Articles Posted in Regulatory Developments

This month, the Department of Justice issued a fairly comprehensive set of pre- and post-incident cybersecurity recommendations.  For all you total geeks, you can get the whole thing here.  For those of you preoccupied with, well, other news, here are some highlights.

Pre-incident, the DOJ recommends having a breach response plan.  We’ve all heard this repeatedly at this point, and many companies and firms still do not have actionable response plans.  Some of the important components of these plans highlighted by the DOJ include: (1) identifying your most vital resources and prioritizing their protection; (2) having a clear internal and external reporting structure that focuses on containing the incident, mitigating its effects and preserving information so that the scope and source of the incident can later be understood; (3) identifying and establishing relationships, before an incident, with the law enforcement authorities and regulators who have jurisdiction over your industry or region; and (4) finally hammering out appropriate policies and procedures for the use of and access to key information assets, as well as investing in appropriate technical protections.

Post incident, DOJ basically recommends – wait for it – following the plan you established pre-incident.

On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for signature.  The bill is one of a number of recent efforts by states to respond to a slew of high profile breaches announced over the past year, including Equifax, Facebook, Panera Bread, Under Armour and – well, you get it.

The bill follows a trend of inching toward the heightened and more specific standards employed by the EU’s General Data Protection Regulation.  For example, HB 18-1128 replaces an ‘as soon as practicable’ breach notification requirement with a deadline of not later than 30 days from the date a breach is determined to have occurred.  That’s more latitude than the GDPR’s seemingly impossible 72-hour time limit (where feasible, of course), but it is another indication of regulators’ insistence on firm, identifiable timelines.

Also like the GDPR, the Colorado bill explicitly mandates that data be maintained “no longer than needed,” an example of the growing trend toward data minimization.  With respect to security measures themselves, the bill requires “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations,” a ‘commercially reasonable’ standard of sorts that also mirrors the GDPR (appropriate technical and organizational measures in light of a host of factors).  Want one more similarity?  The bill requires covered entities to contractually require reasonable security measures of their third party service providers, another trend reflected both in the GDPR and in newer legislation being passed or proposed around the country.

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cybersecurity insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity (Regulation SCI).  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the mere fact that the question is being posed as the writing on the wall: cyberinsurance will soon become mandatory for money managers.

What about everyone else?

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,800 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the fine, which is relatively hefty in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).

It’s been four months since the EU’s highest court invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws.  I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt policies incorporating the EU’s Model Contractual Clauses (the Standard Contractual Clauses).  These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.”  These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data.  As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US Safe Harbor agreement.

Well, it’s here.  Sort of.

Yes, I’m late to the party.  President Obama signed the Cybersecurity Act of 2015 into law over a month ago.  Plenty of ink has already been spilled about it.  The act encourages, but does not require, companies to share information about data breaches and responses with each other and with the federal government.  Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is shared.

Yawn.

Privacy is important.  Measures should be taken to protect individuals’ data, and the act does include at least some level of protection.  Whether it’s enough remains to be seen.

In the European Union, data privacy is a fundamental right.  Think life, liberty and the sanctity of your Gmail inbox.  The EU’s data privacy laws are therefore more stringent than similar laws in the United States.  From 1995, when the EU’s Data Protection Directive was adopted, until 2000, this was a big problem for US companies doing business internationally.  Compliance with stricter data privacy laws is expensive, logistically difficult, and – well – really, really expensive.

On July 26, 2000, everything changed.  The European Commission adopted the “Safe Harbor Adequacy Decision.”  This allowed US companies to opt in and self-certify that they complied with a stipulated set of US/EU data privacy standards.

On October 6, 2015, everything changed.  Again.