One of the most often discussed (and debated) aspects of the soon-to-be effective California Consumer Privacy Act (CCPA) is that the CCPA provides for statutorily assessed civil penalties against any violators, up to $7,500 per violation per consumer. With many businesses seeking to transfer the risk of third-party actions that might be brought against them pursuant to the CCPA (especially to cyber and privacy liability insurance), an issue to consider is whether an insurance policy would provide indemnity coverage for civil penalties assessed under the CCPA when applicable state law prohibits such coverage.
Insurance policies tend to highlight this issue for the policyholder. For example, the definition of “Loss” or “Damages” under a Cyber, Tech E&O and/or D&O liability insurance policy typically carves out “fines and/or penalties except to the extent insurable by law.” In the absence of a “choice of law” provision in an insurance policy which is part of a nationwide insurance program, the law of the state where the insurance policy was bound and delivered (typically the company headquarters) is the law that arguably governs the interpretation of that insurance policy. Given the multitude of tech companies headquartered in Silicon Valley that will fall within the parameters of the CCPA, what exactly does California law say about whether civil penalties are insurable? As discussed below, certain companies seeking insurance coverage for CCPA penalties may be facing a metaphorical “404 Error.”
The CCPA, which becomes effective January 1, 2020, applies to companies based in or doing business in California that either: (1) generate gross revenue of more than $25 million per year; (2) receive or share personal information of more than 50,000 individuals; or (3) earn at least half of their annual revenue by selling the personal information of California residents. Among other things, the CCPA will:
[R]equire a business to make disclosures about [a consumer’s personal] information and the purposes for which it is used…grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified…grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed…require a business to provide this information in response to a verifiable consumer request…authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
The CCPA provides for the assessment of civil penalties against businesses that violate its provisions. Specifically, sub-sections 1798.155(a) and (b) of the CCPA provide that:
(a) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
(b) Notwithstanding Section 17206 of the Business and Professions Code, any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.
The cost of CCPA penalties could be substantial. For example, if 1,000 customers request that their personal data be deleted from a company’s server, and that company is found to have intentionally violated the CCPA’s provisions specific to those requests, the company may face $7.5 million in civil penalties under sub-section (b).
INSURABILITY OF PENALTIES UNDER CALIFORNIA LAW
In addition to highly-developed case law on insurance coverage issues, California also has a robust state insurance code. Consulting these statutes prior to reviewing case law can be instructive. In particular, certain sections of the California Insurance Code disallow insurance coverage for particular categories of damages regardless of whether coverage is affirmatively provided for those damages in any insurance policy bound and delivered in California.
Along these lines, California Insurance Code § 533.5 provides that:
No policy of insurance shall provide, or be construed to provide, any coverage or indemnity for the payment of any fine, penalty, or restitution in any criminal action or proceeding or in any action or proceeding brought pursuant to Chapter 5 (commencing with Section 17200) of Part 2 of, or Chapter 1 (commencing with Section 17500) of Part 3 of, Division 7 of the Business and Professions Code by the Attorney General, any district attorney, any city prosecutor, or any county counsel, notwithstanding whether the exclusion or exception regarding this type of coverage or indemnity is expressly stated in the policy.
Any provision in a policy of insurance which is in violation of [the clause above] is contrary to public policy and void.
The civil penalty provision of the CCPA specifically states that violators of the statute “shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code.” California Insurance Code § 533.5 forbids indemnity coverage of any “penalty” in any action or proceeding brought pursuant to California statutes “commencing with Section 17200.” The CCPA commences at Section 1798.100 under the California Civil Code.
This begs the question: when the Attorney General of California brings an action under the CCPA and seeks civil penalties, is that an action brought, at least in part, pursuant to Section 17206 of the California Business and Professions Code considering that it is specifically incorporated into the CCPA as a statutory source for the assessment of those civil penalties? If so, then isn’t there a strong argument to be made that under California law insurance coverage of penalties assessed under the CCPA is “contrary to public policy and void?”
Notwithstanding the California Insurance Code, several case decisions from California support the notion that civil penalties are uninsurable as a matter of California public policy. For example, in Bulluck v. Maryland Casualty Company, 85 Cal. App. 4th 1435(Cal. Ct. App. 2001) insureds brought a bad faith action against their liability insurers for refusing to defend the insureds in an action brought by a city seeking to compel the insureds’ compliance with a city ordinance. The city specifically sought civil penalties. The insured argued that “the penalties were ‘damages’ because they would compensate the city for an injury to the ‘public fisc.’” However, the court rejected that argument citing California Insurance Code § 533.5 for the proposition that the payment of a penalty was not “damages” within the meaning of a liability insurance policy under California law.
Similarly, in Allen v. Steadfast Insurance Company, 2014 U.S. Dist. LEXIS 1994, (C.D. Cal. August 22, 2014), the court assessed whether a CGL policy ought to provide coverage for civil penalties assessed against a company for its violations of various California state environmental statutes. Citing Bulluck, the court held that “as a general matter, civil penalties – by virtue of their punitive nature – do not constitute ‘damages’ as they are not intended to ‘compensate’ a third party for losses or injuries.” Id. at *36.
As one would imagine, this analysis is not unique to California. For example, here is a snapshot of what Delaware and New York have to say about the topic:
- Delaware – There is no compelling public policy against insurance coverage for civil penalties, and where statutes do not specifically prohibit insurance coverage for civil penalties, Delaware courts will not “partially void what might otherwise be a valid insurance contract as contrary to public policy in the absence of the clear indicia that such policy actually exists.” See Wilson v. Chem-Solv, Inc., No. 85C-MY-1, 1988 Del. Super. LEXIS 372 (Super Ct. Oct. 14, 1988) see also U.S. Bank N.A. v. Indian Harbor Insurance Company, 2014 U.S. Dist. LEXIS 91335, (D. Minn. July 3, 2014).
- New York – There is a public policy against allowing insurance coverage for civil fines and punitive damages because under New York law “no one shall be permitted to profit by…or to take advantage of his own wrong” and “the sting of…penalties is not to be soothed by permitting its payment out of an insurance pool rather than directly by the wrongdoer.” See Silverman Neu, LLP v. Admiral Insurance Company, 933 F. Supp. 2d 463 (E.D.N.Y. 2013); quoting Drexel Burnham Lambert Group, Inc. v. Vigilant Insurance Company, 157 Misc. 2d 198, 595 N.Y.S.2d 999, 1010 (N.Y. Sup. Ct. 1993).
At the end of the day, if a state has a compelling public policy (supported by statutes and/or case law) against insurance coverage for civil penalties, and that state’s law governs a particular insurance policy issued to an insured seeking coverage for civil penalties assessed under the CCPA, then a reasonable argument can be made that no coverage is available for those civil penalties. There appears to be a strong basis for that argument to be made under California law.
Many businesses across the United States and the entire world will come within the purview of the CCPA, meaning that multiple states’ and countries’ laws regarding the insurability of penalties will be relevant. If the transference of CCPA penalty risk is critical to any organization, one should take care to consider whether coverage of that penalty risk is prohibited in any applicable jurisdiction – regardless of what the insurance policy says.