The U.S. and UK Cyber Landscape

Summary Written by Chris Cwalina, Ffion Flockhart, and Tristan Coughlin, all of Norton Rose Fulbright

The July 18, 2018 panel focused on four items: (1) the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law; (2) the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation; (3) the EU General Data Protection Regulation (“GDPR”); and (4) U.S. state law regulatory updates. Here is a quick overview of each.

  • NAIC Insurance Data Security Model Law – In 2017, NAIC promulgated a model law that establishes a legal framework requiring insurance organizations to operate sophisticated cybersecurity programs to protect the security of “Nonpublic Information” and “Information Systems”. The law applies to any individual or nongovernmental entity licensed, authorized, or registered under the insurance laws. Exceptions include licensees with fewer than 10 employees. South Carolina became the first state to adopt the Model Law on May 3, 2018; it will go into effect on January 1, 2019, with compliance requirements fully enacted by July 1, 2020. Several other states are in the process of adopting the NAIC model law.
  • NYDFS Cybersecurity Regulation – The NYDFS Cybersecurity Regulation became effective March 1, 2017 and applies to any organization regulated by DFS. Certain companies are exempted, such as those with fewer than 10 employees, those with less than $5 million in gross annual revenue for three years, or those with less than $10 million in year-end total assets. Companies were required to be compliant with most provisions by August 28, 2017; however, certain provisions are still subject to the transition period.
  • GDPR – The GDPR became effective on May 25, 2018 in all EU Member States. The GDPR rules apply to almost all private sector processing of personal information by organizations in the EU, or by organizations outside the EU that target EU residents. The GDPR outlines specific responsibilities for organizations to ensure the privacy and protection of personal data, grants individuals certain rights, and gives regulators certain tools to ensure compliance with the regulation. The maximum fine for non-compliance is the higher of €20m and 4 percent of the organization’s worldwide turnover.
  • State Law Updates – As of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. In addition, numerous U.S. states have recently introduced and passed new legislation expanding earlier data breach notification rules, including by broadening the definition of personal information, mandating that certain information security requirements be implemented, and mirroring some of the significant protections provided by the GDPR. In 2018 alone, Alabama, Arizona, California, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont, and Virginia have enacted or updated their data breach notification laws. More states are expected to follow this trend.