P&C Technosavvy, March 2014 issue

Q&A with Lauri Floresca

Lauri Floresca, SVP, partner, Woodruff-Sawyer & Co.
By Michael Fitzpatrick Posted on March 1, 2014
Q
What changes has California made to its data breach laws?
A
The change is in the definition of what constitutes personally identifiable information, or PII. A user name and password is now considered PII. In the other 45 states that have laws regulating the disclosure of PII, you have to disclose some combination of name, address, Social Security number, credit card number or bank account number. Now added to that list will be a user name and password.
Q
Why does this matter?
A
A much wider web of companies is affected. If you do nothing else but let people have their preferences stored, you now are at risk of incurring significant costs and potential liability if you don’t comply with this new measure. Companies that didn’t think they had liability now do. Social media companies in most cases don’t collect credit cards or your address, but you have a login and password.
Q
How does that impact businesses outside California?
A
Because most companies doing business online potentially have customers in all 50 states, the general advice if you have a breach is to revert to the strictest standard. Now that California has taken this new step and added log-in credentials to PII, most legal counsel are going to advise clients that they need to follow California notification guidelines.
Q
Will other states follow suit?
A
That’s been pretty consistent so far. As one state has expanded these provisions, other states have followed. It’s not an unreasonable extension given the state of the password universe. Despite all the advice out there, people continually use the same password and user name combinations on multiple websites.
Q
What steps should businesses take?
A
One of the first things you need to do is to take steps to better understand what you’re collecting, how you’re storing it and how you’re protecting it, and particularly understanding if you’re storing anything you don’t need to. The more data you’re storing, the greater risk you have of losing it.

Second, you have to understand how you’re protecting data and have an independent, third-party assessment of whether it’s adequate.

Third, you have to think about the potential to transfer that risk. There are definitely insurance products that will help with the costs of dealing with PII. People would be surprised at the scope of costs that can be covered.

Michael Fitzpatrick, Technology Editor