
Regulatory Landscape Part V: NAIC Model Law


The recently enacted European Union (EU) General Data Protection Regulation (GDPR), the National Association of Insurance Commissioners (NAIC) Model Law and the New York State Department of Financial Services (NYDFS) Cybersecurity Act all address data privacy (the personal information of individuals) and data protection (using such personal information for business objectives), but from different perspectives. The NYDFS and NAIC regulations focus on technical requirements for financial service companies to assess cyber risk in their systems, implement additional security and report breaches promptly.

The NAIC adopted a Model Law in 2017 that follows the NY Regulation closely. One of its requirements is that insurers provide 72-hour notice of material cyber incidents to insurance commissioners. This notice period is equivalent to that of the NY Regulation, but it may conflict with and/or add to the notice requirements at the state or federal level. Specifically, the cybersecurity event is "reportable" and notice to any government or regulatory body is required, if it impacts the Covered Entity or if it has a reasonable likelihood of causing material harm to any material part of the Covered Entity's operations. South Carolina has passed a version of the NAIC law, prompted by the South Carolina Insurance Director, who chaired the NAIC Cybersecurity Working Group that drafted the NAIC Model Law.

Statements concerning tax, accounting, legal or regulatory matters should be understood to be general observations based solely on our experience as reinsurance brokers and risk consultants, and may not be relied upon as tax, accounting, legal or regulatory advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified advisors in these areas.


Developments in the Data Privacy Regulatory Landscape (Introduction)

Regulatory Landscape Part I: The New Privacy Order Created by GDPR

Regulatory Landscape Part II: Extra-Territorial Application of GDPR

Regulatory Landscape Part III: New York Department of Financial Services Regulation

Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers

Regulatory Landscape Part VI: California Consumer Privacy Law

Regulatory Landscape Part VII: Conclusion
