A recent Wall Street Journal article stated that the excessive costs of responding to breaches have become a challenge for insurance companies. The article presents insurance company executives being particularly concerned with their clients not implementing basic data management controls such as having a designated employee that is responsible for information security, or having written information security programs.
All fifty states have data breach notification laws, and in recent years we have seen the emergence of a “reasonable security measures” requirement. The Alabama data breach notification law, which was signed into law on March 28, 2019 lays out considerations for determining reasonableness including: (1) designating an employee to coordinate security measures; (2) Risk identification and mitigation; (3) Making sure service providers have reasonable information…
