New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.
The National Association of Insurance Commissioners (NAIC) has created a new task force to monitor technology, data collection and Cybersecurity developments in the insurance industry. The Innovation and Technology (EX) Task Force (IT Task Force) was formed on March 9, 2017 and reports directly to the NAIC’s Executive Committee. The IT Task Force will appoint and oversee the work of the following NAIC groups: the Big Data Working Group, the Cybersecurity Working Group and the Speed-to-Market Working Group. According to the NAIC’s March 9, 2017 press release, the IT Task Force’s purpose is to help insurance regulators stay informed about technology-related developments, products and services in the insurance industry, including start-up companies, and to ensure they meet consumer expectations and ensure consumer protections. The press release notes that annual investment in insurance technology (InsurTech) has increased to more than $2.5 Billion and continues to grow.
On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation. In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017). This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland. (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).
*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.
Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NY DFS published a revised version of the regulation (on December 28, 2016.)
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
*This article first appeared in Bloomberg BNA Corporate Law & Accountability Report on February 23, 2017
On Jan. 12, 2017, the National Association of Corporate Directors (NACD) released its new “NACD Director’s Handbook on Cyber-Risk Oversight.” The NACD has suggested that directors can use this Cyber-Risk Oversight Handbook as a resource to “[l]earn foundational principles for board-level cyber-risk oversight” and gain insight into issues including how to:
- “allocate cyber-risk oversight responsibilities at the board level”;
- address “legal implications and considerations related to cybersecurity”;
- “set expectations with management about the organization’s cybersecurity processes”;
- “improve the dialogue between directors and management on cyber issues”; and,
- “improve and enhance boardroom practices.”
The Third Circuit recently overturned a district court’s ruling on In re Horizon Healthcare Services Inc. Data Breach Litigation and gave new life to a putative class action over a data breach. No. 15-2309 (Jan. 20, 2017). The Third Circuit panel held that allegations of unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (“FCRA”) constituted a de facto injury sufficient to establish Article III standing. Plaintiffs did not allege identity theft, any other misuse of the compromised data, or even any mitigation costs.
2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.
After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.