Banking and financial
A joint rule issued by federal banking agencies (OCC, the Board of Governors of the Federal Reserve, and FDIC) became effective this month and prescribes new requirements and criteria for banking organizations and bank service providers (BSPs) to follow in identifying and responding to qualifying cybersecurity incidents.
The new banking rule defines a reportable computer security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. Critically, the rule does not define actual harm, although it does provide examples of qualifying incidents, such as DDoS and ransomware attacks.
For banking organizations, only the subset of computer security incidents that fall within the definition of a notification incident are required to be reported. A notification incident, in turn, is defined as a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Banking organizations that have experienced a computer security incident that rises to the level of a notification incident are required to notify their primary federal regulator (OCC, the Board of Governors of the Federal Reserve, or FDIC) as soon as possible and no later than 36 hours after they have determined that a notification incident has occurred. The rule clarifies that time spent investigating and determining whether a notification incident has occurred does not count against the 36-hour clock.
For BSPs, the notification threshold is slightly different. BSPs that experience a computer security incident and have determined that it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a banking organization customer for four or more hours, must notify at least one bank-designated point of contact at each affected banking organization as soon as possible. If a bank-designated point of contact has not been established, the rule requires notification of each bank’s CEO and CIO (or two other individuals with comparable responsibilities).
Telecommunications
In January 2022, the FCC circulated a Notice of Proposed Rulemaking (NPRM) that would introduce stricter notification requirements for telecommunications companies that fall victim to customer data breaches.
As part of the NPRM, the following updates are being considered:
- eliminating the current seven business day mandatory waiting period for notifying customers of a breach;
- expanding customer protections by requiring notification for inadvertent breaches; and
- requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and U.S. Secret Service.
Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. According to the FCC, these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.
Securities
Under proposed rules issued in February 2022 from the SEC, registered investment advisers would be required to submit notification of incidents to the SEC within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident has occurred or is occurring.
A significant adviser cybersecurity incident is defined as a cybersecurity incident, or a group of related incidents, that:
- significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations; or
- leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
- substantial harm (including monetary loss or the theft of proprietary or personally identifiable information) to the adviser; or
- substantial harm to a client, or an investor in a private fund, whose information was accessed.
A significant fund cybersecurity incident is defined as a cybersecurity incident, or a group of related incidents, that:
- significantly disrupts or degrades the fund’s ability to maintain critical operations; or
- leads to the unauthorized access or use of fund information, which results in substantial harm to the fund or to the investor whose information was accessed
According to the proposed rules, notifications of incidents would be filed electronically with the SEC through the Investment Adviser Registration Depository platform.
Healthcare beyond HIPAA
The FTC has taken steps to signal renewed enforcement priority and possibly expand the notification requirements of its Health Breach Notification Rule (the Rule) governing personal health records (PHRs). Critics of the Rule have noted its broad reach and ambiguity. In January 2022, the FTC released guidance which interprets the Rule expansively and provides some attempted clarifications.
Generally, the Rule may require certain organizations that are not regulated by the Health Insurance Portability and Accountability Act (HIPAA) to notify consumers, the FTC, and, in some cases, the media. Notification obligations may result if there is unauthorized acquisition of unsecured identifiable health information in PHRs. Identifiable health information for purposes of the Rule is health information that identifies someone or could reasonably be used to identify someone.
According to the FTC, the Rule applies to:
- a vendor of PHRs;
- a PHR related entity (e.g., an entity that accesses information in a PHR or sends information to a PHR); or
- a third party service provider for a vendor of PHRs or a PHR related entity.
The latest FTC guidance may confirm that the Rule applies only to a breach of security of consumers’ identifiable health information in PHRs and not health information that employers hold about employees. In particular, the FTC seems most focused on health apps and connected devices that collect and share PHRs, which, according to the FTC, are subject to the Rule in many instances.
Additionally, the FTC reiterated that under the Rule a breach “is not limited to cybersecurity intrusions or nefarious behavior by hackers or insiders. Incidents of unauthorized access, including a company’s disclosure of covered information without a person’s authorization, triggers notification obligations under the Rule”.
Organizations that process personally identifiable health information may benefit from reviewing the Rule to determine whether it applies to them. If the Rule applies, an organization may consider reviewing its disclosure practices and the collection of authorizations from individuals. Organizations subject to the Rule may need to modify existing incident response plans and update training and operational guidance to comply.
The FTC also seems to prefer that organizations notify the FTC using a specific form, which may present challenges. The information requested on the form is expansive and may go beyond the requirements of the Rule. For example, the form requests that the organization describe the steps taken to investigate the breach, mitigate losses, and protect against future breaches.
Critical infrastructure
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. Under the Act, “covered entities” that experience a “covered cyber incident” will be required to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the entity reasonably believes that such an incident has occurred. In addition, covered entities will also be required to report any ransom payments made as a result of a ransomware attack to CISA no later than 24 hours after making the payment.
Under the Act, the term “covered cyber incident” is defined as a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the CISA Director in the final rule issued. Additionally, the term “covered entity” is defined as an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, which satisfies the definition established by the CISA Director in the final rule issued.
Implications and key takeaways
- In 2022, there has already been a significant amount of activity among Federal agencies related to expanding cybersecurity incident reporting requirements and obligations.
- Organizations operating in banking, telecommunications, securities, healthcare, critical infrastructure and other industry sectors will want to take note of this recent activity and consider incorporating these new risks into their data security planning and budgeting.
Client Alert 2022-123
