In this post, Thomas Ritter and I take a look at cyber security laws affecting the insurance industry and offer recommendations about how affected companies can get in good cyber shape. Thomas is a leading cyber security attorney with Thomson Burton in Nashville. He advises clients on regulatory compliance, incident response, and risk mitigation techniques.
In May of 2018, the EU’s groundbreaking privacy and cyber security regulation, the General Data Protection Regulation (GDPR), went into effect. The GDPR covers virtually every aspect of how companies handle protected data and empowers individuals with a wide range of rights over their data. Implementing these sweeping GDPR requirements has proved to be strategically and operationally challenging for affected businesses, with few expecting to have achieved full compliance by the Regulation’s May 25, 2018, effective date.
Just as companies were catching their collective breath after racing toward the GDPR deadline, Governor Jerry Brown of California signed the hastily enacted and similarly groundbreaking California Consumer Protection Act (CCPA). Like the GDPR, the CCPA also vests individuals with more control over their protected data. Although the CCPA is expected to be further clarified prior to its January 1, 2020, effective date, it also promises to create challenging strategic and operational hurdles for covered businesses. While there are a number of similarities between GDPR and CCPA — some commentators actually refer to CCPA as “GDPR light” — understanding the specific areas of overlap as well as the differences between the two standards can help companies more efficiently and effectively work towards ongoing compliance with both.
Corporate boards are facing mounting pressure concerning their oversight of data security and privacy risks. Regulatory guidance, emerging regulatory requirements, fines, and lawsuits combined with technological advances and changing business processes are shaping a new and evolving standard of care with exponentially increasing exposures for today’s directors and their organizations. Boards now find themselves front and center when it comes to dealing with these difficult issues, which dramatically increases their need for effective reporting from management and other subject matter experts.
As cyber and privacy threats continue to evolve and relentlessly plague today’s organizations, the 2017 State of Cybersecurity Report by cybersecurity firm Forcepoint focuses much-needed attention on factors that create people-based risks that can compromise even the most advanced and comprehensive cyber defense systems and privacy protocols. These insider risks are exacerbated by today’s mobile and remote workforce, which demands constant access to critical corporate data from a vast array of business and personal devices, and by an increased reliance on third-party service providers and business associates.