On November 8, 2024, the California Privacy Protection Agency Board hosted its public bimonthly meeting, during which it adopted new regulations applicable to data brokers and initiated the formal rulemaking process for proposed regulations for risk assessments, cybersecurity audits, automated decisionmaking technologies and AI, and insurance.
The Texas Attorney General’s Office joined the recent swell of regulatory and judicial scrutiny into privacy issues related to connected cars, driving data and telematics, launching an investigation on the data practices of several car manufacturers.
In April 2022, two states enacted insurance data security legislation based on the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law (MDL-668). Kentucky Governor Andy Beshear signed HB 474 into law on April 8, 2022, and Maryland Governor Larry Hogan signed SB 207 into law on April 21, 2022. The new laws establish data security obligations for insurance carriers and generally require carriers to take the following actions, subject to certain exemptions:
As reported on the Hunton Insurance Recovery blog, on February 4, 2021, the New York Department of Financial Services (“NYDFS”), which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework” (the “Guidelines”), calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, NYDFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”
On January 27, 2020, CISCO released its 2020 Data Privacy Benchmark Study entitled “From Privacy to Profit: Achieving Positive Returns on Privacy Investments” (the “Study”). The Study explores the return on investing in privacy compliance for organizations, examines how such return correlates with an organization’s accountability level and details the value of privacy certifications in the buying process. To measure organizations’ accountability level, CISCO used the CIPL Accountability Wheel, a privacy accountability framework developed by the Centre for Information Policy Leadership. More than 2,500 respondents took part in the Study from across 13 countries.
As previously posted on our Hunton Insurance Recovery blog, a Maryland federal court awarded summary judgment to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, finding coverage for a cyber attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack. This is significant because it demonstrates that insureds can obtain insurance coverage for cyber attacks even if they do not have a specific cyber insurance policy.
As reported on the Insurance Recovery Blog, Hunton Andrews Kurth insurance practice head Walter Andrews recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.
Recently, the Sixth Circuit rejected Travelers Casualty & Surety Company’s request for reconsideration of the court’s July 13, 2018, decision confirming that the insured’s transfer of more than $800,000 to a fraudster after receipt of spoofed emails was a “direct” loss that was “directly caused by” the use of a computer under the terms of American Tooling Company’s ("ATC's") crime policy. In doing so, the court likewise confirmed that intervening steps by the insured, such as following the directions contained in the bogus emails, did not break the causal chain ...
On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery.
On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, Attias v. CareFirst, Inc., No. 16-7108, slip op. (D.C. Cir. Aug. 1, 2017), finding the risk of future injury was not too speculative to establish injury in fact under Article III.
On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals.
In March 2017, Syed Ahmad, a partner with Hunton & Williams LLP’s insurance practice, and Eileen Garczynski, partner at insurance brokerage Ames & Gough, co-authored an article, Protecting Company Assets with Cyber Liability Insurance, in Mealey’s Data Privacy Law Report. The article describes why cyber liability insurance is necessary for companies and provides tips on how it can make a big difference. Ahmad and Garczynski discuss critical questions companies seeking to protect company assets through cyber insurance should be asking.
As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s (“Tesco”) banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss still is being investigated by UK authorities, but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that ...
On October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page Guide details steps businesses should take once they become aware of a potential breach. The Guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.
On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.
As reported in the Hunton Insurance Recovery Blog, insurance-giant American International Group (“AIG”) announced that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability that results from cyber attacks and other cyber-related risks. According to AIG, “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s].” The new AIG product, known as CyberEdge Plus, is intended to offer broader and clearer coverage for harms that had previously raised issues with insurers over the scope of available coverage. AIG explains its new coverage as follow:
As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for companies across all industries. A recent case illustrates efforts to recover the costs associated with such claims. A panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.
On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.
It seems that every week brings news that another company has been impacted by a major data breach – and of the resulting financial, legal and public relations costs. As companies seek out ways to prevent these events and recoup losses associated with a data breach, cyber insurance is increasingly discussed as an effective method of recovery. In a recent article published in the Daily Journal, Hunton & Williams’ Insurance Coverage Counseling and Litigation attorney William T. Um offers a primer on cyber insurance, outlining key considerations for businesses as they explore this emerging area of coverage. The article discusses how:
The scale of some recent cyber events has been extraordinary. Target reports that 70 million people (almost 25% of the U.S. population) were affected by its recent breach. CNN recently reported that in South Korea there was a breach that affected 40% of its citizens. The staggering impact of these events is leading companies to seek protection through both technology and financial products, such as insurance. Insurers typically attempt to avoid this sort of enormous exposure with terrorism exclusions, and it is reasonable to expect aggressive insurers to rely upon such exclusions ...
On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Cybersecurity Framework, as required under Section 7 of the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”). The Framework, which includes standards, procedures and processes for reducing cyber risks to critical infrastructure, reflects changes based on input received during a widely-attended public workshop held last November in North Carolina and comments submitted with respect to a preliminary version of the Framework that was issued in October 2013.
On November 4, 2013, the China Insurance Regulatory Commission, which is the Chinese regulatory and administrative authority for the insurance sector, issued the Interim Measures for the Management of the Authenticity of Information of Life Insurance Customers (the “Measures”). The Measures require life insurance companies and their agents to ensure the authenticity of personal data of life insurance policy holders. To help achieve this objective, the Measures impose rules for the collection, recording, management and use of the personal data of policy holders.
On October 7, 2013, the United States District Court for the Central District of California held that a general liability insurance policy covered data breach claims alleging violations of California patients’ right to medical privacy. Hartford Casualty Insurance Co. v. Corcino & Associates, CV 13-03728-GAF (C.D. Cal. Oct. 7, 2013). The court rejected the insurer’s argument that coverage was negated by an exclusion for liabilities resulting from a violation of rights created by state or federal acts. The decision also rejected an attempt commonly made by insurers to exclude ...
As the number of security breach incidents and privacy violations continues to increase, so too has the volume of lawsuits—particularly class action lawsuits—seeking damages for actual and future harms resulting from unauthorized disclosures of personal information. Affected companies have looked to their traditional insurance coverage to defray costs associated with responding to these incidents and lawsuits, but standardized commercial general liability policies may not provide adequate coverage.
On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.
Reporting from Israel, legal consultant Dr. Omer Tene writes:
The Israeli Law, Information and Technology Authority (“ILITA”) has issued a new instruction (the “Instruction”) restricting financial institutions from using information concerning writs of execution issued against clients’ property. Pursuant to the Instruction, if a bank or insurance company finds out that a client’s account has become subject to a writ of execution, such information may not be used to deny the client credit or to adjust the rate of his or her insurance premiums. Information regarding writs of execution may be used only to carry out the writ. ILITA’s Instruction is based on the purpose limitation provisions in the Israeli Privacy Protection Act, 1981, as well as a specific section in the Execution of Judgments Act, 1967.
On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified. In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals. The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code