Updates to Chapter 3
Breach Notice and incident reporting
UPDATES TO THE SECOND EDITION
3.1.1.3 PHR Vendors (Including Health and Fitness Apps)
On April 26, 2024, the Federal Trade Commission voted 3-2 to issue a final rule expanding the scope of the Health Breach Notification Rule, completing the rulemaking described in the book. Among other changes, the revision clarified that the Rule covers developers of many health applications; revised the definition of breach of security to include both data security breaches and intentional but unauthorized disclosures; allowed notice by email if the individual has specified email as the primary method of communication and the written notice sent by email is clear and conspicuous, but it defined email as “email in combination with one or more of the following: … text message, within-application messaging, or electronic banner”; and altered the Rule’s timing requirement to require entities, for breaches involving 500 or more individuals, to notify the FTC without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. In its announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC.”
[New] 3.1.1.3A Substance Abuse Treatment Records
Under 42 U.S.C. 290dd-2, records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States (referred to as “part 2 programs”) shall be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under 290dd-2(b). Section 290dd-2(g) authorizes the Secretary of Health and Human Services to prescribe regulations to carry out the purposes of the section. Pursuant to that authority, the Secretary has issued 42 C.F.R. part 2, which has long contained a breach notice requirement. Following a February 2024 amendment, Section 2.16 of the rule states that the HIPAA breach notification rules (subpart D of 45 CFR part 164) shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a HIPAA-covered entity with respect to breaches of unsecured protected health information.
3.1.1.4 Telecommunications Carriers and TRS Providers
The FCC’s January 2023 rulemaking referenced in the book was concluded in December 2023 when the Commission adopted substantial revisions to its breach notice rule. Report and Order, In the Matter of Data Breach Reporting Requirements, WC Docket No. 22–21, FCC 23–111 (adopted Dec. 13, 2023, released Dec. 21, 2023, published in the Federal Register at 89 Fed. Reg. 10002, Feb. 12, 2024). Specifically, the Commission (1) expanded the scope of the breach notification rules to cover not just CPNI, but all PII; (2) expanded the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier and such information is not used improperly or further disclosed; (3) required carriers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable, but no later than seven business days, after reasonable determination of a breach; (4) adopted a “harm-based trigger” for notifications to customers, such that carriers do not need to notify customers of a breach in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed (“encryption safe harbor”), but covered entities still must notify federal agencies of breaches that affect 500 or more customers, regardless of harm; and (5) eliminated the mandatory waiting period for carriers to notify customers, and instead required carriers to notify customers of breaches of covered data without unreasonable delay after notification to Federal agencies, and in no case more than 30 days following reasonable determination of a breach, unless a delay is requested by law enforcement.
The rule will be codified at 47 C.F.R. 64.2011 for providers of telecommunications services (including interconnected Voice over Internet Protocol) and at 47 C.F.R. 64.5111 for telecommunications relay services. The Commission set the effective date as March 13, 2024. However, the rule requires OMB approval, which has not been forthcoming as of April 9, 2024. Moreover, Commissioner Carr dissented from the rule change on the ground that it was prohibited by the Congressional Review Act (CRA), since Congress and the President had in 2017 nullified an earlier FCC data breach rule through a joint resolution of disapproval. The CRA prohibits an agency, after such disapproval, from enacting a substantially similar rule in the future without specific legislative authorization from Congress.
3.1.1.5 Securities Exchanges and Related Entities
On May 16, 2024, the SEC finalized amendments to Regulation S-P described in the book. The amended rule will require brokers and dealers (or “broker-dealers”), investment companies, SEC-registered investment advisers, funding portals, and registered transfer agents to provide timely notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The rule contains a harm standard: Notice will not be required if a covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. (A covered institution may consider encryption as a factor in determining whether the compromise of customer information could create a reasonably likely harm risk.) This notice must be provided as soon as reasonably practicable, but not later than 30 days, after the covered institution becomes aware that an incident has occurred. The amendments will also require covered entities to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. Such incident response programs must include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use. The rule becomes effective August 2, 2024, but the SEC adopted a compliance period of 18 months following the date of publication of the final amendments in the Federal Register for larger entities, and 24 months for smaller entities.
3.1.1.7 Breach Notice under the FTC Act
The FTC acted on its theory that the unfairness prong of section 5 of the FTC Act imposes a breach notification requirement in its February 2024 settlement with Global Tel*Link Corporation. The FTC complaint alleged that Global Tel*Link’s failure to timely notify all affected individuals of the incident was an unfair act or practice. The complaint separately alleged that Global Tel*Link had violated Section 5 when it publicly issued a statement that was false or misleading as to the severity of the incident and the risk to individual consumers.
3.1.2 States
As noted in the book, states continue to amend their data breach statutes, including their definitions of “personal information.” Illustrative is Pennsylvania, which amended its breach notification law in June 2024, effective September 26, 2024. It expanded the definition of personal information to include an individual’s first name or first initial with last name in combination with: medical information in the possession of a state agency or state agency contractor; health insurance information; or a username or email address, in combination with a password or security question and answer that would permit access to an online account. Under the amendments, covered entities must also provide impacted individuals with 12 months of credit monitoring and access to a credit report, if the breach involves the person’s name and Social Security Number, bank account number, or driver’s license or state ID number. The amendments also require notice to the state attorney general, “without unreasonable delay,” of any breach affecting more than 500 Pennsylvania residents. On September 16, the state AG announced the launch of an online portal for entities to use in making that notification.
3.2 Notice of Cyber Incidents to the Investing Public
On June 24, 2024, the SEC issued yet further guidance on the incident reporting requirement, in the form of a series of interpretive questions and answers. Among the points:
If a registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety and the Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due, the registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation.
If a registrant experiences a cybersecurity incident that it determines to be material and then it pays the ransom and the incident ends, that does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after it determined that it had experienced a material incident.
If an event ends prior to the materiality determination, including as a result of the registrant making a ransomware payment, that does not relieve the registrant of the requirement to make such materiality determination.
A ransomware payment that is small in size would not necessarily make the related cybersecurity incident immaterial.
If a registrant makes a ransomware payment and is reimbursed under an insurance policy for all or a substantial portion of the ransomware payment, that does not necessarily render the incident not material.
In June 2024, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, issued yet a third statement aimed at clarifying the scope of the Commission’s July 2023 rules requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. In this latest response to the confusion spawned by the rules, Dir. Gerding explained that “nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.” Sharing information about a material cybersecurity incident with vendors, customers and peers “may assist with remediation, mitigation, or risk avoidance efforts and may facilitate those parties’ compliance with their own incident disclosure and reporting obligations … .” In addition, Dir. Gerding addressed Regulation FD, which requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders. He pointed out that there are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. “For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.” (Footnotes omitted.)
In May 2024, Dir. Gerding issued a statement reminding publicly traded companies that the SEC’s cybersecurity incident disclosure rules require public companies to disclose only material cybersecurity incidents under Item 1.05 of Form 8-K. If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the company should disclose that incident under a different item of Form 8-K (for example, Item 8.01). Since Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident that is determined by the registrant to be material, Gerding said, it could be confusing for investors if companies disclose under Item 1.05 either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made. Gerding also reminded companies that, in determining whether a cybersecurity incident is material, and in assessing the incident’s impact (or reasonably likely impact), companies should assess all relevant factors. That assessment should not be limited to the impact on “financial condition and results of operation,” and “companies should consider qualitative factors alongside quantitative factors.”
The May 2024 statement follows on one from December 2023, in which Dir. Gerding aimed to answer three questions: what must be disclosed, when must that information be disclosed, and why did the Commission use a materiality standard. Among other points, Dir. Gerding sought to reassure companies that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, Dir. Gerding encouraged public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur.
3.3.1 Sector-Specific Incident Reporting
3.3.1.9 [New] Financial Institutions Under the Jurisdiction of the FTC
Under a November 2023 amendment, the Federal Trade Commission’s Safeguards Rule requires non-banking financial institutions such as mortgage brokers to report to the Commission whenever “unencrypted customer information involving 500 or more consumers is acquired without authorization.” 16 C.F.R. § 314.4. The revised rule will come into effect on May 13, 2024.
3.3.2 Cyber Incident Reporting for Critical Infrastructure Act
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency released a notice of proposed rulemaking setting out its initial approach to the CIRCIA reporting requirements. (Under the statute, a final rule is due by October 2025 but could be ready earlier.) Under the NPRM, CISA would require certain entities in critical infrastructure sectors—defined broadly enough to sweep in most large and medium (and some small) businesses—to promptly report covered cyber incidents and ransomware payments to CISA. Whether an incident is reportable would generally turn on the severity of the impact of the incident, except that all supply chain compromises or other incidents facilitated by third parties must be reported. The NPRM goes on to specify in detail the information that CISA proposes to collect through these reports. If adopted, the NPRM will require far more detail than is required under many existing incident reporting regimes. It will also provide protections and limitations on how this information can be used. CISA estimates that this rule will cover more than 300,000 companies and other covered entities. For more, see Paul Weiss, “CISA Issues Highly Anticipated, Far-Reaching Rules for Cyber Incident Reporting” (April 3, 2024).
___________________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION (last updated, February 10, 2023), INCORPORATED INTO THE SECOND EDITION
3.1 Federal Breach Notice
In May 2022, the FTC staff made an extraordinary statement on the FTC blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” Citing FTC complaints against CafePress, SkyMed and SpyFone, the blog said: “Taken together, these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.” Note that the FTC statement is not limited to breaches affecting consumers; instead, it refers to protecting “consumers and other affected parties,” suggesting that the FTC Act sometimes requires B2B disclosure. But perhaps the most important line in the FTC blog is this: “Regardless of whether a [state or sector-specific federal] breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Many state data breach laws have a narrow definition of the elements of personal information whose compromise triggers a breach response, but the FTC has in recent years taken a broader view of protected personal information. Therefore, whenever breached data relates to individuals and may be used in ways that cause harm, notice would be required under the FTC staff view even if the breached data does not fit within the definition of “personal information” in any state or federal statute.
Beyond the FTC, breach notice has become a major theme of federal cybersecurity policy, and breach notice requirements have expanded from incidents involving personal information to also include incidents involving the operations of critical infrastructure and, under a March 2022 SEC proposal, all publicly owned companies. Note that some requirements are for notice to the public, others are for notice to the government:
— Critical Infrastructure
On March 15, 2022, the President signed legislation requiring critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours after discovery and to report ransom payments in response to ransomware attacks within 24 hours. Called the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, the language was included as Division Y in H.R. 2471, the massive government appropriations bill for FY 2022. It is codified at 6 U.S.C. 2240 et seq.
If the CISA Director has reason to believe, whether through public reporting or other information, that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report, the Director may issue a subpoena to compel disclosure of the information.
This is not a public reporting statute. To the contrary, reports required under the law are for use only within the government and are exempt from disclosure under the Freedom of Information Act. The statute protects entities from liability based on reports voluntarily made. It states that no cause of action shall lie or be maintained in any court by any person or entity, and any such action shall be promptly dismissed, if it is solely based on the submission of a covered cyber incident report or ransom payment report to CISA. However, if the Director has to issue a subpoena to get the information, it can be used in an enforcement proceeding. Also, a report submitted to CISA may be used, consistent with Federal or State regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, to inform the development or implementation of regulations relating to such systems.
“Covered cyber incident” and “covered entity” will be defined under a rulemaking by the director of CISA. CISA has 24 months to issue a Notice of Proposed Rulemaking (NPRM), so it could be some time before the law takes effect. In September 2022, CISA took an initial step in the process, issuing a Request for Information seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM. CISA said it was particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports required under CIRCIA; information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.
The statute, once fully implemented, is likely to generate more warnings and advisories from CISA. It says that CISA shall immediately review each cyber incident or ransom payment report to determine whether the incident is connected to an ongoing cyber threat or security vulnerability and, where applicable, it shall use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.
— Federal Contractors
In May 2021, President Biden issued an executive order setting in motion a process to add a breach notification requirement to all federal government contracts for information technology and operational technology services. The contract clauses, once implemented, will require contractors to report “cyber incidents” to affected agencies. (The exact language of the EO: “It is the policy of the federal government that … information and communications technology (ICT) service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.”) In addition, cyber incidents involving civilian agencies must be reported to the Cybersecurity and Infrastructure Security Agency (CISA). EO 14028, Improving the Nation’s Cybersecurity (May 12, 2021), 86 Fed. Reg. 26633.
Note: For some years, there has also been a requirement that defense contractors must “rapidly report” – defined as within 72 hours – any “cyber incident” that affects “covered defense information,” following a review for evidence of compromise. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.
— Pipelines
In May 2021, the Department of Transportation issued a directive requiring major pipelines carrying petroleum products to report cybersecurity incidents within 12 hours to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Transportation Security Administration, Security Directive Pipeline-2021-1, Enhancing Pipeline Cybersecurity (May 28, 2022). In May 2022, this was amended to require reporting within 24 hours. “Cybersecurity incident” is defined as
an event that, without lawful authority, actually, imminently, or potentially jeopardizes, disrupts or otherwise impacts the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. This definition includes an event that—
1. Is under investigation as a possible cybersecurity incident without successful determination of the event's root cause or nature (such as malicious, suspicious, benign); and
2. May affect the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.
The directive also requires pipeline owners and operators to designate a Cybersecurity Coordinator who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise. See updates to Chapter 9.2.16 for another major aspect of the TSA directive.
— Railroads
The Transportation Security Administration directives issued in December 2021 to freight railroad carriers and passenger railroad carriers and transit systems required covered entities to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. CISA will in turn disseminate any reported information to the TSA. “Cybersecurity incident” is defined as
an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. This definition includes an event that is under investigation or evaluation by the owner/operator as a possible cybersecurity incident without final determination of the event's root cause or nature (such as malicious, suspicious, benign).
Elsewhere the directive states that a cybersecurity incident includes unauthorized access of an IT or OT system; discovery of malicious software; activity resulting in denial of service; and any other cybersecurity incident that results in operational disruption to the entity’s IT or OT systems or other aspects of its rail systems or facilities or an incident that has the potential to cause impact to a large number of customers or passengers or core government functions or impact to national security, economic security, or public health and safety.
Compare this definition with the one in the May 2021 directive to pipelines and note the subtle narrowing changes, especially the shift from “potentially jeopardizes, disrupts or otherwise impacts” to “is reasonably likely to jeopardize, disrupt or otherwise impact.”
— Health and Fitness Apps
In September 2021, the FTC issued a policy statement on the Commission’s Health Breach Notification Rule, 16 C.F.R. Part 318. The Rule applies to entities that are not covered by HIPAA. When you stitch together the cross-referenced definitions in the Rule, it covers vendors of personal health records that contain individually identifiable health information created or received by health care providers. Further, the statute directing the FTC to promulgate the Rule requires that a “personal health record” be an electronic record that can be drawn from multiple sources. As noted in FN 3 in the book, the Rule had been interpreted as being very narrow, so narrow that it had never been invoked by the Commission.
The Commission’s September 2021 statement claimed that it was intended to clarify the scope of the Rule but in fact it expanded the Rule’s scope to include many health apps. As Commissioner Wilson pointed out in a dissenting statement, in order to get there, the policy statement had to assume that developers of mobile health apps are health care providers (because the app is a “health care service”). As Commissioner Wilson also pointed out, the policy statement leapfrogged over a pending FTC rulemaking (described in FN 3) that was supposed to rewrite the rule itself to include mobile apps.
The FTC policy statement states that the Rule already covers many developers of health apps and connected devices. For example, the policy statement says, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Similarly, an app that draws information from multiple sources is covered, even if the health information comes from only one source. For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from a phone’s calendar), it is covered under the Rule. In addition, the Commission statement reminds entities covered by the Rule that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Rule.
In January 2022, the FTC issued extensive guidance on the Rule, restating and reframing the September 2021 policy statement.
— Banking Organizations
The book refers to a proposed notification requirement issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation. On November 18, 2021, the regulators issued a final rule that requires a “banking organization” to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.” As defined by the final rule, a computer-security incident is an occurrence that results in actual harm (the proposed rule had included potential harm, but that was dropped) to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to (the proposed rule had said “could”) materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations or deliver banking services to a material portion of its customer base, (ii) business line(s), whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Notice must be given as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
The final rule also requires a bank service provider to notify each affected banking organization customer (that is, notify the bank to which the third party provides service, not consumers) as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization’s own notification requirement.
The effective date of the new rule is April 1, 2022; the compliance date is May 1, 2022.
For the OCC, the new rule is codified at 12 C.F.R. part 53; for the Federal Reserve, it is at 12 C.F.R. part 225, subpart N; and for the FDIC, it is at 12 C.F.R. part 304 subpart C.
As noted in the book, this kind of a rule is not primarily focused on protecting consumers; rather, its first aim is to protect the operational integrity of banks and the banking system. Thus notification under the new rule supplements the breach notice requirement under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, adopted in connection with the Gramm-Leach-Bliley Act. See 12 C.F.R. part 30, Appendix B, supp. A (OCC); 12 C.F.R. part 208, Appendix D-2, supp. A, 12 C.F.R. 211.5(l), 12 C.F.R. part 225, Appendix F, supp. A (Board); 12 C.F.R. part 364, Appendix B, supp. A (FDIC). That guidance requires a regulated financial institution to notify its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. Under that guidance, if the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.
— Telecommunications Carriers and TRS Providers
In January 2023, the Federal Communications Commission issued a Notice of Proposed Rulemaking to amend the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). The proposed updates would —
Eliminate the current provision stating that a carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the U.S. Secret Service and the FBI;
Require notification of inadvertent breaches; and
Require carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.
The proposal also seeks comment on (1) adopting a harm-based trigger for breach notifications and (2) whether to adopt minimum requirements for the content of customer breach notices.
Unlike many of the notice requirements discussed immediately above, the FCC action focused on breaches of customer data, not on direct compromises to the operations of the telecommunications infrastructure itself.
The FCC has a separate CPNI breach notice rule for providers of telecommunications relay services (TRS). 47 C.F.R. § 64.5111. (TRS are telephone transmission services that provide the ability for individuals who are deaf, hard of hearing, deaf-blind, or who have a speech disability to engage in communication by wire or radio with one or more individuals, in a manner that is functionally equivalent to the ability of a hearing individual who does not have a speech disability.) The January 2023 NPRM proposed changes to the TRS data breach reporting rule consistent with those proposed to the CPNI breach reporting rule.
For the definition of CPNI under the general FCC breach notice rule, 47 C.F.R. § 64.2011, the correct cite is 47 U.S.C. § 222(h)(1).
— Publicly Owned Companies
See updates to chapter 9.2.17 for a proposed SEC rule that would require publicly owned companies to give public notice, through the disclosure processes under the securities laws, of material cybersecurity incidents. First notice would have to be provided within four days and would have to be updated thereafter.
3.2.1 Definition of Personal Information
In July 2021, in Public Act No. 21-59, Connecticut amended its definition of personal information. Under the “first name or first initial and last name in combination with” prong, it added in combination with taxpayer ID number, passport, military or other government ID number, medical information, health insurance identifier, or biometric data. It added a new standalone prong: user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
3.2.4 Responsibility of Third Party Vendors
Third party vendors and their customers (the consumer-facing business) must be explicit with each other about who is responsible for what, in terms of notice, in the event of a breach. Moreover, third party vendors need to follow up with their customers to see if they gave notice. Those seem to be two lessons of the settlement that 27 states and the Sabre Corp. entered into in December 2020. Sabre runs a reservation system for hotel chains. When it suffered a breach, it notified the hotel chains (after some delay) and then left the matter of any notice to the hotels. Under most if not all state laws, that would seem to have fulfilled Sabre’s duty as a third party vendor (leaving aside the lack of promptness), but the state attorneys general were not satisfied. The settlement requires Sabre to “include in any future contract for travel services the roles and responsibilities to be undertaken by SABRE and the counterparty in the event of a breach.” Further, if Sabre does not provide notice directly to consumers, it shall ask its hotel chain customers whether they are going to provide notice and when.
3.2.5 Notice to State Attorney General
A few state laws require reporting to government officials in addition to the Attorney General. Arizona’s breach notice law has long required, in cases affecting more than 1,000 individuals, notice to the state Attorney General and the three largest nationwide consumer reporting agencies; a 2022 amendment to the law requires an entity that suffers a breach affecting more than 1,000 Arizona residents to also notify the Arizona Department of Homeland Security. The New York state law, section 899-aa of the General Business Law, requires notice to the state Attorney General, the State Police, and the Department of State's Division of Consumer Protection.
3.2.7 When to Notify
In July 2021, Connecticut reduced its deadline for notice from 90 days to 60. See Public Act No. 21-59. Also, Connecticut law had said that notice had to be given within the specified number of days “after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section [delay for a reasonable period of time upon request of a law enforcement agency on the ground that notification will impede a criminal investigation] and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system.” The final clause (beginning “and the completion of an investigation”) had suggested that notice could be delayed for a very long time as the data controller buttoned down all aspects of the attack and restored its system. The 2021 amendment deleted that clause, indicating that notice should begin upon the 60th day after discovery (subject to any law enforcement-requested delay). New language made it clear that additional affected persons identified after the 60-day deadline should be notified on a rolling basis “as expediently as possible.”
[New subchapter:] 3.4 Notice to Law Enforcement
Notice to, and cooperation with, law enforcement (often meaning the FBI) has become a best practice in the event of a breach and almost essential to mitigate legal risk:
“… a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.” FTC Business Blog, If the FTC comes to call (May 20, 2015).
“Companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.” Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents (2018).
Guidance to insurance companies issued by the New York State Department of Financial Services states: “Cyber insurance policies should include a requirement that victims notify law enforcement.” NYS DFS, Cyber Insurance Risk Framework, Insurance Circular Letter No. 2 (Feb. 4, 2021).
“In the case of ransomware payments that may have a sanctions nexus, OFAC [the Treasury Department’s Office of Foreign Assets Control] will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response. OFAC will also consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack — e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible — to be a significant mitigating factor.” OFAC, Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Sept. 21, 2021) at 5.
Insurance regulators took into account the timely and effective breach response of Anthem health insurance company, including the fact that “Anthem promptly communicated and cooperated with law enforcement and regulators,” in deciding not to impose fines or penalties on the company in connection with the massive 2015 breach it suffered. See Regulatory Settlement Agreement (2016).
Last updated: Oct. 19, 2024.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.