The California Consumer Privacy Act (“CCPA”) will impact how insurers collect, store, sell and process the personal information of California consumers. Other US states are likely to soon follow suit—there are currently at least 11 other states with pending privacy laws that incorporate CCPA-like concepts and requirements. In this Legal Update, we examine the history

On September 28, California Governor Jerry Brown signed a first-of-its-kind law to regulate the security of connected devices that make up the “Internet of Things” (“IOT”)—connected fitness trackers, smart appliances, home alarm systems and much more.

The rapid adoption of these connected devices has led to an increase in security risk and a corresponding

The cybersecurity regulation (“CyberRegs”) adopted by the New York State Department of Financial Services (“NYDFS”) is almost two years old and will be fully in effect by March 2019. The CyberRegs has already had a broad impact on financial institutions that are authorized to engage in business in New York (“Covered Entities”). Furthermore, even for

The state of California recently enacted the most sweeping general privacy statute in the United States. The California Consumer Privacy Act, codified in Assembly Bill 375 (“CCPA”), will take effect on January 1, 2020, and is intended to give California consumers more control over their personal information and how it is collected, used and sold

On October 24, 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The NAIC Model Law builds on existing data privacy and consumer breach notification requirements by requiring insurance licensees to comply with detailed requirements regarding their information security program and responding to and giving notification of cybersecurity events.

Delaware has modified its data breach notification law in an amendment set to take effect in April 2018. Signed on August 17, 2017, the amendment is the first significant change to Delaware’s data breach notification law since its original enactment in 2005. The amended law requires companies to notify affected Delaware residents of a breach

Bylined article by Financial Services Regulatory & Enforcement partner Jeffrey Taft (Washington DC), Corporate & Securities partner Larry Hamilton (Chicago), Cybersecurity & Data Privacy partner Stephen Lilley (Washington DC) and Financial Services Regulatory & Enforcement associate Matthew Bisanz (Washington DC).


New Mexico, one of the last holdouts in the move to state data breach notification requirements, has enacted its own data breach notification law, which will take effect on June 16, 2017 (i.e., 90 days after the adjournment of the New Mexico Legislature on March 18, 2017). Governor Susana Martinez signed the “Data Breach Notification

On February 16, 2017, the New York State Department of Financial Services (“NYDFS”) finalized regulations that mandate cybersecurity standards for all institutions authorized by NYDFS to operate in New York, including many banks, insurance entities and insurance professionals doing business in New York. The final regulations, titled “Cybersecurity Requirements for Financial Services Companies,” implement a

On March 2, 2016, the National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force proposed a comprehensive Model Law that is intended “to establish the exclusive standards for data security and investigation and notification of a breach of data security” for licensed insurance companies. The proposed Model Law would apply to all insurers, producers “and