Introduction

On November 18, the federal banking agencies [1] published the long-awaited final rule [2] establishing computer security incident notification requirements for “banking organizations” and “banking service providers” (terms defined below). The rule includes a 36-hour regulatory notification requirement for banking organizations that has drawn headlines. The final rule is expected to take effect on April 1, 2022, and covered entities must comply by May 1, 2022. Covered entities should begin reviewing their breach response procedures now to ensure timely compliance.

Final rule requirements

The final rule includes notification requirements between (1) banking organizations and their regulators, and (2) banking service providers and their banking organization customers. The following defined terms are important to understanding what the rule requires:

  • Banking organization

    • The definition of banking organization differs depending on the applicable federal regulator:

      • FDIC: Banking organization means an insured depository institution supervised by the FDIC, including all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.

      • OCC: Banking organization means a national bank, a federal savings association, or a federal branch or agency of a foreign bank.

      • Federal Reserve: Banking organization means a U.S. bank holding company, a U.S. savings and loan holding company, a state member bank, the U.S. operations of foreign banking organizations, and an Edge or agreement corporation.

  • Banking service provider means a bank service company or other person that provides covered services.

  • Computer security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

  • Notification incident is a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

    • (1) Ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

    • (2) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

    • (3) Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Notifications from banking organizations to agencies

Banking organizations must notify their applicable regulator “as soon as possible” and no later than “36 hours after the banking organization determines that a notification incident has occurred.” The details of these notifications differ slightly by regulator; as a general rule, however, the notification is made to the agency’s “designated point of contact” by email, telephone, or “other similar method.”

The timing requirement of this notification obligation is quite short compared to other data protection laws. For example, the EU’s General Data Protection Regulation (GDPR) requires notification “without undue delay and, where feasible, not later than 72 hours after having become aware of” the breach. [3] Additionally, many U.S. data breach laws that set a deadline require notification within 30 days. The shortest state notification period is found in Illinois law, which requires notification within 72 hours if a breach affects the personal information of more than 250 residents.

Although the final rule’s deadline is shorter than those of other breach laws, the regulatory burden it places on banking organizations is made somewhat uncertain by the definition of “notification incident.” Notification does not depend on the nature of the information involved; rather, it is limited to incidents that have disrupted or degraded, or are reasonably likely to “materially disrupt or degrade,” the banking organization’s (1) ability to provide banking services, (2) business lines, or (3) operations (see the definition above for the precise wording). Within the definition of notification incident, each of these three prongs is narrowed by a qualifying statement. For example, a disruption of the banking organization’s operations is reportable only if the “failure or discontinuance” would pose “a threat to the financial stability of the United States.” Much like the risk-of-harm trigger in state breach notification laws, the contours of when an incident requires notification (for example, when it is materially disruptive) will likely be defined over time and through experience.

It is also important to note that the 36-hour notification period does not begin until the bank “determines that a notification incident has occurred.” Other breach notification laws start the clock at an earlier stage of the breach investigation and remediation process. For example, the 72-hour window for regulatory notification under the GDPR opens as soon as an entity “become[s] aware of” a breach. Taken together, this “determination” that a notification incident has occurred and the qualifying statements in the definition of “notification incident” soften an otherwise severe timing requirement.

Notifications from banking service providers to banking organization customers

Banking service providers are also required to notify “at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that banking organization for four or more hours.” It is important to note that the definition of “computer security incident” is much broader than that of “notification incident”; in practice, therefore, these notifications may occur far more frequently than the regulatory notifications described above. The effect of this requirement may be limited, however, because most service provider contracts already require notification, and in many cases that contractual notification is triggered by incidents involving less significant data. For contracts that do not, amendments may be appropriate.

There is no specific deadline for banking service providers; however, the final rule requires the service provider to notify its banking organization’s “designated point of contact” “as soon as possible.” The bank-designated point of contact is any email address, phone number, or other contact provided by the banking organization. If no point of contact has been provided, the notification must go to the chief executive officer and the chief information officer of the banking organization, or to “two individuals with comparable responsibilities, through any reasonable means.”

Current Cyber Incident Reporting Requirements

While this rule provides the clearest and most comprehensive cyber incident reporting requirements to date, existing laws may already require notification after a cyber incident. Notably, under the Gramm-Leach-Bliley Act and the interagency guidelines establishing information security standards, federal regulators must be notified “as soon as possible” of unauthorized access to or use of sensitive customer information. In addition, the Bank Secrecy Act requires banks to file a “suspicious activity report” when they detect criminal activity. These reports must be filed within 30 days, or “as soon as possible” if the incident involves “unauthorized access to or use of sensitive customer information.” In the supplementary information to the proposed version of this rule, [4] the agencies noted that these “current cyber incident reporting requirements are neither designed nor intended to provide timely information to regulators regarding such incidents.” Beyond these federal requirements, each state has its own breach notification law. Although every state breach notification law is unique, state laws generally require consumers and, in certain cases, state-level regulators to be notified. Many states require notification only if there is a risk of harm to consumers, and many do not include specific timing requirements.

Conclusion

Banking organizations and banking service providers should ensure that they have the plans, policies, and procedures in place to comply with these requirements. As part of these compliance efforts, covered entities should consider: (1) updating incident response plans to include the appropriate points of contact, (2) conducting tabletop exercises against the new timing requirements, (3) incorporating the applicable definitions into service provider contracts, and (4) updating or drafting incident response playbooks. In addition, banking organizations and banking service providers should remain aware of other applicable state, federal, and international security incident reporting requirements. Troutman Pepper’s privacy professionals have extensive applicable compliance experience and are ready to help businesses navigate this challenging regulatory environment.


[1] The Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).

[2] See https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank.

[3] Regulation (EU) 2016/679, art. 33.

[4] See https://www.federalregister.gov/documents/2021/01/12/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank.