The National Association of Insurance Commissioners (NAIC) held its Spring 2019 National Meeting (Spring Meeting) in Orlando, Florida, from April 6 to 9, 2019. This post summarizes the highlights from this meeting.
We held our 5th Annual Privacy and Cybersecurity Roundtable on May 1, in Washington, D.C. The event featured the Chair of the European Data Protection Board Andrea Jelinek and FTC Commissioner Noah Phillips. Other government speakers represented the White House, UK’s Information Commissioner’s Office, and staff members from the U.S. Senate and House of Representatives. Other distinguished panelists included Cam Kerry of Brookings and Jane Horvath from Apple. The speakers addressed privacy and cybersecurity enforcement in the U.S. and EU, Brexit, Online Harms and the prospects for federal privacy legislation. The insightful program was followed by a competition between the sausage-making (and brewing) achievements of leading privacy jurisdictions such as Brussels, California, Washington, D.C. and China (representing a privacy continuum!). Sidley also commemorated “20 Years of CyberLaw at Sidley” – two decades since the founding of today’s Privacy and Cybersecurity practice. We look forward to continuing to thrive and serve our clients. We hope to see you at next year’s Privacy and Cybersecurity Roundtable.
As the legislative session drew to a close, what once seemed like an inevitability suddenly looked unlikely. The Washington Privacy Act, SB 5376/HB1854, failed to make its way through the legislative process. The Bill’s sponsor, Sen. Reuven Carlyle, called the game on April 17, tweeting that despite the “unprecedented 46-1 vote” in the Senate, “[u]nfortunately, House failed to pass privacy legislation this year. We’re committed to 2020.” Nevertheless, the State of Washington did pass notable privacy legislation, albeit on a more narrow topic.
Wednesday, March 27, 2019 | 4:00 p.m. EDT / 1:00 p.m. PDT
CLE & CPE Credit Offered
When the California Consumer Privacy Act enters into force on January 1, 2020, it will grant consumers extensive new data rights and place a number of new obligations on companies – obligations that in some ways even exceed those imposed by the European General Data Protection Regulation (GDPR). This means that just about every company doing business in California or with Californians will need to take steps to comply with the CCPA, regardless of their GDPR status. Please join us for a discussion that identifies the key questions and issues companies should be considering before the CCPA enters into force on January 1, 2020. We’ll talk through the steps companies should take now to meet these new obligations.
- Colleen Theresa Brown, Partner
- Christopher C. Fonzone, Partner
- Alan Charles Raul, Partner
- Kate Heinzelman, Counsel
- Sheri Porath Rockwell,Associate
Even a few short years ago, it seemed unlikely that Congress would enact comprehensive privacy legislation. But a series of high profile data breaches; increasing concerns about data practices, particularly when connected to political micro-targeting; fears about the rise of autonomous, and potentially invisible, decision-making; and the passage of far-reaching foreign and now State privacy laws have all changed the zeitgeist. Congress has taken notice, and, for the past year, Data Matters has been closely following the Legislative Branch’s moves as it a federal privacy bill looks more likely than it has in a generation. (more…)
On February 26, 2019, the Technology Policy Institute’s Two Think Minimum podcast featured Sidley Partner and founder of the Privacy and Cybersecurity practice, Alan Raul, alongside former FTC Acting Chairman and Commissioner of the FTC Maureen Ohlhausen. The topic of the day was the future of privacy legislation in 2019. Topics ranged from politics, U.S. State trends, activity in Europe, FTC enforcement powers and more.
On January 18, 2019, the New York State Department of Financial Services (NYDFS) issued Circular Letter 2019-1 (the Circular Letter), addressing insurers’ use of external consumer data and information sources in underwriting for life insurance. The Circular Letter follows an investigation commenced by NYDFS regarding life insurers’ use of external data, which was initiated in light of reports that insurers were using algorithms and predictive models that include unconventional sources or types of external data. Among other things, the Circular Letter provides guidance that when insurers use external data sources in connection with underwriting decisions, (1) the use of external data sources must not result in any unlawful discrimination, (2) the underwriting or rating guidelines must be based on sound actuarial principle; and (3) life insurers must have adequate consumer disclosures to notify insureds or potential insureds of the right to receive the specific reasons for any adverse underwriting decision based on such data. (more…)
When California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018, there was broad agreement that revisions and clarifications were necessary. The CCPA was written and enacted with extraordinary speed, as legislators felt the need to move quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot. Consequently, June 28 was, in many ways, the beginning of a debate over the specifics of the CCPA, rather than the end. Indeed, the California legislature has already passed a “clean-up” bill to address concerns expressed about the CCPA, and heated debates over the meaning and merits of specific provisions continue. (more…)
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
On January 25, 2019, the Illinois Supreme Court unanimously held that a plaintiff does not need to allege any actual injury or damages to successfully state a claim under the Illinois Biometric Information Privacy Act (BIPA). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) (a copy of the opinion is available here). A violation of the statute by itself is sufficient to state a claim, even if no breach or misuse of the biometric information or identifier has occurred. Because BIPA includes stiff liquidated damages for violations, the court’s ruling is likely to lead to renewed interest by the plaintiffs’ bar in class action suits alleging BIPA violations. (more…)