By

Stephen McInerney

07 December 2017

U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law

On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for the asset management and insurance industries.  The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment.  For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage).  The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action at the state level.

02 October 2017

Illinois’ Governor Vetoes the Geolocation Privacy Bill

On September 22, 2017, Illinois Governor Bruce Rauner vetoed the proposed Geolocation Privacy Protection Act, which sought to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent.  The General Assembly originally passed the bill on June 27, 2017.  (For more background on the bill, see Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill (July 5, 2017)).

16 August 2017

SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity 2 Observations

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms.  Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but the SEC also noted a number of areas where compliance and oversight merit attention.  Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate.  Firms must instead have policies that are adapted to their actual operations, as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures.

05 July 2017

Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill

On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent.  This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed.  If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices.

14 March 2017

Google’s Overseas Warrants: A Game of Tug-of-War Over Access to Data

On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation.  In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017).  This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland.  (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).

15 February 2017

Chronicles from the Standing Wars: Third Circuit Rules Disclosures of Personal Data in Violation of FCRA De Facto Injury

The Third Circuit recently overturned a district court’s ruling on In re Horizon Healthcare Services Inc. Data Breach Litigation and gave new life to a putative class action over a data breach.  No. 15-2309 (Jan. 20, 2017).  The Third Circuit panel held that allegations of unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (“FCRA”) constituted a de facto injury sufficient to establish Article III standing.  Plaintiffs did not allege identity theft, any other misuse of the compromised data, or even any mitigation costs.
