Two more state governors, those of Maine and North Dakota, have signed bills into law that adopt the National Association of Insurance Commissioners (NAIC) data security model law (Model Law). Maine and North Dakota join several other states that have already passed similar laws. Hawaii, Idaho, Illinois, Iowa, Minnesota, Rhode Island, and Wisconsin have similar bills pending.

What is the NAIC Model Law and to Whom Does it Apply?

According to the NAIC, the Model Law “seeks to establish standards for regulators and insurers in order to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.”

What Does the Model Law Require?

The Model Law requires insurers and other entities licensed by state insurance departments (licensees) to develop, implement, and maintain a written information security program based on the licensee's own risk assessment, with a designated employee responsible for that program. The Model Law also requires licensees to investigate cybersecurity events and to notify the state insurance commissioner of them, and to implement an incident response plan.

Neither the Maine nor the North Dakota law takes effect right away. Maine's law is effective January 1, 2022, with the section on oversight of third-party service provider arrangements effective January 1, 2023. North Dakota's law takes effect on August 1, 2022, with the section on documenting and reporting cybersecurity events and related incident response activities effective August 1, 2023.

Applus Technologies, Inc., a vendor that assists multiple state Departments of Motor Vehicles with vehicle inspections, recently announced that its systems were affected by malware, disrupting motor vehicle inspections in Connecticut, Georgia, Idaho, Illinois, Massachusetts, New York, Texas, and Utah. As a result of the outage, vehicle inspections have not been completed since March 30, 2021.

This is obviously very inconvenient for individuals whose inspection stickers have expired or will expire shortly: they risk being cited for an expired inspection sticker, on top of having to take time off to get their car inspected.

To address this concern, the Massachusetts Registry of Motor Vehicles (RMV) said, “[R]ecognizing the inconvenience Applus’ outage is causing, the RMV has been in communication with law enforcement to request cooperation and discretion in citing those with an expired sticker who may have attempted to visit a station this week.” The RMV has extended a grace period of one month to drivers who were unable to get their inspection stickers because of the outage.

After inspections had been delayed a week, on April 7, 2021, Applus sent a software patch to service stations to try to fix the problem. However, it is being reported that Applus delivered the patch to service stations on flash drives! Flash drives are a well-known vector for planting malware and ransomware on users' systems, and a file arriving on removable media in the middle of an active malware incident is exactly what a station should be most suspicious of. Distributing a patch this way is contrary to security best practice; at a minimum, a vendor should deliver patches over an authenticated channel and publish a cryptographic hash or signature so that recipients can verify the file before running it.

Applus has stated that it does not believe that any customer (i.e., service station) financial information has been compromised, but is working with a forensic expert.

Lesson learned: get your inspection sticker in plenty of time before it expires.

This week, Consumer Reports published a Model State Privacy Act. The Consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.”  Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.

Canon U.S.A. Inc. (Canon) was hit with a class action lawsuit in the U.S. District Court for the Eastern District of New York this week over the ransomware attack, disclosed in November 2020, that exposed current and former employees' personal information. The plaintiffs reside in Ohio, New York, Florida and Illinois, and allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.

The attack on Canon occurred in August 2020 and affected current and former employees from 2005 to 2020, as well as their beneficiaries and dependents. The information affected included Social Security numbers, driver's license numbers, financial account numbers, electronic signatures, and dates of birth. The plaintiffs are seeking certification of a nationwide class.

Home Depot has agreed to settle a multi-state enforcement action by 46 U.S. states and Washington, D.C. arising from the data breach that occurred in 2014. Home Depot has agreed to pay $17.5 million to put the enforcement action behind it. The investigation was led by the Attorneys General of Connecticut, Illinois and Texas.

The multi-state investigation followed Home Depot's data breach, which affected 40 million customers who used self-checkout terminals in its U.S. and Canadian stores between April 10, 2014, and September 13, 2014. According to the investigation, the attackers used a vendor's username and password to get into Home Depot's network and then deployed malware to harvest customers' payment card information. In addition to the payment card information, at least 52 million people's email addresses were exposed.

In announcing the settlement, Connecticut Atty. Gen. William Tong stated that companies collecting sensitive personal information “have an obligation to protect information from unlawful use or disclosure… Home Depot failed to take those precautions.” In addition to the monetary settlement, Home Depot has agreed to hire a Chief Information Security Officer, upgrade its security procedures and provide employee training. Home Depot denies liability in the matter.