Insurance Insights June 2025

Spotlight

Google Threat Intelligence announced on June 17 that hacker group Scattered Spider, known for attacking a sector at a time, has renewed attacks against insurers. Google Threat Intelligence has warned insurers to be on the lookout for social engineering schemes targeting call centers.

Beyond this imminent threat, the data privacy space has captured our attention this quarter due to a continued flurry of state legislative activity. While insurers are typically exempted from the growing number of states’ comprehensive privacy laws (and instead subject to the Gramm–Leach–Bliley Act and states’ adoption of insurance-specific regulations), insurers still face evolving and varying obligations across different states. Here, we highlight recent privacy law developments in California, New York, and Illinois. We also invite experts from our Privacy, Cyber & Data Strategy Team to give their thoughts on top considerations for insurers.

Also in this edition, we head to summer school as we cover certain civil procedure developments in class actions and other contexts. While these holdings aren’t shocking, they involve procedural rules that frequently impact insurers.

- Tania Kazi (Rice), Andy Tuck, Tiffany Powers, Alex Lorenzo

California: Adding Layers to an Onion?

Privacy laws in California have been convoluted for insurers. The California Financial Information Privacy Act (CFIPA) adds protections beyond the federal Gramm–Leach–Bliley Act (GLBA), including permitting consumers to opt out of affiliate sharing and requiring written consent before sharing information with nonaffiliates. Separately, California’s Insurance Information and Privacy Protection Act (IIPA) sets requirements for personal information received in connection with an insurance transaction, including standards for notice, collection, and obtaining written authorization before disclosure.
California’s comprehensive privacy law—the 2018 California Consumer Privacy Act (CCPA), as revised in 2020 by the California Privacy Rights Act (CPRA)—contains a more nuanced carve-out for insurers than the one found in many other states’ laws. Instead of an entity-level exclusion, it excluded only the data collected by insurers that was already regulated by the GLBA and CFIPA. So while data collected as part of an insurance transaction is subject to the industry-specific laws, insurers could still be subject to the CCPA as to other data.

On November 8, 2024, the California Privacy Protection Agency board proposed new regulations to update the CCPA and clarify how it applies to insurance companies. This would formalize an understanding that insurers must comply with the CCPA for consumer information not collected as part of an insurance transaction. The proposed regulation (as modified on May 9, 2025) provides illustrative examples: the CCPA covers information collected from website visitors who have not applied for an insurance product and information collected from employees and job applicants; it does not cover information submitted as part of a claim for coverage. A public comment period on the proposed regulation closed on June 2, 2025.

A new bill introduced in the California Senate on February 12, 2025, the Insurance Consumer Privacy Protection Act of 2025 (SB 354), aims to strengthen and modernize the privacy framework for insurers and their third-party service providers. Building on (but not entirely replacing) existing protections, SB 354 would include requirements to:

• Exercise due diligence in overseeing third-party service providers that process personal information and include certain provisions in service-provider contracts.
• Limit processing of consumers’ personal information only to that reasonably necessary to an insurance transaction, certain marketing and research activities, and specified other purposes.
• Delete personal information no longer necessary to the performance of an insurance transaction or specified other purposes.
• Obtain express consent for use of personal information for any purpose other than the insurance transaction requested; provide clear privacy notices.
• Provide consumers the right to correct or delete inaccuracies in their records.

The California Department of Insurance, which has sponsored the bill, would have enforcement authority to impose penalties for violations. The bill remains under review in the state Senate.

Meet our California insurance team: Bo Phillips, Rachel Lowe, Kathy Huang, Gillian Clow, Samantha Burdick, Sam Park, Tania Kazi (Rice), Tom Evans, Jonathan Kim

Eye on Privacy
