In their first congressional testimony together as a full commission, the Federal Trade Commissioners expressed support for comprehensive federal privacy legislation before the Senate Committee on Commerce, Science, and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security on November 27. While the focus of the hearing was primarily on privacy and data security, the Commission’s written testimony provided updates regarding other consumer protection and competition matters.
The 9th U.S. Circuit Court of Appeals affirmed the district court’s ruling in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America. The case involved fraudulent emails purporting to be from the insured’s suppliers, directing that the insured send its payments to a new account purportedly opened by that supplier. Based on that fraudulent communication, the insured transferred $713,890 due to its supplier to the fraudulent “new account.”
Spoofing and phishing are part of what is known as social engineering fraud. Social engineering fraud is typically a type of computer fraud in which an employee is misled into believing he or she is communicating with a vendor and is tricked into sending money due to that vendor to the fraudster instead. Many organizations take proactive measures to protect themselves through enhanced IT controls, employee training, and the purchase of computer fraud and other types of cyber insurance.
A recent district court action in Washington illustrates how social engineering works and highlights the importance of understanding the limitations of the types of insurance coverages companies may have. The case is currently on appeal before the 9th U.S. Circuit Court of Appeals.
The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017. The purpose of the Model Law is to establish standards for data security and for the investigation of, and notification to the Insurance Commissioner of, a Cybersecurity Event; it is not intended to create a private right of action.
The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017. In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.