Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in...more
North Dakota criminal law currently contains penalties for misusing the personal information of another. That law has been expanded, and beginning August 1, 2019, it is a class B felony to use a skimmer or scanning device to...more
Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has...more
The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being...more
4/24/2019 / Comment Period, Cybersecurity, Data Privacy, Data Processors, Data Protection, EU, EU Data Protection Laws, European Data Protection Board (EDPB), General Data Protection Regulation (GDPR), Personal Data, Public Comment
The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, in which it viewed Bounty as taking part (given that it shared member...more
4/18/2019 / Consent, Data Breach, Data Collection, Data Privacy, Data Protection, Data-Sharing, Information Commissioner's Office (ICO), Notification Requirements, Personally Identifiable Information, Privacy Policy, UK
In response to the concern of many that the definition of consumer is so broad as to cover employees, a bill has been introduced in California to exclude employees from the scope of CCPA. As those who have been following CCPA...more
The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe,...more
4/3/2019 / Biometric Information, CNIL, Data Collection, Data Privacy, Data Protection, Data Protection Acts, Data Protection Authority, Data Security, Employee Privacy Rights, Employer Liability Issues, General Data Protection Regulation (GDPR), New Rules
Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do...more
3/21/2019 / Cyber Attacks, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Hackers, Incident Response Plans, Information Security, Insurance Industry, Insurer Liability, New Legislation, Personally Identifiable Information, Risk Assessment, State Data Breach Notification Statutes, Third-Party Service Provider
Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11,...more
3/12/2019 / Amended Legislation, Corporate Counsel, Credit Monitoring, Cyber Attacks, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Hackers, Personally Identifiable Information, State Attorneys General, State Data Breach Notification Statutes
In a recent letter, the New York Department of Financial Services provided guidance for insurers who use third party data to help with their underwriting decisions. The letter was drafted in response to reports that insurers...more
2/22/2019 / Algorithms, Big Data, Burden of Proof, Consumer Privacy Rights, Cybersecurity, Data Privacy, Data Protection, Department of Financial Services, Financial Services Industry, Insurance Industry, Third-Party Service Provider, Transparency, Underwriting
Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their...more
2/14/2019 / Children's Toys, Connected Items, Cybersecurity, Data Privacy, Data Protection, Data Security, EU, European Commission, GPS, Hackers, Internet of Things, Popular, Smart Devices, Technology Sector, Toy Recalls
South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell...more
1/23/2019 / Cybersecurity, Data Breach, Data Breach Plans, Data Privacy, Data Protection, Data Security, Insurance Industry, New Legislation, Notice Requirements, Risk Management, State Data Breach Notification Statutes
Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which, as we have previously reported, gives participating US companies a mechanism to...more
1/15/2019 / Data Privacy, Data Protection, Data Security, Departments of Commerce, Enforcement, EU, EU-US Privacy Shield, Federal Trade Commission (FTC), International Data Transfers, Personal Data, Personally Identifiable Information, Privacy Certification, Privacy Policy
Everyone who has been paying attention to privacy news knows that January 1, 2020 is the implementation date of the California Consumer Protection Act, and July 1, 2020 is the current deadline for enforcement to begin. July...more
In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance...more
12/20/2018 / Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Incident Response Plans, Insurance Industry, National Association of Insurance Commissioners, New Legislation, Notification Requirements, Risk Assessment, State Data Breach Notification Statutes
The UK Information Commissioner’s Office recently released helpful encryption guidance. Although released to address the GDPR security requirements, this document may be helpful more broadly because of the detail around...more
As we approach 2019, companies will want to keep in mind the changes that are coming to various US states’ breach notice laws. On January 1, 2019 Iowa’s law, which has already been amended twice since it was passed in 2008,...more
12/13/2018 / Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Encryption, Exemptions, Health Insurance Portability and Accountability Act (HIPAA), Notification Requirements, State Attorneys General, State Data Breach Notification Statutes
The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses...more
11/13/2018 / Cyber Insurance, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Federal Trade Commission (FTC), New Guidance, Phishing Scams, Popular, Risk Mitigation, Small Business, Vendor Contacts
Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence...more
10/30/2018 / Affirmative Defenses, Confidential Information, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), New Legislation, NIST, Policies and Procedures, Popular, Safe Harbors, Security Controls, State Data Breach Notification Statutes
The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC, doing business as DealerBuilt, over a 2016 data breach. The company provides its clients, car...more
The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid...more
10/26/2018 / Consent, Data Privacy, Data Protection, Email, Enforcement Actions, Fines, Information Commissioner's Office (ICO), Marketing, Opt-Outs, Privacy and Electronic Communications Regulation 2003 (PECR), Third-Party, UK
The Securities and Exchange Commission recently settled with Voya Financial Advisors, Inc. for alleged violation of Regulation S-ID (otherwise known as the Identity Theft Red Flags Rule) and Regulation S-P (otherwise known as...more
10/23/2018 / Bad Actors, Broker-Dealer, Customer Information, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Enforcement Actions, Fines, Identity Theft, Identity Theft Prevention Program, Identity Theft Red Flags Rule, Investment Adviser, Passwords, Personally Identifiable Information, Policies and Procedures, Regulation S-ID, Regulation S-P, Safeguards Rule, Securities and Exchange Commission (SEC)