Placing You First Insurance Podcast by CRC Group

Navigating TDPSA Compliance & Insurance Coverage in the Digital Age

CRC Group, Josh White Episode 89

Unravel the complexities of the Texas Data Privacy and Security Act (TDPSA) with cyber and professional lines broker Josh White from CRC Group’s ExecPro practice group. Discover the essential components of this new legislation, understand its alignment with similar laws, and learn about the unique aspects that set Texas apart. Josh breaks down the immediate compliance requirements for businesses, shedding light on potential costs and challenges. Plus, get a firsthand look at the pivotal role insurance agents play in navigating these regulations, from understanding data collection processes to managing data repositories efficiently. Hear about the standout services CRC offers, including coverage analysis, benchmarking resources, and tools to compare cybersecurity exposures and limits.


Scott Gordon:

Texas is the latest state to pass data privacy legislation. The law is meant to protect consumers' control over their data. However, it creates regulatory requirements and risks for any business that operates in Texas. Today, we're joined in the studio by Josh White, a cyber and professional lines broker with CRC Group's ExecPro practice group. We're going to talk with him about how businesses can comply with the new law and how you can help your clients minimize their data breach risk.

Amanda Knight:

This is the Placing You First podcast from CRC Group.

Scott Gordon:

This podcast features news and insights from a vast knowledge base of over 5,100 associates who write more than $35 billion in premium annually.

Amanda Knight:

Plus, we give you the latest information on what's happening at CRC. This, this, this is the Placing.

Josh White:

You First podcast and now the hosts of the podcast Amanda Knight and.

Scott Gordon:

Scott Gordon. Welcome to the podcast, Josh. Hey, thanks for having me.

Amanda Knight:

Well, we'll jump right in. I know that you know people hear new law or law change or you know regulatory change and like their eyes glaze over and they stop reading, or, you know, just kind of want the high points right. They don't want to have to dive into the whole thing themselves, but I know for a fact that you have and that you know what this is about. So could you take a minute and just give our listeners a brief overview of the Texas Data Privacy and Security Act and maybe fill us in on how it compares with similar laws they may have heard of? I know there's one in California. Virginia's got a data privacy law. Are there any unique aspects to the one in Texas that stand out against those?

Josh White:

Yeah, thanks for having me on, Amanda and Scott, so excited to jump in. This just went into effect 7-1, so it's emulating the CCPA, Virginia's Privacy Act. It's the 18th state to come forward with the Privacy Progressive Act and it's essentially to protect Texas consumers. Now it doesn't apply to necessarily Texas domicile businesses, but rather protects the individuals in the state of Texas from any kind of noncompliance with data collection. So the Texas Data Privacy and Security Act essentially follows five main components. It allows the consumer to talk to a business and request the information that they've collected on an individual, that it's accurate, that the individual can actually request a copy of that data that's been obtained on the individual. They can also opt out of any data selling or profiling of the individual. Again, it just conducts the organization that conducts business in Texas or generates products or services that are consumed by Texas residents, that they process or engage in the sale of data and that they do not identify as a small business based on the USA, the SBA or the Small Business Administration Standards.

Josh White:

A little caveat to that we've seen with the CCPA and Virginia privacy laws. There's been a number of amendments in the last four years that have expanded the actual legislation to essentially apply to more businesses. So although right now it's just for non-small businesses and I say that quote unquote it's a good best practice for every organization out there, because this will continue to progress, the legislation will continue to get stricter and stricter and again it's just the best practice for really all organizations out there.

Amanda Knight:

So I know this went into effect July 1. We're now past that date. Is there some sort of grace period for all of this? I know it looks like they have until January 1 of 25 to comply with the global opt out provision. Is there any grace period for the rest of it, or is it July 1, everybody get your ducks in a row?

Josh White:

July 1, everyone, get your ducks in a row.

Amanda Knight:

Okay, so the portal will be live on the Attorney General's site.

Josh White:

You can actually go into the portal and already submit a complaint. Now, when that takes place, the organization will have 30 days' notice to come into compliance. But the onus then falls back on that organization to provide a detailed report and receipts, if you will, of the tech stack and the opt-out requirements by the TDPSA. And again that responsibility all falls back on that organization, which can be quite costly and, as you know, with technology advancements, we see with every organization to make improvements it can take weeks, months, sometimes years to go through that certain tech stack to get into compliance.

Scott Gordon:

So again, get ahead of it now. So, based on that basic breakdown, Josh, what are some of the common challenges that businesses might face when they're complying with TDPSA? How can insurance agents assist their clients in navigating these challenges?

Josh White:

Great question again, Scott, and we don't expect every one of our insurance agents and partners to be a full expert on the Texas Data Privacy Security Act. However, a couple of easy questions and a couple of ways to easily navigate this with your organizations is, one, is it applicable to that business? There's a couple opt-outs. As well as not being a non-large business, anything like financial institutions, not-for-profit organizations, there's a couple other nuances, like political subdivisions, that aren't applicable here. But for your clients that are subject to this kind of legislation, you can walk them through their data opt-out process, ask them about the records that they're collecting and the data that they might be processing and, through that, making sure that they have the appropriate disclaimers on their sites, the contracts in place with the third-party marketing teams that they might be working with. And then again, just having a better understanding of the repository of data. Is it segmented, is it backed up? What does it look like from the information that they're collecting and that they're in compliance?

Amanda Knight:

That makes sense. You know pixels and biometrics and how sometimes even the organizations using these data collection tools don't fully understand or realize the scope of the data that they're collecting or at least not everyone in the organization does and so it can leave some gaps, some risks in place that maybe you're not fully aware of. I assume that would relate here to the TDPSA also.

Josh White:

Yeah, that's a great point, Amanda, and history repeats itself, right? A good example: Sephora, a large but privately held company. They were in violation of the CCPA and underwent a $1.2 million violation, and what we're seeing from the TDPSA is about $7,500 per violation. So again, the organization will receive a 30-day notice, but that $7,500 ticket number is just per violation. Say, you're out of compliance over a thousand different violations and you're definitely going to see some attorneys and ambulance chasing law firms going after some of these organizations. That could be quite costly quite quickly. Insurance agents can also help their clients by taking a pre-breach approach, so assessing the data privacy rights. A lot of these cyber carriers that CRC partners with are not only transferring the risk onto a cyber policy, but they're offering pre-breach services. This includes everything from incident response, global compliance. Again, Texas Data Privacy Security Act isn't anything new. It's following a similar template to your GDPRs of the world and your CCPAs. So there's a number of resources that are widely available for our clients.

Amanda Knight:

So, with those challenges in mind, and with the fact that you just mentioned, a lot of the cyber carriers we partner with offer some really helpful services to help identify, remediate, do whatever we need to do to try to be in compliance. So what should retail agents look for when they're evaluating cyber options in light of the TDPSA? Are there specific coverage aspects that are really crucial for businesses to consider?

Josh White:

Sure, and the insurance policy really is two-pronged, right? You have your first-party costs and your third-party, and when we talk regulatory fines and investigations, these proceedings are going to fall under that third-party bucket. It's a claim made against the insurer that they're liable for. However, there's a number of first-party costs typically associated when a proceeding takes place: everything from your outside counsels, your legal billables, forensic investigation, any kind of post-breach remediation costs. Those are all going to be costs that the insured actually incurs and what we'd bucket as first party. So when evaluating cyber solutions, to make sure you have comprehensive first and third party, that the perils and the triggers are there in the policy as well. So your regulatory fines, essentially not excluding any kind of unlawful collection due to an act of error or omission. We see a lot of our carriers offering third party response and able to get ahead of any of these violations.

Josh White:

So, for example, if you receive that 30-day notice from the Texas AG, you're able to notify your carrier and get the appropriate remediation before those costly $7,500 tickets come through right.

Amanda Knight:

I guess at this point we're not far enough out from July 1 to have had anything substantial hit the news yet. Have you heard any? I mean we've passed the 30-day mark for if you got a notification early in July, but have you heard of any unresolved violations or substantial fine yet? I've been doing it.

Josh White:

This is just me being nosy, I know, and I've been doing a deep dive on my end, utilizing all resources possible. I've been ringing a lot of my folks at plan, not only the tech side, right, because a lot of these folks are scrambling and working with certain cybersecurity vendors to get into compliance, but no word yet and maybe it just swept under the rug. But, I imagine, very similar to the CCPA, things will start shaking out and it's a great positive for Texas, being the second largest economy. It was about time to put some kind of privacy progressive act in place to be aligned with the rest of the marketplace and with the rest of the United States. So this is a total win for us Texas consumers.

Amanda Knight:

Also a question for me as a novice about cyber slash data things. If I'm a consumer in Texas, would I notice anything different about the way I interact with a business or, I guess, maybe online or on their websites? Will I notice disclaimers or opt-out buttons or things that I should be looking for if I want to address this myself as a consumer? Absolutely.

Josh White:

Absolutely so, similar to a lot of those marketing emails that have been coming through, with the unsubscribe here noted in the it's at the very bottom of the email. You're going to start seeing this on websites, so almost consenting to those cookies. You're also going to see what information they're collecting on you and if they do sell, profile or collect that data and they're going to utilize to another third party, they do have to notify you preemptively. So you should be seeing a lot more notice. There's very clear and distinct language. It's not a long blurb by any means, but it has to be included on every page where there may be a jot form or a stepper where you might be inputting information, and then you will be consenting to that.

Josh White:

Now, always read the fine print, right? You will see a lot more steps involved as you're inputting information. Another cool component, and I had mentioned this a little bit earlier, is you can request what information is tracked on you. So I'm not a big social media guy, but I understand that, like Facebook, for example, if you were to go in and you request what your profile looks like on the backend and all the data associated to you as an individual, it would essentially give you a whole rap sheet dating back to the inception of your Facebook page, giving you all the pictures and profiles and comments, so on and so forth, because that's technically on their server and something that they collected about you.

Josh White:

So you can request that from any third party.

Amanda Knight:

Wow, that's a lot. I'm not sure I entirely want to know, but if you want it, it's there. Well, I mean, all of this is complex, right? I mean some of it sounds as simple as pushing the button or clicking the link, for on the consumer side, it sounds like it's more complex, obviously, on the retail agent and the business side. So talk a little bit about what makes CRC different, better and special right, what makes us the preferred partner for retail agents.

Josh White:

We have built out a number of tools to get ahead of this and we get calls every day saying, like, what's the differentiator here? We have some retail direct options. Hey, can you just give us a quick green light? And when you take a deeper dive, there's a number of things that we're doing. We're doing coverage analysis.

Josh White:

So we have over 120 carriers on the cyber side that we represent.

Josh White:

Not only have we already pre-negotiated stronger terms and conditions for our clients, but, past that, we're actually able to stack rank the carriers depending on the exposure.

Josh White:

So we'll do a hundred point comparison those first and third-party coverages that we discussed earlier, everything from ransomware coverage to unlawful collection exclusions we really get into the nuances and we're able to provide that to the client along with the proposals to allow them to make an educated buying decision.

Josh White:

When it comes to cyber insurance, past that, we have a number of resources that help with benchmarking. This is easily one of the best tools that separates us from the rest of the marketplace. We're able to essentially benchmark an individual company against their industry peers. So, for example, if you're a 50 million in revenue, gross revenue manufacturing firm with, say, 3,000 records, we have tens of thousands of clients in our repository, in our portfolio that we can stack rank your cybersecurity exposure and the appropriate limits to buy versus your industry peers. So we're able to give you a certain confidence level on what a claim might look like, how costly it might get, the appropriate limits to buy and again, coupling that with the coverage side by side, you're making sure that you're transferring the risk in all the appropriate places and have adequate coverage.

Scott Gordon:

Well, Josh, you've never been on here before, so we don't know whether you know about our little bonus round here that we have at the end. But we like to kick off our shoes and do a little thing called rapid fire, where we just ask you things off the top of your head and we have two doozies for you today. Amanda concocts these questions oh goodness, pulls them from her witch's cauldron of knowledge it's my favorite part.

Scott Gordon:

It's my favorite part, so uh, our first question for you is what was your last impulse buy, and was it worth it? Oh goodness goodness.

Josh White:

I pulled the trigger recently on a cooling mattress topper and if it was worth it it absolutely was. It was pretty cool. I guess it cools you depending on where you are in your sleep cycle, and then it wakes you up to a warm hug. So it's been pretty neat and I've enjoyed it thus far.

Amanda Knight:

We might have to have Dawson does the?

Josh White:

link to that?

Amanda Knight:

That sounds great.

Scott Gordon:

We're not commissioned on this, so I won't name drop, you know, and now they're collecting data on how you like to sleep and what temperature.

Amanda Knight:

This last one seemed appropriate, based on the topic Scott, all cybery and such.

Scott Gordon:

Yeah, right. So our second question for you, Josh: other than email or texting, what app do you use the most on your phone?

Josh White:

Maybe Amazon. No, I'm kidding, Coupling the impulse buy. No, I would say the way I decompress it. I really enjoy chess and I'm very average at best, but I enjoy Blitz games and 3-2 games of chess at the end of the night to decompress. So I would say that's probably number three, that's impressive.

Scott Gordon:

I used to play chess with friends was a game that you could play with your buddies. Is that still a thing, or do they not have that anymore?

Josh White:

So you could play with your friends or against somebody randomly globally. Scott, I'll have to add you as a friend and I'll give you the lay of the land.

Amanda Knight:

There you go.

Scott Gordon:

Oh, if you want a punching bag, yeah, add me as a friend, because I suck at chess.

Amanda Knight:

My nine-year-old tried to teach me and then he gave up. So I think maybe I'm hopeless. I'll just stick to checkers, it's fine, Josh.

Scott Gordon:

thanks for being on and joining us for the convo here.

Josh White:

It was a blast, guys. Thanks for having me on.

Amanda Knight:

If you're a listener, we're really glad you were able to join us too. Providing current insights into the marketplace is just one more way CRC Group is placing you first. Don't forget to subscribe and share.
