By Krishna Jani, Flaster Greenberg
From California to New York, data privacy laws and enforcement actions are ramping up. Check out some highlights below.
1. New York State Department of Financial Services launched its first enforcement action in July 2020.
As U.S. companies focus on CCPA enforcement, they should not ignore other state laws and accompanying regulations. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (DFS’s Cybersecurity Regulation) first took effect on March 1, 2017.
Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. In an effort to combat such exploitation, this regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a vigorous way. Senior management are encouraged to take this issue seriously. They must ensure that someone is responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
On July 22, 2020, the New York Department of Financial Services announced cybersecurity charges against First American Title Insurance Company for exposing millions of documents with consumers’ nonpublic personal information over the course of several years, including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts and drivers’ license images.
This marks the first cybersecurity enforcement action filed by the department. The hearing will take place at the office of the New York State Department of Financial Services beginning on October 26, 2020.
2. What is The California Privacy Rights Act of 2020 — CCPA 2.0?
If you’re thinking, “Wait! Didn’t the California Consumer Privacy Act (CCPA) just go into effect?” You’re right. The CCPA took effect on January 1 of this year, and enforcement actions began on July 1. Already, a privacy advocacy group, California for Consumer Privacy, collected 900,000 signatures to place the California Privacy Rights Act (CPRA) on the November 2020 ballot. According to several news sources, current polling suggests that the bill will pass.
The CPRA seeks to, among other things, establish the California Privacy Protection Agency (CPPA), a new privacy enforcement authority, similar to the Data Protection Authority put in place in the European Union by the General Data Protection Regulation (GDPR). This Agency will be empowered to fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines.
In addition, the law would establish a new category of sensitive personal information, including Social Security numbers, precise geolocation data, biometric or health information, and more. It would also give consumers greater power to restrict the use of such data. The law would also add email addresses and passwords to the list of items covered by the “negligent data breach” section to help curb identity theft.
3. The Connecticut Insurance Data Security Law goes into effect on October 1, 2020.
The Act establishes standards applicable to licensees of the Connecticut Insurance Department for data security, the investigation of a cybersecurity event, and notification to the Department of such event. In preparation for this law to take effect, Connecticut’s Insurance Department issued a Bulletin on July 20, 2020 to all licensees of the department.
Licensed insurance companies, and any other companies otherwise authorized to operate pursuant to the insurance laws of Connecticut, should be aware of and follow the guidelines laid out in the Bulletin.
Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups.