FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says the amendments are meant to “better protect consumers and provide more certainty for business.”

NIST Privacy Framework

The National Institute of Standards and Technology (NIST) released a working draft of a standard Privacy Framework meant to “help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.”

AG Racine Proposes Changes to Data Breach Law

District of Columbia AG Racine introduced legislation to amend the District’s current data breach law in an effort to provide greater protection over personal data. Specifically, the AG proposes:

  • Holding companies accountable for safeguarding a broader range of private information;
  • Creating security requirements for companies that handle personal information;
  • Requiring companies to provide identity theft protection if they expose Social Security numbers; and
  • Requiring companies to inform consumers of their rights when a data breach occurs.

Internet of Things (IoT) Cybersecurity Improvement Act of 2019

Bipartisan legislation meant to improve the cybersecurity of Internet-connected devices was introduced in the Senate and the House of Representatives. The legislation would require that devices purchased by the U.S. government meet certain minimum security requirements.

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly. If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and on manufacturers with regard to the design and maintenance of devices that connect to the internet.

Yesterday Gov. Jerry Brown signed the California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.
