Page 22 - Sheppard Mullin Eye on Privacy 2018 Year in Review
P. 22
The law also speaks to steps that must happen before a breach occurs. Not only do insurance companies need to have an incident response plan, they must also have a comprehensive information security program in place by July 1st, 2019. The program must include risk assessments and be appropriate both to the company’s size and to the scope of its data assets. Companies will also be required to vet third party vendors and make sure they have appropriate cybersecurity controls. Additionally, the law requires that senior leadership, including the Board, be involved in this program.
PUTTING IT INTO PRACTICE: Insurance companies should keep this new law in mind, in particular the n notification requirement for when 250 or more residents have been impacted. Also noteworthy are the pre-breach steps, including an incident response plan and information security program. This is the second in our series of upcoming breach notice obligations going into effect January 1, 2019. Click here for the first article.
US Breach Laws Are Coming: Iowa
Posted on December 12, 2018
As we approach 2019, companies will want to keep in mind the changes that are coming to various US states’ breach notice laws. On January 1, 2019 Iowa’s law, which has already been amended twice since it was passed in 2008, will change again.
Under this update companies subject to and compliant with HIPAA will have certain exceptions under the law. Previously only financial entities could take advantage of such exceptions. This change brings Iowa in line with many other states with similar exemptions. Encrypted will now be defined to mean a method that meet industry standards. Finally, the attorney general will need to be notified five days after notice is made to impacted individuals. This is instead of five days after discovering the breach.
PUTTING IT INTO PRACTICE: Companies with nationwide incident response plans will want to tweak the deadlines for the AG notification in Iowa. They will also want to keep the definition of encryption in mind as well as new the HIPAA exemption. Stay tuned for more this month in this series of blog articles.
Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program
Posted October 30, 2018
Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimal criteria to qualify. This includes (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, nature of its business, type of information, cost of protection tools, and resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action.
21 Eye on Privacy 2018 Year in Review