Recent report provides latest regulatory demands for cyber insurance

On October 20th, 2015, Symantec released a report entitled "What Every CISO [Chief Information Security Officer] Needs to Know About Cyber Insurance" (the "Report").

The Report focuses on providing general recommendations and advice to business entities on the legislative and regulatory rules governing the disclosure of data breach incidents, the history of cyber insurance policies and the general types of coverage provided, the role of privacy attorneys and insurance brokers, and "crisis communication" in the event of a data breach.  Although generally targeted towards entities that might seek coverage from a cyber insurance policy, the Report also may be useful to insurers to help them better understand how federal and state regulators are monitoring the insurance industry.  In addition, insurers may be subject to the same data breach disclosure laws, and it may be useful to know the rules that govern disclosure of such incidents.

Federal Laws and Regulation

According to the Report, more than two dozen cyber and data-security related bills have been introduced in Congress, spanning the purview of 15 different committees across the House and Senate tackling the issue.  The Report notes that the 114th Congress has introduced a "flood" of cyber security bills since early 2015.  Only two such bills have passed the House—HR 1560, the Protecting Cyber Networks Act, and HR 1731, the National Cybersecurity Protection Advancement Act.  Both are intended to promote information sharing "to help the public and private sectors, through a reciprocal process of sharing cyber threat indicators, improve their cyber defenses."[1]  Cybersecurity legislation in the Senate is moving at a much slower pace.

The Report expects that federal legislation creating a national standard for data breach notification is the likely next step once Congress addresses information sharing.  The Report states that the business community strongly supports the creation of a data breach standard because the state reporting laws and regulations make compliance "burdensome and confusing" when a data breach affects consumers across state lines.[2]

The Executive Branch is also taking steps to address cyber security and data threats.  On January 13, 2015, President Obama sent three legislative proposals to Congress—Enabling Public-Private Sector Information Sharing, Modernizing Law Enforcement Authorities to Combat Cyber Crime, and Creating a National Standard for Data Breach Notification.  In February 2015, President Obama also announced the creation of the Cyber Threat Intelligence Integration Center (the "CTIIC"), focused on "connecting the dots regarding malicious foreign cyber threats to the nation" and U.S. national interests.[3]  The President also convened a summit on "Cybersecurity and Consumer Protection" and issued the Executive Order (the "EO") "Promoting Private Sector Cybersecurity Information Sharing."  The EO: (i) encourages development of information sharing and analysis organizations; (ii) suggests common, voluntary standards for information sharing organizations; (iii) clarifies the Department of Homeland Security's (the "DHS") authority to enter into agreements with information sharing organizations; (iv) streamlines private sector companies' ability to access classified cybersecurity threat information; and (v) "ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties."

The Report also notes that the DHS has brought together insurance carriers, brokers, and consumers to discuss how cyber insurance can play a role in both the mitigation and recovery from a data breach incident.  In February 2015, the National Protection and Programs Directorate (the "NPPD") at the DHS established a Cyber Incident Data and Analysis Working Group ("CIDAWG") comprised of cybersecurity professionals and insurers to discuss key findings about a number of different cybersecurity topics.  In July 2015, the NPPD and CIDAWG published a white paper entitled "The Value Proposition for a Cyber Incident Data Repository." CIDAWG will also produce reports on three other topics: (i) the cyber incident data points that should be shared in a repository; (ii) methods to incentivize voluntary sharing of cyber incidents; and (iii) a repository's structure and functions.

In November 2014, the U.S. Department of Treasury and Federal Insurance Office (the "FIO") assembled a meeting of insurance carriers and brokers to discuss cyber insurance.  Director of the FIO Michael McRaith stated that the government wants "to support the insurance industry as it seeks to protect itself from cyber incidents."[4]  According to the Report, McRaith stated that Treasury and the FIO would like to work with state insurance regulators to push for voluntary protection standards.  The Report also notes that Treasury "also indicated that Treasury is concerned there are no underwriting standards for cyber insurance" and that Treasury and the FIO are "paying close attention to the burgeoning cyber insurance market."[5]

New York Law Governing Data Breach Notification

While there are few uniform standards for data breach notification at the federal level, forty-seven states as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have established data breach notification laws in order to inform consumers when personal information has been compromised.  According to the Report, these laws establish standards related to: (i) who provides and receives notice; (ii) what information constitutes personal or private information; (iii) methods and timing of conveyance of notice; (iv) required content in the notice; and (v) applicable penalties for non-compliance.

New York's data breach notification statute provides that any person or business operating in New York state who owns or licenses computerized data, including private information, "shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization."[6]  The notice of breach must be provided "in the most expedient time possible and without unreasonable delay."[7]  Notice may be provided via a written, electronic, or telephone communication.  According to the Report, New York does not allow for a private right of action for affected individuals.[8]

Because there are few federal uniform standards for data breach notifications, an entity's compliance with the various state regulations would be difficult at best.  The Report advises that it is "absolutely essential" that an entity that has experienced a breach of consumer data consult with legal counsel and law enforcement to ensure compliance.[9]

Insurance commissioners from the various states are also preparing recommendations for uniform rules on cyber insurance and data breach notifications.  In November 2014, the National Association of Insurance Commissioners formed a Cybersecurity Task Force focused on protecting data, making sure that regulated entities adequately protect their own data, and monitoring development of the cyber insurance market.  The Cybersecurity Task Force also drafted a "Cybersecurity Bill of Rights," which outlines consumer rights regarding personal, private information.  The Report notes that the Cybersecurity Task Force anticipates that state insurance commissioners will distribute the "Bill of Rights" to consumers in their states, but notes concern from the insurance industry that the document may create confusion, as it does not grant rights enforced by state laws or regulations.

John Imhoff is an associate in the insurance and reinsurance team of Clyde & Co in New York.


[1] Symantec Corp., What Every CISO Needs to Know About Cyber Insurance 2 (2015) [hereinafter, the "Report"].

[2] Id. at 3.

[3] Id.; see also Fact Sheet: Cyber Threat Intelligence Integration Center (Feb. 25, 2015), https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center (last visited Nov. 9, 2015).

[4] See The Report 4; see also Mark Hollmer, Feds Support Insurers Seeking Protection From Cyber Attacks, Claims Journal (Apr. 9, 2015), http://www.claimsjournal.com/news/national/2015/04/09/262735.htm (last visited Nov. 9, 2015).

[5] The Report 4.

[6] N.Y. Gen. Bus. Law § 899-aa-2.

[7] Id.

[8] The Report 6.

[9] Id.
