Gramm-Leach-Bliley Act
Subscribe to Gramm-Leach-Bliley Act's Posts

Privacy and Data Security: 2020 Considerations for the Insurance Industry

With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.

How Does the CCPA Impact Insurers?

On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information that do business in California and meet certain applicability thresholds.

Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:

(more…)




Trendy “Cybersecurity” Versus Traditional “Information Security” Two Sides of the Same Security Coin

Cybersecurity has become a dominant topic of the day.  The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “ data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected.  Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lay vulnerable.

In many respects, however, the concept of cybersecurity is not new.  Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls.  Decades-old statutes include information security requirements for certain types of information, the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information.  Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.).  The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.

Now, along comes the evolution of cybersecurity with its own emerging standards.  Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization.  The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.

NIST Cybersecurity Framework

On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.”  The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework.  The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure.  NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014.  The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business.  While at this point, the Framework is intended to provide a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework.  And the Framework itself may evolve into a sort of “security” standard of care.

SEC Cybersecurity and Disclosure Laws

In addition to the Framework, the U.S. Security and Exchange Commission (SEC) recently [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021