Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws.  These laws come on the heels of Connecticut’s law enacted a few days earlierNotably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations model, Delaware and New Hampshire followed South Carolina, Ohio, Michigan, and Mississippi in adopting a version of the model law put forth in 2018 by the National Association of Insurance Commissioner (“NAIC”).  Although the New York and NAIC frameworks are similar—both require written information security programs and impose a 72-hour breach notification deadline—the legislation as enacted by each state varies, resulting in a patchwork compliance framework for insurance companies that practice across multiple states.

The New Hampshire’s Insurance Data Security Law and Delaware’s Insurance Data Security Act apply to any individual or non-governmental entity that is required to be licensed, authorized, or registered pursuant to New Hampshire’s insurance laws (each a “Licensee”), and is intended to protect “nonpublic information,” defined, generally, as any information that can be used to identify a consumer, including health care information.  Excluded from covered Licensees are those entities with fewer than 20 employees (New Hampshire) and 15 employees (Delaware), an increase from the 10 employee exception found in the NAIC model law.

Under both laws, a Licensee is required to have a written information security program in which administrative, technical, and physical safeguards are implemented based on the results of a risk assessment.  A written incident response plan and a schedule for retention/process for destruction of nonpublic information must also be components of the information security program.  Written certification to the respective state commissioner that the Licensee is in compliance with these requirements must be submitted annually (though, New Hampshire and Delaware have different submission deadlines).  Compliance with such requirements are viewed in the context of the Licensee’s size and complexity, nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it possesses or uses.  The commissioner is authorized to “examine and investigate” any Licensee and to take “action that is necessary or appropriate” if the commissioner “has reason to believe” a Licensee is in violation of the law.  Notably, the New Hampshire law contains a safe harbor provision which deems compliant those Licensees who are in compliance with the NYDFS Cybersecurity Regulations.

Should a “cybersecurity event” occurdefined generally as unauthorized access to nonpublic information or the information systemboth laws require notification to the commissioner within three business days (relaxed from NAIC’s rigid 72 hour deadline) from the determination that such an event has occurred.  If the nonpublic information was encrypted or the impacted nonpublic information was not used or has been returned or destroyed, such circumstances do not rise to a “cybersecurity event”.  In Delaware, under certain circumstances in which notice to the affected consumers is required, Delaware imposes a 60-day deadline and, further, requires the Licensee provide free credit monitoring services to the consumer for a period of one year.  The medium by which consumers must be notified is also detailed in Delaware’s law.

The Delaware law’s compliance deadline is July 31, 2020, and the New Hampshire law’s compliance deadline is January 1, 2021.  Both laws allow an additional year to ensure that third-party service providers are compliant.  

These recent laws serve as yet another reminder that insurance licensees need to closely monitor the changing legal landscape and be ready to adapt their practices to ensure compliance.

On July 26, 2019, Connecticut Governor Ned Lamont signed into the law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”).  In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi as states that have enacted information security laws for insurance companies.  However, whereas the recent trend has been to follow the 2018 Model Act published by the National Association of Insurance Commissioners (“NAIC”), Connecticut largely followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations.

The Connecticut law will require companies to maintain an information security program that is commensurate with the size and complexity of the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program.  The law also requires oversight by the licensee’s board of directors and annual certification of compliance to the CID.  Licensees will also have to report cybersecurity incidents to the CID within three business days.  The law is effective October 1, 2019, but gives licensees until October 1, 2020 to implement their security programs.

While the Connecticut law does not break new substantive ground, it is significant for two reasons.  First, Connecticut’s law demonstrates that states have not uniformly adopted the NAIC model over the NYDFS model.  And, while the NYDFS and NAIC models are similar, there are important differences in the details.  Second, regardless of which model is chosen, Connecticut’s law highlights the fact that insurance companies operating across multiple states will have different obligations, especially with respect to breach notification.  Accordingly, insurance licensees should ensure that they are staying abreast of developments and prepared to comply with the changing patchwork of laws and regulations.

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.

Continue Reading Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order

Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date. Continue Reading Equifax Reaches Historic $575 Million Settlement Agreement Arising from 2017 Data Breach

New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead.  New York was one of a number of states that proposed sweeping privacy legislation after the enactment of the California Consumer Privacy Act (CCPA). The proposed New York law, in fact, was broader than the CCPA in many ways. The law would have applied to non-profits as well as for profits, and included a private right of action for data breaches of $10,000 per consumer.  The proposed law also would have designated businesses that collect personal information of New York consumers as “information fiduciaries” and imposed on such companies a “duty to exercise loyalty and care” in how the business uses personal information, as the Electronic Frontier Foundation put it.

Concerns about the overly prescriptive nature of the proposed law as well as its potential impact on small and medium-sized companies appear to have derailed the bill in the New York senate. A number of other states, including Massachusetts and Connecticut, are still considering their own privacy laws, but for the time being at least, the CCPA remains the only comprehensive US state privacy law on the books.

At what has been described as a marathon hearing that lasted late into the night of July 9, the California Senate Judiciary Committee advanced several amendments to the California Consumer Privacy Act (the “CCPA”), but major changes that opponents claimed would have eroded privacy protections for consumers largely failed.  The bills advanced from the Senate Judiciary Committee will now go to the Appropriations Committee, and if they pass, to a full Senate vote.

Among the more notable amendments that advanced was AB25.  A  more business-friendly version of AB25 passed in the Assembly in May, pursuant to which certain employment-related information would be excluded from the CCPA.  However, AB25 was modified while in the Senate Judiciary Committee, and the version of AB25 that advanced from Committee requires employers to tell employees what type of information they are collecting and the reason for doing so.  The modification was made in an effort to “create a layer of transparency between employers and employees.”

Another amendment that advanced was AB1564.  The prior text of the bill removed a requirement that businesses provide a phone number for customers requesting access to their personal information.  Groups who opposed this amendment argued that it would make it harder for people without internet access to exercise their privacy rights.  The amended version of AB1564 that advanced restored the phone number requirement for stores that have a direct, in-person relationship with the customer.

Two hotly contested amendment bills did not advance—AB873 and AB1416.  AB873 would have changed the definition of “personal information” and “deidentified information” so that more private data falls outside the protection of the CCPA.  Supporters say that this amendment would make the CCPA workable for both small businesses and major corporations.  Critics say that the amendment would dramatically weaken the effect of the CCPA as a whole.  AB873 deadlocked in a 3-3 vote, meaning it failed to advance.  However, there has been a request for reconsideration.  AB1416 would have allowed businesses to sell personal data to third parties even after the consumer opted out if the sale was for the purpose of detecting security incidents or protecting against various types of malicious actors.  Groups that oppose AB1416 say that it would create a major loophole in the CCPA. The bill was dropped from this year’s legislative session, but it will likely re-emerge next year.

While the advanced bills may undergo more modifications, the Judiciary Committee changes serve as a reminder that companies should not bet on major changes to save them from the CCPA’s reach.  Indeed, the modifications to AB25 indicate that business-friendly amendments may need to be watered down to a degree in order to advance.  Accordingly, companies should be diligently preparing for the January 1, 2020 effective date of the CCPA.

Since the passage of the California Consumer Privacy Act (CCPA) in June 2018, over a dozen US states have proposed their own privacy laws, many of which are nearly identical to the CCPA.  Some of these proposals have since become law.  Others are in different stages of the legislative process.  To help clients keep track of the status of these proposed laws, Ballard has launched a US State Privacy Law Tracker.  We’ll be updating the Tracker as these laws progress and states propose new privacy laws, so check back regularly.  Continue Reading Ballard Launches US State Privacy Law Tracker

Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases.  As we  explained, because retail breaches rarely involve theft of social security numbers, date of birth, healthcare information or other data that can be used to commit identity theft, courts have typically found that plaintiffs in such cases lack standing to pursue their claims in federal court. Continue Reading 8th Circuit Decision in SuperValu Class Action is a Reminder that Injury and Damages Aren’t the Same Thing.

For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal. Continue Reading Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low

The Office of Civil Rights of the Department of Health and Human Services (OCR) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers.  The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan.  Under the corrective action plan, MIE must conduct a security risk assessment and implement a security risk management plan under OCR supervision.

 

The breach giving rise to the settlement resulted from a compromised user name and password that allowed hackers access to the electronic protected health information of 3.5 million people.  The information compromised included names, addresses, dates of birth, Social Security numbers, e-mail addresses, clinical information, and health insurance information.  As required by HIPAA, MIE itself reported the breach.  OCR investigated and found that MIE had failed to conduct an accurate and thorough security risk analysis.

 

The resolution agreement does not provide details about OCR’s evaluation of the situation, but the settlement suggests that OCR did not find MIE’s violation to be particularly blatant and that it paid more attention to the nature of the breach than to its impact.  On the basis of the information revealed and the numbers affected, the penalty could have been much larger. Under OCR guidance, the minimum penalty that applies (when even reasonable diligence would not have prevented the breach) would be calculated based on $100 per violation.  With 3.5 million individuals affected, that would come to $350 million.

 

That amount does not take into account the maximum limit that applies for each type of violation. In this case, only one type of violation was identified, so the cap is easy to figure. Under the rules that applied prior to the new guidance issued a few weeks ago, all penalties were  capped at a total of $1.5 million for each type of violation, so we might have expected that to be the penalty. However, under the new guidance, penalties are reduced where the violations are less blameworthy. The $100,000 penalty in this case matches the maximum penalty for a violation that is due to reasonable cause.

 

Without a more detailed understanding of the facts, it is not possible to determine whether the reasonable cause limitation was applied or appropriate in this case, but the result suggests that the new caps may influence sanctions that OCR will seek in at least some HIPAA enforcement actions.