Category: U.S. State Law

19 September 2016

New York State Department of Financial Services Proposes Regulations Imposing Detailed Cybersecurity Rules on Insurance, Banking and Other Licensed Financial Institutions

On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.

04 April 2016

Tennessee Amends Breach Notification Law

On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.

15 March 2016

California Data Breach Report Gets Specific on “Reasonable” Information Security

This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015. Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.” These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.

04 January 2016

California’s New Data Breach Notification Requirements Effective January 1, 2016

When the California legislature closed out its 2015 session on September 11, 2015, it sent three bills to Governor Jerry Brown proposing amendments to the state’s data breach laws; all three were signed into law on October 6 and took effect January 1, 2016. The new laws address what license plate data automated readers may collect, define “encryption,” and, critically, make significant changes to the required content and format of data breach notifications. S.B. 570 specifies that data breach notices must be titled “Notice of Data Breach” and be broken into sections titled “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information.” Notices must be formatted in at least 10-point font and call attention to the notice’s “nature and significance.” A model notification, which companies may use to comply with these content amendments, is also provided in the bill (see below). These formatting requirements would not be prohibited under other state breach notification laws, and so we will likely soon see this format become a de facto national standard for efficiency’s sake.

07 July 2015

Joint FTC and NJ AG Complaint and Settlement Against App Developer that Allegedly “Hijacked” and “Drained” Phone Resources

On June 29, the FTC and New Jersey Attorney General announced the filing of a joint complaint, and a proposed stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC, and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented the app was free of malware when in fact the app’s main purpose was to load malicious software on users’ phones to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans, and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network, competing with other devices in solving complex mathematical equations – a process known as “mining.”

02 July 2015

Connecticut Amends Breach Notification Law Regarding Timing and Credit Monitoring; Imposes New Data Security Requirements on Health Insurers and State Contractors

New legislation out of Hartford (S.B. 949) means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first state in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as on contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.

18 June 2015

Privacy advocates abandon Commerce Department multistakeholder process on facial recognition technology code of conduct

The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in-person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”

15 April 2015

Connecticut AG creates new department focusing exclusively on privacy and data security

Connecticut Attorney General George Jepsen has announced the creation of a new Privacy and Data Security Department within the AG’s office. The Department will be tasked with handling all consumer privacy investigations and litigation, as well as educating the public and businesses about protecting sensitive data. Assistant Attorney General Matthew Fitzsimmons, who previously chaired a privacy and data security task force within the AG’s office, will head the new department and its dedicated team of lawyers. The AG has not received any additional funding for the Department.

02 April 2015

New U.S. Sanctions Program Targets Malicious Foreign-Origin Cyber Activities

Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive order authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
