GDPR means that EU is now the most powerful regulator of privacy in the world!

The Washington Post article highlighted the importance of GDPR in that it “underscored the extent to which the European Union has emerged as the most powerful regulator of Silicon Valley, stepping in where Washington has failed — or simply been unwilling — to limit some of the United States’ most lucrative and politically influential companies.”  The May 29, 2018 article entitled “Europe, not the U.S., is now the most powerful regulator of Silicon Valley” included these comments about GDPR which:

…gives users the right to demand the deletion of data and object to new forms of data collection while requiring that companies get explicit consent for how they collect, process and use data — practices that had been all but unfettered in the United States.

Potential violators could face fines of up to 4 percent of global profits [actually “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)”].

The article also quoted Rohit Chopra (“the new Democratic commissioner at the Federal Trade Commission, which for years has been the federal government’s most aggressive privacy regulator”) who said:

Ironically, many Americans are going to find themselves protected from a foreign law…This is not something we are accustomed to.

Are you in compliance yet? Of course since GDPR only went into effect on Friday, May 25 we still do not know the full impact of GDPR on you or the world!

GDPR will likely lead to more cyber insurance claims!

My friend Judy Greenwald reported at that AIG expects now that GDPR is in place that more “Companies will be more inclined to report breaches, with the impact on cyber claims similar to that witnessed in the U.S. after state breach notification laws come into effect.”  Judy’s May 24, 2018 report entitled “Security claims expected to surge with GDPR: AIG report” included quotes from Mark Camillo (London-based head of cyber for Europe Middle East Asia at AIG) in the AIG Europe report titled Cyber Insurance Claims: Ransomware Disrupts Business about serious cyber intrusions:

The combination of leaked National Security Agency tools plus state-sponsored capabilities triggered a systemic event.

The WannaCry outbreak, which hit hundreds of thousands of machines around the world, could have been worse in terms of scale and insured losses if a UK researcher hadn’t quickly found and activated the kill switch,…

Following the implementation of GDPR on May 25 it will be interesting to see what happens with cyber intrusions and insurance.

Beware! Cryptocurrency investment schemes now the target of many state regulators

The Washington Post reported that “Securities regulators across the United States and Canada announced dozens of investigations Monday into potentially deceitful cryptocurrency investment products, the largest coordinated crackdown to date by state and provincial officials on bitcoin scams.”  The May 21, 2018 article entitled “State regulators unveil nationwide crackdown on suspicious cryptocurrency investment schemes” included these observations from the North American Securities Administrators Association:

As many as 35 cases are pending or already completed, with some resulting in cease-and-desist letters warning the alleged schemes that their unregistered activity violates state securities law.

The enforcement actions, which have not been previously reported, take aim at efforts by groups in more than 40 jurisdictions to attract money from unsuspecting investors.

They target unregistered securities offerings that promise lucrative returns without adequately informing investors of the risks, according to state regulators.

The state agencies are also pursuing suspicious cases of initial coin offerings, or ICOs, a fundraising technique used by both legitimate and illegitimate cryptocurrency projects in ways that resemble initial public offerings of stock.

When something sounds too good to be true, it probably isn’t something you should trust!

South Carolina – First state to adopt a Cybersecurity Insurance Law!

The Charleston CEO announced that “Governor Henry McMaster signed the South Carolina Department of Insurance Data Security Bill into law today. South Carolina will be the first in the nation to pass a cybersecurity bill that requires insurers to establish a strong and aggressive cybersecurity program to protect their companies and their consumers from a data breach.” The May 14, 2018 article entitled  “S.C. Governor Signs Insurer Cyber Security into Law” and described that the law creates “for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event.”

Here are more details about the new law:

Protects consumer information: Safe-guarding individual insurance policy holder’s personal information is a high priority in the wake of several major insurance companies’ data breaches.

Establish data security standards: Requires insurance companies to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the SC Department of Insurance.

Strong protection & quick reaction: Requires insurance companies to develop, to implement and to maintain a secure information security program, investigate any cybersecurity events and notify the SC Department of Insurance of such events immediately.

This new cybersecurity insurance law was led by “South Carolina Insurance Director Raymond G. Farmer chaired the National Association of Insurance Commissioners Cybersecurity (EX) Working Group that drafted this important and timely law.”

This new cybersecurity insurance law will be the model for other states.

MAY 25, 2018 GDPR Penalties: May be significant and so here are 10 things you should know

My friend Zack Warren  (Editor-in-Chief of Legaltech News) recently wrote at that “While the maximum penalty of the greater between $20 million or 4 percent of an organization’s annual revenue may not be widely applied, compliance will still be expected for all organizations that touch EU citizens’ data in some way.”  The May 14, 2018 article entitled “10 Things You Should Know Before the GDPR Deadline Is Here” included these comments about #9 But the Work’s Not Done:

Although many in-house counsel are aware of changes that need to be made, those changes still need to actually be implemented.

An Association of Corporate Counsel report released in early May looked at what still needed to be done.

Some 47 percent of respondents reported that, in order to comply with GDPR, they must change data security standards.

Meanwhile, 45 percent said they must change their breach notification procedures to do so, and 43 percent said they need to modify incident response plans.

This is particularly pressing in the health care and financial services sectors, where a separate April survey found that 7 percent of health care companies said they are unlikely to be fully compliant by the deadline, while 3 percent of financial services companies reported they haven’t even begun the process to do so.

Here are all 10 things you should know:

  1. The Basics
  2. A Legitimate Interest
  3. The Issue of Consent.
  4. The Data Protection Officer
  5. Your Employee Data
  6. Ensuring Insurance
  7. Firms Doing Double Duty
  8. ALSPs to the Rescue
  9. But the Work’s Not Done
  10. A Marathon, Not a Sprint

Lots of companies are working hard to be in GDPR compliance, and some only watching…so it will be interesting to see how GDPR changes the world on May 25!