October has been a busy month in the area of cybersecurity-related legislation. Here’s a quick update:

  • Cybersecurity Bill Trimmed by NAIC: The National Association of Insurance Commissioners, which sets standards for the insurance industry, released a trimmed-down version of its Cybersecurity Bill of Rights. The first version of the Bill had 12 points for consumers’ rights in the event of a data breach. The most recent one has six, which you can view here. This newest version is less dense than the previous one, and it leaves out references to the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act. According to the bill, insurance consumers should have the right to the following: (1) know the kind of information their insurance companies collect; (2) expect insurance companies to have a privacy policy posted online; (3) expect insurance companies to take reasonable steps to protect personal information; (4) get a notice when there’s been a breach; (5) get at least one year of identity theft protection in the event of a breach; and (6) an additional set of rights in the event someone’s identity gets stolen.
  • Cyber security bill advances in Senate: The Cybersecurity Information Sharing Act has advanced in the Senate. The bill encourages companies to share best practices and data regarding cybersecurity incidents. While it received bipartisan support, some politicians and industry leaders oppose the bill. Rand Paul, for example, has been critical of the bill for granting what he calls “legal immunity” to companies that share information. And, as this ABC story notes, “Apple, Twitter and some of the biggest names in Silicon Valley have come out swinging against [the] controversial cyber security bill that could soon be put to a vote in the U.S. Senate.” Apple’s primary concern is that the bill infringes on the privacy of its customers and on consumers in general. The Bill still has a ways to go: it has to make it through the Senate and then through reconciliation with a House version passed earlier this year.
  • Earlier this month, California passed the California Electronic Communications Privacy Act. The law is aimed at law enforcement, and requires police to procure a warrant before obtaining someone’s personal electronic information; it also requires the government to procure a warrant before it compels a business to produce a customer’s sensitive personal electronic information.