Our colleague  at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers in the financial services industry: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens). …

Read the full post here.

As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:

  1. Addressing Workplace Sexual Harassment in the Wake of #MeToo
  2. A Busy 2017 Sets the Stage for Further Wage-Hour Developments
  3. Your “Top Ten” Cybersecurity Vulnerabilities
  4. 2017: The Year of the Comprehensive Paid Leave Laws
  5. Efforts Continue to Strengthen Equal Pay Laws in 2017

Read the full Take 5 online or download the PDF.

Our colleagues at Epstein Becker Green have released a Take 5 newsletter focused on the financial services industry.  Following are the introduction and links to the stories:

For this edition of the Take 5 for financial services, we focus on a number of very well-publicized issues. The tidal wave of sexual harassment allegations that followed the Harvey Weinstein revelations has drawn the attention of companies, their human resources departments, and employment lawyers. The rule on chief executive officer (“CEO”) pay ratio disclosure, which goes into effect in 2018, is a required focal point that garners significant interest in an industry that is all about money. The hyper-charged political climate has brought social activism and heated political discussions into the workplace with increasing frequency—and with potential employment law implications. A heightened legislative focus on eliminating at least one recognized source of the gender pay gap has resulted in new rules that prohibit very common inquiries about past compensation during the interview process. Finally, data leaks are a mounting threat and cybersecurity is a growing concern throughout an industry that is saturated with the highly sensitive, and sometimes personal, financial information of its clients.

We address these important issues and what financial services employers should know about them:

  1. The Weinstein Effect: #MeToo Allegations in the Financial Services Industry
  2. CEO Pay Ratio: It’s Not Too Late to Calculate!
  3. Managing Employees’ Political and Social Activism in the Workplace
  4. Equal Pay Update: The New York City and California Salary History Inquiry Bans
  5. Insider Threats to Critical Financial Services Technologies and Trade Secrets Are Best Addressed Through a Formalized Vulnerability and Risk Assessment Process

Read the full Take 5 newsletter here and download the PDF.

It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”  Upon adoption by the NAIC, the NYSDFS regulations requiring that NYS financial organizations have in place a written and implemented cyber security program will gain further traction toward setting a nationwide standard for cyber security and breach notification.  Indeed, although there are differences, the NAIC drafters emphasized that any Licensee in compliance with the NYSDFS “Cybersecurity Requirements for Financial Services Companies” will also be in compliance with the model law.

The NAIC Working Committee expressed a preference for a uniform nationwide standard: “This new model, the Insurance Data Security Model Law, will establish standards for data security and investigation and notification of a breach of data security that will apply to insurance companies, producers and other persons licensed or required to be licensed under state law. This model, specific to the insurance industry, is intended to supersede state and federal laws of general applicability that address data security and data breach notification. Regulated entities need clarity on what they are expected to do to protect sensitive data and what is expected if there is a data breach.  This can be accomplished by establishing a national standard and uniform application across the nation.”  Other than small licensees, the only exemption is for Licensees certifying that they have in place an information security program that meets the requirements of the Health Insurance Portability and Accountability Act.  According to the Committee, following adoption, it is likely that state legislatures throughout the nation will move to adopt the model law.

The model law is intended to protect against both data loss negatively impacting individual insureds, policy holders and other consumers, as well as loss that would cause a material adverse impact to the business, operations or security of the Licensee (e.g., trade secrets).  Each Licensee is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for the protection of non-public information and the Licensee’s information system.  The formalized risk assessment must identify both internal threats from employees and other trusted insiders, as well as external hacking threats.  Significantly, the model law recognizes the increasing trend toward cloud based services by requiring that the program address the security of non-public information held by the Licensee’s third-party service providers.  The model law permits a scalable approach that may include best practices of access controls, encryption, multi-factor authentication, monitoring, penetration testing, employee training and audit trails.

In the event of unauthorized access to, disruption or misuse of the Licensee’s electronic information system or non-public information stored on such system, notice must be provided to the Licensee’s home State within 72 hours.  Other impacted States must be notified where the non-public information involves at least 250 consumers and there is a reasonable likelihood of material harm.  The notice must specifically and transparently describe, among other items, the event date, the description of the information breached, how the event was discovered, the period during which the information system was compromised, and remediation efforts.  Applicable data breach notification laws requiring notice to the affected individuals must also be complied with.