Articles Posted in Regulatory Developments

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the relatively hefty fine in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).

It’s been four months since the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws.  I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt policies incorporating the EU’s Model Contractual Clauses.  These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.”  These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data.  As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US safe harbor agreement.

Well, it’s here.  Sort of.

Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government.  Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Privacy is important.  Measures should be taken to protect individuals’ data, and the act does include at least some level of protection.  Whether it’s enough remains to be seen.

In the European Union, data privacy is a fundamental right.  Think life, liberty and the sanctity of your Gmail inbox.  The EU’s data privacy laws are therefore more stringent than similar laws in the United States.  From 1995, when the EU’s laws came into effect, until 2000, this was a big problem for US companies doing business internationally.  Compliance with stricter data privacy laws is expensive, logistically difficult, and – well – really, really expensive.

On July 26, 2000, everything changed.  The European Commission adopted the “Safe Harbor Adequacy Decision.”  This allowed US companies to opt in and self-certify that they complied with a stipulated set of US/EU data privacy standards.

On October 6, 2015, everything changed.  Again.