
On October 24, 2017, during a joint meeting of the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary, the NAIC officially adopted the Insurance Data Security Model Law (Model Law) to establish standards for data security and the investigation of and notification requirements following a cybersecurity event.

Previously, the Model Law had advanced through the NAIC Innovation and Technology Task Force and the Cybersecurity Working Group during the NAIC's 2017 Summer National Meeting on August 7.

In the wake of several major data breaches over the last several months, new data security and data breach notification bills have been introduced in the US Congress, and others may also be in progress.

Two key bills currently introduced are:

  • Bill S. 1815, the Data Broker Accountability and Transparency Act of 2017 (DBAT Act), which would set new accountability and transparency requirements for data brokers selling consumers’ sensitive information; and
  • Bill H.R. 3806, the Personal Data Notification and Protection Act of 2017 (PDNP Act), which would provide for a single national data breach notification standard.

On January 23, the Federal Trade Commission (FTC) released “Cross-Device Tracking: An FTC Staff Report,” which explains how cross-device tracking is used to track consumers across multiple devices, sets out the benefits and challenges of tracking, and discusses industry efforts to manage these challenges, as well as outlines recommended best practices with respect to transparency, choice, and security. The report follows the FTC’s November 2015 Cross-Device Tracking Workshop, an information-gathering event attended by various organizations, academics, industry experts, and consumer advocates.

What Is Cross-Device Tracking?

Cross-device tracking links a single consumer’s activity across multiple devices, such as smartphones, computers, tablets, or other Internet-connected devices. The report outlines how companies may track consumers across devices via “deterministic” techniques (tying activity to an identifying characteristic the consumer supplies, such as a login) and “probabilistic” techniques (inferring, without any login, that two devices belong to the same consumer from signals such as a shared IP address).
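To make the deterministic/probabilistic distinction concrete, the following Python example (added here; it is not code from the FTC report or its workshop) links device activity both ways over a handful of constructed event records. The scoring rule (one point each for a shared IP address, the same browser family, and hits within a one-hour window) and the link threshold of two points are assumptions chosen for illustration, not a method the report prescribes.

```python
"""Deterministic vs. probabilistic cross-device linking over constructed events.

Added example: the event rows, scoring rule and threshold are all assumptions
made for illustration, not material from the FTC staff report.
"""
from datetime import datetime
from itertools import combinations

# Constructed sample events: (device_id, timestamp, ip, browser_family, login).
# dev-B and dev-D never log in, so only probabilistic matching can attach them.
EVENTS = [
    ("dev-A", "2017-01-10T08:00:00", "203.0.113.7",  "Chrome",  "alice@example.com"),
    ("dev-B", "2017-01-10T08:05:00", "203.0.113.7",  "Chrome",  None),
    ("dev-C", "2017-01-10T20:30:00", "203.0.113.7",  "Safari",  "alice@example.com"),
    ("dev-D", "2017-01-11T09:00:00", "198.51.100.9", "Firefox", None),
    ("dev-E", "2017-01-11T09:02:00", "198.51.100.9", "Firefox", "bob@example.com"),
    ("dev-F", "2017-01-12T12:00:00", "192.0.2.1",    "Chrome",  None),
]


def deterministic_links(events):
    """Deterministic technique: devices that presented the same login are linked."""
    by_login = {}
    for device, _ts, _ip, _ua, login in events:
        if login:
            by_login.setdefault(login, set()).add(device)
    return {login: sorted(devs) for login, devs in by_login.items()}


def _pair_score(e1, e2, window_seconds):
    """Assumed scoring rule: +1 shared IP, +1 same browser family, +1 close in time."""
    _d1, t1, ip1, ua1, _ = e1
    _d2, t2, ip2, ua2, _ = e2
    score = 0
    if ip1 == ip2:
        score += 1
    if ua1 == ua2:
        score += 1
    gap = abs((datetime.fromisoformat(t1) - datetime.fromisoformat(t2)).total_seconds())
    if gap <= window_seconds:
        score += 1
    return score


def probabilistic_links(events, threshold=2, window_seconds=3600):
    """Probabilistic technique: link device pairs whose signal score meets the threshold."""
    links = set()
    for e1, e2 in combinations(events, 2):
        if e1[0] == e2[0]:
            continue
        if _pair_score(e1, e2, window_seconds) >= threshold:
            links.add(tuple(sorted((e1[0], e2[0]))))
    return links


def cluster_devices(events, threshold=2, window_seconds=3600):
    """Merge both kinds of links (union-find) into inferred per-person device sets."""
    parent = {e[0]: e[0] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for devs in deterministic_links(events).values():
        for d in devs[1:]:
            union(devs[0], d)
    for a, b in probabilistic_links(events, threshold, window_seconds):
        union(a, b)

    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(deterministic_links(EVENTS))
    print(probabilistic_links(EVENTS))
    print(cluster_devices(EVENTS))
```

Running it shows the privacy point: dev-B never logs in, yet it lands in alice's cluster purely because it shared an IP address and browser family with dev-A within a few minutes; lowering the threshold to one point would also pull in dev-F on the browser family alone, which is why the report's concern about transparency and choice applies to probabilistic matching in particular.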

On January 3, the Office of Management and Budget (OMB) issued Memorandum M-17-12, which clarifies how federal agencies should prepare for and respond to data security breaches involving personally identifiable information (PII). Memorandum M-17-12 updates existing OMB guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA) and implements those recommendations set out in OMB Memorandum M-16-04.

Memorandum M-17-12 is specifically directed towards agencies' Senior Agency Officials for Privacy (SAOPs) and other senior agency officials, managers, and staff who assist in evaluating risk of harm caused by breaches. However, private sector entities may also use the guidelines set forth for preparing for and responding to breaches to inform their applicable internal processes and procedures.

On January 3, several US trade associations and internet service providers (ISPs) submitted petitions requesting that the Federal Communications Commission (FCC) reconsider its broadband privacy rules mandating consumer opt-in before using data for marketing purposes.

Among those groups submitting petitions are the United States Telecom Association, NCTA - Internet and Television Association, Competitive Carriers Association, Association of National Advertisers, American Association of Advertising Agencies, American Advertising Federation, Data & Marketing Association, Interactive Advertising Bureau, and Network Advertising Initiative.

On March 31, the Federal Communications Commission (FCC), voting 3-2 along party lines, adopted a Notice of Proposed Rulemaking (NPRM) to establish a set of regulatory data security and privacy rules for broadband Internet access service providers (ISPs). If approved, these proposed rules would regulate how ISPs use and share consumer data. The FCC has commenced a comment period—comments are due May 27, 2016, and reply comments are due June 27, 2016.


In its 2015 Open Internet Order (Order), the FCC reclassified ISPs as “common carriers,” which are subject to certain privacy protections of Title II of the Communications Act of 1934 (Act). Although section 222 of the Act (Section 222) was included, the FCC conceded that its existing Customer Proprietary Network Information (CPNI) rules were specific to voice services and would not apply to ISPs. The FCC noted then that this NPRM would be forthcoming. (See our LawFlash discussing the Order: FCC Adopts Open Internet (Net Neutrality) Rules.)

Beyond imposing new rules on ISPs, the FCC’s reclassification may have ultimately dispossessed the Federal Trade Commission (FTC), over the FTC's objection, of its jurisdiction over ISP privacy violations, because common carriers are exempt from the FTC’s consumer marketplace enforcement authority. In the NPRM, the FCC reasons that “the current federal privacy regime, including the important leadership of the [FTC] . . . does not now comprehensively apply the principles of privacy protection to these 21st century telecommunications services provided by broadband networks. That is a gap that must be closed...”

A recent article in CIO magazine highlights the potential security risks posed by using USB thumb drives. The premise of the article—that the firmware in these devices is generally not protected and can be replaced with malware that can infect your systems—sends chills down the spine of the risk-averse lawyers and sourcing professionals involved in negotiating IT services contracts and associated security requirements.