On October 14, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) adopted a cybersecurity “Bill of Rights” that proposes certain rights for insurance consumers relating to the protection of their personal information by insurance companies, insurance producers and other entities regulated by state insurance departments. The Bill of Rights also outlines specific notices, information and actions that consumers should expect from such entities, particularly in the event of a data breach. This Bill of Rights, if adopted by NAIC’s Executive/Plenary Committees, could ultimately be incorporated in NAIC Model Acts and Regulations, and could be adopted by insurance companies on their own initiative.
On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.
The Practising Legal Institute has published “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” a treatise edited by Ed McNicholas and Vivek Mohan of Sidley Austin LLP. This “Sidley on Cybersecurity” treatise sets out in a clear and readable manner the complex legal framework for cybersecurity in the United States. We hope that it will be a practical legal guide for in-house attorneys, IT leaders, senior executives, and corporate directors concerned about cybersecurity risk.
Cybersecurity attacks have increasingly garnered significant attention this summer—and financial regulators are taking notice and taking action. Earlier in August, the Securities and Exchange Commission (“SEC”) announced the indictment of nine players in a major hacking ring. The ring was designed to obtain corporate announcements prior to their public release, to give purchasers of the illegally obtained information an edge in securities trading. The attack combined old-school securities fraud with new-school cybercrime, and served as a reminder of financial markets’ potential vulnerabilities from the ingenuity of cybercriminals.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
An already active TCPA class action bar is sure to become even more active after a significant Declaratory Ruling and Order from the FCC that, among other points, broadened what technologies may be considered autodialers, gave further strength to class actions based on reassigned cell numbers, and muddied the waters for constructing compliance mechanisms to support consumer revocation of consent.
On July 10, 2015, the Federal Communications Commission issued a declaratory ruling to resolve various concerns raised by 21 petitions regarding the Commission’s implementation of the Telephone Consumer Protection Act, which carries a $500 penalty for each call or text in violation.
This week we moved one step closer to the adoption of the proposed EU Data Protection Regulation with the agreement by the Council of Ministers on its proposals for the draft Regulation. The Regulation has been described as the most lobbied piece of European legislation in history and, once adopted, will have a significant impact on governments, businesses and individuals.
Although a frequent topic of discussion on Capitol Hill, no single standard for private-sector cybersecurity programs has yet to emerge. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is often considered foremost among existing guidance, but several other agencies are also expressing views, including the following recent guidance from the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). Significantly, both the DOJ and FTC tout the advantages of cooperating with law enforcement after a data breach by noting that such cooperation may lead to “regulatory” benefits.
BNA’s Privacy & Security Law Report
Following meetings held Feb. 24-25, the Council of the European Union released its ‘‘Conclusions’’ in response to the EU Commission’s Nov. 4, 2010 ‘‘Communication’’ proposing ‘‘a comprehensive approach on personal data protection in the European Union.’’ The Council is the main decision-making body of the European Union, comprising the ministers of the Member States. Depending on the issue on the agenda, each country is represented by the minister responsible for that subject (foreign affairs, finance, social affairs, transport, agriculture, etc.).