On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana. See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018). The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.
On January 17, the Financial Industry Regulatory Authority (FINRA) released its annual Risk Monitoring and Examination Priorities Letter (Letter), which identifies topics that FINRA will focus on in 2019. Unlike in previous years, this Letter primarily discusses new topics and priorities in areas of ongoing concern while not repeating topics that have been at the center of FINRA’s attention over the years. FINRA notes, however, that while traditional topics such as cybersecurity,1 recidivist brokers and anti-money-laundering (AML) may not be discussed extensively in the Letter, FINRA will nonetheless review firms for compliance regarding these areas of focus.
As always, firms should use the Letter to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming FINRA examinations and provide documentation of relevant reviews. The following is a discussion of some of the more salient points of the FINRA Letter. (more…)
On December 20, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the SEC) released its report (the 2019 Report) setting forth its list of examination priorities for 2019 (the Exam Priorities).1 OCIE announces its exam priorities annually to provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets.2 The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. (more…)
On December 19, 2018, Ohio adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. By doing so, Ohio joins South Carolina as the second state to have adopted the Model Law and the fourth state – along with Connecticut and New York – to have enacted cybersecurity regulations for insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (For more information on South Carolina’s adoption of the Model Law, see our prior coverage.) (more…)
On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)
The fifth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. (more…)
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) has published an advance notice of proposed rulemaking (ANPRM) initiating a 30-day public comment process regarding export controls for certain emerging technologies. The notice launches the implementation of a key provision of the Export Control Reform Act of 2018 (ECRA), part of the National Defense Authorization Act for fiscal year 2019 (NDAA). In the ECRA, Congress authorized BIS to establish controls on the export, reexport and transfer (in country) of “emerging and foundational technologies.” The ANPRM, including a list of the 14 proposed representative technology categories and subcategories subject to review, can be found here. Our prior updates on the NDAA and ECRA can be found here.
Rapid advances in automation have the potential to disrupt a number of sectors, perhaps none more so than the automobile industry. The U.S. Department of Transportation (DOT) has accordingly announced its intention to take “active steps to prepare for the future by engaging with new technologies to ensure safety without hampering innovation.” Most recently, on October 4, 2018, DOT issued Preparing for the Future of Transportation: Automated Vehicles 3.0 (AV 3.0), its third round of guidance on the topic. Like its 2017 predecessor, “Automated Driving Systems 2.0: A Vision for Safety,” AV 3.0 emphasizes the development of voluntary, consensus-based technical standards and approaches while noting that there are cross-cutting policy issues where federal leadership may be necessary. AV 3.0 also builds on its predecessors by emphasizing that it reflects the view of all of DOT’s operating administrations; by providing much more detailed guidance on the development and testing of automated vehicle technologies; and by announcing some specific regulatory steps DOT plans to take in the near future. (more…)
Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)