On October 27th, the Federal Trade Commission (the “FTC”) announced that it approved an amendment to the Safeguards Rule promulgated under the federal Gramm-Leach-Bliley Act (the “Safeguards Rule”) requiring non-bank financial institutions subject to the FTC’s jurisdiction to report to the FTC data breaches affecting 500 or more people (the “Amendment”). 

The Safeguards Rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep customer information safe. In the process of adopting certain amendments to the Safeguards Rule in October 2021, the FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The Amendment is the final version of the 2021 proposed supplemental amendment.

The Amendment requires financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 people. A security breach will trigger the notification requirement if unencrypted “customer information” has been acquired without the authorization of the individual to which the information pertains. The Safeguards Rule defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.” Note that the terms “nonpublic personal information” and “customer” have nuanced definitions in the Safeguards Rule.

The Amendment provides that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The notice to the FTC required by the Amendment must be submitted electronically on a form found on the FTC’s website, and it must include certain information about the event, including: 

  • a description of the types of information involved;
  • the date or date range of the data breach (if known);
  • a general description of the data breach; and
  • the number of consumers affected or potentially affected.

The Amendment becomes effective 180 days after publication in the Federal Register.

Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information security programs. The FTC issued a Notice of Proposed Rulemaking proposing these changes in 2019.

The FTC has enforcement authority under the Safeguards Rule over financial institutions that are not banks, credit unions, insurance carriers, or SEC-registered investment advisers and investment companies.  Such financial institutions include non-bank lenders, check-cashing businesses, mortgage brokers, personal property or real estate appraisers, professional tax preparers and credit reporting agencies.

Under the current Safeguards Rule, these financial institutions are required to develop, implement, and maintain a reasonably designed, comprehensive, written information security program with appropriate administrative, technical, and physical safeguards relating to customer information. The final Safeguards Rule represents a significant shift towards more prescriptive requirements for information security, something towards which the FTC has been working for years.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The final Safeguards Rule amends the current rule in five primary ways:

  • By including more detailed requirements for the development and establishment of an information security program. The current rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address identified risks.  The final Safeguards Rule requires that such risk assessment be written and that such safeguards address:
    • access controls;
    • data inventory and classification;
    • encryption;
    • secure development practices;
    • authentication;
    • information disposal procedures;
    • change management;
    • testing; and
    • incident response.
  • Although financial institutions must comply with more specific requirements than under the current Safeguards Rule, they retain the flexibility to design an information security program that is appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.
  • By requiring the designation of a single individual responsible for implementing and overseeing the financial institution’s information security program (referred to as a “Qualified Individual”) and requiring periodic reports to boards of directors or other governing bodies by such Qualified Individual that will provide senior management with awareness of their financial institutions’ information security programs.
  • By exempting financial institutions that maintain information on fewer than 5,000 consumers from the requirements to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessments, prepare a written incident response plan, and prepare annual written reports for boards of directors or other governing bodies.
  • By expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” i.e., companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule. This change will also bring the Safeguards Rule into harmony with other federal agencies’ safeguards rules, which include activities incidental to financial activities in their definition of financial institution.
  • By including several definitions and related examples, including of “financial institution,” in the Safeguards Rule itself rather than incorporating them by reference from the Privacy of Consumer Financial Information Rule promulgated under the GLBA (commonly referred to as the “Privacy Rule”). This will make the Safeguards Rule more self-contained and will allow readers to understand its requirements without having to reference the Privacy Rule.

Certain provisions of the final Safeguards Rule, including those relating to implementing safeguards, undertaking a written risk assessment, appointing a Qualified Individual, and conducting continuous monitoring or annual penetration testing, are effective one year after the date of publication of the final rule in the Federal Register; the remainder of the provisions are effective 30 days following publication.

In addition to the amendments to the Safeguards Rule described above, the FTC is also seeking comment on whether to amend the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the FTC. The proposed amendment would require financial institutions to report a data breach affecting or reasonably likely to affect at least 1,000 consumers.  This notice must be provided via a webform on the FTC’s website within 30 days of discovery of the breach and must include certain specified disclosures. The FTC announced that it would soon publish a supplemental Notice of Proposed Rulemaking, after which the public will have 60 days to submit comments.

If you are a financial institution, you likely won’t want to miss this FTC All Day Workshop today (Monday, July 13, 2020), because it will be a day full of panelists discussing all things information security and what proposed changes are being discussed. Namely, “the workshop will continue to focus on some of the issues raised in response to the FTC’s proposed amendment to the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.” The FTC will be streaming it live from its website.

In 2019, the FTC published its request for public comment on its proposal to amend the Safeguarding Customer Information rule (“Safeguards Rule”). In the Notice, the FTC outlined five “main modifications” to the current rule: (1) “add provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program”; (2) “add[] provisions designed to improve the accountability of financial institutions’ information security programs;” (3) “exempt[] small businesses from certain requirements”; (4) “expand[] the definition of ‘financial institution’”; and (5) “include the definition of ‘financial institution’ and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.” And here, in July 2020, these changes are still being discussed.

Indeed, the FTC extended the comment deadline until August 12, 2020 to allow for more input. So there is still time to get engaged if you want to have a voice in the proposed changes. That starts with watching today to learn where things stand, and then being on the lookout for Consumer Privacy World’s detailed follow-up on this important FTC update.


Originally posted on Squire Patton Boggs’ The Trade Practitioner blog 


On October 15, 2024, the U.S. Department of Defense (DoD) released its final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program (Final CMMC Program Rule). The CMMC Program allows the DoD to verify that defense prime contractors and subcontractors (defense contractors) have implemented security safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are maintaining required safeguards during the contract period of performance. The CMMC requirements apply to defense contractors that process, store or transmit FCI or CUI in the performance of a DoD contract or subcontract.

In a parallel effort, the DoD also has proposed an acquisition rule – the 48 C.F.R. Part 204 CMMC Acquisition Rule (the DFARS rule) – that will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and contractually implement the CMMC Program (32 C.F.R. part 170) through DoD solicitations and contracts. In September we described the proposed DFARS rule, for which the comment period closed on October 15, 2024. The DoD estimates it will publish the final DFARS rule by mid-2025. The effective date of the final DFARS rule (which is 60 days after it is published in the Federal Register) is a key date since that effective date will initiate the CMMC Program’s phased rollout discussed below.

Continue Reading Navigating DoD’s CMMC Program Final Rule

The Consumer Financial Protection Bureau (the “CFPB”) recently issued a Notice of Proposed Rulemaking to implement Section 1033 of the Dodd-Frank Act (“Section 1033”). Section 1033 generally requires covered persons to make information concerning a financial product or service that a consumer has obtained from such person available to the consumer, subject to CFPB rulemaking.

The rule recently proposed by the CFPB to implement Section 1033 (the “Proposed Rule”) would require that certain entities make transaction and other account data more readily available to consumers and authorized third parties. It also would impose privacy and information security obligations and limitations on these entities, as well as on third parties authorized to collect and use that data. These requirements and limitations are discussed in more detail below.

Continue Reading CFPB Issues Notice of Proposed Rulemaking on Open Banking

The Federal Communications Commission (“FCC”) has adopted rules to address two fraudulent practices that “bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of the consumer’s phone.”

In its recent Report and Order and Further Notice of Proposed Rulemaking released November 16, 2023, the Commission first addressed the practice where bad actors are able to swap a consumer’s subscriber identity module (“SIM”) card to a wireless device associated with a different SIM (i.e., SIM card swap fraud). The agency also acted on wireless number porting fraud, where bad actors impersonate a customer and convince the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls (i.e., port-out fraud). 

Continue Reading FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules

The Monetary Authority of Singapore has launched a public consultation to gather feedback on two sets of proposed rules which it will soon impose on Singapore financial institutions (FIs), with a view to improving existing consumer safeguards, including for such FIs’ digital prospecting and marketing activities. 

What do the proposed rules seek to achieve? 

The enhancements are aimed at raising industry standards across the financial sector in Singapore by requiring FIs to put in place additional controls when engaging in prospecting and marketing activities through both physical and digital means. As the world sees a resumption of roadshows post-pandemic, coupled with the increased use of digital applications and social media by FIs to market financial products, it is timely to introduce these new measures to strengthen market conduct in Singapore. 

What are the rules pertaining to digital marketing?

FIs will need to ensure that online advertisements do not disseminate misleading content. They must also put in place measures to monitor the activities and conduct of any third party service providers they appoint to generate leads online, or as introducers, through the dissemination of online advertisements and collection of prospective customers’ contact information, to ensure that these providers adhere to the FIs’ own data management policies and applicable laws such as Singapore’s Personal Data Protection Act (PDPA).

Currently, any advertisements of financial products and services are subject to the Financial Advisers Regulations, and Securities and Futures (Licensing and Conduct of Business) Regulations in Singapore. These regulations apply to advertisements disseminated via traditional media (print) as well as digital media (for instance, websites or social media platforms).  

With digital media, however, there are heightened risks, for example: 

  • Key information disclosed to consumers being truncated or omitted because of social media application or product design. This may pertain to: (i) product features and risks; or (ii) terms and conditions, and could result in such advertisements presenting a misleading or an unbalanced view of financial products.
  • Misleading advertisements that highlight unsubstantiated high returns without mentioning any specific products. The high returns are usually presented without highlighting how they can be achieved and do not include a description of the key risks or other important caveats.
  • Advertisements posted anonymously by representatives on websites and social media platforms using pseudonyms. Consumers would not know the identity of the person who posted the advertisement and whether the person is regulated by MAS or not. 
  • Representatives’ inappropriate use of digital platforms for prospecting (e.g., soliciting leads through online dating applications), and representatives’ use of third-party tools or service providers for generating leads online without their FIs’ authorisation.

What are the rules pertaining to physical prospecting at public places and telemarketing? 

It will soon be mandatory to disclose representatives’ identities and the FIs they represent. FIs will only be permitted to conduct prospecting activities at commercial premises. They will also need to provide customers with additional time to consider whether to make a purchase and limit the use of gift offers which may influence decision-making.

What other implementation details need to be taken note of? 

In addition to the measures proposed in its consultation papers[1], MAS reserves the right to impose additional or stricter measures to address any persistent conduct risks and issues, including limiting representatives to only re-posting their FI’s advertisements or, even more restrictively, prohibiting representatives from posting advertisements altogether, i.e., only allowing FIs themselves to post advertisements.

MAS is proposing a transition period of six to nine months for FIs to comply with the new digital prospecting and marketing guidelines[2]. Comments should be submitted using a specific form and link[3].

The above consultations will close on 30 June 2023.

For more information, contact the author, Charmian Aw, or your Squire Patton Boggs relationship partner.


Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.


[1] https://www.mas.gov.sg/publications/consultations/2023/consultation-paper-on-enhancing-safeguards-for-digital-prospecting-and-marketing-activities;

https://www.mas.gov.sg/publications/consultations/2023/consultation-paper-on-enhancing-safeguards-for-prospecting-activities-at-public-places

[2] https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulations-guidance-and-licensing/financial-advisers/consultation-paper/annex-a-guidelines-on-standards-of-conduct-for-digital-prospecting-and-marketing-activities.pdf

[3] https://go.gov.sg/MAS-Digital-Marketing

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.

Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1

The Federal Trade Commission (“FTC” or “Agency”) recently indicated that it is considering initiation of pre-rulemaking “under section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” This follows a similar indication from Fall 2021, when the FTC signaled its intention to begin pre-rulemaking activities on the same security, privacy, and AI topics in February 2022. This time, the FTC has expressly indicated that it will submit an Advance Notice of Proposed Rulemaking (“ANPRM”) in June, with the associated public comment period to end in August, whereas it was silent on a specific timeline when it made its initial indication back in the Fall. We will continue to keep you updated on these FTC rulemaking developments on security, privacy, and AI.

Also, on June 16, 2022 the Agency issued a report to Congress (the “Report”), as directed by Congress in the 2021 Appropriations Act, regarding the use of artificial intelligence (“AI”) to combat online problems such as scams, deepfakes, and fake reviews, as well as other more serious harms, such as child sexual exploitation and incitement of violence. While the Report is specific in its purview—addressing the use of AI to combat online harms, as we discuss further below—the FTC also uses the Report as an opportunity to signal its positions on, and intentions as to, AI more broadly.

Background on Congress’s Request & the FTC’s Report

The Report was issued by the FTC at the request of Congress, which—through the 2021 Appropriations Act—had directed the FTC to study and report on whether and how AI may be used to identify, remove, or take any other appropriate action necessary to address a wide variety of specified “online harms.” The Report itself, while spending a significant amount of time addressing the prescribed online harms and offering recommendations regarding the use of AI to combat the same, as well as caveats for over-reliance on them, also devotes a significant amount of attention to signaling its thoughts on AI more broadly. In particular, due to specific concerns that have been raised by the FTC and other policymakers, thought leaders, consumer advocates, and others, the Report cautions that the use of AI should not necessarily be treated as a solution to the spread of harmful online content. Rather, recognizing that “misuse or over-reliance on [AI] tools can lead to poor results that can serve to cause more harm than they mitigate,” the Agency offers a number of safeguards. In so doing, the Agency raises concerns that, among other things, AI tools can be inaccurate, biased, and discriminatory by design, and can also incentivize relying on increasingly invasive forms of commercial surveillance, perhaps signaling what may be areas of focus in forthcoming rulemaking.

While the FTC’s discussion of these issues and other shortcomings focuses predominantly on the use of AI to combat online harms through policy initiatives developed by lawmakers, these areas of concern apply with equal force to the use of AI in the private sector. Thus, it is reasonable to posit that the FTC will focus its investigative and enforcement efforts on these same concerns in connection with the use of AI by companies that fall under the FTC’s jurisdiction. Companies employing AI technologies more broadly should pay attention to the Agency’s forthcoming rulemaking process to stay ahead of the issues.

The FTC’s Recommendations Regarding the Use of AI

Another major takeaway of the Report pertains to the series of “related considerations” that the FTC has cautioned will require the exercise of great care and focused attention when operating AI tools. Those considerations entail (among others) the following:

  • Human Intervention: Human intervention is still needed, and perhaps always will be, in connection with monitoring the use and decisions of AI tools intended to address harmful conduct.
  • Transparency: AI use must be meaningfully transparent, which includes the need for these tools to be explainable and contestable, especially when people’s rights are involved or when personal data is being collected or used.
  • Accountability: Intertwined with transparency, platforms and other organizations that rely on AI tools to clean up harmful content that their services have amplified must be accountable for both their data and practices and their results.
  • Data Scientist and Employer Responsibility for Inputs and Outputs: Data scientists and their employers who build AI tools—as well as the firms procuring and deploying them—must be responsible for both inputs and outputs. Appropriate documentation of datasets, models, and work undertaken to create these tools is important in this regard. Concern should also be given to the potential impact and actual outcomes, even though those designing the tools will not always know how they will ultimately be used. And privacy and security should always remain a priority focus, such as in their treatment of training data.

Of note, the Report identifies transparency and accountability as the most valuable direction in this area—at least as an initial step—as being able to view and allowing for research behind platforms’ opaque screens (in a manner that takes user privacy into account) may prove vital for determining the best courses for further public and private action, especially considering the difficulties created in crafting appropriate solutions when key aspects of the problems are obscured from view. The Report also highlights a 2020 public statement on this issue by Commissioners Rebecca Kelly Slaughter and Christine Wilson, who remarked that “[i]t is alarming that we still know so little about companies that know so much about us” and that “[t]oo much about the industry remains opaque.”

In addition, Congress also instructed the FTC to recommend laws that could advance the use of AI to address online harms. The Report, however, finds that—given that major tech platforms and others are already using AI tools to address online harms—lawmakers should instead consider focusing on developing legal frameworks to ensure that AI tools do not cause additional harm.

Taken together, companies should expect the FTC to pay particularly close attention to these issues as they begin to take a more active approach in policing the use of AI.

FTC: Our Work on AI “Will Likely Deepen”

In addition to signaling what areas of focus may be moving forward when addressing Congress’ mandate, the FTC veered outside of its purview to highlight its recent AI-specific enforcement cases and initiatives, describe the enhancement of its AI-focused staffing, and provide commentary on its intentions as to AI moving forward. In one notable sound bite, the FTC notes in the Report that its “work has addressed AI repeatedly, and this work will likely deepen as AI’s presence continues to rise in commerce.” Moreover, the FTC specifically calls out its recent staffing enhancements as it relates to AI, highlighting the hiring of technologists and additional staff with expertise in and specifically devoted to the subject matter area.

The Report also highlights the FTC’s major AI-related initiatives to date, including:

Conclusion

The recent Report to Congress strongly indicates the FTC’s overall apprehension and distrust as it relates to the use of AI, which should serve as a warning to the private sector of the potential for greater federal regulation over the utilization of AI tools. That regulation may come sooner rather than later, especially in light of the Agency’s recent ANPRM signaling the FTC’s consideration of initiating rulemaking to “ensure that algorithmic decision-making does not result in unlawful discrimination.”

At the same time, although the FTC’s Report calls on lawmakers to consider developing legal frameworks to help ensure that the use of AI tools does not cause additional online harms, it is also likely that the FTC will increase its efforts in investigating and pursuing enforcement actions against improper AI practices more generally, especially as it relates to the Agency’s concerns regarding inaccuracy, bias, and discrimination.

Taken together, companies should consult with experienced AI counsel to obtain advice on proactive measures that can be implemented at this time to get ahead of the compliance curve and put themselves in the best position to mitigate legal risks moving forward—as it is only a matter of time before regulation governing the use of AI is enacted, likely sooner rather than later.

On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal regulator of any “computer security incident” that rises to the level of a “notification incident,” as those terms are defined in the Final Rule, as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred.[1] The Final Rule also requires a service provider to a financial institution to notify each affected institution as soon as possible when the service provider determines that it has experienced a computer security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

The Final Rule follows a proposed rule announced by the same regulators in December 2020 (the “Proposed Rule”) and reflects some substantive revisions to the Proposed Rule.  The federal regulators received 35 comments from banks, service providers, and consumer advocacy groups, the majority of which supported the Proposed Rule and the need for prompt notice of significant data incidents involving financial institutions. However, some commenters took issue with definitions provided under the Proposed Rule and some of the specific notification provisions for financial institutions and service providers. The Final Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022.

For those financial institutions not subject to the jurisdiction of the OCC, the Board or the FDIC, note that the Federal Trade Commission (the “FTC”) is in the process of proposing amendments to the Safeguards Rule that would require nonbank financial institutions subject to the FTC’s jurisdiction to report certain data breaches and other security events to the FTC.

Relevant Definitions

Only those computer security incidents that rise to the level of notification incidents are required to be reported to federal regulators.

The Final Rule defines a “computer security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”  Note that this is more limited than the definition in the Proposed Rule, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.

The Final Rule defines a “notification incident” as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Reporting by Financial Institutions

Under the Final Rule, a financial institution must notify its primary federal regulator of a notification incident (as defined above) as soon as possible and no later than thirty-six (36) hours after the institution determines that a notification incident has occurred. Note that this provides financial institutions with half as much time to report an incident as is allowed under either the EU’s General Data Protection Regulation or the New York Department of Financial Services’ cybersecurity regulations. The federal regulators believe that the more onerous timing requirement is offset by the narrowed definition of “computer security incident” in the Final Rule compared to the Proposed Rule.

A financial institution may give notice in writing or orally (including by email or telephone) to its designated point of contact at its primary federal regulator. The federal regulators anticipate that financial institutions will share general information about the facts known at the time of the notice. No specific content is required in the notification other than that a notification incident has occurred, and the Final Rule does not prescribe any form or template. The notification, and any information related to the incident, is subject to the regulator’s confidentiality rules.

The introduction to the Final Rule acknowledges that a financial institution will need to undertake a reasonable investigation to determine whether a notification incident has occurred, and explicitly provides that the 36-hour notification period starts only once the financial institution has determined that a notification incident has occurred, not at the moment the underlying incident is first detected.

Helpfully, the Final Rule also acknowledges that not all computer security incidents are reportable, and provides a non-exhaustive list of events that would rise to the level of a notification incident:

  • Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
  • A service provider used by a financial institution for its core banking platform to operate business applications is experiencing widespread system outages, and the recovery time is undeterminable;
  • A failed system upgrade or change that results in widespread user outages for customers and financial institution employees;
  • An unrecoverable system failure that results in activation of a financial institution’s business continuity or disaster recovery plan;
  • A computer hacking incident that disables banking operations for an extended period of time;
  • Malware on a financial institution’s network that poses an imminent threat to its core business lines or critical operations or that requires it to disengage any compromised products or information systems that support its core business lines or critical operations from Internet-based network connections; and
  • A ransom malware attack that encrypts a core banking system or backup data.

The Final Rule provides that affiliated financial institutions each have separate and independent notification obligations. Each financial institution needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary federal regulator. Subsidiaries of financial institutions that are not themselves financial institutions subject to the Final Rule do not have notification requirements under the Final Rule. However, if a computer security incident were to occur at such a subsidiary, the parent financial institution would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary federal regulator.

Reporting by Service Providers

Only service providers that perform services for a financial institution and that are subject to the Bank Service Company Act (the “BSCA”) are subject to the Final Rule. The Final Rule does not further define which services are subject to the BSCA.  The Final Rule requires such a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours.”

Under the Final Rule, a service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities).

The introduction to the Final Rule indicates that the federal regulators do not anticipate that the Final Rule will add a significant burden for service providers, as many service providers are already subject to contractual requirements to notify financial institutions in the event of a data incident.

Next Steps

In light of the Final Rule, we recommend doing the following prior to the May 1, 2022, compliance deadline:

  • Financial institutions and service providers subject to the Final Rule should review their incident response plans and other relevant policies and procedures to ensure that they will be able to satisfy the onerous notice obligations under the Final Rule. For example, such plans and policies should provide for the escalation of suspected computer security incidents to a specific individual (preferably identified by his or her title) as soon as reasonably practicable.
  • Financial institutions should adopt procedures and develop relevant standards that will enable them to determine quickly whether a computer security incident rises to the level of a notification incident.
  • Financial institutions should record current contact information for their primary federal regulators in their incident response plans, and service providers should document the appropriate points of contact at each of their financial institution customers specifically for the purpose of reporting computer security incidents.
  • Financial institutions should update their form service provider agreements, as well as their existing agreements with current service providers, to impose notice requirements that track the Final Rule.

[1] See 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC.