Industry specific privacy laws becoming a new norm
Businesses and other organizations are subject to privacy requirements that apply to all industries, such as data breach notification laws, data destruction laws, and biometric information privacy laws. In recent months and years, however, a new trend has emerged: many legislatures are enacting, and regulators are implementing, additional industry-specific privacy laws and regulations, often rendering organizations liable to both privacy laws of general applicability and the additional industry-specific laws.
Consider, for example, that a number of states have enacted privacy laws specifically targeting the insurance industry. Effective January 20, 2021, a Michigan-licensed insurer or producer (and other insurance professionals) is required to develop, implement, and maintain a comprehensive written information security program by January 20, 2022. The program must feature administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system. This program must also be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer. The program must also be designed to [sic] maintain policies and procedures for the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes.
Additionally, a Michigan-domiciled insurer must certify to the state that it is in compliance with the law and maintain for examination records supporting this certificate for five years. The law also requires a licensee to, in some circumstances, notify regulators and consumers of events that result in unauthorized access to and acquisition of, or disruption or misuse of, an information system or nonpublic information stored on an information system.
The law may be found here. Other states such as South Carolina have enacted similar insurance-focused privacy statutes.
Financial services industry
Similarly, consider New York’s Cybersecurity Requirements for Financial Services Companies, which requires any person operating under or required to operate under the Banking Law, the Insurance Law or the Financial Services Law (collectively, a covered entity) to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems. This program must, in part, identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems; use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts; detect cybersecurity events; respond to identified or detected cybersecurity events to mitigate any negative effects; recover from cybersecurity events and restore normal operations and services; and fulfill applicable regulatory reporting obligations. The regulation’s full text may be found here.
In the coming months and years, we expect to see additional industry specific laws and regulations enacted and implemented throughout the United States.
Attorneys from McDonald Hopkins’ Data Privacy and Cybersecurity Practice Group are available to counsel organizations on all aspects of data privacy and security laws.