Personal information security and breach notification requirements are topics that all independent insurance agencies need to be aware of and be prepared for operationally in the event of a loss of clients' information.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
CBI Comments on TRIA - Certification Process (JasonSchupp1)
Centers for Better Insurance urges Treasury to decline to open the door to a formal petitioning procedure. The U.S. Constitution’s First Amendment already allows any interested person to bring to the Secretary of Treasury’s attention an event the person believes should or should not be subject to certification. Nothing in the Program’s existing rules abridges that right.
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc... (Shawn Tuma)
Presentation addresses issues in cybersecurity law of the evolving standards for data breach liability for companies as well as officers and directors. The event was sponsored by Above Security and the title of the event was Above Compliance – Navigating the Cybersecurity Landscape in Financial Services.
Overview of the Egyptian Personal Data Protection Law (FatmaAkram2)
Egypt has recently enacted the first Personal Data Protection Law (PDPL), which has been published in the Official Gazette on 15 July 2020 and has entered into force on 16 October 2020. The PDPL reflects many of the requirements of the EU’s General Data Protection Regulation (GDPR). The Executive Regulations of the PDPL shall be issued within six (6) months from the entry into force of the PDPL. Organizations shall comply with the provisions of the PDPL and its Executive Regulations within a grace period of one (1) year from the issuance of the Executive Regulations.
The PDPL covers almost all aspects of personal data protection stated under the GDPR. In this presentation, you will find a summary of the important data protection provisions stipulated under the PDPL, and the similarities and differences between the GDPR and the PDPL.
An Indian Outline on Database Protection (Singhania2015)
One Business Processing Outsourcing company of India was in the eye of the storm when one of its employees sold confidential financial information relating to customers of a few British banks to an undercover reporter from the British tabloid ‘The Sun’. The incident sparked off a debate among the offshore industry circles, media and the legal world about the need for specific legislation for the protection of personal data in India, which is absent currently.
The Personal Data Protection Bill 2018 is to be presented before the Parliament shortly with necessary amendments. This bill is applicable to India along the lines of the GDPR of the European Union.
Data Privacy - Security of Personal Information (JDP Consulting)
Philippine Data Privacy Law (R.A. 10173) requires observance of Security of Personal Information.
Summary of Presentation:
1) Security of Personal Information is mandated of Personal Information Controller and their engaged Contractors (or 3rd Parties).
2) The standards for protection measures are two-fold: reasonable and appropriate.
3) Measures should be organizational, physical, and technical.
4) Strict confidentiality is required to be observed by: PIC Employees, PIC Agents, and PIC Representatives.
5) Notification requirement is mandated upon compromise of sensitive personal information and identity-fraud enabler information.
With the submission of SriKrishna Committee report on data protection, the final countdown for India’s own Data Protection Regime has finally begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of Data Protection Bill 2018- To protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
Data Protection Bill 2019 Participative Role of General Public (ijtsrd)
Protection of data privacy is a very crucial aspect considering the advent of technology in every sphere of human life. It directly depends on how privacy is understood and the legal framework present behind that to protect one's privacy in the way it is meant to be understood. The Data Protection Bill would let us understand the variety of rights and obligations when the question is about protection of one's privacy. At the same time, non-invasion into the privacy of others is also quintessential. The research article would elucidate in detail the crux of the Data Protection Bill considering the practical implications of the rules therein mentioned. The author would also deal with the suggestions that would help in safeguarding privacy at the very ground level. N Parmesh "Data Protection Bill 2019: Participative Role of General Public" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2, February 2020,
URL: https://www.ijtsrd.com/papers/ijtsrd30250.pdf
Paper Url : https://www.ijtsrd.com/other-scientific-research-area/public-relations/30250/data-protection-bill-2019-participative-role-of-general-public/n-parmesh
Protecting Third Party Information under FOI Legislation (Richard Austin)
Examination of the protection available for vendor confidential information in public sector procurements in light of client concerns for public accountability and disclosure (including under FOI legislation).
Presented by The National Underwriter Company, and brought to you by FC&S Legal:
Insurance coverage experts Anjali C. Das and Jerold Oshinsky provide a timely presentation on cyber liability insurance--offering practical tools and guidance on key insurance coverage issues.
Also included: The latest cyber policies—including a discussion of key policy provisions and leading cases that have interpreted the new policies.
Viewers will also find vital information on:
• Examples of the kinds of claims asserted for data breach and privacy
• Coverage under traditional policies: ISO Pre-2001 CGL; ISO Post-2001 CGL
• The evolution of case law for coverage under traditional policies
• Why corporate boards should pay attention to cyber risk, including statistics, D&O Exposure, and D&O Policies
Creating standardized workflows for your agencies minimizes E&O risk and maximizes the return on your technology and training. With increased productivity and higher levels of customer service, your agency can become more profitable.
This is the second of a two-part series I did with QQ Solutions on Social Media for insurance agencies. This session was dedicated to LinkedIn - how to set up an account, a profile, and what to do once connected. We also covered social media aggregators and how to use them.
B. H. Burke & Co., Inc. presented at MAIA's Big Event 2011 in Boston. How to find producers, pay them, and what they should be doing (with new technology).
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... (Financial Poise)
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Information Security: The Trinidad & Tobago Legal Context (Jason Nathu)
Presentation to students completing the Information System Security, Ethics and Law of the Master of Information System & Technology Management at the Lok Jack Graduate School of Business on 12 July, 2015.
A summarized version of the 60 page Rule broken down by Kirk J. Nahra, a partner with Wiley Rein & Fielding LLP in Washington, D.C. He specializes in privacy and information security litigation and counseling for companies facing compliance obligations in these areas. He is the Chair of the firm’s Privacy Practice. He serves on the Board of Directors of the International Association of Privacy Professionals, and edits IAPP’s monthly newsletter, Privacy Officers Advisor. He is a Certified Information Privacy Professional, and is the Chair of the ABA Health Law Section’s Interest Group on eHealth, Privacy & Security.
Responding to a Company-Wide PII Data Breach (CBIZ, Inc.)
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
IIAC Young Agents - Protecting Your Insureds' Private Information
1. Client Confidentiality – Protecting Your Insureds’ Private Information IIAC Young Agents Jason Hoeppner, CIC
15. Personal Information
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
State Definition of Personal Information
CT: Individual’s first name (or first initial) and last name, in conjunction with one or more of the following: (1) Social Security Number; (2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number; (3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
69. List of Some Encryption Software
Whole-Disk Encryption:
• www.truecrypt.org
• www.pgp.com
• www.drivecrypt.com/
• http://www.symantec.com/business/endpoint-encryption
74. Personal Information
State Definition of Personal Information
NJ, CT, & NH: Individual’s first name (or first initial) and last name, in conjunction with one or more of the following: (1) Social Security Number; (2) Driver’s (or motor vehicle operator’s) License number or other state/government ID number; (3) (Financial) Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
NY: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
NJ (also): Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
VT: Account information in which the number could be used without additional identifying information; access codes, or passwords and account passwords or PINs are also included.
Editor's Notes
8/18/2010
Conn. Gen. Stat. 38a., Chapter 700 Property and Casualty Insurance (e.g.) http://www.cga.ct.gov/2011/pub/title38a.htm §38a-8 “Duties of Commissioner…” §38a-41 “Authority to do business…”
Administrative Actions: To minimize that potential, licenses and registrants are urged to follow these procedures.
Sec. 36a-1. (Formerly Sec. 36-1). General statement. This title shall be known as the "Banking Law of Connecticut" and shall be applicable to all Connecticut banks, Connecticut credit unions, mortgage lenders, mortgage correspondent lenders, mortgage loan originators and mortgage brokers, money order and travelers check licensees, check cashing service licensees, trustees under mortgages or deeds of trust of real property securing certain investments, corporations exercising fiduciary powers, small loan licensees, sales finance companies, mortgage servicing companies, debt adjusters, and to such other persons as subject themselves to the provisions of this title or who, by violating any of its provisions, become subject to the penalties provided in this title. [This would apply because the breach section pertains to any “person” which is further defined as] (48) "Person" means an individual, company, including a company described in subparagraphs (A) and (B) of subdivision (11) of this section, or any other legal entity, including a federal, state or municipal government or agency or any political subdivision thereof;
One caveat: I am not a lawyer, and although we will take time to answer questions at the end, I do want to remind folks that if they have a specific question pertaining to the laws in their states (or laws that do apply to them regardless), they should consult a lawyer. § = section. 46 states as of October 2010.
Each state directly addresses “unauthorized” access and both NJ & CT specify that the access (or acquisition) is not secured by encryption. In other words, if someone has access to PI that is encrypted, it is not a breach here. Slightly different than IC-25!
Notice that NY’s definition does not trigger a breach… we’ll see on the next slide what information would constitute a breach. Again, only slightly different than IC-25.
Added the note about IC-25. (5/11/11) If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision. (NH)
CT DOI – encryption doesn’t matter. And there is much more required in the notification, the other law doesn’t specify. (d)(1) Notice of a security breach pursuant to subsection (b) of this section is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination that the misuse of the personal information is not reasonably possible pursuant to the requirements of this subsection. If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1.
NY – electronic notice - provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. NH - Electronic notice, if the agency or business' primary means of communication with affected individuals is by electronic means.
This is not in the breach notification law (Sec. 36a-701b).
Enacted November 12, 1999 effective November 13, 2000 Compliance: July 1, 2001 http://ftc.gov/privacy/glbact/glboutline.htm
Enacted November 12, 1999 effective November 13, 2000 Compliance: July 1, 2001 http://ftc.gov/privacy/glbact/glboutline.htm http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. http://www.ftc.gov/privacy/glbact/glbsub1.htm#6809 (5) Nonaffiliated third party The term ''nonaffiliated third party'' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution. (6) Affiliate The term ''affiliate'' means any company that controls, is controlled by, or is under common control with another company.
http://www.ftc.gov/privacy/glbact/glbsub1.htm#6803 There is more detail here.

The disclosure required by subsection (a) of this section shall include -
(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including -
(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 6802(e) of this title; and
(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;
(2) the categories of nonpublic personal information that are collected by the financial institution;
(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and
(4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title.
(Pub. L. 106-102, title V, Sec. 503, Nov. 12, 1999, 113 Stat. 1439.)
Almost exactly the same as the other breach laws.
Think of a phone book…
As long as the risk of losing PI is determined to be low and the cost or resources needed to close a compliance gap are prohibitive, you could say that your assessment is such that you will not need to do…
This is the one area that I think is a step back.
Each state directly addresses “unauthorized” access, and both NJ & CT specify that the data accessed (or acquired) was not secured by encryption. In other words, if someone gains access to PI that is encrypted, it is not a breach under those statutes.
As you will see, for the most part, the states we are discussing today are rather consistent in how they define a breach. NY – it is referred to as a “Breach of the security of the system”…
Note that CT does not have “good faith” language in its General Statute.
Notice that NY’s definition does not trigger a breach… we’ll see on the next slide what information would constitute a breach.
If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision. (NH)
So, say a breach does occur…
Careful if this is the determination that we make.
Only the states of NH and NY (and later we’ll see MA) specify what information the breach notifications must contain.