Page 1: GDPR and CCPA Insurance Coverage Issues: Addressing New …media.straffordpub.com/products/gdpr-and-ccpa-insurance... · 2019-09-11 · GDPR ONE YEAR ON: EU LANDSCAPE OF PROCEDURES

GDPR and CCPA Insurance Coverage Issues: Addressing New Risk Exposures

Presenting a live 90-minute webinar with interactive Q&A

WEDNESDAY, SEPTEMBER 11, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Richard (Rich) DeNatale, Partner, Jones Day, San Francisco
Jennifer C. Everett, Attorney, Jones Day, Washington, D.C.
Fred E. Karlinsky, Shareholder, Greenberg Traurig, Ft. Lauderdale, Fla.
Aarti Soni, Senior Vice President, Marsh & McLennan, New York

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.


GDPR & CCPA: ISSUES IN INSURANCE COVERAGE

Richard DeNatale
Jennifer C. Everett

GDPR: LESSONS FROM YEAR ONE

GDPR ONE YEAR ON: EU LANDSCAPE OF PROCEDURES AND CASES

• The GDPR took effect on May 25, 2018
• During the first year, Data Protection Authorities (“DPAs”) received:
  • 280,000+ cases
  • 144,000+ individual complaints
  • 89,000+ data breach notifications
• So far in 2019, DPAs report an uptick in data breach notifications

Source: European Data Protection Board, 1 year GDPR – taking stock, May 22, 2019, available at https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en

DATA BREACH: WHAT IS IT?

• What is a personal data breach?
  A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
• To whom and when is notice required?
  ➢ Supervisory Authority: unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned
  ➢ Individuals concerned: where the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned
  ➢ Additional area-specific notification obligations:
    ▪ Statutory (e.g. telecommunication service providers, critical infrastructure operators, digital services providers, ad-hoc publicity)
    ▪ Contractual (e.g. data processing agreements, customer agreements, contractual accessory obligation)

DATA BREACH: TIMING / RISK OF FINES

• Timeframe
  1. Without undue delay
     – Where feasible, within 72 hours to the supervisory authority
  2. After having become aware of the breach
     – A reasonable degree of certainty is sufficient
     – A short initial investigation is possible
     – The controller is usually “aware” when the processor has informed it of the breach
• Risk of fines with respect to information disclosed in the notification?

DATA BREACHES: RECENT DEVELOPMENTS

Marriott International Data Breach
• July 9, 2019: UK’s Information Commissioner’s Office (“ICO”) fined Marriott £99,200,396 (approximately USD $124 million, ~3% of the company’s global revenue)
• In 2016, Marriott International acquired Starwood Hotels
• During due diligence, Marriott failed to discover that Starwood’s systems had been hacked in 2014
• ~339 million guest records exposed
• ICO initiated the investigation on behalf of other EU member states
• Marriott cooperated with the investigation and made security improvements; ICO’s announcement notes that it took Marriott two years to discover the breach

British Airways Data Breach
• July 8, 2019: UK’s ICO fined British Airways £183,390,000 (approximately $230 million, ~1.5% of the company’s 2017 global revenue)
• In June 2018, British Airways’ website was hacked, diverting web traffic to a fraudulent website
• 500,000 customers affected; British Airways notified the ICO in September 2018
• ICO faulted British Airways’ poor security measures
• ICO acknowledged that British Airways made improvements to its security systems and cooperated with the investigation

DATA SUBJECT RIGHTS: WHAT ARE THEY?

• Access – right to receive personal data and key processing information
• Rectification – right to rectify inaccurate personal data
• Erasure – right to have data erased where processing is no longer necessary, consent is withdrawn, the right of objection is used, processing is unlawful, etc.
• Restriction – right to restrict disputed processing
• Portability – right to receive or transfer personal data where processing is based on consent or contract
• Objection to certain processing/automated decisions – e.g. right to prevent processing based on legitimate interests unless there are compelling legitimate grounds

DATA SUBJECT RIGHTS: EXPERIENCE UNDER THE GDPR

• Large numbers of access requests
  ➢ Over 40,000 in the past year in the UK
  ➢ Most common UK complaint - 42% in 2016/17, 39% in 2017/18 (would be over 15,000 DSR complaints)
  ➢ Likely to increase (activism/awareness, employee litigation)
• Starting to see fines
  ➢ Under GDPR in Hungary for Euro 3,000 (February 2019)
  ➢ UK Magnacrest prosecution - £1,500 fine (February 2019)
  ➢ UK prosecution of Cambridge Analytica - £15,000 fine (pre-GDPR)
• Other DSRs less common (initial increase in erasure requests after GDPR)

ADDITIONAL GDPR ENFORCEMENT ACTIONS

• Outside of the data breach context, DPAs have levied fines for a broad range of GDPR violations.
• January 21, 2019: French DPA (the CNIL) fined Google € 50 million ($56 million)
  – Fine resulted from Google’s alleged failure (1) to comply with the GDPR’s transparency and notice requirements and (2) to obtain valid consent from users.
  – The CNIL noted that unambiguous consent requires clear, affirmative user action. A pre-ticked box does not constitute unambiguous consent.
• July 2019: Greek DPA fines PricewaterhouseCoopers (PwC) € 150,000 ($166k)

CCPA: RIGHTS AND REMEDIES

OVERVIEW: WHAT IS THE CCPA?

• Signed into law on June 28, 2018 by Governor Brown.
• Represents the latest change to California privacy law and the toughest privacy law in the U.S.
• Creates statutory damages for data breaches.
• Grants consumers more control over and insight into the spread of their personal information online.
• Imposes on businesses additional obligations related to notice, disclosure, and response to consumer requests.
• Operative January 2020; AG enforcement between January and July 2020.

WHO IS REGULATED?

Businesses (“controller”)
For-profit entities doing business in CA and:
  (1) Have annual gross revenues over $25,000,000; or
  (2) Hold personal information of 50,000 or more consumers, households, or devices; or
  (3) Derive at least 50% of annual revenues from selling consumers’ personal information
Akin to controllers under the GDPR.

Affiliates
Covers affiliates where they:
  (1) control or are controlled by a business that meets the covered business criteria AND
  (2) share common branding with the business (e.g., shared name, service mark or trademark)

CCPA IN A NUTSHELL

Consumer Rights
• Right to be informed
• Right to access
• Right to deletion
• Right to opt-out
• Right to equal service

Notice & Disclosure
• Disclose the categories of data collected and the purposes for which the categories of data will be used.
• Disclose personal information shared with third parties, including when such data is sold, sources of collection, with whom data is shared, and how to exercise consumer rights.

Private Action
• Consumers have right to sue where data was stolen or disclosed as a result of a security breach.
• Statutory damages range from $100 to $750 per violation, as a result of a breach.

Sanctions
• Businesses subject to civil action for violations of CCPA by the California Attorney General.
• Penalties range from $2,500 to $7,500.

CONSUMER RIGHTS

• Right to be Informed
• Right to Access
• Right to Deletion
• Right to Opt-Out
• Right to Equal Service

TECHNICAL AND ORGANIZATIONAL MEASURES

Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information.

Measures: Encryption, Pseudonymization, De-identification

Comply with recognized information security frameworks (e.g., NIST, ISO-27001, California Center for Internet Security Critical Security Controls).

PUBLIC ENFORCEMENT FRAMEWORK

• California Attorney General enforces violations of the CCPA
• Businesses have 30 days to cure an alleged violation
• Penalties:
  • Up to $2,500 per unintentional violation
  • Up to $7,500 per intentional violation, in addition to the $2,500 violation
• Portion of penalties go to “Consumer Privacy Fund”

PRIVATE RIGHT OF ACTION: LIABILITY FOR DATA BREACHES

• Consumers have a private right of action when their non-encrypted or non-redacted personal information is subject to a data breach.
  o Damages between $100 - $750 per incident (or actual damages), or
  o Seek injunctive or declaratory relief
• For breach liability, the definition of personal information follows California state data breach notification law
  o Individual name + SSN, driver’s license/ID number, account number, credit or debit card number, medical information, or health insurance information

CCPA & GDPR: BRIEF COMPARISON

GDPR & CCPA

GDPR
• Legal basis for processing
• More extensive notice requirements
• Different data subject rights
• More extensive data processing agreements
• Data transfer mechanisms
• Different approach to minors

Commonalities
• Data breach response obligations
• Similar individual rights
• Security measures to protect data
• Require transparency
• Contracts with service providers

CCPA
• No legal basis for processing
• Notices focus on 12-month look back
• Focus on sale of data and right to opt out
• Does not address data transfer mechanisms
• Fewer obligations on service providers
• Focus on sale of minors’ data

KEY INSURANCE ISSUES: DO CYBER POLICIES PROVIDE ADEQUATE COVERAGE?

CYBER INSURANCE OVERVIEW

➢ Evolution of cyber policies over 20 years has been marked by:
  ▪ Ongoing change – to respond to emerging risks and market demand
  ▪ Lack of standardization – more than 30 forms currently available
  ▪ Divergence in forms – robust vs. restrictive coverage
➢ Same themes apply to the insurance industry’s response to GDPR and CCPA exposures

CYBER INSURANCE OVERVIEW

Core coverages:
➢ Incident Response: coverage for cost of legal and forensic investigation, breach notifications, credit monitoring
➢ Network Interruption: coverage for lost revenue and extra expense resulting from network shutdown
➢ Privacy/Security Liability: coverage for defense and settlement of third party claims
➢ Regulatory Coverage: coverage for defense and settlement of government investigations

©2016 Jones Day

CYBER INSURANCE OVERVIEW

Additional coverages available:
▪ Professional / Technology Services: negligent errors & omissions in professional or technology services
▪ PCI claims
▪ Media content liability
▪ Cyber extortion / ransomware
▪ Data restoration costs
▪ Electronic funds theft

CYBER INSURANCE – KEY QUESTIONS

GDPR / CCPA:
• New statutory duties
• Class action litigation
• Risk of regulatory fines

COVERAGE FOR GDPR EXPOSURES

COVERAGE FOR GDPR EXPOSURES

➢ Many GDPR exposures can be insured under cyber policies
  ▪ Cost of providing notice
  ▪ Credit monitoring as remedial measure
  ▪ Legal fees and forensic consulting fees to investigate breach
  ▪ Defense and settlement of damages claims by individuals in national courts
  ▪ Legal fees to defend regulatory investigations by DPAs or Member States

COVERAGE FOR GDPR FINES

➢ Considerable debate over insurability of GDPR fines
➢ Three questions may determine coverage

1. What type of fine?
  ▪ Article 84 permits Member States to impose their own penalties, which may be criminal in nature.
  ▪ Article 83 authorizes administrative fines
    o Two tiers (one tier capped at EUR 10,000,000 or 2% of worldwide revenue; the other capped at EUR 20,000,000 or 4% of worldwide revenue)
    o Can be imposed for poor network security practices or violations of individual rights
    o Can be imposed for intentional or negligent conduct

COVERAGE FOR GDPR FINES

2. Which jurisdictions are involved?
  ➢ EU member states take different positions on insurability
    ▪ Where did the violation take place?
    ▪ Where do affected individuals reside?
    ▪ Where are policyholder and insurer located?
    ▪ Which Member State’s Data Protection Authority handles enforcement?

COVERAGE FOR GDPR FINES

3. What type of conduct?
  ▪ Article 83 fines may be imposed for intentional or negligent conduct
  ▪ Fines may be imposed on parties that bear little or no fault
    o British Airways and Marriott matters
  ▪ Little case law addressing insurability of government fines based on negligence or strict liability
  ▪ Under English law, the argument that government fines cannot be insured is based (in part) on the principle of ex turpi causa
    o i.e., a party cannot recover insurance for loss that results from its own wrongdoing
    o applied where the defendant’s conduct involves an element of moral turpitude

HYPOTHETICAL

A US-based multinational corporation has a cyber policy from the London market. Its German subsidiary is hacked by criminal actors, who exploit a previously unknown vulnerability and steal personal data of 50,000 consumers.

The policyholder immediately reports the breach to the German DPA; notifies affected individuals within 72 hours; and offers free credit monitoring services. It also eliminates the vulnerability and strengthens overall network security.

The German DPA investigates and imposes an administrative fine.

What is the public policy rationale for prohibiting insurance coverage?

COVERAGE FOR CCPA EXPOSURES

COVERAGE FOR CCPA EXPOSURES

Is your cyber insurance program adequate?

➢ New statutory obligations
  ▪ For the past 10-15 years, cyber policies have focused on the unauthorized disclosure of personal information
  ▪ CCPA (and GDPR) imposes new requirements for the handling, use, and transfer of information
➢ Violation of data processing requirements may not be covered under existing policies
➢ Sample policy language:

  The Insurer will pay on behalf of the Insured:
  Damages and Claims Expenses, in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim for theft, loss or unauthorized disclosure of Personally Identifiable Information …

HYPOTHETICAL

An Ohio-based corporation, which does business in California, delays in undertaking a CCPA compliance review of its information security practices.

The company receives a request from Jane Doe, a California resident, to delete all personal data. The corporate compliance officer ensures that Ms. Doe’s data is deleted from all customer databases, but is unaware that the same data resides in other corporate locations.

After her data is compromised in a data breach, Ms. Doe files a class action under CCPA on behalf of all California residents who had requested deletion of their data, seeking damages for failure to delete and unauthorized disclosure.

Will claims be covered under existing cyber policies?

COVERAGE FOR CCPA EXPOSURES

➢ Class action litigation
  ▪ Anticipate surge in litigation once CCPA becomes effective
  ▪ Statutory damages remedy ($100 to $750) is likely to drive up cost of defense and settlement
➢ Existing cyber policies:
  ▪ May not provide sufficient policy limits for major litigation
  ▪ May not include clear coverage for statutory damages

COVERAGE FOR CCPA EXPOSURES

➢ Heightened risk of regulatory enforcement
  ▪ New enforcement authority of California Attorney General
  ▪ New civil penalties created under CCPA
  ▪ Questions of insurability – similar to GDPR
➢ Many existing cyber policies:
  ▪ Do not cover regulatory proceedings, or
  ▪ Offer qualified coverage for government fines/penalties
➢ Sample policy language:

  Loss means the amount the Insured is legally obligated to pay as a result of a Claim including: …
  Civil fines or penalties assessed against an Insured Individual if, and to the extent, such fines or penalties are insurable as a matter of law

CLOSING THE COVERAGE GAP

New regulatory landscape requires re-assessment of cyber insurance programs

1. Insuring agreement for Privacy Liability should cover both unauthorized disclosures and data processing violations
2. Review sufficiency of policy limits
3. Include express coverage for statutory damages
4. Include coverage for regulatory actions, with express reference to GDPR
5. Include coverage for fines to the fullest extent permitted by law
6. Consult with coverage counsel for optimal policy language

RICHARD DENATALE BIO

Richard DeNatale, Jones Day, San Francisco Office, [email protected]

Rich DeNatale is one of the nation's foremost lawyers in the field of cyber insurance. He has been retained to handle insurance claims and strategy for more than 45 cyberattacks and data breach incidents, including some of the largest in history. He represented Sony Pictures in obtaining insurance coverage for the cyberattack attributed to North Korea.

Rich has been recognized in Chambers as one of the leading coverage lawyers in the United States. He has acted as lead counsel in precedent-setting coverage litigation on data privacy issues in both California and New York. He regularly advises clients on cyber policy acquisitions and renewals.

JENNIFER C. EVERETT BIO

Jennifer C. Everett, Jones Day, Washington Office, [email protected]

Jennifer Everett's practice focuses on cybersecurity, data privacy, and employment. She advises multinational clients on a wide range of privacy and data compliance issues, including cyber governance, and developing global data protection compliance programs. Jennifer has particular experience in advising companies on compliance with global data protection laws, including the EU General Data Protection Regulation, and the California Consumer Privacy Act.

Jennifer handles all aspects of U.S. and international data breach investigation and response, including advising clients on forensic investigations, notification and other legal obligations, and related regulatory investigations.

Strafford Webinars
GDPR & CCPA Insurance Coverage Issues
Regulatory Strategies and Risk

FRED E. KARLINSKY
954.768.8278
[email protected]

© 2019 Greenberg Traurig, LLP

Fred E. Karlinsky, Shareholder, Co-Chair, Insurance Regulatory & Transactions Practice
Tel: 954.768.8278 E-mail: [email protected]

The Shifting United States Regulatory Landscape

Cybersecurity & U.S. Regulation

• Major data breaches involving large U.S. companies have affected U.S. consumers
• No uniform, comprehensive data security laws and regulations in the U.S. Competing federal and state laws and competing regulators (often the states) vie for center stage
• Uneven patchwork of laws and regulations creates problems for companies doing business in the U.S.
• Companies forced to comply with contradictory or competing requirements
• EU GDPR only complicates matters further, since it is not bound to US regulatory and litigation norms

Federal Cybersecurity Laws

• Federal approach: regulate certain sectors and information – especially the financial markets and banking system, where public trust is paramount.
• Health Insurance Portability and Accountability Act (HIPAA) – protects privacy of protected health information
• Separate privacy laws protect specific areas of the U.S. health-care system
• Family Educational Rights and Privacy Act (FERPA)
• Children’s Online Privacy Protection Act

State Cybersecurity Laws

• State data breach laws have always been there, just never so visible.
• California Security Breach Information Act in 2003
• Followed by 48 states enacting breach notification laws
• Patchwork of sometimes conflicting provisions
  • Differing categories of protected information
  • Differing notification requirements

Page 51

California Consumer Privacy Act (CCPA)

• Takes effect on January 1, 2020

• Most comprehensive privacy law in the United States

• Inspired by GDPR, but differs in some key respects

• Numerous requirements related to the collection and processing of personal information of California consumers

• Failure to comply may lead to regulatory enforcement actions, steep fines, litigation, and loss of goodwill

Page 52

Cybersecurity & U.S. Insurance Industry

• New York Department of Financial Services: Cybersecurity Requirements for Financial Services Companies

  • Chief Information Security Officer responsibilities and upward reporting to the Board of Directors; annual certification to DFS as well. Not just compliance here, but certifications too.

• National Association of Insurance Commissioners: Insurance Data Security Model Law

  • Reporting standards

  • Interaction with New York’s requirements

Page 53

New York Department of Financial Services Cybersecurity Regulation

Page 54

New York Cybersecurity Requirements for Financial Services Companies

• “Cybersecurity Requirements for Financial Services Companies”

  • Insurance companies, banks and other financial services

• Annual Risk Assessment

  • Informs written policies and procedures

  • Assists entities in understanding their data vulnerabilities

• Cybersecurity Policy

  • Detailed statement of a company’s information security policies and procedures

  • Must cover certain specific items, including software requirements and physical safeguards

Page 55

New York Cybersecurity Requirements for Financial Services Companies

• Third Party Service Providers

  • Entities must have written policies for ensuring third party contractors do not compromise data

• Incident Response Plan

  • Entities must prepare written plans to respond to data breaches that describe procedures, designate roles and responsibilities for personnel, and plan to remediate/mitigate harm

• Designation of Key Personnel to oversee cybersecurity measures within the company, with training requirements and internal procedures to detect cyber risks

Page 56

NAIC Data Security Model Law

Page 57

NAIC Insurance Data Security Model Law

• Requires “licensees” to:

  • Develop an Information Security Program (ISP); investigate Cybersecurity Events; and notify the Insurance Commissioner of Cybersecurity Events

• ISPs

  • Administrative, technical, and physical safeguards are required

  • Commensurate with size and complexity of licensee; nature and scope of activities; sensitivity of non-public information

  • Developed based on internal Risk Assessment

Page 58

NAIC Model & NYDFS Cyber Regulation: Key Similarities & Differences

• Key similarities between the Model and Regulation:

  • Incident Response Plan

  • Annual certification of compliance to Insurance Commissioner

  • Insurance Commissioner authorized to inspect insurer documentation of efforts to improve Incident Response Plan

• Key differences between the Model and Regulation:

  • Different exemptions

  • NAIC Model provisions governing third parties are more flexible than NYDFS Regulation

Page 59

NAIC Insurance Data Security Model Law: Adoption

• Early adopters: Alabama, Delaware, Ohio, Michigan, Mississippi, New Hampshire, and South Carolina

• Legislative activity in Nevada and Rhode Island

• Connecticut adopted NY DFS approach

• Expect variation between state requirements

• Compliance with inconsistent requirements will be a key issue for companies

Page 60

Compliance Strategies

Page 61

Compliance 101: Be Informed and Stay in the Lane!

• Given the inconsistent patchwork of U.S. federal and state laws, companies and boards of directors must be well-informed and stay well within the lanes established by regulators

• Robust compliance protocols must be in place

• Ensuring a culture of compliance within required timeframes (like it or not)

• But boards need to be more involved beyond “check-the-box” compliance, as cyber risk is quickly morphing into entity risk, creating the need for a whole-company approach

• Cybersecurity is not just an IT problem; today it’s everyone’s problem, especially the board’s

Page 62

Compliance Strategies

• The ever-evolving U.S. regulatory landscape is getting more punitive to deal with

• The time is now to implement internal cybersecurity measures

• Even if none currently apply to your organization, they soon will

• Look to the NYDFS Cybersecurity Regulation, the CCPA, and the NAIC Model Law

Page 63

Compliance Strategies

• Conduct regular risk and vulnerability assessments to stay on top of the evolving risks out there today.

• Written information security, cybersecurity, and privacy policies and procedures must be in place regardless of your organization’s size

• Written guidelines must include:

  • How risks will be identified, evaluated and prioritized

  • How systems and controls will be evaluated and tested for adequacy

  • How risks will be accepted, mitigated or otherwise controlled

• A company cannot mitigate all conceivable risks, but should address risks by either mitigating, accepting, or transferring them to a cybersecurity insurance carrier for a fair premium

Page 64

Compliance Strategies

• Must develop a Cybersecurity Program commensurate with:

  • Size and complexity, as well as the type of data you collect, store or process; there is a big difference between making widgets and making aircraft parts for a DoD main contractor.

  • Nature and scope of the company’s activities, which will matter and vary greatly

  • Third-party service providers, which have magnified risk identification and transfer issues; outsourcing to the cloud is fine, if you know and understand the risk

  • Sensitivity of non-public information, which is paramount

Page 65

Compliance Strategies (Cont.)

• Program developed based on risk assessment coupled with the regulatory landscape

• Risk and vulnerability assessment results should be reviewed by the Board of Directors

• Key areas: software protections & physical safeguards

• Third-party service provider/vendor due diligence policies must be implemented both contractually and on a risk-adjusted basis; some vendors are just more critical than others. Remember, you “own the cybersecurity” of your vendor for compliance purposes.

Page 66

Contact Information

Fred Karlinsky

Shareholder and Co-Chair, Insurance Regulatory & Transactions Practice

Greenberg Traurig, P.A.

(954) 768-8278

[email protected]