Cybersecurity and data privacy are hot issues on the minds of many regulators, both in the U.S. (at the state and federal levels) and internationally. M&R advises companies on the ongoing compliance mandates in jurisdictions around the globe, and provides insight into how new and developing legislation will likely be enforced in a myriad of industries.
- Insurance/Financial Services – With the adoption of cybersecurity requirements by the New York Department of Financial Services and a pending data security model law proposed by the National Association of Insurance Commissioners (NAIC), insurance and insurance-related companies as well as brokers, agents and adjusters are now (or, outside New York, will soon be) under similar cybersecurity regulatory obligations as health care providers (under the Health Insurance Portability and Accountability Act (HIPPA)) and financial institutions (under the Gramm-Leach-Bliley Act (GLBA) and SEC regulations).
- Retail – The Federal Trade Commission has opined that inadequate cybersecurity measures could be deemed an “unfair trade practice” if there is a substantial likelihood that consumers could be injured as a result. While retail has traditionally been an industry with little cybersecurity regulatory oversight in the U.S., this model is quickly changing with the rapid increase in data breaches of large retail chains. We help our retail clients establish the cybersecurity and privacy policies to both improve on preparedness to resist a cyberattack, as well as the data minimization strategies to effectively mitigate any resulting harm to consumers.
- Healthcare – HIPAA’s Security Rule has been in effect behind the scenes since 2005, but it has received substantially less attention than more consumer-facing privacy rules. Nevertheless, with the ever-increasing risk of cyberattacks against healthcare providers (particularly the debilitating effects of ransomware attacks that can result in shutdowns and terminate treatment), it is incumbent upon such providers and their business affiliates to develop robust cybersecurity and data privacy programs. The firm crafts comprehensive and enforceable policies that are critical when it comes to demonstrating due diligence in the face of an OCR investigation.