South Carolina Passes First Insurance Industry Cybersecurity Law*:
- South Carolina has become the first state to pass a cybersecurity bill requiring any insurance entity operating in the state to establish and implement a cybersecurity program protecting their business and their customers from a data breach.
- There are concerns about the impact on the industry if other states pass laws that differ from South Carolina's, which is based on the "model law" from the National Association of Insurance Commissioners (NAIC).
- The law follows the NAIC Insurance Data Security Model Law the group approved in 2017.
- The law creates rules for South Carolina licensees, defined as insurers, agents and other licensed entities, regarding data security, investigation and notification of a breach.
- The law requires licensees to maintain an information security program based on ongoing risk assessment, oversee third-party service providers, investigate data breaches and notify regulators of a cybersecurity event.
- Other provisions of the new law include:
  - Requires the insurance industry to protect consumer information by safeguarding individual policyholders' personal information.
  - Requires insurance companies to establish data security standards to mitigate the potential damage of a data breach.
  - Requires insurance companies to develop, implement and maintain a secure information security program, investigate any cybersecurity events and notify the South Carolina Department of Insurance (SCDOI) of such events immediately.
- The new law also requires licensees to report a cybersecurity event to the department within 72 hours of the event occurring.
- However, the event must affect at least 250 people and have a reasonable impact on South Carolina consumers for reporting to be required.
- The effective date of the law is Jan. 1, 2019. Insurers are required to develop, implement and maintain a comprehensive written information security program and report it to SCDOI by July 1, 2019.
- Licensees must require their third-party service providers to implement security measures to protect and secure any information systems and personal information by July 1, 2020.
- In a time when cybersecurity breaches are a real and ongoing threat, it is best to take a proactive approach to protecting data before there is an issue, rather than trying to fix a breach once it has happened.
*Source: Insurance Journal, June 1, 2018
Brussels Says New GDPR Law Doesn't Apply to EU After 'Embarrassing' Leak On Website*:
- The European Commission has insisted the new data protection law which has swept the continent DOES NOT apply to them.
- This bombshell revelation follows an "embarrassing" leak of personal details of hundreds of citizens by the European Commission.
- Had any other organisation done this, the leak would normally constitute a breach of the General Data Protection Regulation (GDPR).
- For "legal reasons", European institutions are separate from the GDPR.
- Instead, officials will follow a new law similar to the GDPR but this does not come into effect until autumn.
- The European Commission published more than 700 records that included names, professions and addresses.
- Furthermore, specific postcodes and addresses of Britons can be found by searching on the official EU website using Google.
- Tech site indivigital first spotted the documents, which are only part of the thousands of Microsoft Excel spreadsheets that can be found easily online.
- The documents were uploaded from 2013 onward by officials in various European Commission departments and are hosted on the website Europa.eu.
- Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made.
*Source: Express, June 1, 2018
BMO & CIBC-Owned Simplii Financial Reveal Hacks of Customer Data*:
- CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank's customers.
- The bank said it received a tip over the weekend that hackers had obtained the data, and after a preliminary investigation decided to go public on Monday.
- The email ended with a sample of the information in question: the names, dates of birth, SIN (Social Insurance Number) and account balances of an Ontario man and a woman living in B.C.
- Outside Canada: We have notified and are working with relevant authorities as we continue to assess the situation. We are proactively contacting those customers that may have been impacted and we will support and stand by them.
- Unusual approach: It's very unusual for hackers themselves to tip off the company, because the moment they do, whatever information they have becomes effectively worthless.
- Unlike a so-called phishing attack, which targets people indiscriminately in the hope that someone will fall into the trap, a spear phishing attack is more closely targeted at individuals, using techniques to make them hand over crucial data.
- Will return 100%: It is important to inform clients so that they can also take additional steps to safeguard their information. If a client is a victim of fraud because of this issue, we will return 100 per cent of the money lost from the affected bank account.
- Different notice: They are pulled between two competing forces: they want to make it easier to use technology to bank with them, but they don't want to open themselves up to more fraud.
*Source: CBC, May 31, 2018
An American Alternative To Europe's Privacy Law*:
- Google, Facebook, and Amazon hold themselves out as trustworthy, enticing us to share our information with them — from the banal details of our lives to our most intimate secrets — without making it very clear that everything is being recorded, kept and used for advertising.
- The Europeans find this kind of thing distasteful, which is why last Friday they instituted a strict online privacy law — the General Data Protection Regulation.
- Under the G.D.P.R., any company that gathers or processes personal data is defined as a "data controller" and is subject to a raft of new rights and duties that are enforced by Europe's member states.
- Many people have argued that the United States should adopt or borrow from the G.D.P.R. in strengthening its own online privacy protections.
- The United States has repeatedly failed to pass a number of proposed privacy bills, and despite increased public outrage, it seems unlikely to create a European-style privacy bureaucracy anytime soon.
- For all these reasons, the United States may need to try something different and more American: namely, to rely on judges and state law to establish that the legal concept of "fiduciary duty" can apply to technology companies.
- These entities present themselves as trustworthy, have a special expertise and usually require you to reveal information about yourself to be useful.
- To be sure, a European-style regulatory system operates faster and has clearer rules than an American-style common-law approach.
- Case-by-case consideration might be the best way to find good solutions to many of these privacy problems and, when the time comes (if the time comes), to guide the writing of general federal privacy legislation.
*Source: NY Times, May 30, 2018
Facebook's Health Groups Offer a Lifeline, But Privacy Concerns Linger*:
- Facebook group administrators have noticed that their members are increasingly worried about the privacy of their personal information and soul-baring posts.
- So while usage doesn't currently seem to be at risk, Facebook users' behaviour might be changing.
- It's impossible to expect a true sense of privacy among groups with large numbers of people, but users and bioethicists alike have lingering questions about Facebook's use of data.
- How much of Facebook is truly closed? How visible are your posts? Could someone take a screenshot of something you said and repost it?
- These new questions may be a good thing. Our deep desire to connect can lull us into a false sense of security.
- Although Facebook denies sharing the content of users' posts or comments in closed groups, some people are wondering whether other kinds of health information could be at risk.
- We take protecting people's privacy very seriously.
- We do not sell people's data. Nor do we allow advertisers to target people based on health conditions or conversations on Facebook, including in Groups.
- Yet the social media network is constantly gathering other kinds of health information that's valuable to advertisers.
- Facebook announced it was launching a feature to help users control the release of their info to third parties.
- Imagine what kind of connections future data miners could make based on your social media posts, fitness trackers, voting record, purchasing history and perhaps even genetic data.
- Whatever the risks are now, if there are no policy changes as more and more data about you becomes known, the risk of re-identifying you is only going to go up.
*Source: Huffington Post, May 28, 2018
WhatsApp BLOCK: Millions of UK Users Now Banned from Chat APP*:
- WhatsApp has enforced a major change which has left millions of users in Britain banned from using the chat app.
- The Facebook-owned messenger for iOS, Android and desktop will no longer allow people under the age of 16 to use it.
- Until recently, WhatsApp had allowed those aged 13 and above to join the messaging service in the UK.
- However, on Friday, May 25, 2018, the new General Data Protection Regulation (GDPR) came into force.
- The EU's data privacy laws give the public more rights over how personal information is used and raise the amount that firms can be fined for breaching them.
- As a result, those who do not meet the new minimum age requirement for WhatsApp will no longer be able to use the hugely-popular messaging service.
- Our goal is simply to explain how we use and protect the limited information we have about you.
- Any WhatsApp users who did not verify their age before GDPR went live yesterday will have to do so now to continue using the chat app.
- WhatsApp plans to keep the over-13 age restriction, which previously applied to the UK, in the rest of the world.
- It also confirmed it will launch a feature in the coming weeks that will enable users to download a copy of the data WhatsApp has collected on them – another requirement of GDPR.
- The newly enforced GDPR regulations require clear consent from users for companies to access their data.
- The regulations also give users greater powers to access and control how their data is used, and the right to have personal data erased.
*Source: Express, May 27, 2018