NIST Releases Cybersecurity Framework 2.0

Share

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0 (CSF 2.0). CSF 2.0 represents the first major update to the Cybersecurity Framework, which was first released in February 2014. CSF 2.0 provides an increased focus on entities’ governance functions and broadens the CSF’s scope. For companies subject to state and federal standards demanding “reasonable security,” CSF 2.0 is particularly important because it could very well become the de facto standard of care under various cybersecurity and data privacy laws.

Focus on Governance

CSF 2.0 builds on the five high-level functions from CSF 1.0 (Identify, Protect, Detect, Respond, and Recover) by introducing a new core function—Govern. This function focuses on ensuring that an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. In particular, this new core function emphasizes that an organization’s cybersecurity framework must be (i) based on the organization’s individual circumstances, goals, and risk appetite; (ii) well established and communicated within the organization to ensure compliance and continuity; and (iii) continually reviewed and improved.

Continue reading “NIST Releases Cybersecurity Framework 2.0”

NAIC Privacy Protections Working Group Meets to Discuss New Model Privacy Law

Share

On June 5-6, 2023, the NAIC Privacy Protections (H) Working Group (“PPWG”) held an in-person interim meeting (“session”) to continue its work on drafting a new model privacy law, the Insurance Consumer Privacy Protection Model Law #674 (“Model Law”). Model Law #674 is intended to replace the current Models #670 and #672. The session was intended to be a drafting session focused on certain provisions of the current exposure draft not yet covered during the three preceding PPWG open drafting calls.

During the session, the working group covered third-party service providers, definitions of “insurance transactions” and “additional permitted transactions,” marketing (and joint-marketing agreements), consent to marketing (opt-in versus opt-out), and consumer privacy notices. The PPWG announced it intends to release a new exposure draft (version 1.0) of the Model Law by the end of June to address many of the comments the working group has received and discussed to date. There will be no 60-day comment period for this draft and instead, open calls to discuss drafting will restart once the new exposure draft is released.

Continue reading “NAIC Privacy Protections Working Group Meets to Discuss New Model Privacy Law”

How We Spent Our Summer Vacation or Summary of CCPA Amendments

Share

The long anticipated amendments to the CCPA were passed by the California Legislature in early September and now await Governor Newsom’s signature.  Some of the changes were “clean up” amendments to update cross references, standardize language, and generally address issues of drafting.  What follows is a summary of the most significant and substantive amendments:

Continue reading “How We Spent Our Summer Vacation or Summary of CCPA Amendments”

Another Big Blockchain Initiative Announced in Health Care Insurance Industry

Share

Several large health insurance companies, including Aetna, Anthem, and Healthcare Service Corporation, have announced a collaboration with PNC Bank and IBM to utilize blockchain technology to “improve transparency and interoperability in the health care industry” and “address a range of industry challenges, including promoting efficient claims and payment processing, to enable secure and frictionless healthcare information exchanges, and to maintain current and accurate provider directories.”

Continue reading “Another Big Blockchain Initiative Announced in Health Care Insurance Industry”

Sixth and Second Circuits Rule In Favor of Insurance Policy Holders in Computer Fraud Provisions Cases

Share

Policy holders alleging that computer fraud provisions of their insurance policies extended to fraud that stemmed from an intercepted email and a spoofing attack notched wins before two separate appellate courts recently. The first involves Travelers Casualty and Surety of America and American Tooling Center Inc., and the second involves Chubb Ltd. and Medidata Solutions Inc.

Continue reading “Sixth and Second Circuits Rule In Favor of Insurance Policy Holders in Computer Fraud Provisions Cases”

DC Circuit Deepens Circuit Split on Data Breach Class Standing

Share

***09/06/17 UPDATE***

On Wednesday, September 6, the DC Circuit Court of Appeals granted an unopposed motion to stay its decision that reversed a district court order dismissing a potential class action arising from a 2014 data breach Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108.  The order stays the mandate until December 7, 2017.

***ORIGINAL POST***

Last month, a three-judge panel on the United States Court of Appeals for the District of Columbia unanimously reversed a district court order dismissing a potential class action arising from a 2014 data breach,  Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108.  In reversing that order, the court permitted a health insurance company’s customers to proceed against that carrier, CareFirst, which serves one million customers in the District of Columbia, Maryland and Virginia.
Continue reading “DC Circuit Deepens Circuit Split on Data Breach Class Standing”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy