In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. CISA is the primary risk advisor on critical infrastructure, and FIO is the federal monitor of the insurance sector.

The GAO prepared this report pursuant to the Terrorism Risk Insurance Program Reauthorization Act of 2019, which, among other things, directed the GAO to conduct a study on: (1) the risks and potential costs of cyberattacks to U.S. public and private infrastructure; (2) whether states’ definition of cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber terrorism; (3) whether such risks can be adequately priced by the private market; and (4) whether the risk-share system established under the Terrorism Risk Insurance Act of 2002, which created the Terrorism Risk Insurance Program (TRIP), is appropriate for covering cyber terrorism events.

In the report, the GAO highlighted the significant and growing cybersecurity risks facing U.S. critical infrastructure and examined how the insurance market against cyberattacks is evolving, often in a way that means less coverage against potentially catastrophic financial losses. The report noted that although cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from cyberattacks with systemic effects. Coverage under TRIP, which requires the federal government to share certain insured losses with private insurers in the event of an act of terrorism, is limited to attacks that meet certification criteria specified by the program, among other requirements. As the GAO notes, even very large cyberattacks on critical infrastructure resulting in catastrophic losses and risk to national security might not be covered if they do not meet all the certification criteria. For example, one criterion is that the event must be a “violent act or an act that is dangerous” to human life, property, or infrastructure. Even though a data breach or denial of service attack may result in stolen data or IT system disruption, it may not necessarily be a violent act or dangerous to human life, property, or infrastructure. To date, the federal government has not certified any such acts of terrorism.

The report also noted that while CISA and FIO have taken some steps to understand the financial implications of cyber risk, neither agency has fully assessed the extent to which the risks to the nation’s critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response. In their comments to the report, both DHS and Treasury agreed with the GAO’s recommendation to work together to produce such an assessment for Congress. DHS stated that it would review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Information Act of 2022 (previously discussed here), once available, and work with Treasury in the interim to determine other data needed. Treasury confirmed that it had reached out to DHS to begin collaboration on this effort.

The Third Circuit recently issued an opinion upholding the federal cyber-stalking statute against a constitutional challenge in United States v. Ho Ka Yung. Yung was convicted of cyber-stalking after he instituted a campaign of harassment against a Georgetown Law alumnus interviewer and his family. Though he pled guilty, Yung preserved the right to appeal his conviction on the grounds that 18 U.S.C. §2261(A)(2), the federal statute criminalizing cyber-stalking, is unconstitutional because it criminalizes speech protected by the First Amendment. The Third Circuit upheld Yung’s conviction, finding that a narrower reading of the statute prevented the majority of protected speech from being swept into its purview.

The facts of this case serve as stark example of the real harm that can be inflicted through online behavior.

A year after being denied admission at Georgetown Law, Yung began a campaign of harassment online against the Georgetown alumnus who had interviewed him as part of the application process. Yung published false obituaries for the interviewer’s wife and son, created false social media profiles associating the interviewer with the Ku Klux Klan, and published blog posts in the interviewer’s name that bragged of raping women, a boy, and an eight-year-old girl. Yung posed as a female Georgetown applicant, accusing the interviewer of sexual assault. Yung’s harassment also targeted the interviewer’s family. Impersonating the interviewer’s wife, Yung published online ads, in one instance seeking a sex slave and instructing a man who responded to spy on the family, and in another instance claiming that she wanted men to use weapons to physically threaten her before initiating forcible sex. As a result of some of these ads, unknown men came to the interviewer’s home in the middle of the night on three consecutive nights. The online harassment caused real-life threats to the family’s safety.

In his First Amendment challenge, Yung did not argue that the conduct he was convicted for was protected by the First Amendment. Instead, Yung argued that the statute as a whole should be struck down for overbreadth because a significant portion of what it criminalizes is protected conduct. Statutes will only be found facially invalid when they prohibit a wide range of constitutionally protected activity in relation to their legitimate sweep. Courts are reticent to invalidate entire statutes, and as the Third Circuit demonstrated this week, the principle of constitutional avoidance dictates that when several interpretations are available, courts should choose the one that permits a statute to withstand a constitutional challenge.

The challenged federal cyber-stalking statute contains three elements. A person can be convicted if they (1) “use [] the mail, any interactive computer service or … system …, or any other facility of interstate or foreign commerce” at least twice, (2) do so “with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person,” and (3) put the victim “in reasonable fear of … death … or serious bodily injury,” or “cause[], attempt[] to cause, or … be reasonably expected to cause substantial emotional distress.” §2261(A)(2). Yung argued that this statue was unconstitutionally overbroad because it would criminalize mere online “trolling,” including large amounts of constitutionally protected speech like harsh political criticism or negative reviews of literary or artistic endeavors.

In its decision this week, the Third Circuit acknowledged that this broad reading is a plausible – if not the most natural – interpretation of the statute. Both “harass” and “intimidate” can be defined to cover a range of conduct that would clearly be protected by the First Amendment. Nonetheless, applying the doctrine of constitutional avoidance, the court interpreted both terms narrowly. The court held that to “intimidate” for the purposes of §2261(A)(2), a defendant must have put the victim in fear of bodily injury; to “harass,” the defendant must “distress the victim by threatening, intimidating, or the like.” Under these definitions, which the court referred to as “criminal” definitions of harassment or intimidation, the statute is not unconstitutionally overbroad.

While the facts of Yung exemplify the need for regulation of online behavior, the questions raised by the appeal demonstrate the challenges of drawing appropriate contours for that regulation.

The intent, action, and result elements of the cyber-stalking statute were all clearly met in Yung. Yung created countless pieces of threatening and abusive content targeting his victim, and he intentionally sent people to harass and threaten his victim’s family. In many cases, however, real harm will be effected online where one or more of the statute’s elements are murkier. The Third Circuit’s refined definitions of criminal harassment and intimidation may govern those cases, but the questions about how and where to draw the line when regulating online speech will continue to challenge courts. This week’s decision affirms that the constitution permits the government to use intent to intimidate or harass as tools for drawing that line.

The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year.  Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year.  Not surprisingly, this surge in crypto breaches has led to litigation.  In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and Margie Peerce discuss the emergence of  “crypto breach” litigation.  

They discuss the causes of action, defenses, and pro-active steps that companies can take to prepare for litigation in the wake of a crypto breach, including how to recover stolen crypto funds.

The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm.  According to the FTC, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act—“[r]egardless of whether a breach notification law applies.”

If read as a requirement to report breaches that otherwise don’t meet state reporting obligations, the FTC’s position would constitute a significant expansion of breach notification obligations in the United States.  This has raised eyebrows in privacy circles as a blog post is not a typical mechanism for announcing new guidance.  It could also further complicate the analysis of whether notification is necessary by introducing a subject element on top of the 50-state statutory framework.

But there is reason not to read the blog post quite so broadly.  Indeed, the blog post cites to four recent enforcement actions—all of which involved situations where notification was required by state breach notification statutes.  Two of those cases (CafePress and Uber) included allegations that the businesses had failed to notify consumers for several months, and even more than a year, after the breach.  The other two cases (SpyFone and SkyMed) included allegations that the businesses misled consumers through their public statements about their respective security breaches.

In other words, the cited enforcement actions are fundamentally delayed reporting or deceptive practice cases that give rise to consumer injury.  None of the cases cited by the FTC appear to involve breaches in which the defendant company did not have any state or federal reporting obligations.  Viewed in this light, the FTC blog post may not be articulating a new standard requiring companies to publicly report breaches that don’t otherwise require reporting, but rather highlighting that companies that delay reporting without a legal basis or mislead consumers about the status of a breach investigation increase the potential for consumer harm and therefore can constitute a violation of Section 5 of the FTC Act. 

In any event, while the FTC’s blog post may not signal a drastic new breach reporting obligation, it does likely signal that the FTC intends to be a prominent player in the breach response, data security, and privacy fields.  Businesses would therefore be wise to ensure that their practices are compliant and properly documented before crises strike. 

In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently.  The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting.  The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA

The proposed regulations are broken into nine (9) substantive areas: General Provisions, Required Disclosures to Consumers, Business Practices for Handling Consumer Requests, Service Providers, Contractors and Third Parties, Verification of Requests, Special Rules Regarding Consumers Under 16 Years of Age, Non-discrimination, Training and Record Keeping, Investigations and Enforcement.  Notably absent are regulations relating to automated profiling, cybersecurity audits, and privacy risk assessments—all areas where guidance was largely expected. 

In general, the draft regulations are dense and highly technical, nearly doubling in length the current CCPA regulations.  And, the regulations may actually grow if subsequent drafts incorporate new sections that are not in the first draft.  In any event, if implemented in their proposed form, the CPRA regulations will require a substantial expansion of privacy compliance operations for many businesses subject to the law.  The details, potential compliance problems, technical requirements, and unanswered questions are far too numerous to address in a single blog post.  Over the next few weeks, we intend to analyze the proposed regulations in more detail, focusing on specific subject matter areas. 

At this stage, here our initial take-aways.

The Proposed Regulations Are Highly Pro-Consumer

Even for a privacy law as expansive as the CPRA, the proposed regulations are strikingly pro-consumer, capturing an array of concerns and proposals that privacy advocates have been articulating for several years.  The proposed regulations, for example, have detailed data minimization requirements that not only require businesses to collect, use, retain and share personal data in a manner consistent with the expectations of the average consumer, but would require businesses to obtain new consumer consent if they process personal data in a manner that isn’t consistent with these consumer expectations.  This form of the consumer right is not explicitly provided by the CPRA, and it could create significant operational costs for businesses.

Likewise, the proposed regulations explicitly address the use of “dark patterns” that limit consumer autonomy through subtle steering techniques.  The regulations provide a number of illustrative examples of prohibited dark patterns, such as consent banners that provide choices such as “Accept All” and “Ask Me Later” that are not symmetric or equal.  Businesses are also prohibited from providing mechanisms for exercising consumer rights that are more difficult in degree than the steps required for exercising pro-business options.  Font size for privacy policy links have to be no smaller than that used by businesses for other links.  There are prohibitions against the use of unnecessary jargon, and examples of disclosures that are confusing to consumers.  These proposals signal the CPPA’s focus on transparency and elimination of unnecessary and confusing privacy disclosures.  In addition to the substance of their disclosures, businesses will need to consider the presentation of consumer choices.

New Consumer Rights Will Require Big Compliance Changes

Not surprisingly, some of the most significant proposed regulations focus on the technical details surrounding the new rights the CPRA extends to consumers; specifically, the rights to opt out of the sharing of personal information, to limit the processing of sensitive personal information, and the right of correction.  The regulations contains many pages of details explaining businesses’ options for enabling consumers to exercise these rights that are likely to trigger compliance headaches.

The new right of correction, for example, will require many U.S. based companies to build new intake and processing mechanisms.  Whether a business must honor a correction request, the records that it may need to provide consumers to justify a decision not to honor a correction request, and the documentation to support a business decisions not to correct may require an adjudication process not dissimilar to FCRA correction mechanisms.  For companies that rely on personal data provided by third parties – as opposed to its own records – the correction process is even more complex.

In one of the few pro-business amendments, the proposed regulations do introduce a “disproportionate effort” defense for companies facing overly burdensome consumer request.  But in keeping with the general pro-consumer tilt of the CPRA, the standard for using this defense to a consumer request is high and requires companies demonstrate that the cost of compliance “significantly outweighs” the benefit to the consumer of honoring a request.  Business that fail to establish adequate procedures for honoring consumer requests cannot claim a disproportionate effort.

Regarding the new opt out rights, the regulations contemplate that businesses can enable these rights via “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or via a “My Privacy Rights” link that combines these different opt out rights or by recognizing browser opt out signals.  In fact, the proposed regulations make it mandatory for businesses to honor opt out signals when those signals become commonly used by businesses. The latter requirement appears to go beyond the text of the CPRA , which makes recognition of opt out signals optional. Notably, the proposed regulations explicitly reject the use of cookie banners as a mechanism for enabling opt outs for the sale or sharing of personal information on the grounds that the opt out only addresses collection of personal data, not sale or sharing.

One thorny operational issue involves the processing of browser opt out signals that conflict with specific privacy settings chosen by consumers, for example with loyalty programs where consumers consent to providing certain personal information.   In many cases, these conflicts must be resolved in favor of maximizing opt out rights unless the business obtains additional consumer consent.  The operational complexity of enabling opt out rights may trigger deeper consideration about what ad tech models businesses may want to utilize once the CPRA becomes effective.

First Party Obligations Are Now Third Party Obligations

One of the more notable ways in which the CPRA broadens consumer privacy rights is through the expansion of obligations on third parties.  Whereas the CCPA required that businesses push certain privacy obligations onto service providers through required contractual language, the CPRA goes even further by introducing “contractors” as a new category of service provider and expanding the provisions that must be included in a contract with a service provider or contractor to avoid vicarious liability.  The proposed regulations does allow a service provider or contractor to use personal data of consumers to improve its own applications.

The proposed regulations also modify the safe harbor afforded to businesses that meet the contractual requirements for service provider and contractor agreements by noting that businesses that don’t conduct any due diligence or auditing of their service providers or contractors may not be able to argue that they were unaware of a contractual violation. 

The proposed regulations also impose new obligations on third parties in a number of different ways.  Third parties that collect personal data on first party platforms are required under the proposed regulations to provide a notice at collection to these consumers, which is a wholly new obligation.  Businesses must also forward opt out requests, as well as consumer deletion requests to third parties processing that consumer’s personal data.  Third parties, in turn, must honor opt out requests unless they become a service provider or contractor and honor deletion requests.  Third parties that recognize browser opt out signals on first party sites must also honor the opt-outs.  In addition, the proposed regulations impose new contractual requirements for third parties subject to the CPRA.

The combined effect of these expanded obligations on service providers, contractors and third parties is to broadly share compliance obligations across the entire ecosystem in which a consumer’s data flows.  Businesses thus must analyze their own obligations as first parties as well as obligations they may face as third parties receiving consumer data through sharing arrangements.  Among other things, these expanded obligations will require improved data tracking and communication with third parties. 

Use of Third Parties Tools May Be Unavoidable For Some Companies

There are numerous provisions in the proposed regulations that incentivize, make easier or essentially require the use of third party tools.  For example, the regulations remove a requirement that authorized agents be registered in the state of California, opening the door for more third party services to serve as agents to help Californians exercise their consumer rights.  This change, coupled with the expansion of consumer rights under the CPRA – as well as four other state privacy laws – makes it quite likely that businesses will experience a significant surge in consumer requests once the CPRA becomes effective. 

Perhaps the most impactful proposed regulation, as noted, is the requirement that businesses honor opt out signals when they become commonly used.  When the technology  evolves to that point, it is likely businesses will need to utilize new tools to process browser opt out signals.  The proposed regulations appear to incentivize businesses to recognize these signals by allowing businesses who do so in a “frictionless” manner (a newly defined term) to avoid the need to separately provide Do Not Sell or Share and similar links on the website, provided that personal data is not sold or shared off-line.

The new requirements imposed on third parties will require enhanced data tracking, documentation, and communication with first parties.  For many business, it may not be possible to meet these enhanced technical requirements without the use of third party privacy compliance tools. 

CPRA Regulations May Complicate Plans for a Singular Approach to Privacy Compliance

Even before the release of the proposed regulations, California was arguably the most pro-consumer privacy law in the U.S.  The proposed regulations, as noted, moves the law in a decidedly more pro-consumer way.  Other states laws, particularly Utah and Virginia, are more business friendly and will not be subject to the same kind of detailed rule-making as California.  It is therefore a distinct possibility that when the CPRA regulations are finalized, they will impose significantly more onerous requirements than other states.

The complexity of the proposed CPRA regulations may cause companies to think twice about plans to adopt a singular “most restrictive law” approach to complying with the five new U.S. state privacy laws that become effective in 2023.  Much will depend on what shape the final CPRA regulations take and how closely other states hew to the CPRA model.  Colorado is also going through a rule-making process for the Colorado Privacy Act (CPA) and if the state lands somewhere close to California in its rule making, the calculus may again shift toward a singular model for businesses that are subject to multiple state privacy laws.  If other states pass Utah-style privacy laws in 2022 or 2023, businesses may begin to balkanize their privacy compliance programs.  The potential for this schism may push Congress to pass a federal privacy law.

Needless to say, there is more to come.  As businesses fully digest the proposed CPRA regulations, we are likely to see a significant push by the business community for relaxation of the proposed regulations.  We will provide more analysis about particular proposed regulations in the near future. 

The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations.  To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft comes in the form of a 66 page redline of the current CCPA regulations.

At this time, it is unclear how final these draft regulations are or what additional changes will be made prior to them being officially released for public comment.  However, this initial draft may provide useful insight into their current status and possible trajectory.

As discussions surrounding these regulations develop, we will be releasing a series of posts addressing the specific elements we expect to have the biggest impact on businesses operating in California.

In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make.  This is an area of increased risk for online retailers, digital platforms and tech companies, among others.   Make sure to regularly check the CyberAdviser blog for more 15-20 minute webcasts on emerging trends in the privacy and data security world.

Connecticut is the next in a growing list of states to pass comprehensive data privacy legislation.  Last Friday, the Connecticut legislature passed, by large margins, Senate Bill 6 — which we are referring to as the Connecticut Data Privacy Act (CTDPA).  The law now awaits the Governor’s signature.

The CTDPA follows the form and content of other privacy laws passed in the prior year, including the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Privacy Act (UPA).  California, of course, passed the California Consumer Privacy Rights Act (CPRA) via ballot initiative in 2020.  All of these laws will become effective in 2023. Continue Reading Connecticut Poised To Become Fifth State to Enact a Privacy Law

Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022.  While companies subject to other state’s auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders, the Colorado law goes a step further by imposing notice obligations on month-to-month renewals.

Under the Colorado law, any automatic renewal contract must make the renewal terms and cancellation policy “clear and conspicuous” before the contract is accepted.  Clear and conspicuous is defined to mean in larger type than the surrounding text; in contrasting type, font, or color to the surrounding text of the same size; or set off from the surrounding text of the same size by symbols or other marks in a manner that clearly calls attention to the language.  The Colorado law also prohibits use of a link to present the offer unless it clearly discloses that it is a renewal contract.

The Colorado law also requires companies to provide a simple, cost-effective, easy-to-use mechanism for cancelling an automatic renewal contract or trial period offer.  Companies can comply with this requirement through a one-step online cancellation link that is located on the website and available immediately or after the consumer completes a reasonable authentication protocol.

However, perhaps the most notable aspects of the Colorado law are the provisions relating to ongoing reminders.  Similar to previously-existing laws in other states, contracts of one year or more require a renewal notice to be sent between twenty-five and forty days prior to each renewal.  But, the Colorado law also requires such notices for shorter contracts—e.g., month-to-month contracts—with such notice being given twenty-five to forty days before the anniversary of the initial enrollment.  This structure is similar to the new Delaware law, but that law applies only to merchandise and is therefore significantly narrower than the Colorado law.

The Colorado law contains various exemptions, including services regulated by the Federal Communications Commission, entities regulated by the Division of Insurance, bank or bank holding companies, financial institutions licensed under state or federal law, and air carriers.

 

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. These tightened reporting obligations raise new challenges for financial institutions who must not only ensure that their own programs are aligned with the new requirements, but also be certain to pass along reporting obligations to service providers.

The abrupt shift in reporting obligations comes after an extended period of time when most financial institutions faced consistent reporting obligations. In 2005, the federal prudential regulators—including the Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Rather than specifying the number of hours or days within which a financial institution must report, the guidance allowed covered financial institutions to notify their primary federal regulator and affected customers “as soon as possible” after the discovery of incidents involving unauthorized access to or use of sensitive customer information.

Contrast this with the final rule issued by the Federal Reserve, FDIC, and OCC last November, which requires covered banking organizations to report within 36 hours after determining the occurrence of certain significant computer-security incidents. The final rule also requires bank service providers to notify their banking organization customers as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is likely to materially disrupt or degrade covered services for four or more hours.

Additionally, on March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, previously covered here, which requires entities in a critical infrastructure sector (which can include financial institutions) to report to the Cybersecurity and Infrastructure Security Agency (CISA) certain cyber incidents within 72 hours and ransomware payments within 24 hours of the payment. The Securities and Exchange Commission (SEC) recently published several proposed rules that would require various regulated entities to disclose certain cybersecurity-related incidents. The Federal Trade Commission (FTC) also tossed its hat into the ring and issued a proposal last December to require covered financial institutions to notify the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers.

Below is a summary of the new reporting obligations proposed or soon to be effective for financial institutions:

Law/Proposal Who Reports To Whom Reporting Timeline Status/Effective Date
Final Rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers Banking organizations regulated by the Federal Reserve, FDIC, or OCC 

 

 

 

 Federal Reserve, FDIC, or OCC, depending on which agency is the banking organization’s primary federal regulator Report as soon as possible, but no later than 36 hours after determining a “notification incident” has occurred. A “notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: 

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

 

 Effective date: April 1, 2022. 

Compliance date: May 1, 2022.

On March 29, 2022, the Federal Reserve, FDIC, and OCC issued further guidance on the reporting requirements.

 
Bank service providers The affected banking organization Bank service providers must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. If a banking organization customer has not previously provided a bank-designated point of contact, the bank service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. 

 
Cyber Incident Reporting for Critical Infrastructure Act of 2022 Entities in a critical infrastructure sector (including those in the financial services sector, such as certain depository institutions, insurance companies, and financial services companies). The types of entities that constitute covered entities are to be further described in the forthcoming rulemaking process. 

 

 CISA Report a “covered cyber incident” not later than 72 hours after the covered entity reasonably believes that such an incident has occurred. A “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria to be set by the CISA Director in the forthcoming rulemaking process. 

Report a ransomware payment not later than 24 hours after the payment.

 

 

 Enacted March 15, 2022. The new reporting obligations will not take effect until the CISA Director promulgates implementing regulations.
Proposed Rule, Standards for Safeguarding Customer Information Financial institutions subject to the FTC’s jurisdiction. This includes mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the SEC, and entities acting as finders. 

 

 FTC Notify as soon as possible and no later than 30 days after the discovery of any security event where the financial institution has determined misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected. Comment period closed February 7, 2022.
Proposed Rule, Amendments to Form PF To Require Current Reporting and Amend Reporting Requirements for Large Private Equity Advisers and Large Liquidity Fund Advisers Large hedge fund advisers 

 

 

 

 

 

 SEC File a current report via Form PF when a hedge fund that the adviser advises, with a net asset value of at least $500 million, experiences certain stress events. Such reporting events include when the adviser or reporting fund experiences a “significant disruption or degradation” of the reporting fund’s “key operations,” which could include cybersecurity events. File such current report within one (1) business day of the occurrence of such an event. 

 

 Comment period closed March 21, 2022.
Proposed Rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies Investment advisers registered or required to be registered under 15 U.S.C. § 80b-3 SEC Report the significant cybersecurity incident affecting the adviser or its fund or private fund clients promptly, but in no event more than 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring, by filing Form ADV-C electronically on the Investment Adviser Registration Depository. 

Amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after: (i) previously reported information pertaining to a significant cybersecurity incident becomes materially inaccurate; (ii) new material information pertaining to a previously reported significant cybersecurity incident is discovered; or (iii) the incident is resolved or related internal investigation is closed.

Publicly disclose in their brochures and registration statements cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years.

See further discussion of the proposal here.

 

 Comment period closed April 11, 2022.
Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (which include public financial institutions) SEC Report via Form 8-K material cybersecurity incidents within four (4) business days after the registrant determines that it has experienced a material cybersecurity incident. 

Provide updated disclosures via the registrant’s quarterly report (Form 10-Q) or annual report (Form 10-K) relating to previously disclosed cybersecurity incidents. Disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate.

For foreign private issuers, disclose material cybersecurity incidents via Form 6-K and Form 20-F.

See further discussion of the proposal here.

 

 Comment period closes May 9, 2022. 

 

Managing and meeting these new deadlines—and keeping track of the different content and submission requirements associated with each disclosure—can be challenging. Additionally, these requirements may trickle down even to companies not directly regulated by the above agencies, as many financial institutions may consider new default rules, such as requiring 24-36 hour reporting across the board for their service providers. As the cybersecurity regulatory landscape continues to evolve, companies should review their third-party service provider arrangements and incident response plans and stay on top of legislative and regulatory developments to ensure they are in a good position to meet increased expectations and accelerated reporting timelines.