When Does Data Breach Notification Go Beyond State Laws?
If anything is made clear by the wide variety of state data breach laws, it's that the proper disclosure of a data breach often varies depending on where your organization is located, whether or not the breach was found to be harmful, and the number of parties or individuals affected. Depending on these factors, state laws may deem it necessary for organizations to not only notify the affected parties of a breach, but also consumer reporting agencies (CRAs), law enforcement, and even their state's Attorney General.
Occasionally, however, even following these notification procedures isn't enough. Depending on the types of data that were compromised in the breach, organizations may also be obligated to comply with supplementary state and federal rules and regulations that carry additional notification requirements. The rules and regulations that follow are among the most notable of these supplementary measures.
Final Data Breach Rules and Regulations
In this context, a "final rule" refers to the final stage in the Executive rulemaking process. Final rules created by federal agencies generally take effect no less than 30 days after they are published in the Federal Register, unless otherwise specified. State agencies follow a similar rulemaking process. The following rules and regulations have been finalized and are currently being enforced.
HIPAA Breach Notification Rule - 45 CFR §§ 164.400-414
- Who the rule applies to: All HIPAA-covered entities (and their business associates) that handle unsecured protected health information.
- Who is notified: All affected individuals, the media (if 500 or more individuals were affected), and the Secretary of Health and Human Services (HHS).
- How long organizations have to disclose the breach: All affected individuals and the media (if applicable) must be notified without unreasonable delay, but no later than 60 days after discovery of the breach. If fewer than 500 individuals were affected, the Secretary must be notified within 60 days after the end of the calendar year. If 500 or more individuals were affected, the Secretary must be notified without unreasonable delay, but no later than 60 days after discovery. All notifications to the Secretary are submitted through the Department of Health & Human Services website.
FTC Breach Notification Rule - 16 CFR §§ 318.1-9
- Who the rule applies to: All foreign and domestic vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that maintain information of U.S. citizens or residents, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act. The rule does not apply to HIPAA-covered entities or their business associates.
- Who is notified: All affected individuals, the media (if 500 or more individuals were affected), and the Federal Trade Commission via its notification form.
- How long organizations have to disclose the breach: All affected individuals and the media (if applicable) must be notified without unreasonable delay, but no later than 60 days after discovery of the breach. If fewer than 500 individuals were affected, the FTC must be notified within 60 days after the end of the calendar year. If 500 or more individuals were affected, the FTC must be notified within 10 business days of discovery of the breach.
NYDFS Cybersecurity Regulation - 23 NYCRR Section 500.17
- Who the rule applies to: All financial services companies regulated by the New York Department of Financial Services.
- Who is notified: Superintendent of the New York Department of Financial Services.
- How long organizations have to disclose the breach: The Superintendent must be notified within 72 hours of a determination that a Cybersecurity Event has occurred.
Other Notable Data Breach Requirements and Guidance
While the rules and regulations above come from state and federal agencies and are more concrete in nature, the following data breach notification requirements and guidance either do not originate from Executive branch agencies or are less precisely defined.
FINRA Rules Related to Cybersecurity - Rule 4530(b) Reporting Requirements
- Who the rule applies to: All broker-dealers, capital acquisition brokers, and funding portals regulated by FINRA.
- Who is notified: FINRA
- How long organizations have to disclose the breach: Promptly, but "not later than 30 calendar days, after the member has concluded or reasonably should have concluded that an associated person of the member or the member itself has violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization."
SEC Corporation Finance Disclosure Guide: Topic No. 2
- Who the guidance applies to: Registrants and members of the legal and accounting professions.
- This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission.
H.R.2471 - 117th Congress (2021-2022): Consolidated Appropriations Act, 2022.
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted as part of the Consolidated Appropriations Act, 2022, directs CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.
- CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of any final rule that may be published in the future.
Proposed Data Breach Rules and Amendments
Finally, the following proposed rule and amendment are, like most of the rules, regulations, and guidance listed above, products of the Executive rulemaking process, but they have not been finalized or published in the Federal Register as final rules. If they were to be published as final rules in the future, the following is what they would require.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure - Proposed Rule
- Who the proposed rule would apply to: All public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
- Who would be notified of a breach: U.S. Securities and Exchange Commission
- How long organizations would have to disclose the breach: If the cybersecurity incident is determined to be "material," within four business days.
Amendment to NYDFS Cybersecurity Regulation - 23 NYCRR Section 500.17
- Who the rule would apply to: All financial services companies regulated by the New York Department of Financial Services.
- Who would be notified: Superintendent of the New York Department of Financial Services.
- How long organizations would have to disclose the breach: The Superintendent must be notified within 72 hours of a determination that a Cybersecurity Event has occurred. Additionally, any information requested regarding the investigation of the Cybersecurity Event must be submitted to the Superintendent within 90 days of discovery of the event.