Part 5: A Game of “Who’s Who” Under the CCPA

This is our fifth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on the differences between data collectors, service providers, and third parties. We also discuss data brokers and their specific obligations under the CCPA. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post, we invite you to start with Part 1: The California


Part 4: Privacy Policy Requirements Under the CCPA

This is our fourth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on a business's obligations when it comes to its privacy policy, such as including and disclosing certain information regarding consumers’ rights. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post, we invite you to start with Part 1: The California Consumer Privacy


Part 3: Coverage Considerations Under CGL Policies for CCPA Violations

This blog post is our third in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA).

Imagine this: You own a successful string of sporting goods stores across California. Not only do you sell goods directly, but you also finance large purchases to well-qualified buyers and have a generous rewards program.

When customers log in to your website, you gather personal information (e.g., name, email address, cell number, etc.). In order to participate in the rewards …


DFS Partially Clarifies Who Qualifies for an Exemption Under Cybersecurity Regulation

By the terms of 23 NYCRR 500.19(e), Covered Entities that have determined they qualify for a limited exemption from compliance under 23 NYCRR 500.19(a)-(d) of New York’s new Cybersecurity Regulation — as of August 28, 2017 — are required to file a Notice of Exemption with the New York Department of Financial Services (NYDFS) on or prior to September 28, 2017.

The first compliance date of August 28, 2017 in New York’s cybersecurity regulation, and the date for Covered Entities to determine whether they qualify …


ELANY Publishes Practical Tips on Applying New York’s New Cybersecurity Regulation to “Unique Situations”

There has been a lot of commentary on New York’s new regulation entitled Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) (the Regulation) which went into effect on March 1, 2017. On March 16, 2017, The Excess Line Association of New York (ELANY) released Bulletin 2017-12 which contains some practical guidance for insurance producers that will face some “unique situations” not addressed in the other commentary.

Specifically, the bulletin refers to insurance producers that “may not meet the technical definition of a ‘Third Party …


New York Issues Final Cybersecurity Regulation

On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). This regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period that concluded on January 27, 2017. For a prior list of significant changes from the initial version to the second version, please see our blog post located here.

Most of …


NYDFS Issues Updated Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows:

  • Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities

Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ariz. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available …


Controversial Cybersecurity Information Sharing Act Passes Senate, Will Likely Become Law

This post originally appeared on Goldberg Segalla’s Data Privacy and Security blog. 

On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act) 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time.

However, the bill is not without controversy. As we discussed in August, the Department of Homeland Security raised concerns in July and August that the “real time collaboration
