On Data Privacy Day, Catch Up on These Critical Risk Management and Data Security Issues

Happy Data Privacy Day! Whether it is cyberrisk, regulatory risk or reputation risk, data privacy is increasingly intertwined with some of the most critical challenges risk professionals face every day, and ensuring the security and compliance of data assets is make-or-break for businesses.

In Cisco’s new 2021 Data Privacy Benchmark Report, 74% of the 4,400 security professionals surveyed saw a direct correlation between privacy investments and the ability to mitigate security losses. The current climate is also casting more of a spotlight on privacy work, with 60% of organizations reporting they were not prepared for the privacy and security requirements to manage risks with the shift to remote work and 93% turning to privacy teams to help navigate these pandemic-related challenges. Amid COVID-19 response, headline-making data breaches and worldwide regulatory activity, data privacy is also a critical competency area for risk professionals in executive leadership and board roles, with 90% of organizations now asking for reporting on privacy metrics to their C-suites and boards.

“Privacy has come of age—recognized as a fundamental human right and rising to a mission-critical priority for executive management,” according to Harvey Jang, vice president and chief privacy officer at Cisco. “And with the accelerated move to work from anywhere, privacy has taken on greater importance in driving digitization, corporate resiliency, agility, and innovation.”

In honor of Data Privacy Day, check out some of Risk Management’s recent coverage of data privacy and data security:

CPRA and the Evolution of Data Compliance Risks

Also known as Proposition 24, the new California Privacy Rights Act (CPRA) aims to enhance consumer privacy protections by clarifying and building on the expectations and obligations of the California Consumer Privacy Act (CCPA).

Frameworks for Data Privacy Compliance

As new privacy regulations are introduced, organizations that conduct business and have employees in different states and countries are subject to an increasing number of privacy laws, making the task of maintaining compliance more complex. While these laws require organizations to administer reasonable security implementations, they do not outline what specific actions should be taken. Proven security frameworks like Center for Internet Security (CIS) Top 20, HITRUST CSF, and the National Institute of Standards and Technology (NIST) Framework can provide guidance.

Protecting Privacy by Minimizing Data

New obligations under data privacy regulation in the United States and Europe require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach.

As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.”

3 Tips for Protecting Remote Employees’ Data

As COVID-19 continues to force many employees to work from home, companies must take precautions to protect sensitive data from new cyberattack vulnerabilities. That means establishing organization-wide data-security policies that take remote workers into account and inform them of the risks and how to avoid them. These three tips can help keep your organization’s data safe during the work-from-home era.

What to Do After the EU-US Privacy Shield Ruling

It was previously thought that the EU-US Privacy Shield aligned with the EU’s General Data Protection Regulation (GDPR), but following the CJEU’s recent ruling, the Privacy Shield no longer provides a mechanism for legitimizing cross-border data flows to the United States. This has far-reaching consequences for all organizations that currently rely on it. In light of the new ruling, risk professionals must help their organizations to reevaluate data strategies and manage heightened regulatory risk going forward.

The Risks of School Surveillance Technology

Schools confront many challenges related to students’ safety, from illnesses, bullying and self-harm to mass shootings. To address these concerns, they are increasingly turning to a variety of technological options to track students and their activities. But while these tools may offer innovative ways to protect students, their inherent risks may outweigh the potential benefits. Tools like social media monitoring and facial recognition are creating new liabilities for schools.

2020 Cyberrisk Landscape

As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.

In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputation fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if businesses have not yet already, they should be building auditable and iterative procedures for “data revocation.”

Data Privacy Governance in the Age of GDPR

As personal information has become a monetizable asset, risk, compliance and data experts have increasingly been forced to address the regulatory and operational ramifications of the rapid, mass availability of personal customer and employee data circulated both inside and outside of organizations. With new data protection regulations, Canadian and U.S. companies must reassess how they process and safeguard personal information.

Key Features of India’s New Data Protection Law

Among the new data protection laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved and is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India should familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities.

RIMS Virtual Advocacy Week: A Q&A with Florida Insurance Commissioner David Altmaier

Today, RIMS is taking its annual Legislative Summit online, kicking off the first RIMS Virtual Advocacy Week. Featuring a full slate of networking, a panel on pandemic insurance, updates on the 2020 U.S. elections, and hands-on advocacy with members of Congress, RIMS Virtual Advocacy Week is still open for last-minute registrations, if you want to join in on the action.

On Wednesday, September 16, the agenda includes a fireside chat with Florida Insurance Commissioner David Altmaier, who is also president-elect of the National Association of Insurance Commissioners (NAIC). Commissioner Altmaier has held the position for four years and has been with the Florida Office of Insurance Regulation for nearly 12.

Altmaier recently appeared on RIMScast to discuss the issues he will address in Wednesday’s session, most notably the impact COVID-19 has had on the landscape of business interruption coverage. Check out the highlights below, and download the episode for Commissioner Altmaier’s full interview and a deeper dive into other topics such as ORSA reports, the Terrorism Risk Insurance Act (TRIA) and the National Flood Insurance Program (NFIP).

What playbook did you use to prepare and react to COVID-19?

David Altmaier:  Our response initially looked a lot like what we would do for an inbound hurricane: We assembled what we call our “incident management team,” and started to look at the types of needs of consumers from an insurance standpoint. We put into place mechanisms that we thought would be helpful as the pandemic began to take hold in Florida and around the United States. And we saw insurance commissioners around the country doing the same thing, obviously, as the pandemic unfolded and we started to see other risks and concerns emerge.

COVID-19 has been at the forefront of all of our regulatory discussions going back to March of this year, and that will continue to be at the forefront of our discussions even after the pandemic has concluded.

Business interruption insurance is closely tied to it and has emerged as one of the more pressing insurance issues as a result of the pandemic. We have seen issues like telemedicine and catastrophe response in a virtual setting, for example, also come up as a result. [That has] impacted how we go to work every day and how we interact with our stakeholders, and I think those will be some worthy discussion topics as well.

How can the risk management community drive meaningful change in regulations, policies and legislation?

DA: As discussions take place about an event that we haven’t seen in a really long time, like a pandemic, there will be a lot of ideas that come up in terms of how to react to the current pandemic, as well as how to prepare for future pandemics. And I think that, as we have those conversations, there’s going to be a multitude of stakeholders whose viewpoints are important.

Risk managers are certainly going to be at the top of that list because they are going to understand the risks that the insurance industry faces. We see ideas of what level of responsibility the insurance industry [should have] in terms of covering things like business interruption insurance. Their expertise will be invaluable as we begin to work with state and federal leaders in crafting policies that can assist with the current pandemic, as well as future pandemics.

Own Risk and Solvency Assessment, or ORSA, is a framework heralded by the NAIC. Why should risk and insurance professionals look to ORSA reports for guidance?

DA: ORSA reflects how our insurance market, along with other majors of our economy, evolves over time and responds to new and emerging risks. It’s a constantly changing environment that regulators are trying to evolve along with, and our teams here in the insurance departments are trying to make sure that we stay ahead of the curve in terms of identifying those emerging risks.

The ORSA report is a glimpse into the thought process for our larger companies and groups into the boardroom and into the C-suites. [It features] theories on their own risk and how their unique position in the marketplace might expose them […] and require them to take steps to mitigate those risks. It’s a really critical piece of information for regulators to have as we build our own supervisory plans, going forward. Obviously, the pandemic that has occurred—like with any catastrophe—potentially highlights things that may have previously not been considered.

Let’s talk about force majeure. The pandemic has inspired new legislation to be drafted that affects the language of insurance policies in an effort to cover interruption. Where does the NAIC stand on that?

DA: NAIC sent feedback to Congress early on, in early to mid-March, with our thoughts that requiring carriers to cover losses that weren’t previously contemplated under the policy forms could do a lot more long-term harm than short-term good.

We have seen some state houses file state legislation that would be similar, in that it would require carriers to cover business interruption losses even if the policy forms didn’t contemplate that. We’ve sort of left it to individual insurance commissioners in those states to work with their legislatures on what’s best for their market.

OSHA Revises Stance on COVID-19 Record-Keeping and Enforcement

The Occupational Safety and Health Administration (OSHA) recently issued two enforcement memos regarding COVID-19. The first of these memos revised OSHA’s requirements for employers as they determine whether individual cases of COVID-19 are work-related. The second revised OSHA’s policy for handling COVID-19-related complaints, referrals, and severe illness reports. The changes in these revisions include:

Record-Keeping and Reporting

OSHA’s position for months has been that cases of COVID-19 are subject to record-keeping and reporting requirements if they are work-related. On May 26, 2020, OSHA’s new memorandum superseded the previous April 10, 2020 memorandum on the subject of work-relatedness.

The April 10 memorandum essentially provided most employers latitude to assume that cases of COVID-19 were not work-related, absent evidence to the contrary. The May 19 memorandum revises OSHA’s position, requiring employers to investigate COVID-19 cases more heavily before concluding whether they are work-related.

The primary thrust of the agency’s revised position is that OSHA enforcement officers should consider three primary factors when evaluating whether an employer’s determination of work-relatedness was reasonable:

  • The reasonableness of the employer’s investigation into work-relatedness;
  • The evidence available to the employer; and
  • The evidence that a COVID-19 illness was contracted at work.

Regarding the first, OSHA stated that it is sufficient in most circumstances for an employer, when it learns of an employee’s COVID-19 illness, to (1) ask the employee how he or she believes they contracted COVID-19; (2) while respecting employee privacy, discuss with the employee his or her work and out-of-work activities that may have led to the COVID-19 illness, and (3) review the employee’s work environment for potential COVID-19 exposure.

Employee privacy rights are a potential trap for unwary employers when inquiring about exposure outside of the workplace. Such discussions could implicate a variety of employment laws, including state-specific laws.

Regarding the second factor, OSHA directed employers to consider the evidence “reasonably available” at the time they make their work-relatedness determination. If employers later learn more information related to an employee’s COVID-19 illness, then they shall also consider that information.

OSHA elaborated on the third factor by listing certain types of evidence that weigh in favor of or against work-relatedness. For example, OSHA stated that COVID-19 illnesses are likely work-related when several cases develop among employees who work closely together and there is no alternative explanation. OSHA also stated that an employee’s COVID-19 illness is likely work-related if it was contracted shortly after lengthy, close exposure to a particular customer or coworker who has a confirmed case of COVID-19 and there is no alternative explanation.

OSHA justified its revised position on work-relatedness by stating that the nature of COVID-19 and the ubiquity of community spread frequently make it difficult to accurately determine whether a COVID-19 illness is work-related, especially when employees have experienced potential exposure both in and out of the workplace. OSHA might also have been motivated by some organizations calling for it to take a more aggressive response to COVID-19.

Complaints, Referrals and Illness Reports

The second memo, also issued on May 19, 2020, was related to complaints, referrals, and severe illness reports. Specifically, in geographic areas where community spread of COVID-19 has significantly decreased, OSHA will return to its normal pre-COVID-19 methods for prioritizing reported events for inspections. 

OSHA will continue to prioritize cases of COVID-19 to some degree, but will increasingly conduct these efforts by phone or other remote methods. In geographic areas experiencing either sustained elevated community transmission or a resurgence in community transmission, OSHA will continue to heavily prioritize COVID-19, including conducting on-site inspections, especially in high-risk workplaces.

Action Items and Final Takeaways

OSHA’s enforcement approaches regarding the COVID-19 pandemic continue to evolve. The agency will likely continue to closely monitor employers’ compliance with COVID-19-related requirements even after states and localities lift stay-at-home orders.

Professionals with questions on how OSHA’s recent enforcement policies affect a business or organization should consider consulting with legal counsel. Also, OSHA distributes by email an informative twice-monthly newsletter called “QuickTakes,” open for subscription. OSHA’s regulations on injury and illness recordkeeping and reporting, found at 29 C.F.R. Part 1904, also include helpful questions and answers about these topics.

Finally, employers should bear in mind that the negative consequences of choosing not to comply with OSHA’s record-keeping and reporting requirements often outweigh the potential negative consequences of bringing injuries and illnesses to OSHA’s attention.

Managing Coronavirus Business Interruptions

The novel coronavirus 2019-nCoV, now called COVID-19, has continued to spread through China and beyond, with more than 1,800 deaths reported as of this writing. The virus’s spread has also had major impacts on business operations around the world, slowing or shuttering international companies’ operations in China and prompting travel restrictions and evacuations.

Businesses around the world are taking travel precautions and creating or updating existing response plans to address these risks. Dr. Adrian Hyzler, chief medical officer of healthcare, assistance and risk management company Healix, told the RIMScast podcast that “Companies have to think on their feet and have crisis meetings, twice, sometimes three times a week just to try and keep up with the changes in government regulations and what they have to do to try and manage the situation.”

But companies may not be able to manage all of the issues resulting from COVID-19-related business interruptions, and some may even fail to fulfill their contractual obligations because of supply chain complications, risking severe penalties. If this occurs, companies throughout the supply chain have options for protecting themselves or recovering from lost business.

If contracts allow, companies may attempt to invoke force majeure clauses, which, according to international law firm Reed Smith, “excuse a party’s performance of a contract if an unforeseen event beyond its control prevents performance.” To prepare for these complications, Reed Smith recommends that companies:

  • review their contracts to determine what, if any, rights and remedies they have as a result of the delayed performance of contracts due to force majeure; 
  • provide timely notice of a force majeure event; 
  • prepare for potential litigation concerning failure-to-supply issues and the application of force majeure clauses, including by taking (and documenting) reasonable steps to mitigate the impact of the novel coronavirus; 
  • update form force majeure clauses to take into account, to the extent possible, modern risks to contractual performance, including diseases, epidemics or quarantines.

Reed Smith also noted that if a company intends to use a force majeure clause to avoid financial penalties for business interruptions as a result of COVID-19, it should “take (and document) reasonable steps to mitigate the impact of the novel coronavirus. While these steps may prove futile, they are essential predicates to mounting a valid force majeure defense.”

There may also be insurance options for covering COVID-19-related losses. When speaking with the RIMScast podcast, Reed Smith’s Richard P. Lewis said that depending on a company’s exposures, some options for covering losses include contingent business interruption coverage, event cancellation policy, supply chain insurance or travel insurance. But, Lewis said, “The first big category would be first party insurance. That would be property insurance and more specifically a first party or property insurance policies providing ‘time element coverage’ that is impacted by time, usually known as business income or business interruption insurance.”

Lewis also said while property (like a factory that is shut down after the outbreak) may not have suffered actual physical damage, there could be legal precedent for claiming physical loss or damage “if the building can’t be used for its intended purpose.” Anderson Kill P.C.’s Finley T. Harckham also noted that in case law, people becoming sick on a property will not count as property damage, but contaminants at a property (including pathogens like COVID-19) could qualify.

U.S. companies, Lewis said, will be dealing with “contingent exposures, meaning the property affected is their customers’ or suppliers’ and not their own property.” However, if those companies have their own property, coverage is likely dependent on whether it was “closed by the order of a civil authority because of the actual presence of a virus and not the suspected presence of a virus.” Harckham noted that these restrictions would likely trigger civil authority coverage, which many insurance policies contain.

However companies attempt to cover their losses, Lewis recommended: “Just make sure that if this thing goes to court that you’re able to prove your losses. And that means to document them and to have witnesses who are able to explain what it is you lost and be able to testify at trial with that if it comes to that.”

To hear the full conversations with Hyzler and Lewis, listen to the RIMScast episode “What Risk Professionals Should Know About the Coronavirus” here.