Colorado is poised to become one of the first states to regulate how insurers can use big data and AI-powered predictive models to determine risk for underwriting. The Department of Insurance recently proposed new rules that would require insurance companies to establish strict governing principles on how they deploy algorithms and how they submit to

The SolarWinds cyber-attack is on everyone’s mind this week, given that most experts believe this cyber-attack will have broad impact across both the public and private sectors. For more details about the SolarWinds attack, please read this. The sheer breadth of this attack led me to reflect on the role of cyber-liability insurance for

On July 20, 2020, the Connecticut Insurance Department issued a bulletin to licensees reminding them that the Connecticut Insurance Data Security Law (“Act”) becomes effective on October 1, 2020 and providing guidance on compliance.

The Act requires “all persons who are licensed, authorized to operate or registered, or required to be licensed, authorized or registered

For those of you who don’t know, a fun fact is that Robinson+Cole is one of the oldest law firms in Connecticut, and among our claims to fame is that we represented Mark Twain and Helen Keller. We are quite proud of our history and our reputation, and rightfully so. We are steeped in Connecticut law,

The use of drones has grown rapidly in recent years, especially in the commercial sector, where the Federal Aviation Administration projects that the number of units in the commercial small drone fleet will exceed 420,000 units by 2021. As businesses continue to incorporate drones into their everyday operations, they also will want to set

Earlier this year, Governor Charlie Baker signed into law an Act to Protect Access to Confidential Healthcare (the PATCH Act), which prevents information regarding “sensitive health care services” from being shared with anyone other than the patient in the form of Explanation of Benefits (EOB) and Summary of Payment (SOP) forms. When more than one person is covered by the same medical insurance plan, sensitive health care information can be disclosed through the use of these common forms, sometimes including information on sexual assault, domestic violence, mental health disorders, or sexual and reproductive health. When the EOB or SOP is provided to the named policyholder—rather than the specific beneficiary that the services described therein relate to—the beneficiary’s confidentiality can be compromised. 

On March 1, 2018, the New York Department of Financial Services (NYDFS) “cybersecurity regulations” (23 NYCRR Part 500) took effect, placing a number of cybersecurity requirements on banks, insurance companies, and other financial services institutions and licensees regulated by the NYDFS (“Covered Entities”).

To aid in compliance with the regulation, the NYDFS recently added new

On March 1, 2018, the one-year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”) must have implemented a cybersecurity program ends. By March 1, the Covered Entities must be in compliance with the following requirements:

23 NYCRR

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far-reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”).

The Regulation, which became effective on March 1, 2017,

On October 12, 2016, the U.S. Court of Appeals for the Sixth Circuit denied a petition for an en banc rehearing of its September 12 decision in Galaria, et al. v. Nationwide Mutual Insurance Company (Nos. 15-3386/3387). In that decision, a divided Sixth Circuit panel revived a suit against Nationwide arising from the 2012 theft by hackers of personal information of approximately 1.1 million individuals.

In Galaria, the plaintiffs brought claims alleging invasion of privacy, negligence, bailment, and statutory violations of the Fair Credit Reporting Act (FCRA) following the breach. The complaint alleged that the defendant failed to secure the plaintiffs’ data against a breach. A federal district court dismissed those claims, holding in part that the plaintiffs lacked Article III standing because they failed to allege a cognizable injury in fact. To establish standing under Article III of the U.S. Constitution, a plaintiff must suffer an injury in fact, fairly traceable to the defendant’s challenged conduct, that is likely to be redressed by a favorable judicial decision.