The Ohio Supreme Court recently reversed the decision of an appellate court and reinstated the trial court’s grant of summary judgment in favor of an insurer and against an insured company on the company’s claim for breach of contract and bad faith denial of insurance coverage relating to damages arising from a ransomware attack.
Posts published in “Data Privacy and Security”
Just a few years ago, the annual review would primarily encompass federal activity. But a shift began in 2018, and by the close of this year, it’s clear there is far more state activity impacting consumer debt collection.
The upward trend in data privacy legislation continued in 2022. According to the National Conference of State Legislatures, “[a]t least 35 states and the District of Columbia in 2022 introduced or considered almost 200 consumer privacy bills,” which is a significant increase from 160 bills in 2021.
In a pair of recent enforcement actions, the Federal Trade Commission cracked down on companies with allegedly lax data security measures that resulted in the theft of personal information of millions of consumers.
The Superintendent for the New York Department of Financial Services recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500.
On Oct. 25, 2022, the Director of the Consumer Financial Protection Bureau (CFPB), Rohit Chopra, announced at a fintech conference that the CFPB “will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans . . .”
The U.S. Court of Appeals for the Third Circuit recently held in Clemens v. ExecuPharm Inc. that the risk of future harm from a data breach can be enough for Article III standing, taking into consideration whether the breach was intentional, whether the data was misused, and the nature of the data accessed.
On Sept. 27, Michigan Sen. Rosemary Bayer and eight fellow Democrat cosponsors introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of the year.
Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.
On Aug. 11, 2022, the Federal Trade Commission issued an Advance Notice of Proposed Rulemaking seeking input that will shape potential rules “to crack down on harmful commercial surveillance and lax data security.”
On July 29, 2022, the New York Department of Financial Services published pre-proposal draft amendments to its Cybersecurity Regulations, 23 NYCRR 500.00, et seq. , that if adopted will require covered entities to implement numerous policy and operational changes.
Determining whether your business engages in activities that can trigger coverage is discussed by the Federal Trade Commission in just released guidance entitled “FTC Safeguards Rule: What Your Business Needs to Know.” The Rule applies to many businesses beyond the scope of what are commonly understood to be “financial institutions” and has implications for service providers to covered entities.