This post first appeared on Risk Management Magazine.
Hawaii’s Kilauea Volcano Erupts
On May 3, the Kilauea volcano on Hawaii’s Big Island erupted, triggering a magnitude-6.9 earthquake and beginning weeks of dangerous volcanic activity. As of mid-May, at least 23 fissures had opened on the island since the eruption, spewing lava, toxic gases and ash. When lava reached the Pacific Ocean, it also generated a toxic plume of “laze”—volcanic haze made up of steam, hydrochloric acid and fine glass particles. Almost 40 structures have been destroyed, including 26 homes, and some 2,000 residents have been forced to evacuate. The lava also threatened a nearby geothermal plant, requiring officials to remove 50,000 gallons of flammable liquids. President Trump officially declared a major disaster, freeing up federal assistance for emergency response and recovery. According to the governor’s office, protecting residents will cost more than an estimated $2.9 million.
Final Two States Pass Data Breach Laws
South Dakota and Alabama recently became the final two states in the union to pass data breach notification laws. While Alabama’s law may have been the last to pass, it is hardly the least—indeed, it is now one of the most stringent in the United States. Alabama became one of 15 states to establish statutory obligations to maintain reasonable security measures, and went further by outlining factors that must go into such an assessment. In an effort to address the rising cyberrisk posed by third parties, the law applies not only to covered entities, but to service providers as well. The laws vary significantly on what they consider a reasonable timeframe for notification—South Dakota requires notifying affected residents within 60 days of discovery, while Alabama gives a covered entity 45 days and a third party just 10 days to notify the covered entity of the breach. Every state now has a data security law in place, and while that is positive progress in promoting cybersecurity efforts and protecting consumers, it also remains a complex patchwork of provisions that presents more regulatory risk and demands more serious compliance efforts.
Romaine Lettuce Spreads E. coli Outbreak
Romaine lettuce harvested and consumed in March spread the largest multi-state E. coli outbreak in over a decade. As of May 18, 172 people had been sickened across 32 states, including one person who died and 75 who were hospitalized, 20 with kidney failure. This approaches the scale of the 2006 E. coli outbreak from baby spinach, which sickened 200 and killed five. The romaine outbreak involved the strain E. coli O157:H7, which produces Shiga toxin and, in turn, causes more severe illness. With a four-day incubation period for E. coli and a two- to three-week process for reporting to the CDC, the scale grew as reports trickled in through April and May, but the outbreak was not actively spreading and any impacted lettuce was no longer in stores. Harrison Farms in Yuma, Arizona, was identified as the supplier linked to a small cluster of cases in Alaska, but investigators were still looking at dozens of farms to figure out where other heads were grown and where in the harvesting, processing, and distribution process contamination occurred. This was not the only major food-borne illness outbreak to make headlines recently—in April, after at least 35 people were sickened across nine states, Rose Acre Farms recalled more than 200 million eggs due to possible Salmonella contamination.
NRA Sues New York Over Insurance Fight
The National Rifle Association (NRA) filed suit against New York Governor Andrew Cuomo and the New York State Department of Financial Services for engaging in a “blacklisting campaign” designed to discourage insurers and banks from doing business with the group. The suit comes after the state imposed fines on broker Lockton and insurer Chubb for $7 million and $1.3 million, respectively, over their involvement with NRA-branded “Carry Guard” insurance policies. New York regulators said the program violated state law by providing liability insurance to gun owners for acts of intentional wrongdoing. The NRA’s suit alleges that the fines are part of a state effort that “involves selective prosecution, backroom exhortations and public threats with a singular goal—to deprive the NRA and its constituents of their First Amendment right to speak freely about gun-related issues and defend the Second Amendment.” The NRA also filed suit against Lockton for breach of contract after the broker said that it would end its partnership with the group and cooperate with New York regulators.
Wells Fargo Hit With $1 Billion Fine
In May, the U.S. Consumer Financial Protection Bureau and the Office of the Comptroller of the Currency fined Wells Fargo $1 billion for unfair practices in its auto loan and mortgage businesses. The penalty came after the bank charged thousands of customers for auto insurance they did not need. The extra fees caused up to 20,000 customers to default on their auto loans and many to have their cars subsequently repossessed. Wells Fargo also admitted that it improperly charged fees to mortgage customers to lock in preferential interest rates. In addition to the fine, the bank was ordered to make restitution to customers affected by the practices, develop and implement an effective enterprise-wide compliance risk management program, and allow the OCC to approve any senior executive officer or board appointments. Earlier in the year, in response to the pattern of “widespread consumer abuses and other compliance breakdowns” at the bank, the Federal Reserve prohibited Wells Fargo from growing its assets beyond 2017 levels until it could improve its governance and controls.