Plotting a Course for Your 2025 Data Security Plan

Trying to plot the course for a data security plan in 2025 requires piecing together the
maps of various cartographers and decoding each map’s legends and keys.

The cartographers:

• Consumer Financial Protection Bureau
  On November 12, the CFPB published a report warning about alleged gaps in consumer protection caused by Gramm-Leach-Bliley Act exemptions relied upon by insurers as keys to safe passage around the obstacles of most state comprehensive privacy laws. The report also added a legend urging lawmakers to address these gaps because financial institutions are allegedly increasingly collecting and using large quantities of consumers’ financial data as a source of revenue.
  These actions may narrow the path for the use of consumer data by insurers navigating this perilous terrain.
• Federal and State Privacy Regulators and Legislation
  State privacy regulators have added caution signals to their maps that may result in insurers avoiding or slowing down on routes that could be interpreted as involving dark patterns (user interfaces that impact consumer choices), data brokers, and automated decision-making.
  In addition, to address the increased risk from cyberattacks, federal regulators and states continue to add important new features to their maps that reflect additional cybersecurity requirements: the latest NY DFS Part 500 requirements taking effect and recent amendments to the SEC’s Regulation S-P, to name a few.
• NAIC Privacy Protections Working Group
  The NAIC Privacy Protections Working Groupcontinues development of a model flight plan for insurers and has released drafts of the portion addressing service provider agreements, privacy
  notices, privacy rights, data sales, and the use and disclosure of sensitive personal information. The partial draft plan signals that the new draft model will incorporate new hazards in the form of additional obstructions on data use and disclosure, widened flight paths for enhanced customer privacy rights, and requirements on the use of service providers. The draft’s symbology portends that insurers will need to enhance their due diligence and oversight of service providers.
• Plaintiffs’ Bar
  The plaintiffs’ bar continues to chart out new class actions that challenge the use of various website technologies. The plaintiffs’ bar seeks to navigate toward statutory damages for alleged violations of common law privacy norms and wiretapping laws. A recent Northern District of California decision granting a motion for class certification against a large insurer in one such case appears to have marked out a channel for increasing demand letters to insurers.

To help decipher the work of these cartographers and plot a course that avoids obstacles:

• Review your data security program to ensure all required annual certification dates are understood (and prepare to meet them).
• Revisit existing and planned practices and associated notices and consents with an eye toward improvements to address changed business practices or technologies and the latest legal changes, regulatory enforcement priorities, industry trends, and private litigation risk.
• Document risk assessments, due diligence, oversight, and training activities.
• Consider enhancing due diligence and oversight of service providers’ privacy and cyber
  commitments.
• Evaluate service provider contracts to determine necessary (or even merely advisable) provisions going forward. Consider developing a template, which can either be incorporated into agreements or used as a checklist when reviewing others’ terms.
• Supplement employee training to address the latest threats.
• Refresh and rehearse your incident response plan, adjusting as needed to address changed business practices/technologies, compliance with the latest regulatory changes, and improvements deduced from recent tabletop exercises or data cybersecurity incidents.

Bon voyage!