Evaluating the Insurability of CCPA Fines Assessed by the California Attorney General
The insurability of civil fines imposed by the California Attorney General under the California Consumer Privacy Act ("CCPA" or "the Act") has been an area of significant concern since the CCPA's enactment in 2018. The issue has taken on heightened interest now that the Act's compliance deadline of January 1, 2020 has passed and July 1, 2020—the date by which the AG may begin enforcement—is approaching. Here, we consider the relevant text of the CCPA and the likelihood that civil fines issued pursuant to the AG's enforcement authority will be insurable.
Original CCPA Civil Enforcement Provision
When it was originally enacted, the CCPA contained the following enforcement provision:
(a) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty as provided in Section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
(b) Notwithstanding Section 17206 of the Business and Professions Code, any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.
The references to Section 17206, California's Unfair Competition Law (UCL), in the enforcement section created concerns about the insurability of CCPA fines because of the UCL's interplay with California's Insurance Code. Section 533.5 of the Insurance Code provides in the relevant part:
(a) No policy of insurance shall provide, or be construed to provide, any coverage or indemnity for the payment of any fine, penalty, or restitution in any criminal action or proceeding or in any action or proceeding brought pursuant to Chapter 5 (commencing with Section 17200) of Part 2 of, or Chapter 1 (commencing with Section 17500) of Part 3 of, Division 7 of the Business and Professions Code by the Attorney General, any district attorney, any city prosecutor, or any county counsel, notwithstanding whether the exclusion or exception regarding this type of coverage or indemnity is expressly stated in the policy.
In a letter dated August 22, 2018, however, the California Attorney General recommended removal of the references to the UCL, for reasons having nothing to do with the insurability issue. The AG stated:
[T]he CCPA's civil penalty provisions are likely unconstitutional. These provisions . . . purport to amend the Unfair Competition Law's . . . civil penalty provision . . . as applied to CCPA violations. The UCL's civil penalty provisions were enacted by the voters through Proposition 64 in 2004 and cannot be amended through legislation. . . .We can and should address this constitution infirmity by simply replacing the CCPA's current penalty provision with a conventional stand-alone enforcement provision that does not purport to modify the UCL. My team has offered corrective language for this purpose.
Legislative hearing notes dated August 28, 2018, confirm that legislators reached agreement to revise the AG enforcement section of CCPA "to ensure that there are no Proposition 64 issues by removing references to the UCL."
Current CCPA Enforcement Provision
The CCPA enforcement provision now states, in relevant part:
(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.
On its face, therefore, the enforcement provision is now agnostic concerning the issue of insurability. But is that dispositive of the issue? Even in the absence of a statutory prohibition against coverage, California public policy, the terms of the policy, and the facts giving rise to the fine should also be considered.
Legislative History of Insurance Code Section 533.5
The California Legislative Counsel's Digest indicates that the assembly bill that became Insurance Code section 533.5 would prohibit "any policy of insurance providing, or being construed to provide, coverage or indemnity for the payment of fine, penalty, or restitution in any civil or criminal action brought by the Attorney General, district attorney, or city attorney regardless of what the policy says." The Attorney General proposed and urged enactment of section 533.5 "to hold individuals personally accountable for behavior [that] constitutes an unfair business practice or false and misleading advertising, in order to avoid the litigation becom[ing] a contest between the public entity and the insurance company in which the involvement of the person whose conduct is at issue is almost negligible." Mt. Hawley Ins. Co. v. Lopez, 215 Cal.App.4th 1385, 1403 (2013) (internal citations omitted).
In Mt. Hawley, California's highest court conducted a lengthy analysis of the legislative history of the section 533.5 and stated:
The legislative history of the original [version of section 533.5 and its subsequent amendments] make it clear that the purpose of the statute, the circumstances of its enactment, and the Legislature's goal in enacting the statute, were to preclude insurers from providing a defense in civil and criminal UCL . . .actions brought by the Attorney General . . . Id. at 1410.
Despite the reasons underpinning the law's enactment, a question remains as to whether section 533.5 represents a "fundamental public policy" of California, which might preclude coverage for civil AG fines that are not directly covered by section 533.5.
How the Issue Might Arise
Many of the reported cases across the country addressing coverage for fines and penalties concern criminal fines and/or policies that do not expressly provide such coverage. But broad regulatory coverage, including for civil fines and penalties, is an important feature of many cyber insurance policies. Coverage may be explicitly conditioned, however, on insurability under the applicable law.
For example, some forms grant coverage for civil fines "unless the civil fine or penalty imposed is uninsurable under the law of the jurisdiction imposing such fine or penalty." Other forms state that the insurability of civil fines "shall be in accordance with the law in the applicable venue that most favors coverage." Still, other policies apply the law of the jurisdiction issuing the fines. In the absence of such provision, choice of law provisions should be considered.
Disputes concerning coverage for CCPA fines are likely to arise when the fine is premised on intentional acts of the insured. In certain circumstances, the insured's acts may trigger an intentional acts exclusion. It's also important to note that California Insurance Code section 533 precludes coverage for loss caused by the willful acts of the insured. In particularly egregious situations, a fine might be considered punitive in nature, triggering a punitive damages exclusion. Fines arising vicariously against an insured may not fall within policy exclusions or impact public policy insurability concerns.
To discuss specific policy wordings, public policy, regulatory, and other issues attendant to the insurability of CCPA fines, as well as potential implications for other lines of coverage, please contact the authors.
 In a recent case, the California Court of Appeal ruled that the common law notice-prejudice rule is a "fundamental public policy" of the State of California, which overrode an insurance policy's New York choice of law policy provision. Pitzer College v. Indian Harbor Ins. Co., 8 Cal.5th 93 (2019). The court discussed the fundamental public policy issue in the context of a coverage dispute, where the coverage was dependent on the application of California versus New York law.