Federal Cyber Breach Reporting Rules Reach an Uneasy Balance

By Skye Witley

New data breach notification rules from the US Federal Trade Commission underline the growing tension between the government's efforts to increase its understanding of national cybersecurity threats and its efforts to reduce overlap among dozens of reporting regulations.

The consumer protection agency on Friday announced finalized amendments to its Safeguards Rule requiring lenders that aren't banks, including mortgage brokers and auto dealers, to report information about the scope of security incidents affecting the unencrypted data of 500 or more customers as soon as possible, and within 30 days at most.

Companies that retain consumers' sensitive data can be subject to an array of more than 50 security incident reporting rules at the federal level alone. The FTC issued the new requirements as several arms of the executive branch work to streamline duplicative rules and strengthen the nation's cybersecurity posture more broadly. But even slight variations in when businesses must report a breach, and with what detail, can complicate compliance and add to companies' to-do lists during the critical days immediately after a cyberattack.

"It is a difficult patchwork to know all the different entities, depending on what industry you are in, that you have to notify after a security incident," said Linn Freedman, a cybersecurity compliance partner at Robinson & Cole LLP.

The US Homeland Security Department reached a similar conclusion in a Sept. 19 report, finding that variances in how a breach is defined and what triggers a report presented one of the most significant challenges to harmonization.

The FTC has said the additional reporting requirements will equip it with new information about emerging data security threats as it broadens its cybersecurity regulatory efforts in step with the Biden administration.

But adding one more regulator relationship to manage if a cyber incident occurs will be a key compliance stressor for companies, said Nick Sanna, the president of the FAIR Institute, a nonprofit that provides resources for measuring information risk.

"The market is screaming for simplification; just adding to it goes in the opposite direction," Sanna said.

The updated Safeguards Rule extends the Federal Trade Commission's reach for regulating cybersecurity onto a new set of businesses that will have to update their incident response plans to comply, said Melissa Krasnow, a partner at VLP Law Group LLP who advises financial services providers on cybersecurity compliance.

The changes will affect businesses covered by the Gramm-Leach-Bliley Act of 1999, including payday lenders, insurance providers, loan collection agencies and tax preparation firms.

"A lot of entities which may not have thought of themselves as being regulated would be regulated. The issue is whether they're aware they're regulated and are complying," Krasnow said.

The FTC's new reporting requirements will take effect six months after the agency publishes the amendments in the Federal Register. That means companies have some time to determine whether they're regulated and how best to comply, she said.

Data breach reports will need to include details explaining what categories of information were breached, for how long, and an estimated number of affected consumers.

In analysis attached to the finalized amendment, the commission explained that the new information would hasten the agency's ability to spot breaches deserving further investigation and save resources by eliminating the need to continually search for breach notifications posted by other sources.

"A lot of regulators, including the FTC, often don't know when there's noncompliance or lack of compliance until there's a breach," Krasnow said.

One phenomenon the FTC's information-gathering efforts could illuminate is the extent of internal data leaks that don't involve a malicious actor hacking into a company's systems, according to Sanna.

Lenders should prepare to implement new processes for gathering and reporting cyberattack information to ensure their compliance with the amended rule, he said.

"I'm not sure that a majority of those nonbank financial institutions have such granular data management practices in place," Sanna said.

Holding such businesses to higher data management standards could help address a cyber resiliency concern banks have expressed in response to an open banking proposal the Consumer Financial Protection Bureau is championing.

The CFPB's proposed rule would provide greater access to financial data for fintech third parties such as the mobile payment service Venmo, but banks have expressed worry about how well those entities, which are subject to less stringent cybersecurity regulation, might protect or use the data.

The new amendments show that the FTC continues to push the envelope regarding expectations for nonbank financial services providers, said financial regulations counsel Jonathan Joshua of Joshua Law Firm LLC.

But those debating the CFPB proposal shouldn't expect the FTC's rules to fully resolve their questions.

The concerns raised by financial institutions go beyond the notification process for a breach, said Peter Dugas, who leads a regulatory intelligence center at advisory firm Capco RISC, in an email to Bloomberg Law.

"Addressing their full concerns would require additional data standards, terms of access, record keeping duration periods, minimum data security programs and litigation protections for third-party breaches," Dugas said.

Several groups that submitted comments to the FTC on the proposed Safeguards Rule changes expressed worry that yet another federal reporting requirement would divert attention away from responding to data breaches rather than help streamline compliance.

The FTC contends that reporting breaches to the agency won't be burdensome because companies already have to collect similar information under breach-reporting requirements in all 50 states.

The US Cybersecurity and Infrastructure Security Agency plans to publish a proposed rule set next year requiring the financial sector and 15 other critical infrastructure sectors to report security breaches to the agency within 72 hours of discovery, and paid ransoms within 24 hours.

The rulemaking at CISA, part of the Homeland Security Department, could help centralize cybersecurity data reported by lenders and others, said Justin Herring, a partner at Mayer Brown LLP practicing in cybersecurity regulation. Whether it will make reporting easier in practice is another question.

"What I think is much more uncertain is whether or not the CISA rule will make the reporting obligations that companies have actually streamlined," Herring said.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Adam M. Taylor at ataylor@bloombergindustry.com; Tonia Moore at tmoore@bloombergindustry.com