News and Alerts for April 25, 2022
Connecticut’s Data Privacy Bill Advances, Excludes Financial Institutions
Connecticut is moving forward with comprehensive data privacy legislation that would resemble Virginia’s VCDPA. The state senate last week unanimously voted to advance Senate Bill 6. The House and Governor Ned Lamont must approve the bill before it becomes law. If it does, the provisions would take effect July 1, 2023, and apply to businesses that possess data on at least 100,000 Connecticut residents—or 25,000 residents if the business makes money by selling personal data. However the provisions would not apply to data generated solely by processing payment transactions. The provisions of the bill currently exclude government agencies, nonprofits, schools, financial institutions, and healthcare providers. Rights granted to citizens would include the right to know, and delete—and the bill takes particular aim at protecting the rights of children and their data.
US Commerce Department Announces Data Transfer Forum
U.S. Department of Commerce Secretary Gina Raimondo announced Thursday the creation of the Global Cross-Border Privacy Rules Forum. Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei will join the forum, which will focus on facilitating international data transfers and certification programs built on shared data privacy values. With the announcement of the partnership came the CBPR Declaration, which lays out chartering principles and objectives of the Global CBPR forum, which according to IAPP include “a certification system based on the Asia-Pacific Economic Cooperation CBPR and PRP Systems, a periodic review of members’ data protection and privacy standards, and promotion of interoperability with other data protection and privacy frameworks.”
Intelligence Agencies Flag Russian Attack
Cybersecurity agencies in multiple countries, including the U.S., Canada, the U.K., New Zealand, and Australia, issued a Cybersecurity Advisory last week warning organizations against malicious Russian cyber activity. According to the advisory, “Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” and that multiple cybercrime groups have promised support for the Russian government in the form of attacks against countries that support Ukraine. Russian-motivated attacks aren’t the only problem worthy of an alert. This week the Department of Health and Human Services issued an alert to healthcare providers, warning them of the Hive ransomware group.
Kentucky Adopts NAIC Model Law for Insurance
Kentucky’s governor just signed into law House Bill 474, which deals with data insurance. The law is modeled after a model law created by the National Association of Insurance Commissioners (“NAIC”), and applies to NAIC licensees with 50 or more employees—or entities who are registered under the insurance laws of Kentucky. Those to whom the law applies will be required to adopt a certain set of data security protocols, like developing written information security programs, conducting risk assessments, and reporting cybersecurity events to the insurance commissioner within 72 hours. The law will take effect on January 1, 2023, but affected entities will have 1-2 years to comply with its provisions.
BREACH REPORT
* * * * * * *
To read our coverage on tools, proven strategies, and tactics being utilized in the market today that can help organizations stay in compliance with certain data privacy laws, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.