In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”).  While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements.
Continue Reading CONSENT Act: Proposed Legislation a Sign of Potential U.S. Consent to Greater Privacy Protections?

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways.  The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure.  Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory.  In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures.  The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements.
Continue Reading NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity

On October 24, 2017, the National Association of Insurance Commissioners (the “NAIC”) adopted the Insurance Data Security Model Law (the “Model Law”).  According to the NAIC’s press release, the purpose of the Model Law is to provide “rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach.”  The NAIC is a U.S. standard-setting and regulatory support organization composed of state-level insurance regulators, and the Model Law is non-mandatory, model legislation that states must voluntarily adopt in order for it to be enforceable.  Importantly, based on a Drafting Note in the Model Law, the drafters intended for entities that are in compliance with the New York State Department of Financial Services (the “DFS”) Cybersecurity Regulations, which apply to DFS-licensed banks and insurance companies operating in New York, to automatically also be in compliance with the Model Law.  Similar to the DFS’s Cybersecurity Regulations, the Model Law sets forth standards for data security, as well as the response to, and notification of, data breach incidents.
Continue Reading NAIC Adopts Insurance Data Security Model Law

On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”).  The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services to such customers.  Such data aggregation-based service providers can provide useful products and services to consumers, such as fraud screening, identity verification, personal financial management and bill payment, and promote competition in the financial services market.  With respect to fraud screening and identity verification services in particular, in the aftermath of the recent Equifax breach, the appeal of such services is obvious.  However, with additional sharing of data comes additional risks—the increase in data access points, albeit consumer-authorized, presents new challenges from a cybersecurity and privacy perspective, increasing the possibility of consumers inadvertently losing control of their information.
Continue Reading CPFB Releases Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation