
Privacy Liability

Third-party cyber coverage for claims alleging the insured failed to protect personal information as required by law or contract.

What It Is

Privacy liability is a third-party insuring agreement in a cyber policy that responds to claims alleging the insured violated a duty to protect personal information. Unlike network security liability, which focuses on technical security failures, privacy liability addresses the insured's legal obligations around data collection, use, storage, and disclosure regardless of whether a technical breach occurred.

Covered claims may arise from violations of state privacy laws (such as the California Consumer Privacy Act, Illinois Biometric Information Privacy Act, or state breach notification statutes), federal regulations (HIPAA, GLBA, COPPA), international regulations (GDPR for clients with EU exposure), or the insured's own published privacy policy. Privacy liability can be triggered even without a cyberattack if, for example, the insured shares customer data with a marketing partner in violation of its privacy policy.

The coverage typically includes defense costs, settlements, judgments, and in some policies, regulatory fines and penalties where insurable by law. The insurability of regulatory fines varies by jurisdiction, and policy language regarding fines must be reviewed carefully.

Why It Matters for Brokers

The explosion of state privacy legislation means every commercial client faces potential privacy liability regardless of industry. Brokers must understand which privacy regulations apply to each client based on the type of data they collect, their industry, and the states where their customers reside. BIPA claims in Illinois alone have generated billions in class action settlements, and CCPA enforcement is accelerating. The costs of responding to a regulatory investigation can be substantial even when no fine is ultimately assessed, making regulatory defense coverage an essential component of the cyber policy for any business subject to data protection oversight. The duty to defend is broader than the duty to indemnify, meaning the carrier must provide a defense even if only one allegation in the lawsuit potentially falls within coverage, making this a powerful protection for policyholders facing multi-count lawsuits.

Real-World Example

A fitness chain with locations in Illinois uses fingerprint scanners for employee time-tracking without providing the written disclosures required by BIPA. A class action is filed on behalf of 3,200 current and former employees seeking statutory damages of $1,000-$5,000 per violation. The cyber policy's privacy liability coverage funds $380,000 in defense costs and a $2.1M settlement, well within the $3M policy limit. Without coverage, the chain faced potential exposure of $3.2M to $16M in statutory damages.

Common Mistakes

  1. Assuming privacy liability only triggers after a data breach, when violations of privacy statutes like BIPA can occur through routine business operations.
  2. Not verifying whether the cyber policy covers regulatory fines and penalties, which are excluded in many forms or limited to fines insurable by law in the applicable jurisdiction.

How brokerageaudit.com Handles This

brokerageaudit.com's Submission Intake module collects data about the types of personal information each client handles and the states where they operate, automatically flagging applicable privacy regulations. Policy Checker validates that the privacy liability insuring agreement covers the specific regulatory frameworks relevant to the client's operations.
