Kids’ Health Insurer’s Website Vulnerable for 7 Years

Data Breach Today

Delayed Implementation of Thailand’s Personal Data Protection Act

Hunton Privacy

The implementation of Thailand’s Personal Data Protection Act B.E. Those data controllers for whom compliance has been deferred include agencies and operators of prescribed businesses specified in the Royal Decree on Agencies and Businesses Not Subject to the PDPA B.E.


First American Title Insurance Co. Faces Charges in NY

Data Breach Today

Company Could Be Fined $1,000 for Each Violation of State Cybersecurity Law

The New York State Department of Financial Services has filed civil charges against First American Title Insurance Co.,

30,000+ Italian sales agents’ personal data, IDs leaked by Ariix Italia

Security Affairs

A database allegedly belonging to Ariix Italia was exposed online on an unsecured Amazon S3 bucket; it includes 30,000+ Italian sales agents’ personal data. As of June 5, the Ariix Italia data bucket has been closed and is no longer accessible. What data is in the bucket?

Insurance Customers’ Personal Data Exposed Due to Misconfigured NAS Server


The vulnerability also exposed login credentials for a massive national insurance claims database, UpGuard says.


DLA Piper Privacy Matters

The Finnish Parliament approved the new general Act on the Secondary Use of Social Welfare and Health Care Data (Laki sosiaali- ja terveystietojen toissijaisesta käytöstä, based on government proposal HE 159/2017) in March 2019. This fragmentation has, unsurprisingly, led to a heavy administrative burden for the secondary users of social and health care data through parallel and slow licence procedures with various authorities. By Joonas Dammert. Background.

Group-IB and CryptoIns introduce the world’s first insurance against cyber threats for cryptocurrency exchanges

Security Affairs

Group-IB and Swiss insurance broker ASPIS, which owns the CryptoIns project, have developed the world’s first scoring model for assessing cryptocurrency exchanges. Group-IB, an international company that specializes in preventing cyber attacks, and the Swiss insurance broker ASPIS SA, which owns the CryptoIns project, have developed the world’s first scoring model for assessing the cybersecurity of cryptocurrency exchanges, allowing the exchanges’ clients to insure their assets.

Striking a balance between security and usability of sensitive data

OpenText Information Management

Last year, the number of personal records exposed by cyber attacks on the financial services industry was an incredible 446,575,334 – more than triple from the year before. The financial and reputational damage from these data breaches can be immense.

EUROPE: Are GDPR fines insurable in the countries where you operate?

DLA Piper Privacy Matters

DLA Piper and Aon have launched a guide, ‘The price of data security’, ahead of the General Data Protection Regulation (GDPR), effective from 25 May 2018. The guide reviews the insurability of GDPR fines across Europe, which can reach up to €20 million or, if higher, up to 4% of a group’s annual global turnover. It also looks at insurability of costs associated with GDPR non-compliance (e.g. Criminal penalties are almost never insurable.

Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance

Data Protection Report

Persons Unknown & Ors. Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance.

A guide to the GDPR for insurance companies

IT Governance

The EU General Data Protection Regulation (GDPR) is designed to harmonise data protection laws across the EU, but certain industries will have to respond differently in order to achieve compliance. A report published by research and consultancy company Celent highlights the challenges that the GDPR presents to insurers. Insurers are data controllers: a person, public authority, agency or body that determines the purpose of processing personal data.


Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

HL Chronicle of Data Protection

In the past two years, multiple state bills have been introduced in the US to establish cybersecurity requirements and standards for the insurance sector, with recent legislative activity taking place in particular in the States of Ohio, South Carolina, and Michigan. The entry into effect of multiple state laws in this area may present challenges for insurance providers operating in states that impose such cybersecurity requirements.

Personal Data Stores – Get ready for a step change


Personal Data Stores – Get ready for a step change. What if Facebook, Google, Amazon etc. all started paying you for the personal data you create whilst browsing their sites? With many organisations making millions from selling targeted advertising using user-generated profiles, and given that Forrester say that more than $2 billion is spent each year on ‘third party data about individuals’, it is clear that this is an attractive market.

Europe's insurers face tough questions on AI

Information Management Resources

The EU's General Data Protection Regulation will require firms to get consent to use personal data in automating decisions.

FTC Files Complaint Against Medical Testing Lab for Exposing Consumers’ Personal Data

Hunton Privacy

LabMD”) for failing to protect consumers’ personal data. According to the complaint, LabMD, which performs various laboratory tests for consumers, exposed the personal information of more than 9,000 consumers on a peer-to-peer (“P2P”) file-sharing network. Specifically, a LabMD spreadsheet that was found on the P2P network contained names, Social Security numbers, dates of birth, health insurance information and medical treatment codes.

Poorly Configured Server Exposes Most Panama Citizens' Data

Dark Reading

Compromised information includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data

Spanish DPA Publishes Report on Data Processing Activities in Relation to COVID-19

Hunton Privacy

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”). The Report first notes that the EU General Data Protection Regulation (“GDPR”) contains necessary safeguards and rules with respect to personal data processing in a general health emergency.


Financial Regulators Announce Proposed 36-Hour Notification Requirement for Notification Incidents

Hunton Privacy

Bankers Life Hack Affects More Than 566,000

Data Breach Today

Company Says Medicare Supplemental Plan Policyholders Among Those Impacted

Bankers Life is notifying more than 566,000 individuals, including Medicare supplemental insurance policyholders, that their personal information was exposed in a hacking incident. Employee credentials were compromised, enabling unauthorized access to certain company websites containing personal data

How to Save on Cyber Insurance and Be Harder to Hack

Adam Levin

Cyber insurance is still evolving, and as such you can still get good deals even if your cybersecurity is not completely up to snuff. Each has reported—or worse have been discovered to have—extremely sensitive customer data stored on cloud servers that were not properly secured.

The Tragedy of the Data Commons

John Battelle's Searchblog

A theme of my writing over the past ten or so years has been the role of data in society. Increasingly, I’ve been worrying a hypothesis: Like a city built over generations without central planning or consideration for much more than fundamental capitalistic values, we’ve architected an ecosystem around data that is not only dysfunctional, it’s possibly antithetical to the core values of democratic society. No, this post is about the business of health insurance.

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Data Protection Report

Following the now famous €50m fine imposed on Google LLC in January 2019, [1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019 [2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management. The user stated that he was able to access other users’ personal information from his website account by changing the URL address.

German DPA Imposes 1.3 Million EUR Fine on Insurance Group for Violation of Data Protection Law

Hunton Privacy

On December 29, 2014, the Commissioner for Data Protection and Freedom of Information of the German state Rhineland-Palatinate issued a press release stating that it imposed a fine of €1,300,000 on the insurance group Debeka. According to the Commissioner, Debeka was fined due to its lack of internal controls and its violations of data protection law. Debeka purportedly wanted this address data to market insurance contracts to these employees.

Washington State Legislators Approve Amendments to Data Breach Law

Hunton Privacy

The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4

Colorado Amends Data Breach Notification Law and Enacts Data Security Requirements

Hunton Privacy

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Attorney General Notification: If an entity must notify Colorado residents of a data breach, and reasonably believes that the breach has affected 500 or more residents, it must also provide notice to the Colorado Attorney General.

Riding the State Unemployment Fraud ‘Wave’

Krebs on Security

states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.

CNIL Unveils 2017 Inspection Program and 2016 Annual Activity Report

Hunton Privacy

On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017. The CNIL estimates that the GDPR will lead to the appointment of a data protection officer in at least 80,000 to 100,000 organizations in France.

U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law

Data Matters

Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries. The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. On October 26, 2017, the U.S.

Irish Data Protection Bill in Final Committee Stage Before the Irish Legislature

Hunton Privacy

On May 16, 2018, the Irish Data Protection Bill 2018 (the “Bill”) entered the final committee stage in Dáil Éireann (the lower house and principal chamber of the Irish legislature). The Bill implements Ireland’s national legislation in areas where the EU General Data Protection Regulation (“GDPR”) provides a margin of maneuver to Member States, and specifies the investigative and enforcement powers of the Irish Data Protection Commission.


CNIL Provides Update on Compliance Pack Regarding Connected Vehicles

Hunton Privacy

On October 3, 2016, at the Paris Motor Show, the French Data Protection Authority (“CNIL”) reported on the progress of a new compliance pack on connected vehicles. The compliance pack on connected vehicles will contain guidelines regarding the responsible use of personal data for the next generation of vehicles. This may include the implementation of easily configurable dashboards in order to ensure that individuals keep control over their data.

Thousands of Humana customers have their medical data leaked online by threat actors

Security Affairs

Experts found a DB containing sensitive health insurance data belonging to customers of US insurance giant Humana. An SQL database containing what appears to be highly sensitive health insurance data of more than 6,000 patients has been leaked on a popular hacker forum.

Mic Drop: California AG releases long-awaited CCPA Rulemaking

Data Protection Report

In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.” The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law.

French DPA Publishes a Compliance Pack Regarding Connected Vehicles

Hunton Privacy

On October 17, 2017, the French Data Protection Authority (“CNIL”), after a consultation with multiple industry participants that was launched on March 23, 2016, published its compliance pack on connected vehicles (the “Pack”) in line with its report of October 3, 2016. The data collected in the vehicle is shared outside of the vehicle for the purposes of providing a specific service to the individual (e.g., when a pay-as-you-drive contract is purchased from an insurance company).

China Releases National Standard on Personal Information Security

Hunton Privacy

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. Encryption measures must be adopted whenever sensitive personal information is retained.

CNIL Launches Work on Compliance Pack Regarding Connected Vehicles

Hunton Privacy

On March 23, 2016, the Chairwoman of the French Data Protection Authority (“CNIL”) opened proceedings that will lead to the release of a compliance pack on connected vehicles. The CNIL announced that the compliance pack will contain guidelines regarding the responsible use of personal data for the next generation of vehicles. It will help various stakeholders in the industry prepare for the General Data Protection Regulation.

New Jersey Moves Forward With Shopper Privacy Bill

Hunton Privacy

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

The True Global Effect of the GDPR

HL Chronicle of Data Protection

“European data protection rules will become a trademark people recognise and trust worldwide” That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. This article was first published in Data Protection Leader in April 2018.


These 3 GDPR Requirements You Must Support Today are Nothing Compared With What’s Coming


On May 25, 2018, the GDPR (General Data Protection Regulation) went into effect. The primary objectives of the GDPR are to give EU citizens and residents back control over their personal data, to simplify the regulatory environment for international business, and to unify regulations within the European Union. Consumer personal data collected within your company is often distributed to multiple systems and organizations, resulting in duplication.


CIPL and AvePoint Release Global GDPR Readiness Report

Hunton Privacy

On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). Telecommunication and technology companies were the most represented respondents, followed by insurance and financial services companies, as well as pharmaceutical and healthcare companies.

California Consumer Privacy Act: The Challenge Ahead — Introduction to Hogan Lovells’ Blog Series

HL Chronicle of Data Protection

privacy laws which generally focus on specific sectors or issues, the CCPA applies broadly to businesses that collect personal information about California residents and aims to create significant new consumer privacy rights. Effective immediately, the CCPA preempts local laws regulating the collection and sale of consumer personal information by businesses. Clinical trial data exception. The CCPA’s private right of action is limited to data breach violations.