CCPA Could Frustrate Tripartite Relationship Between Insured, Insurer, and Legal Service Provider
Risk Management Question
How will proposed regulations implementing the California Consumer Privacy Act (CCPA) impact the tripartite relationship between an insurer, its insured, and the law firm retained by an insurer to represent its insured?
The Issue
The CCPA, which goes into effect on January 1, 2020, grants California consumers several of the same type of privacy rights found in the European Union's General Data Privacy Regulation (GDPR), including the right to access, delete, and object to the sale of their personal information. However, the proposed regulations that implement the CCPA raise a number of concerns regarding the ability of legal service providers to effectively execute and defend legal claims within the tripartite relationship context.
Hinshaw submitted a letter to the California Attorney General outlining these concerns, which are summarized below:
- Law firms could find it impossible to use any personal information obtained by the insurance carrier during the claims review process or prior to the suit being filed. Furthermore, law firms seemingly will also be prohibited from sharing information provided by the carrier with experts and consultants necessary to defend the insured.
- Law firms acting as "Service Providers" under the CCPA do not currently qualify for CCPA exceptions—e.g. when exercising or defending legal claims and when compliance would violate an evidentiary privilege under California law.
- It is currently unclear whether common industry practices such as storing personal information in the cloud, or using electronically stored personal information for discovery purposes would constitute "Processing" under the current CCPA regulatory scheme.
- The scope of the "exercise or defend legal claims" exception is completely undefined.
Risk Management Solution
If you are an insured law firm or business, the CCPA may unintentionally impair your legal counsel’s ability to defend you against claims by using personal information protected under the law. We look forward to the Attorney General's guidance in resolving these issues.
More information about these issues is described in a press release on the Hinshaw website