The February 15, 2019 NYDFS compliance certification deadline represents the last annual compliance certification subject to the transition period for covered entities to come into compliance with the cybersecurity regulations. NYDFS now expects covered entities to certify as to their compliance with all but one provision of the cybersecurity regulations which relates to the implementation of third party service provider security policies and procedures. This 2019 compliance certification is the first certification to cover compliance with the provisions relating to audit trail, application […] Read more
As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data. One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users. The amount of the Google fine startled many companies, but with time the shock faded. Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not […] Read more
In an opinion issued Friday, the Illinois Supreme Court handed a potentially significant victory to plaintiffs advancing claims under Illinois’ Biometric Information Privacy Act and seeking statutory damages under that law. The Court held that plaintiffs do not need to assert injury or harm outside of a relevant violation of the statute itself in order to bring claims and seek statutory damages for relevant violations of the statute. Friday’s decision represents a potentially significant victory for members of the class action plaintiffs’ bar seeking to bring claims under the law. Illinois’s […] Read more
On January 23, 2019, the Personal Information Protection Commission of Japan (the “PPC”) and the European Commission (the “Commission”) jointly announced the adoption of the decisions recognizing each other’s personal data protection systems as equivalent. The Commission launched the process leading to the adoption of the adequacy decision in September 2018 and successfully completed the process by obtaining the green light from a committee composed of representatives of the European Union (“EU”) Member States. In parallel, the PPC adopted a decision to designate the EU as equivalent […] Read more
Massachusetts Governor Charlie Baker has signed legislation amending the state’s data breach notification law, and the amendments will take effect on April 11, 2019. The new requirements relate to the timing and content of individual and regulator notifications, as well as credit monitoring services offered to affected residents. The key amendments include the following provisions. No Fees for Security Freezes: The amended law does not allow consumer reporting agencies to charge fees for consumers who elect to place, lift, or remove a security freeze from their consumer report. Individual […] Read more
The Securities and Exchange Commission has filed a Complaint against eight traders, one alleged hacker, and others, in connection with a previously disclosed cybersecurity attack that infiltrated the SEC’s EDGAR system in 2016. The Complaint brings claims for violations of federal securities and antifraud laws and unjust enrichment, and seeks injunctions against future securities law violations as well as disgorgement, prejudgment interest, and civil penalties. The Complaint alleges that in 2016, a Ukrainian hacker infiltrated the EDGAR system and extracted “test files” containing non-public […] Read more
The IAPP article, “US federal privacy preemption part 1: History of federal preemption of stricter state laws,” written by Alston & Bird Senior Counsel Peter Swire and published on January 9, 2019, discusses the potential for a general U.S. privacy law and whether and to what extent this new federal law would “preempt” state privacy protections. This article, the first of two parts, primarily focuses on the history of federal privacy legislation. Swire looks at the arguments for and against a general federal privacy law in light of the historical trends of federal privacy legislation […] Read more
On December 28, 2018, the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for the health care industry titled, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This four-volume set of consensus-based principles and practices (the “HICP”) reflects the recommendations of the 405(d) Task Group, a HHS and industry-led collaborative task group named for Section 405(d) of the Cybersecurity Act of 2015, a provision that calls for a more coordinated approach to cybersecurity in the health care industry. The HICP […] Read more
Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. Based on the 2017 NAIC data security model law and nearly identical to the South Carolina Insurance Data Security Act, the Michigan statute will require insurance licensees to adopt a number of measures including a comprehensive written information security program (“WISP”), the submission of an annual certification of compliance to the Department of Insurance and Financial […] Read more
South Carolina’s prescriptive data security law for insurers took effect on January 1, 2019. Subject to specified exemptions, the law requires any person licensed pursuant to South Carolina insurance laws to take certain steps, including among other things notification of specified cybersecurity events to the South Carolina Department of Insurance. Covered persons are also required to implement a written information security program (by July 1, 2019) and to comply with provisions on third-party service providers (by July 1, 2020).
Please see our previous coverage of the law for additional [...] Read more
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy
