For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach. There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities.
But that seems to be rapidly changing, with the Notice of Proposed Rulemaking formally published last week by the Cybersecurity and Infrastructure Security Agency (“CISA”) making CISA the latest federal government authority to require entities within its reach to provide notice to regulators in just 72 hours, far faster than the common 30-day state requirement – and also to provide notice within 24 hours of any ransom payment made in a ransomware incident. The proposed CISA rule would implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), passed by Congress two years ago, and covers various critical infrastructure sectors, as defined by CIRCIA, including communications, education, emergency services, financial services, public health, IT, and transport.
CISA joins other government agencies that have adopted or proposed rules that substantially narrow the timing requirements for regulatory notice. The SEC now requires public companies to disclose a cybersecurity incident within four business days of determining that the incident is material. The National Credit Union Administration’s final rule requiring federally chartered and federally insured credit unions to provide notice within 72 hours went into effect in September. The New York Department of Financial Services has required covered entities to provide notice within 72 hours for a number of years. And of course, the European Union set the original 72-hour notice precedent when it first passed the General Data Protection Regulation (“GDPR”).
So what is driving this shift toward rapid data breach notice to regulators? It certainly isn’t coming from practitioners, who have seen first-hand on many occasions how difficult it is to get on top of a data security incident in just a few days, as well as the risks associated with reporting on an incident without complete information. But as nation-state and terrorist actors have become increasingly brazen in cyberattacks, federal authorities have increased pressure on the victims of cyberattacks to avoid negotiating with the threat actors and/or paying ransoms. The shortened time frames for notice – particularly those related to critical infrastructure sectors – are part and parcel of those efforts. Additionally, with cybersecurity and data privacy playing such a large part in modern business, it is not surprising that more government agencies want to get involved in these areas and take steps that they believe will provide additional protections for consumers.
Thus far, we have not seen any states modify their data breach notification laws to adopt something along the lines of a 72-hour notice requirement across all business sectors, but it would not be at all surprising to see that on the horizon. The good news is that even among the narrowest of reporting time frames, there is still room for interpretation. For example, the proposed CISA rule calls for notice “72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.” The Notice of Proposed Rulemaking defines a “covered cyber incident” very broadly, but there is certainly ambiguity in assessing when a company would “reasonably believe” that such an incident occurred. Similarly, the SEC disclosure requirement turns on a determination of “materiality,” which is open to interpretation.
The ongoing shift toward faster notice requirements makes it more important than ever for companies to have a plan in place to handle data security incidents before they happen, train their staff on handling such incidents, and get counsel involved quickly when an incident happens.