This is our fifth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on the differences between data collectors, service providers, and third parties. We also discuss data brokers and their specific obligations under the CCPA. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post we invite you to start with Part 1: The California …
Continue ReadingTag: cybersecurity
Part 4: Privacy Policy Requirements Under the CCPA
This is our fourth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on a business’ obligations when it comes to their privacy policy, such as including and disclosing certain information regarding consumers’ rights. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post we invite you to start with Part 1: The California Consumer Privacy …
Continue ReadingPart 3: Coverage Considerations Under CGL Policies for CCPA Violations
This blog post is our third in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA).
Imagine this: You own a successful string of sporting goods stores across California. Not only do you sell goods directly, but you also finance large purchases to well-qualified buyers and have a generous rewards program.
When customers log in to your website, you gather personal information (e.g., name, email address, cell number, etc.). In order to participate in the rewards …
Continue ReadingDFS Partially Clarifies Who Qualifies for an Exemption Under Cybersecurity Regulation
By the terms of 23 NYCRR 500.19(e), Covered Entities that have determined they qualify for a limited exemption from compliance under 23 NYCRR 500.19(a)-(d) of New York’s new Cybersecurity Regulation — as of August 28, 2017 — are required to file a Notice of Exemption with the New York Department of Financial Services (NYDFS) on or prior to September 28, 2017.
The first compliance date of August 28, 2017 in New York’s cybersecurity regulation, and the date for Covered Entities to determine whether they qualify …
Continue ReadingELANY Publishes Practical Tips on Applying New York’s New Cybersecurity Regulation to “Unique Situations”
There has been a lot of commentary on New York’s new regulation entitled Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) (the Regulation) which went into effect on March 1, 2017. On March 16, 2017, The Excess Line Association of New York (ELANY) released Bulletin 2017-12 which contains some practical guidance for insurance producers that will face some “unique situations” not addressed in the other commentary.
Specifically, the bulletin refers to insurance producers that “may not meet the technical definition of a ‘Third Party …
Continue ReadingNew York Issues Final Cybersecurity Regulation
On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). This regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period that concluded on January 27, 2017. For a prior list of significant changes from the initial version to the second version, please see our blog post located here.
Most of …
Continue ReadingNYDFS Issues Updated Cybersecurity Regulation
The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows:
- Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities
Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability
In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available …
Continue ReadingControversial Cybersecurity Information Sharing Act Passes Senate, Will Likely Become Law
This post originally appeared on Goldberg Segalla’s Data Privacy and Security blog.
On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act) 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time.
However, the bill is not without controversy. As we discussed in August the Department of Homeland Security raised concerns in July and August that the “real time collaboration…
Continue Reading