Gerry Stegmaier is partner and Eric Manski is associate at Reed Smith. Views are the authors' own.
Despite the lack of near-term prospects for passage of a comprehensive federal privacy law, the federal government continues to pursue sector-specific cybersecurity regulation. It has recently proposed or implemented a variety of rules and guidance affecting incident response in the banking and financial services, telecommunications, securities, healthcare and critical infrastructure sectors. These developments will have far-reaching implications. Not only will companies operating in these sectors be affected, but vendors and suppliers, especially technology companies, can expect new demands from regulated customers and continued pressure to operationalize the proliferating requirements and expectations.
Banking and financial
A joint rule issued by the federal banking agencies (OCC, Board of Governors of the Federal Reserve, and FDIC) became effective this month and prescribes new requirements and criteria for banking organizations and bank service providers (BSPs) to follow in identifying and responding to qualifying cybersecurity incidents.
The new banking rule defines a reportable computer security incident as an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits. Critically, the rule does not define actual harm, although it does provide examples of qualifying incidents, such as DDoS and ransomware attacks.
For banking organizations, only the subset of computer security incidents that fall within the definition of a notification incident are required to be reported. A notification incident, in turn, is defined as a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Banking organizations that have experienced a computer security incident that rises to the level of a notification incident are required to notify their primary federal regulator (OCC, the Board, or FDIC) as soon as possible and no later than 36 hours after they have determined that a notification incident has occurred. Notwithstanding the tight reporting timeline, the rule clarifies that time spent investigating and determining whether a notification incident has occurred does not count against the 36-hour clock.
For BSPs, the notification threshold for computer security incidents is slightly different from that for banking organizations. BSPs that experience a computer security incident and have determined that it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a banking organization customer for four or more hours must notify at least one bank-designated point of contact at each affected banking organization as soon as possible. If a bank-designated point of contact has not been established, the rule requires notification of each bank’s CEO and CIO (or two other individuals with comparable responsibilities).
Telecommunications
In January 2022, the FCC circulated a Notice of Proposed Rulemaking that would introduce stricter notification requirements for telecommunications companies that fall victim to customer data breaches.
In the notice, the following updates are being considered:
- Eliminating the current 7 business day mandatory waiting period for notifying customers of a breach;
- Expanding customer protections by requiring notification for inadvertent breaches; and
- Requiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.
Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. According to the FCC, these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.
Registered investment advisers and fund notification requirements
Under proposed rules issued in February 2022 by the Securities and Exchange Commission (SEC), registered investment advisers would be required to submit notification of incidents to the SEC within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident has occurred or is occurring.
A significant adviser cybersecurity incident is defined as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in:
- Substantial harm to the adviser, or
- Substantial harm to a client, or an investor in a private fund, whose information was accessed.
Substantial harm could include monetary loss or the theft of proprietary or personally identifiable information.
A significant fund cybersecurity incident is defined as a cybersecurity incident, or a group of related incidents, that:
- Significantly disrupts or degrades the fund’s ability to maintain critical operations, or
- Leads to the unauthorized access or use of fund information, which results in substantial harm to the fund, or to the investor whose information was accessed.
According to the proposed rules, notifications of incidents would be filed electronically with the Commission through the Investment Adviser Registration Depository (IARD) platform.
Healthcare beyond HIPAA
The FTC has taken steps to signal renewed enforcement priority and possibly to expand the notification requirements of its Health Breach Notification Rule governing personal health records (PHRs). Critics of the rule have noted its broad reach and ambiguity. In January 2022, the FTC released guidance that interprets the Rule expansively and offers some attempted clarifications.
Generally, the rule may require certain organizations that are not regulated by the Health Insurance Portability and Accountability Act (HIPAA) to notify consumers, the FTC, and, in some cases, the media. Notification obligations may result if there is unauthorized acquisition of unsecured identifiable health information in PHRs. Identifiable health information for purposes of the Rule is health information that identifies someone or could reasonably be used to identify someone.
According to the FTC, the rule applies to:
- A vendor of PHRs;
- A PHR related entity (e.g., an entity that accesses information in a personal health record or sends information to a personal health record); or
- A third party service provider for a vendor of PHRs or a PHR related entity.
The latest FTC guidance may confirm that the rule applies only to a breach of security of consumers’ PHR identifiable health information and not health information that employers hold about employees. In particular, the FTC seems most focused on health apps and connected devices that collect and share PHRs, which, according to the FTC, are subject to the rule in many instances.
Additionally, the FTC reiterated that under the Rule a breach “is not limited to cybersecurity intrusions or nefarious behavior by hackers or insiders. Incidents of unauthorized access, including a company’s disclosure of covered information without a person’s authorization, triggers notification obligations under the Rule.”
Organizations that process personally identifiable health information may benefit from reviewing the rule to determine whether it applies to them. If the rule applies, an organization may consider reviewing its disclosure practices and the collection of authorizations from individuals. Organizations subject to the rule may need to modify existing incident response plans and update training and operational guidance to comply.
The FTC also seems to prefer that organizations notify the FTC using a specific form, which may present challenges. The information requested on the form is expansive, and may go beyond the requirements of the rule. For example, the form requests that the organization describe the steps taken to investigate the breach, mitigate losses, and protect against future breaches.
Critical infrastructure
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. Under the Act, “covered entities” that experience a “covered cyber incident” will be required to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the entity reasonably believes that such an incident has occurred. In addition, covered entities will be required to report any ransom payment made as a result of a ransomware attack to CISA no later than 24 hours after making the payment.
According to the Act, the term “covered cyber incident” is defined as a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the CISA Director in the final rule issued under the Act. Additionally, the term “covered entity” is defined as an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the CISA Director in that final rule.
Implications and key takeaways
Despite an emerging consensus that a comprehensive federal privacy law, in response to increasing state legislative activity, would bring many benefits, the federal government continues to actively regulate cybersecurity. The existing federal approach continues to leverage the expertise Congress believes individual administrative agencies have within their particular mandates. While a single federal law may offer significant benefits over a patchwork of competing state laws, whether such a law would be superior to the existing federal approaches in particular regulated sectors has gone largely undiscussed. In the meantime, new federal, state and international regulations continue to proliferate, often with little cost-benefit analysis, either among the competing approaches themselves or of the costs of regulation generally when weighed against other important values such as free speech.
In 2022, there has already been a significant amount of activity by federal agencies in these sectors to expand cybersecurity incident reporting requirements and obligations, with real implications for businesses. Organizations operating in banking, telecommunications, securities, healthcare, critical infrastructure and other industry sectors will want to take note of this recent activity and consider incorporating these new risks into their data security planning and budgeting. Similarly, companies that act as vendors and suppliers to businesses in these sectors may face confusing and conflicting requirements, which may drive a race to the bottom for operational compliance, similar in many respects to the complaints raised about the lack of a single federal breach notification law.
The nature, timing and scope of disclosures made to regulators and others continue to pose difficulties for many organizations, as forensic and related investigative work (and legal advice) often takes time, and the relevant and material facts and circumstances change over the course of the investigation. Efforts to meet “mandatory” reporting deadlines may contribute to false positives, do little to benefit consumers or others, and, at least in the EU, have been acknowledged by regulators in a number of circumstances as taxing limited regulatory resources.
Ultimately, organizations that focus on broad, strategic privacy, security and information governance programs that are informed by law but go beyond it will be better positioned to adapt to new requirements. In particular, moving beyond tick-the-box, compliance-focused approaches to values-driven, risk-based control schemes remains one of the most effective ways to develop sustainable practices in these areas.