As California Goes, so Goes the Nation? Part One
Many of you probably read earlier this month that California's Office of Administrative Law ("OAL") approved the California Department of Insurance's ("DOI") proposal to repeal certain privacy regulations. And you yawned. Or you quickly skimmed over, confident in the knowledge that this is just, well, those crazy Californians (we'll eventually fall into the ocean so no need to worry). The California changes actually have greater significance than may be apparent at a quick glance. Although rarely noted in the media coverage, state insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm-Leach-Bliley Act (GLBA), so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. While California was the first "mavericky" state to pass data breach legislation (SB 1386) back in the early part of the last decade, many states long ago blew past California in passing and enforcing strict privacy and security regulations (e.g., Massachusetts and Connecticut). While other states have been taking steps over the last few years to galvanize privacy and security regulations, California has moved in the opposite direction - Governor Schwarzenegger has, on numerous occasions, vetoed legislation that would have enhanced California's breach notification law (to require, for example, notice to California regulators), and now the California DOI has repealed what some might consider to be standard notice and opt-out requirements for insurance agents and brokers.
(Query whether this general trend will change when the Brown administration takes office in January, and/or depending on the ultimate results of the California Attorney General race. But that's fodder for a future post, maybe Part Two of this series.) Many of our followers have asked me to break down this newest California development, so here goes. (The DOI's proposed regulation text is here; the DOI's "Statement Supporting Change Without Regulatory Effect" is here.)
Information Security Standards and Certifications in Contracting
When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.
Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.
More Than Two Years Later, Federal Agencies Issue GLBA Final Model Privacy Form
On Tuesday, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), the Commodity Futures Trading Commission (CFTC), and the Securities and Exchange Commission (SEC) (the "Joint Agencies") issued the Final Model Privacy Form under the Gramm-Leach-Bliley Act (GLBA). Financial institutions may rely on the model privacy form as a safe harbor to provide disclosures under the GLBA privacy rule (12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC)). Among other things, the Final Model Privacy Form is designed to be more consumer-friendly. The Final Rule can be found here. The opt-out model form can be found here. The no opt-out model form is here. For more on the history, read on.