State-Mandated Cyber Insurance Bill Fails Passage

Legislation opposed by the California Chamber of Commerce as an overbroad state mandate requiring contractors with state agencies to obtain cyber insurance failed to pass the Assembly Privacy and Consumer Protection Committee this week.

The 11-member committee, chaired by Assemblymember Ed Chau (D-Monterey Park), failed to approve AB 2320 (Chau; D-Monterey Park) on May 5.

In testimony to the committee, CalChamber Policy Advocate Shoeb Mohammed argued that the bill “raise[s] concerns, particularly for small businesses,” and detailed ambiguities with the language of the bill which could lead to duplicative insurance coverage, unreasonable coverage limits, and liability for losses that are not the result of a contractor’s breach of an agreement with a state agency.

Overall Lack of Clarity

CalChamber opposed AB 2320 because it was unclear. The bill did not specify whether duplicative insurance is a requirement, leaving open whether businesses with existing coverage would have to obtain duplicative cyber insurance policies.

Additionally, the bill’s requirement that contractors purchase cyber insurance should be tied to whether the contract itself involves receiving personal information, but the language of the bill does not address this.

Moreover, there is a lack of clarity as to whether the bill intends to be prospective only, or whether it has retroactive applicability.

Overbroad Insurance Requirements

CalChamber further opposed the bill because it would require a contractor to carry “cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information” (emphasis added).

This language is problematic because the term “all” losses could include losses that are not the result of the contractor’s breach of the agreement, and the term “potential” unlawful access or disclosure is not tied to any measurable harm.

These concerns were also shared by Assemblymember Jay Obernolte (R-Big Bear Lake), who asked the author to respond to CalChamber’s comments relating to this broad language during the committee hearing.

Amount of Cyber Insurance Coverage Not Linked to Contract

CalChamber additionally opposed AB 2320 because it provided no guardrails to ensure that the value of any mandatory cyber insurance coverage is mathematically or logically linked to the value of the data, the amount of data, the value of the contract, or any other relevant metric.

As it relates to the amount of cyber insurance coverage, the bill says that it shall be “in an amount determined by the contracting agency” but provides no safeguards to ensure that the amount of coverage required by state agencies must be calculated in a logical and relevant manner.

Although CalChamber agrees with efforts to increase data protection and cyber security for people across the state, mandatory insurance requirements are most appropriately addressed during the request for proposal process. This is partly because state mandates raise the barriers to entry for businesses that want to compete for these types of contracts, thus reducing the number of businesses that can compete and therefore eliminating competition. Consequently, this also harms state agencies by driving up costs for these contracts, ultimately increasing costs for taxpayers.

Key Vote

AB 2320 fell short of the votes needed to pass the Assembly Privacy and Consumer Protection Committee on May 5, 5-3:

Ayes: Chau (D-Monterey Park), Carrillo (D-Los Angeles), Medina (D-Riverside), Mullin (D-South San Francisco), Wicks (D-Oakland).

Noes: Kiley (R-Roseville), Gallagher (R-Yuba City), Obernolte (R-Big Bear Lake).

Not voting: Bauer-Kahan (D-Orinda), Berman (D-Palo Alto), Irwin (D-Thousand Oaks).

Staff Contact: Shoeb Mohammed