Greetings from Portsmouth, New Hampshire!
Now that Memorial Day has come and gone, summer has unofficially started here in the Seacoast of Maine and New Hampshire. New graduates from colleges and universities are free from classes, the kiddos are in the home stretch of school, and the weather is (kind of) warming up.
It also means a lot of state legislative sessions are wrapping things up, for now. Illinois has been busy this week with a potential comprehensive privacy bill that may have failed to pass muster. We're also seeing an influx of updates to state data breach notification laws, for example — see New Jersey, Texas and Washington, to name a few — and, of course, California is updating CCPA amendments seemingly by the day. Stay tuned because we'll have more on these CCPA updates soon.
Closer to home for me here in Maine is news this week that the state legislature is preparing what could be one of the nation's strictest internet service provider laws. It essentially mirrors an Obama-era Federal Communications Commission rule that was nullified by President Donald Trump in 2017. If enacted, service providers would have to obtain express consent from users in order to sell their personal data. Though both the House and Senate have voted in support of the bill ... wait for it ... it still has to be accepted by the Senate before it goes back to the House for enactment, then back to the Senate for its enactment and then onto Gov. Janet Mills for her signature. It's all very confusing. But whose state legislative process isn't?
I also want to touch upon a significant development that may have been lost in all the GDPR anniversary news last week. In a first, Moody's downgraded its rating outlook on Equifax in the wake of its 2017 data breach. This was the first time a cybersecurity issue was cited as the reason for the downgrade. This is a big deal. We often refer to enforcement — and perhaps even negative media attention — as being a motivator for grabbing the attention of the C-suite in order to get executive backing to build out a privacy and cybersecurity program with a budget. Well, now you can add credit ratings to your quiver.
A spokesperson for Moody's spelled it out: "We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change. ... This is the first time the fallout from a breach has moved the needle enough to contribute to the change." And we're talking real dollars here. According to the CNBC report, "Moody's cited Equifax's recent $690 million first-quarter charge for the breach as contributing to the downgrade." This stems from projected class-action lawsuits and potential state and federal regulatory enforcement action. Moody's also estimated the company will spend a total of $400 million in 2019–20, in addition to another $250 million in 2021.
Most importantly, however, is that Moody's warned Equifax may not be alone and that it is building cyber risk into its credit-rating system, effectively elevating the outlook on company cybersecurity practices. It also cited the types of companies most at risk: financial, health care, securities, infrastructure providers and utilities.
There's some food for thought for the weekend.
If you want to comment on this post, you need to login.