A number of data privacy and cybersecurity regulations took effect in 2018, and countless more are on the horizon. Keeping up with the ever-growing obligations can be a daunting task. The penalty for non-compliance includes steep fines and an increasing risk of litigation. These timely updates emphasize the importance of defensible data compliance - to avoid both regulatory consequences and litigation.
Pennsylvania Supreme Court Rules that Employers Have Duty to Protect Employee Data
The Pennsylvania Supreme Court recently ruled that one of the state’s largest private employers had a duty to use reasonable care to protect employees’ sensitive information and is possibly liable for a data breach. The mistakes of a third party do not relieve the employer of its responsibility to protect employee data. The groundbreaking ruling could open the floodgates for the plaintiffs’ bar to expand the precedent into other states. A wave of litigation is coming, and the time for compliance is now.
"Negligence is now a viable cause of action for inadequate data security under Pennsylvania law." - Ballard Spahr
Senator Calls for New Regulations in the Wake of the Marriott Hack
The recent breach of Marriott International, Inc. was one of the largest in history. Upwards of 400 million records were compromised, including passport numbers, email addresses, and credit card numbers (many of which were still active as of September 2018). Marriott’s failure to encrypt millions of those breached records, coupled with its failure to eliminate sensitive data for which it had no legal or business need, has legislators calling for stricter laws and regulations addressing data minimization.
“It’s unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it’s unconscionable that it kept this data unencrypted.” – Senator Mark Warner (The Wall Street Journal)
Ohio is the Second State to Adopt NAIC Insurance Data Security Model Law
Ohio followed South Carolina and adopted the NAIC’s Insurance Data Security Model Law. Regulators expect more states to follow suit. The NAIC Model Law has three foundational requirements for all licensees. They must (1) identify Nonpublic Information to ensure adequate protection, access, retention, and deletion, (2) define and periodically evaluate the schedule of retention of Nonpublic Information and the mechanism for its destruction when no longer needed, and (3) have oversight of third-party service provider arrangements, exercise due diligence, and require providers to take steps to protect Nonpublic Information.