At the start of 2023, the New York State legislature introduced several privacy-related bills.  One of those bills, S365, appears to be gaining momentum. It was reported and committed to the Internet and Technology Committee on April 25, was amended on May 18, and was further amended and recommitted to the Finance Committee on June 4. 

If it becomes law, S365 would require organizations to make disclosures regarding their data processing practices, impose limitations on sharing personal information, require data protection impact assessments in certain situations, and grant consumers an array of rights, including to access, correct, and/or delete their personal information. 

Among the other data privacy and security bills under consideration are the following:

  • A417 would restrict the disclosure of personal information and require that organizations make available to customers, free of charge, access to or copies of their personal information.
  • A1366 would require advertising networks to post a clear and conspicuous notice on the home pages of their websites regarding their privacy policies and the data collection and use practices associated with their advertising delivery activities.
  • S2277 would require any entity that conducts business in the state and maintains the personal information of 500 or more individuals to provide meaningful notice of its use of personal information. The law would also prohibit unlawful discriminatory practices relating to targeted advertising.
  • S3162 would grant consumers the right to request that organizations disclose the categories of any specific personal information they collect, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Along with this flurry of legislative activity, State enforcement agencies have, in recent months, announced several notable data breach settlements.  For instance, lender and mortgage servicer OneMain agreed to pay $4.25M to resolve a New York State Department of Financial Services enforcement action and healthcare professional services provider PracticeFirst agreed to pay $550,000 – and to implement a variety of measures to bolster its data security program – to resolve an enforcement action by the State Attorney General.     

As is evident from the above, organizations that collect and process personal information related to New York residents need to be proactive in managing their data privacy and security risk.  The web of compliance obligations in this space is expanding quickly and the consequences of non-compliance are becoming more and more significant.

Jackson Lewis will continue to monitor the fast-changing landscape in New York and similar developments across the country and internationally.  If you have questions about New York’s proposed legislation or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Unhappy consumers, including patients, are free to express dissatisfaction with services they receive from providers on popular social media or online review platforms, such as Yelp and Google. At least in the healthcare industry, providers must be very careful when responding, if they respond at all.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with a New Jersey provider of adult and child psychiatric services. According to the settlement, the provider “impermissibly disclosed the PHI of four (4) patients in response to their negative reviews posted on Google Reviews.” The OCR claimed that the provider included the complaining patient’s diagnosis and treatment of their mental health condition in the online response. The investigation that followed the complaint also revealed, according to the settlement materials, (i) responses by the provider to three other patients including protected health information and (ii) that the practice’s written policies and procedures were not HIPAA compliant.

While not admitting any wrongdoing, the practice agreed to pay $30,000 to OCR and to implement a corrective action plan (CAP) to resolve the potential violations. As a practical matter, the monetary settlement may be less of a burden than the CAP. According to the settlement materials, the CAP requires that the practice:

  • be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule, 
  • develop, maintain, and revise written policies and procedures to comply with the HIPAA Privacy Rule,
  • train all members of its workforce, including owners and managers, on the organization’s policies and procedures,
  • issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
  • submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.

So, what should a small healthcare practice be doing to avoid a similar penalty and CAP:

  • Get compliant with HIPAA and maintain policies on disclosures in social media! HIPAA-covered healthcare providers should have policies and procedures related to disclosures of PHI generally and, more specifically, to disclosures of PHI on social media.
  • Train staff (including healthcare providers and owners) concerning these policies. Policies alone may not be enough. The OCR also may ask for sign-in sheets showing staff attended the training, along with the materials that the training was based on.
  • Maintain a HIPAA Notice of Privacy Practices. At a minimum, this should be posted in the office and on the practice’s website, as applicable.
  • Monitor social media activity by staff. Understand the social media channels that the practice engages in and consider periodically monitoring public social media activity by staff.
  • Cooperate with the OCR. Covered entities should absolutely make their case to the OCR in defense of a compliance review or investigation. At the same time, being responsive to the agency’s requests can go a long way toward resolving the matter quickly and with minimal impact. Having experienced legal counsel versed in the HIPAA Privacy and Security Rules to guide the practice can be tremendously helpful.

On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

  • Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction.
  • Controls and processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
  • Nonprofit organization;
  • Institution of higher education;
  • National securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
  • A financial institution or an affiliate of a financial institution governed by Title V of the Gramm-Leach-Bliley Act;
  • Covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data.
  • Access personal data processed by a controller.
  • Delete personal data.
  • Obtain a copy of personal data previously provided to a controller.
  • Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

For additional information on Montana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Yesterday, New York’s Department of Financial Services (“DFS”) announced another enforcement action under the state’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”).  According to the press release, OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for alleged violations of Reg 500.  

In the Consent Order, DFS pointed to several provisions of Reg 500 for which it alleged OneMain came up short:

  • 23 NYCRR § 500.03: requires all covered entities to implement and maintain a cybersecurity policy that is based on the covered entity’s risk assessment and addresses business continuity and disaster recovery planning and resources;
  • 23 NYCRR § 500.07: requires covered entities to limit user access privileges to information systems that provide access to Nonpublic Information (“NPI”);
  • 23 NYCRR § 500.08: requires covered entities to implement and maintain policies and procedures to protect information systems and NPI during application development and quality assurance operations;
  • 23 NYCRR § 500.10(a)(3): requires covered entities to provide cybersecurity personnel with cybersecurity training and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures; and
  • 23 NYCRR § 500.11(a): requires covered entities to implement written policies and procedures that address, among other things, due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party service providers.

These provisions of Reg 500 describe controls one might find in just about any cybersecurity framework, not just one focused on entities that provide financial services. For example, under the HIPAA Privacy and Security Rules, simply adopting a set of policies and procedures that address the standards under the Security Rule would be insufficient if they were not based on a risk assessment. That is, cybersecurity policies and procedures should reflect the threats and vulnerabilities to the organization identified in a risk assessment. Likewise, the New York SHIELD Act requires covered entities to “select[] service providers capable of maintaining appropriate safeguards,” not just require those safeguards by contract. The same is true for fiduciaries of ERISA-covered retirement plans – fiduciaries must exercise prudence in the selection of entities providing services to the plan.  

Among the examples provided in the Consent Order was a folder containing passwords that was named “PASSWORDS.” DFS acknowledged the folder was encrypted and password protected, but cautioned that “anyone with access to that internal shared drive, which included personnel in OneMain’s call center, could rename, move, or delete the folder.” New York’s Attorney General recently released a guide for businesses on effective data security that addresses strong password hygiene.

Another area of concern cited by DFS was the management of third-party service providers. Having a written vendor assessment policy is not enough. According to DFS, the due diligence required to assess the cybersecurity risk of vendors must be performed in a timely manner. Allowing vendors to commence work before the assessment process is complete is problematic. Also problematic is failing to adjust the cybersecurity risk score assigned to a third-party vendor after the vendor experiences a cybersecurity event that arguably warrants a change to its risk profile.

“This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers,” said Superintendent of Financial Services Adrienne A. Harris.

The Consent Order points out that it is not enough to establish a written cybersecurity program. That program must be actively managed and adjusted based on changing circumstances.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making Tennessee the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process personal information of at least 100,000 consumers; or,
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include the State of Tennessee and state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

Under the statute, personal information is protected, which includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information;
  • Education information that is not publicly available information.

Personal information also includes “sensitive data” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available; or
  • De-identified or aggregate consumer information.

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt-out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps to ensure the transparency of its processing, including to:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising
  • The sale of personal information
  • The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk
  • The processing of sensitive data
  • Any processing of personal information that presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice” the contents of which are similar to but not as expansive as the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires that they adhere to the instructions of controllers, such as by assisting the controller in responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement that the processor make available all information in its possession needed to demonstrate its compliance with the Act, (ii) a requirement that the processor cooperate with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) an obligation on the processor to push the Act’s required provisions down to its subcontractors.

How is the law enforced?

The attorney general and reporter have exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it discloses the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes, but it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

We have written several times about U.S. Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such enforcement action, the OCR investigated a complaint made against a psychotherapist concerning the alleged refusal to provide medical records. Ultimately, and even after the OCR provided “technical assistance,” the OCR claimed the covered entity still failed to provide the records.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

The settlement resulted in a $15,000 resolution amount and required compliance with a two-year corrective action plan (CAP). The CAP includes the following requirements for the solo practitioner:

  • Review and revise right of access policies within 30 days of the settlement, and review and adopt OCR-recommended changes to such policies.
  • Provide to the OCR right to access training materials within 60 days of the settlement for OCR’s review and approval.
  • Following OCR’s approval of the training materials, provide training to all employees within 30 days and annually thereafter.
  • Provide the requested records to the complainant within 15 days of the settlement.
  • Within 90 days of receiving OCR’s approval of the right to access policies and procedures, and every 90 days thereafter, submit to OCR a detailed list of requests for access received by the healthcare provider, and documentation for any denials of access.
  • In the event an employee of the provider fails to comply with the right to access policies, the provider must notify OCR within 30 days and include a description of the failure and mitigation plan.
  • Within 120 days after OCR’s approval of the provider’s right to access policies and procedures, submit to OCR a report summarizing the status of implementation.
  • Within 60 days after the end of each year of the CAP, submit to OCR an annual report regarding the healthcare provider’s compliance with the CAP.   

For small providers, the HIPAA rules can be confusing; they also are more than 20 years old. So, smaller practitioners, particularly those newer to practice, simply may not be fully aware of the scope of their obligations under the HIPAA privacy, security, and breach notification rules. Compliance goes well beyond handing patients a template Notice of Privacy Practices and having a secure electronic medical record platform.

The full scope of the HIPAA rules is beyond the scope of this post, but at least for the right to access and considering the OCR’s Enforcement Initiative, here are some resources to help avoid patient complaints and an onerous OCR corrective enforcement action:

Ransomware is a scary term for many business leaders and CISOs who dread being hit with a malware attack that locks up their data and could shut down operations. They expect to find that oddly-worded ransom note advising how they could recover access to their data, for a sizable fee of course. For a variety of reasons, including improved controls, backups, and an aversion to paying criminal threat actors, organizations are increasingly refusing to pay hackers.

Hackers have responded to these refusals with threats to disclose sensitive personal information online and even resorting to directly contacting the individuals whose data has been compromised.

A Wall Street Journal article this morning speaks to this disturbing trend in data breaches. Vastaamo, a psychotherapy treatment center in Helsinki, was hit with a cyberattack in 2020. The hackers exfiltrated sensitive patient mental health records of 33,000 patients and threatened to disclose them online unless Vastaamo paid the ransom – approximately 400,000 euros.

According to the article:

“When the clinic didn’t pay, the hacker pressed individual patients for payment with bullying emails…one victim said the hacker gave her 24 hours to pay around 200 euros in bitcoin, or her therapy records would be posted.”  

Going directly to the affected individuals, whether they be patients, employees, students, etc., also allows the hackers to apply significant pressure on the organization to pay a much larger sum.

The decision to pay or not to pay a ransom comes with a range of critical considerations, some of which are discussed here. In the fog of an attack, with the press, government agencies, affiliates, and/or patients or other affected individuals looking to the organization for answers, working to develop an effective strategy is far more difficult. Increasing preparedness will not make this process easy; tough decisions will still need to be made. But working through these kinds of scenarios and planning generally for an attack will better equip executives and the board to work through the facts of their case and make better decisions more quickly.

As noted in a prior post, New York’s Attorney General (“NYAG”) has made the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide (the “Guide”).

The Guide is based on the NYAG’s experiences in investigating and prosecuting organizations in the wake of data incidents.  It states that the NYAG received 4,000 data breach notifications in 2022 and penalized organizations millions of dollars for failing to comply with their data security obligations.

In the Guide, the NYAG recommends action in nine areas.  Specifically, it directs organizations to:

  1. Maintain controls for secure authentication to ensure only authorized individuals have access to data
  2. Encrypt sensitive customer information
  3. Ensure service providers use reasonable security measures
  4. Know where the business is keeping consumer information
  5. Guard against data leakage in web applications
  6. Protect customer accounts impacted by data security incidents
  7. Delete or disable unnecessary accounts
  8. Guard against automated attacks
  9. Provide clear and accurate notice to consumers

The Guide recommends best practices related to each of the above recommendations and also highlights relevant cases the NYAG has investigated that implicate these areas. Additionally, it incorporates by reference guidance the NYAG issued in 2022 regarding credential stuffing attacks, which outlines four areas in which safeguards should be maintained and notes that certain safeguards may not be effective.

In light of the NYAG’s aggressive enforcement of the NY SHIELD Act, and the sharp rise in data breach-related litigation, organizations should take a close look at their data security programs – with the Guide as one reference point – to ensure they are appropriately managing risk.

If you have questions or concerns regarding your organization’s data security program, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Federal Trade Commission updated its “Standards for Safeguarding Customer Information” (“Safeguards Rule”) and extended the compliance deadline to June 9, 2023. Some entities still may be wondering – “Do these regulations apply to my business?” and “What do I have to do?”

Back in 2021, we provided a high-level summary of the Safeguards Rule, and reiterate some of the requirements here. It is important to note that even if your entity or business is not a “financial institution,” the Safeguards Rule lays out a framework for safeguarding personal information that you might use as a guide. Businesses that are not in “heavily regulated” industries often wonder where to get started and what the best practices are. The Safeguards Rule may be a place to look.

Who is Subject to the Safeguards Rule?

The Safeguards Rule applies to “financial institutions” subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act. If that seems as clear as mud, it is. But the regulations and FTC guidance provide some helpful examples. There might be some entities on the list that you would expect and some you might not have expected. We list some of the examples below:

  • mortgage lenders and brokers
  • payday lenders
  • finance companies
  • account servicers
  • check cashing companies
  • wire transferors
  • collection agencies
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that aren’t required to register with the SEC
  • a retailer that extends credit by issuing its own credit card directly to consumers
  • an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
  • a personal property or real estate appraiser
  • a career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company
  • a business that prints and sells checks for consumers
  • a business that regularly wires money to and from consumers
  • a business that operates a travel agency in connection with financial services
  • a business that provides real estate settlement

Note, entities that maintain customer information concerning fewer than 5,000 consumers are exempt from some aspects of the Safeguards Rule, such as maintaining an incident response plan. Of course, such a plan is important to have should the entity have a security incident. Also, the business may be required to have such a plan under other laws, including state law, as well as under contracts with the business’s customers.

What do we have to do?

The June 9, 2023, deadline noted above was a six-month extension of the original compliance deadline for the updated Rule. The extension generally applies to the following items:  

  • designate a qualified person to oversee their information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.

A business may not be able to tackle all of these items between now and June 9, 2023, but there are several items that could be addressed within that time. Importantly, the Safeguards Rule contemplates that not all covered financial institutions are the same. Specifically, the Rule provides that information security programs required under the Rule must contain administrative, technical, and physical safeguards that are

appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.

In short, covered financial institutions will need to address all of the applicable requirements but perhaps not to the same extent or in the same way as other covered financial institutions. Much will depend on a number of factors noted above, as well as the business’s risk assessment.   

On May 1, 2023, Governor Holcomb signed Senate Bill 5, Indiana’s comprehensive privacy statute (the Act). The Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia, to enact a comprehensive consumer privacy statute.

Indiana beat Montana and Tennessee, which both have consumer privacy statutes pending signature by their governors.

The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process the personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Like other states’ comprehensive consumer privacy laws, the statute provides consumers with the right to access personal data being processed, to delete personal data, and to opt out of the sale of their personal data.

For additional information on Indiana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.