as a tax identification number, but also about information that could potentially identify a person if there is enough information collected by the company for someone else to ascertain their identity, Allen said.
Asia-Pacific countries such as Japan, Korea and Taiwan have "prescriptive" rules on how companies can treat data, compared to state laws within the U.S. that tend to have more "standard-based" rules, he said.
"However, the emphasis in those countries is not so much on penalties" for breaches, "but on the assumption that you would just follow the rules," he said.
India's notification laws are "pretty robust," Allen said. "It's their national exercise in branding."
For many countries, the onus of enforcement is on their respective regulators, but in the U.S. and now South Korea and parts of Europe, the "overarching" stick is class-action lawsuits, Mullen said.
Insurance policies generally have been built around U.S. notification laws, and as such, they don't quite protect for breaches in other countries in the same way as they protect for breaches in the U.S., Allen said. Underwriters are now asking global companies more informed questions, to determine all of their various privacy exposures.
But Mullen said that can also depend on those companies' brokers; "some won't let them ask these questions."
Lori Bailey, senior vice president, head of professional liability at Zurich North America and the session's moderator, asked the panelists this question: how could insurance companies better address privacy issues?
Jaggs said that insurers need to be explicitly clear on whether or not their general liability policies cover the effects of breaches.
Jaggs' clients are also asking for "income damage" coverage that would span two to three years after a cyberattack.
"It can be in the billions," Jaggs said, "and we simply don't have the capacity to do it today, but that's what they are asking for."
November 7, 2011
Copyright © 2011 LRP Publications