Category

U.S. State Law

17 March 2017

NAIC creates new Innovation and Technology (EX) Task Force

The National Association of Insurance Commissioners (NAIC) has created a new task force to monitor technology, data collection and cybersecurity developments in the insurance industry. The Innovation and Technology (EX) Task Force (IT Task Force) was formed on March 9, 2017 and reports directly to the NAIC’s Executive Committee. The IT Task Force will appoint and oversee the work of the following NAIC groups: the Big Data Working Group, the Cybersecurity Working Group and the Speed-to-Market Working Group. According to the NAIC’s March 9, 2017 press release, the IT Task Force’s purpose is to help insurance regulators stay informed about technology-related developments, products and services in the insurance industry, including start-up companies, and to ensure they meet consumer expectations and ensure consumer protections. The press release notes that annual investment in insurance technology (InsurTech) has increased to more than $2.5 billion and continues to grow.

28 February 2017

NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls

On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NYDFS published a revised version of the regulation (on December 28, 2016).

The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified.  The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.

05 January 2017

NYDFS Revises Cybersecurity Regulations Incorporating Risk-Based Approach; Maintains Prescriptive Requirements and Certifications

On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”).  The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016.  The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.

27 December 2016

NYDFS to Delay New Financial Cybersecurity Rules

After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.

12 October 2016

Lessons for California Business Over Recorded Phone Calls

*This article originally appeared in L.A. Biz at bizjournals.com on Oct. 11, 2016.

Over the past few months, Taylor Swift and Kanye West’s feud over a recorded phone call has put the California Invasion of Privacy Act (CIPA) in the spotlight.

Who can record a call? What type of consent is needed? These questions are not just fodder for celebrity tabloids but fundamentally important issues for companies recording customer service calls.

CIPA, codified in California’s Penal Code Section 630 et seq., is an invasion of privacy statute originally designed to restrict wire-tapping and the recording of calls snatched from the airwaves at the dawn of the wireless telephone industry.

However, in recent years, plaintiffs’ lawyers have embraced Section 632.7 of the Act as a sword to attack companies that record customer service calls.

19 September 2016

New York State Department of Financial Services Proposes Regulations Imposing Detailed Cybersecurity Rules on Insurance, Banking and Other Licensed Financial Institutions

On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.

04 April 2016

Tennessee Amends Breach Notification Law

On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.

15 March 2016

California Data Breach Report Gets Specific on “Reasonable” Information Security

This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015.  Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.”  These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.

04 January 2016

California’s New Data Breach Notification Requirements Effective January 1, 2016

When the California legislature closed out its 2015 session on September 11, 2015, it sent three bills to Governor Jerry Brown proposing amendments to the state’s data breach laws, all of which were signed into law on October 6 and took effect January 1, 2016. The new laws address what license plate data automated readers may collect, define encryption and, critically, make significant changes to the details of the required content and format of data breach notifications. S.B. 570 specified that data breach notices must be titled “Notice of Data Breach” and be broken into sections titled “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” Notice formatting must be in at least 10-point font and call attention to the notice’s “nature and significance.” A model notification, which companies may use to comply with these content amendments, is also provided in the bill (see below). These formatting requirements would not be prohibited under other state breach notification laws, and so we will likely soon see this format become a de facto national standard for efficiency’s sake.

07 July 2015

Joint FTC and NJ AG Complaint and Settlement Against App Developer that Allegedly “Hijacked” and “Drained” Phone Resources

On June 29, the FTC and New Jersey Attorney General announced the filing of a joint complaint, and a proposed, stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC, and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented the app was free of malware when in fact the app’s main purpose was actually to load malicious software on users’ phones to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans, and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network to compete with other devices in solving complex mathematical equations – a process known as “mining.”
