Keypoint: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, where DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, the escalating costs pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

Keypoint: It was a busy week for privacy law. Since the update we provided last week Virginia’s bill was signed into law, bills in Washington and Oklahoma advanced, and Utah’s bill failed to pass before its legislative session closed.

Last week, we provided an update on the status of proposed CCPA-like privacy legislation. In that article, we noted that the contents were “time-sensitive and subject to change.” Typical to privacy law, in just a week, the landscape of these proposed laws changed dramatically. Given these changes, we decided to publish another update and, like last week, waited until a weekend when state legislatures are quiet.

Before we get to our update, we wanted to provide three reminders.

First, we will be hosting a webinar on Virginia’s Consumer Data Protection Act on March 11. You can register for the webinar here. If you are unable to attend the webinar live, you can still register, and we will email a copy of the presentation and a link to the webinar recording to you.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Keypoint: Although weakened from its original version, the Oklahoma bill would (if enacted) provide substantial privacy rights to Oklahoma residents and, in some respects, provide more privacy protections than found in the CCPA.

On March 4, 2021, the Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act by a vote of 85-11 with 5 excused. The bill, which is perhaps best described as a heavily-modified version of the California Consumer Privacy Act (CCPA), will now move to the Oklahoma Senate.

The Oklahoma bill was the subject of extensive reporting last month after a prior version of the bill, which included a private right of action, passed unanimously through the House Technology Committee. However, the private right of action was deleted in a significantly modified version of the bill that was introduced earlier this week.

Yet, even with the amendments, the bill is still notable for at least three reasons: scope of applicability, consent for collection, and opt-in to sales. Below is a high-level summary of the some of the bill’s more notable provisions.

Keypoint: Virginia joins California as the second state to enact state consumer data privacy legislation.

As first confirmed by Amy Miller at MLex, on March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA). The CDPA will go into effect on January 1, 2023. With the enactment of the CDPA,

Keypoint: CCPA-like privacy bills continue to be introduced and work their way through state legislatures.

Those who attended our recent webinar or who subscribe to this blog know that we have been closely tracking proposed CCPA-like legislation in state legislatures across the country. We also launched a 2021 State Privacy Law Tracker to keep pace with the latest developments.

Yet, even with these efforts, there still are numerous developments occurring on a near daily basis. Therefore, we decided to wait until a weekend (when state legislatures are quiet) to provide a summary of where these bills stand. Of course, the contents provided below are time-sensitive and subject to change.

On February 19, 2012, the Virginia House of Delegates voted overwhelmingly to pass the Virginia Consumer Data Protection Act (CDPA). The Senate previously voted in favor of passing the legislation. The General Assembly had been considering the CDPA in a special session after both chambers passed companion bills during the regular session. The Senate and

Let’s face it, tracking all of the proposed CCPA-like state privacy legislation has been nearly impossible. At last count, bills have been proposed in sixteen states, including Virginia, New York, Washington, Oklahoma, Arizona, Florida, Utah, Maryland, and Minnesota.

That’s why we created our new 2021 State Privacy Law Tracker.

The tracker identifies the states

creditcards1iStock_000036595886_Large

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).