
The recently enacted European Union (EU) General Data Protection Regulation (GDPR), the National Association of Insurance Commissioners (NAIC) Model Law and the New York State Department of Financial Services (NYDFS) Cybersecurity Act all address data privacy (the personal information of individuals) and data protection (using such personal information for business objectives), but from different perspectives. The EU regulation focuses on broad principles, namely the rights of EU data subjects and the requirements for companies to:
- Use and process the data only for lawful purposes;
- Limit use by third-party recipients of the data; and
- Give the data subjects the rights to access, portability, rectification and erasure (the “right to be forgotten”).
By contrast, the NYDFS and NAIC regulations focus on the technical requirements for financial services companies to assess cyber risk in their systems, implement additional security and report breaches promptly. The NYDFS regulation became effective on March 1, 2017. The Department is requiring companies to file Certifications of Compliance with specific sections of 23 NYCRR Part 500 (NY Regulation) according to a timetable of various transition periods. For companies, understanding and prioritizing these risks, and making informed decisions about them, requires an understanding of the law as it unfolds.
- Regulatory Landscape Part I: The New Privacy Order Created by GDPR
- Regulatory Landscape Part II: Extra-Territorial Application of GDPR
- Regulatory Landscape Part III: New York Department of Financial Services Regulation
- Regulatory Landscape Part IV: NYDFS Cybersecurity Act - Risk of Third Party Service Providers
- Regulatory Landscape Part V: NAIC Model Law
- Regulatory Landscape Part VI: California Consumer Privacy Law
- Regulatory Landscape Part VII: Conclusion