In the past two years, multiple state bills that have been introduced in the US to provide for cybersecurity requirements and standards to the insurance sector, with recent legislative activity taking place in particular within the States of Ohio, South Carolina, and Michigan. The entering into effect of multiple state laws in this area may present challenges for insurance providers operating in states where such cybersecurity requirements are provided for.
The Federal Trade Commission issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade.
The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”). It does not exempt financial institutions altogether from its requirements where a financial information is processing information not subject to these regimes. In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.
This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.
Earlier this month, the Federal Deposit Insurance Corporation’s Division of Risk Management Supervision released “A Framework for Cybersecurity” in its Winter 2015 issue of Supervisory Insights. The FDIC article outlines the current and evolving cyber threat landscape and identifies the challenges presented by these threats as “critical” to financial institutions. The article describes regulatory steps the FDIC has taken and also how banks should incorporate cybersecurity into their overall risk management framework. The article is helpful for understanding the FDIC’s cybersecurity focus and the issues upon which it expects banks subject to its supervision to focus.
The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.
Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children. Data hosted in the cloud in the U.S. might also subject the data to U.S. national security rules, including USA Patriot Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.
Yesterday the financial regulatory agencies issued a model notification form for Gramm Leach Bliley Act consumer notices, Use of the new model form provides a “Safe Harbor” for covered entities required to provide consumer notices of data sharing practices. A link to the new form is contained within this blog entry.