Updates to Chapter 3

Breach Notice and Incident Reporting

UPDATES TO THE SECOND EDITION

3.1.1.3 PHR Vendors (Including Health and Fitness Apps)

On April 26, 2024, the Federal Trade Commission voted 3-2 to issue a final rule expanding the scope of the Health Breach Notification Rule, completing the rulemaking described in the book. Among other changes, the revision clarified that the Rule covers developers of many health applications; revised the definition of breach of security to include both data security breaches and intentional but unauthorized disclosures; allowed notice by email if the individual has specified email as the primary method of communication and the written notice sent by email is clear and conspicuous, but it defined email as “email in combination with one or more of the following: … text message, within-application messaging, or electronic banner”; and altered the Rule’s timing requirement to require entities, for breaches involving 500 or more individuals, to notify the FTC without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. In its announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC.”

[New] 3.1.1.3A Substance Abuse Treatment Records

Under 42 U.S.C. 290dd-2, records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States (referred to as “part 2 programs”) shall be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under 290dd-2(b). Section 290dd-2(g) authorizes the Secretary of Health and Human Services to prescribe regulations to carry out the purposes of the section. Pursuant to that authority, the Secretary has issued 42 C.F.R. part 2, which has long contained a breach notice requirement. Following a February 2024 amendment, Section 2.16 of the rule states that the HIPAA breach notification rules (subpart D of 45 CFR part 164) shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a HIPAA-covered entity with respect to breaches of unsecured protected health information.

3.1.1.4 Telecommunications Carriers and TRS Providers 

The FCC’s January 2023 rulemaking referenced in the book was concluded in December 2023 when the Commission adopted substantial revisions to its breach notice rule. Report and Order, In the Matter of Data Breach Reporting Requirements, WC Docket No. 22–21, FCC 23–111 (adopted Dec. 13, 2023, released Dec. 21, 2023, published in the Federal Register at 89 Fed. Reg. 10002, Feb. 12, 2024). Specifically, the Commission (1) expanded the scope of the breach notification rules to cover not just CPNI, but all PII; (2) expanded the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier and such information is not used improperly or further disclosed; (3) required carriers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable, but no later than seven business days, after reasonable determination of a breach; (4) adopted a “harm-based trigger” for notifications to customers, such that carriers do not need to notify customers of a breach in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed (the “encryption safe harbor”), but covered entities still must notify federal agencies of breaches that affect 500 or more customers, regardless of harm; and (5) eliminated the mandatory waiting period for carriers to notify customers, and instead required carriers to notify customers of breaches of covered data without unreasonable delay after notification to Federal agencies, and in no case more than 30 days following reasonable determination of a breach, unless a delay is requested by law enforcement.

The rule will be codified at 47 C.F.R. 64.2011 for providers of telecommunications services (including interconnected Voice over Internet Protocol) and at 47 C.F.R. 64.5111 for telecommunications relay services. The Commission set the effective date as March 13, 2024. However, the rule requires OMB approval, which had not been forthcoming as of April 9, 2024. Moreover, Commissioner Carr dissented from the rule change on the ground that it was prohibited by the Congressional Review Act (CRA), since Congress and the President had in 2017 nullified an earlier FCC data breach rule through a joint resolution of disapproval. The CRA prohibits an agency, after such disapproval, from enacting a substantially similar rule in the future without specific legislative authorization from Congress.

3.1.1.7 Breach Notice under the FTC Act 

The FTC acted on its theory that the unfairness prong of section 5 of the FTC Act imposes a breach notification requirement in its February 2024 settlement with Global Tel*Link Corporation. The FTC complaint alleged that Global Tel*Link’s failure to timely notify all affected individuals of the incident was an unfair act or practice. The complaint separately alleged that Global Tel*Link had violated Section 5 when it publicly issued a statement that was false or misleading as to the severity of the incident and the risk to individual consumers.

3.2 Notice of Cyber Incidents to the Investing Public 

In December 2023, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, issued a statement intended to answer three questions: what must be disclosed, when must that information be disclosed, and why did the Commission use a materiality standard. Among other points, Dir. Gerding sought to reassure companies that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, Dir. Gerding encouraged public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur.

3.3.1 Sector-Specific Incident Reporting 

3.3.1.9 [new] Financial Institutions Under the Jurisdiction of the FTC

Under a November 2023 amendment, the Federal Trade Commission’s Safeguards Rule requires non-banking financial institutions such as mortgage brokers to report to the Commission whenever “unencrypted customer information involving 500 or more consumers is acquired without authorization.” 16 C.F.R. § 314.4. The revised rule will come into effect on May 13, 2024.

3.3.2 Cyber Incident Reporting for Critical Infrastructure Act

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency released a notice of proposed rulemaking setting out its initial approach to the CIRCIA reporting requirements. (Under the statute, a final rule is due by October 2025 but could be ready earlier.) Under the NPRM, CISA would require certain entities in critical infrastructure sectors—defined broadly enough to sweep in most large and medium (and some small) businesses—to promptly report covered cyber incidents and ransomware payments to CISA. Whether an incident is reportable would generally turn on the severity of the incident’s impact, except that all supply chain compromises or other incidents facilitated by third parties must be reported. The NPRM goes on to specify in detail the information that CISA proposes to collect through these reports. If adopted, the NPRM will require far more detail than is required under many existing incident reporting regimes. It will also provide protections and limitations on how this information can be used. CISA estimates that this rule will cover more than 300,000 companies and other covered entities. For more, see Paul Weiss, “CISA Issues Highly Anticipated, Far-Reaching Rules for Cyber Incident Reporting” (April 3, 2024).

___________________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION (last updated, February 10, 2023), INCORPORATED INTO THE SECOND EDITION

3.1 Federal Breach Notice

In May 2022, the FTC staff made an extraordinary statement on the FTC blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” Citing FTC complaints against CafePress, SkyMed and SpyFone, the blog said: “Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.” Note that the FTC statement is not limited to breaches affecting consumers; instead, it refers to protecting “consumers and other affected parties,” suggesting that the FTC Act sometimes requires B2B disclosure. But perhaps the most important line in the FTC blog is this: “Regardless of whether a [state or sector-specific federal] breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Many state data breach laws have a narrow definition of the elements of personal information whose compromise triggers a breach response, but the FTC has in recent years taken a broader view of protected personal information. Therefore, whenever breached data relates to individuals and may be used in ways that cause harm, notice would be required under the FTC staff view even if the breached data does not fit within the definition of “personal information” in any state or federal statute.

Beyond the FTC, breach notice has become a major theme of federal cybersecurity policy, and breach notice requirements have expanded from incidents involving personal information to also include incidents involving the operations of critical infrastructure and, under a March 2022 SEC proposal, all publicly owned companies. Note that some requirements are for notice to the public, while others are for notice to the government:

— Critical Infrastructure

On March 15, 2022, the President signed legislation requiring critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours after discovery and to report ransom payments in response to ransomware attacks within 24 hours. Called the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, the language was included as Division Y in H.R. 2471, the massive government appropriations bill for FY 2022. It is codified at 6 U.S.C. 2240 et seq.

If the CISA Director has reason to believe, whether through public reporting or other information, that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report, the Director may issue a subpoena to compel disclosure of the information.

This is not a public reporting statute. To the contrary, reports required under the law are for use only within the government and are exempt from disclosure under the Freedom of Information Act. The statute protects entities from liability based on reports voluntarily made. It states that no litigation shall lie or be maintained in any court by any person or entity, and that any such action shall be promptly dismissed, if it is based solely on the submission of a covered cyber incident report or ransom payment report to CISA. However, if the Director has to issue a subpoena to get the information, it can be used in an enforcement proceeding. Also, a report submitted to CISA may be used, consistent with Federal or State regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, to inform the development or implementation of regulations relating to such systems.

“Covered cyber incident” and “covered entity” will be defined under a rulemaking by the director of CISA. CISA has 24 months to issue a Notice of Proposed Rulemaking (NPRM), so it could be some time before the law takes effect. In September 2022, CISA took an initial step in the process, issuing a Request for Information seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM. CISA said it was particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports required under CIRCIA; information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.

The statute, once fully implemented, is likely to generate more warnings and advisories from CISA. It says that CISA shall immediately review each cyber incident or ransom payment report to determine whether the incident is connected to an ongoing cyber threat or security vulnerability and, where applicable, it shall use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.

— Federal Contractors

In May 2021, President Biden issued an executive order setting in motion a process to add a breach notification requirement to all federal government contracts for information technology and operational technology services. The contract clauses, once implemented, will require contractors to report “cyber incidents” to affected agencies. (The exact language of the EO: “It is the policy of the federal government that … information and communications technology (ICT) service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.”) In addition, cyber incidents involving civilian agencies must be reported to the Cybersecurity and Infrastructure Security Agency (CISA). EO 14028, Improving the Nation’s Cybersecurity (May 12, 2021), 86 Fed. Reg. 26633.

Note: For some years, there has also been a requirement that defense contractors must “rapidly report” – defined as within 72 hours – any “cyber incident” that affects “covered defense information,” following a review for evidence of compromise. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

— Pipelines

In May 2021, the Department of Transportation issued a directive requiring major pipelines carrying petroleum products to report cybersecurity incidents within 12 hours to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Transportation Security Administration, Security Directive Pipeline-2021-1, Enhancing Pipeline Cybersecurity (May 28, 2022). In May 2022, this was amended to require reporting within 24 hours. “Cybersecurity incident” is defined as

an event that, without lawful authority, actually, imminently, or potentially jeopardizes, disrupts or otherwise impacts the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. This definition includes an event that—

1. Is under investigation as a possible cybersecurity incident without successful determination of the event's root cause or nature (such as malicious, suspicious, benign); and

2. May affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.

The directive also requires pipeline owners and operators to designate a Cybersecurity Coordinator who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise. See updates to Chapter 9.2.16 for another major aspect of the TSA directive.

— Railroads

The Transportation Security Administration directives issued in December 2021 to freight railroad carriers and passenger railroad carriers and transit systems required covered entities to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. CISA will in turn disseminate any reported information to the TSA. “Cybersecurity incident” is defined as

an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. This definition includes an event that is under investigation or evaluation by the owner/operator as a possible cybersecurity incident without final determination of the event's root cause or nature (such as malicious, suspicious, benign).

Elsewhere the directive states that a cybersecurity incident includes unauthorized access of an IT or OT system; discovery of malicious software; activity resulting in denial of service; and any other cybersecurity incident that results in operational disruption to the entity’s IT or OT systems or other aspects of its rail systems or facilities or an incident that has the potential to cause impact to a large number of customers or passengers or core government functions or impact to national security, economic security, or public health and safety.

Compare this definition with the one in the May 2021 directive to pipelines and note the subtle narrowing changes, especially the shift from “potentially jeopardizes, disrupts or otherwise impacts” to “is reasonably likely to jeopardize, disrupt or otherwise impact.”

— Health and Fitness Apps

In September 2021, the FTC issued a policy statement on the Commission’s Health Breach Notification Rule, 16 C.F.R. Part 318. The Rule applies to entities that are not covered by HIPAA. When you stitch together the cross-referenced definitions in the Rule, it covers vendors of personal health records that contain individually identifiable health information created or received by health care providers. Further, the statute directing the FTC to promulgate the Rule requires that a “personal health record” be an electronic record that can be drawn from multiple sources. As noted in FN 3 in the book, the Rule had been interpreted as being very narrow, so narrow that it had never been invoked by the Commission.

The Commission’s September 2021 statement claimed that it was intended to clarify the scope of the Rule but in fact it expanded the Rule’s scope to include many health apps. As Commissioner Wilson pointed out in a dissenting statement, in order to get there, the policy statement had to assume that developers of mobile health apps are health care providers (because the app is a “health care service”). As Commissioner Wilson also pointed out, the policy statement leapfrogged over a pending FTC rulemaking (described in FN 3) that was supposed to rewrite the rule itself to include mobile apps.

The FTC policy statement states that the Rule already covers many developers of health apps and connected devices. For example, the policy statement says, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Similarly, an app that draws information from multiple sources is covered, even if the health information comes from only one source. For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from a phone’s calendar), it is covered under the Rule. In addition, the Commission statement reminds entities covered by the Rule that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Rule.

In January 2022, the FTC issued extensive guidance on the Rule, restating and reframing the September 2021 policy statement.

— Banking Organizations

The book refers to a proposed notification requirement issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation. On November 18, 2021, the regulators issued a final rule that requires a “banking organization” to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.” As defined by the final rule, a computer-security incident is an occurrence that results in actual harm (the proposed rule had included potential harm, but that was dropped) to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to (the proposed rule had said “could”) materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations or deliver banking services to a material portion of its customer base; (ii) business line(s), whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Notice must be given as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

The final rule also requires a bank service provider to notify each affected banking organization customer (that is, notify the bank to which the third party provides service, not consumers) as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization’s own notification requirement.

The effective date of the new rule is April 1, 2022; the compliance date is May 1, 2022.

For the OCC, the new rule is codified at 12 C.F.R. part 53; for the Federal Reserve, it is at 12 C.F.R. part 225, subpart N; and for the FDIC, it is at 12 C.F.R. part 304 subpart C.

As noted in the book, this kind of rule is not primarily focused on protecting consumers; rather, its first aim is to protect the operational integrity of banks and the banking system. Thus notification under the new rule supplements the breach notice requirement under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, adopted in connection with the Gramm-Leach-Bliley Act. See 12 C.F.R. part 30, Appendix B, supp. A (OCC); 12 C.F.R. part 208, Appendix D-2, supp. A, 12 C.F.R. 211.5(l), 12 C.F.R. part 225, Appendix F, supp. A (Board); 12 C.F.R. part 364, Appendix B, supp. A (FDIC). That guidance requires a regulated financial institution to notify its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. Under that guidance, if the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.

— Telecommunications Carriers and TRS Providers

In January 2023, the Federal Communications Commission issued a Notice of Proposed Rulemaking to amend the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). The proposed updates would —

  • Eliminate the current provision stating that a carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the U.S. Secret Service and the FBI;

  • Require notification of inadvertent breaches; and

  • Require carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.

The proposal also seeks comment on (1) adopting a harm-based trigger for breach notifications and (2) whether to adopt minimum requirements for the content of customer breach notices.

Unlike many of the notice requirements discussed immediately above, the FCC action focused on breaches of customer data, not on direct compromises to the operations of the telecommunications infrastructure itself.

The FCC has a separate CPNI breach notice rule for providers of telecommunications relay services (TRS). 47 C.F.R. § 64.5111. (TRS are telephone transmission services that provide the ability for individuals who are deaf, hard of hearing, deaf-blind, or who have a speech disability to engage in communication by wire or radio with one or more individuals, in a manner that is functionally equivalent to the ability of a hearing individual who does not have a speech disability.) The January 2023 NPRM proposed changes to the TRS data breach reporting rule consistent with those proposed to the CPNI breach reporting rule.

For the definition of CPNI under the general FCC breach notice rule, 47 C.F.R. § 64.2011, the correct cite is 47 U.S.C. § 222(h)(1).

— Publicly Owned Companies

See updates to chapter 9.2.17 for a proposed SEC rule that would require publicly owned companies to give public notice, through the disclosure processes under the securities laws, of material cybersecurity incidents. First notice would have to be provided within four days and would have to be updated thereafter.

3.2.1 Definition of Personal Information

In July 2021, in Public Act No. 21-59, Connecticut amended its definition of personal information. Under the “first name or first initial and last name in combination with” prong, it added the following data elements: taxpayer ID number; passport, military, or other government ID number; medical information; health insurance identifier; and biometric data. It also added a new standalone prong: user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

3.2.4 Responsibility of Third Party Vendors

Third party vendors and their customers (the consumer-facing business) must be explicit with each other about who is responsible for what, in terms of notice, in the event of a breach. Moreover, third party vendors need to follow up with their customers to see if they gave notice. Those seem to be two lessons of the settlement that 27 states and the Sabre Corp. entered into in December 2020. Sabre runs a reservation system for hotel chains. When it suffered a breach, it notified the hotel chains (after some delay) and then left the matter of any notice to the hotels. Under most if not all state laws, that would seem to have fulfilled Sabre’s duty as a third party vendor (leaving aside the lack of promptness), but the state attorneys general were not satisfied. The settlement requires Sabre to “include in any future contract for travel services the roles and responsibilities to be undertaken by SABRE and the counterparty in the event of a breach.” Further, if Sabre does not provide notice directly to consumers, it shall ask its hotel chain customers if they are going to provide notice and when.

3.2.5 Notice to State Attorney General

A few state laws require reporting to government officials in addition to the Attorney General. In Arizona, where the breach notice law has long required, in cases affecting more than 1,000 individuals, notice to the state Attorney General and the three largest nationwide consumer reporting agencies, a 2022 amendment to the law requires an entity that suffers a breach affecting more than 1,000 Arizona residents to also notify the Arizona Department of Homeland Security. The New York state law, section 899-aa of the General Business Law, requires notice to the state Attorney General, the State Police, and the Department of State's Division of Consumer Protection.

3.2.7 When to Notify

In July 2021, Connecticut reduced its deadline for notice from 90 days to 60 days. See Public Act No. 21-59. Also, Connecticut law had said that notice had to be given within the specified number of days “after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section [delay for a reasonable period of time upon request of a law enforcement agency on the ground that notification will impede a criminal investigation] and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system.” The language about completing an investigation had suggested that notice could be delayed for a very long time while the data controller buttoned down all aspects of the attack and restored its system. The 2021 amendment deleted that language, indicating that notice must be given no later than the 60th day after discovery (subject to any law enforcement-requested delay). New language made it clear that additional affected persons identified after the 60-day deadline should be notified on a rolling basis “as expediently as possible.”

[New subchapter:] 3.4 Notice to Law Enforcement

Notice to, and cooperation with, law enforcement (often meaning the FBI) has become a best practice in the event of a breach and almost essential to mitigate legal risk:

  • “… a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.” FTC Business Blog, If the FTC comes to call (May 20, 2015).

  • “Companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.” Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents (2018).

  • Guidance to insurance companies issued by the New York State Department of Financial Services states: “Cyber insurance policies should include a requirement that victims notify law enforcement.” NYS DFS, Cyber Insurance Risk Framework, Insurance Circular Letter No. 2 (Feb. 4, 2021).

  • “In the case of ransomware payments that may have a sanctions nexus, OFAC [the Treasury Department’s Office of Foreign Assets Control] will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response. OFAC will also consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack — e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible — to be a significant mitigating factor.” OFAC, Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Sept. 21, 2021) at 5.

  • Insurance regulators took into account the timely and effective breach response of Anthem health insurance company, including the fact that “Anthem promptly communicated and cooperated with law enforcement and regulators,” in deciding not to impose fines or penalties on the company in connection with the massive 2015 breach it suffered. See Regulatory Settlement Agreement (2016).


Last updated: May 3, 2024.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.