On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.
This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015. Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.” These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.
When the California legislature closed out their 2015 session on September 11 of 2015, they sent three bills to Governor Jerry Brown proposing amendments to the state’s data breach laws which were all signed into law on October 6 and took effect January 1, 2016. The new laws address what license plate data automated readers may collect, defined encryption, and critically, made significant changes to the details of the required content and format of data breach notifications. S.B. 570 specified that data breach notices must be titled “Notice of Data Breach” and be broken into sections titled “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” Notice formatting must be in at least 10-point font and call attention to the notice’s “nature and significance.” A model notification, which companies may use to comply with these content amendments, is also provided in the bill (see below). These formatting requirements would not be prohibited under other state breach notification laws, and so we will likely soon see this format become a de facto national standard for efficiency’s sake.
On June 29, the FTC and New Jersey Attorney General announced the filing of a joint complaint, and proposed, stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented the app was free of malware when in fact the app’s main purpose was actually to load malicious software on the users’ phone to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans, and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network to compete with other devices in solving complex mathematical equations – a process known as “mining.”
New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.
The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”
On May 4, 2015, an intermediate appellate court in California held that the Song-Beverly Credit Card Act of 1971 (Song-Beverly), Cal. Civil Code § 1747.08, does not apply to online transactions involving the sale of merchandise that the buyer chooses to pick up at a retail store.
Connecticut Attorney General George Jepsen has announced the creation of a new Privacy and Data Security Department within the AG’s office. The Department will be tasked with handling all consumer privacy investigations and litigation, as well as educating the public and businesses about protecting sensitive data. Assistant Attorney General Matthew Fitzsimmons, who previously chaired a privacy and data security task force within the AG’s office, will head the new department and its dedicated team of lawyers. The AG has not received any additional funding for the Department.
Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive order authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).