Federal Cyber Breach Reporting Rules Reach an Uneasy Balance

New data breach notification rules from the US Federal Trade Commission underline the growing tension between the government’s efforts to increase its understanding of national cybersecurity threats and reduce overlap among dozens of reporting regulations.

The consumer protection agency on Friday announced finalized amendments to its Safeguards Rule requiring lenders that aren’t banks—including mortgage brokers and auto dealers—to report information about the scope of security incidents affecting the unencrypyted data of 500 or more customers “as soon as possible,” and within 30 days at most.

Companies that retain consumers’ sensitive data can be subject to an array of more than 50 security incident reporting rules just at the federal level. The FTC issued the new requirements as several arms of the executive branch work to streamline duplicative rules and strengthen the nation’s cybersecurity posture more broadly. But even slight variations in when businesses must report a breach, and with what detail, can complicate compliance and add to companies’ to-do lists during the critical days immediately after a cyberattack.

“It is a difficult patchwork to know all the different entities, depending on what industry you are in, that you have to notify” after a security incident, said Linn Freedman, a cybersecurity compliance partner at Robinson & Cole LLP.

The US Homeland Security Department reached a similar conclusion in a Sept. 19 report, finding that variances in how a breach is defined and what triggers a report presented one of “the most significant challenges to harmonization.”

The FTC has said the additional reporting requirements will equip it with new information about “emerging data security threats” as it broadens its cybersecurity regulatory efforts in step with the Biden administration.

But adding one more regulator relationship to manage if a cyber incident occurs will be a key compliance stressor for companies, said Nick Sanna, the president of the FAIR Institute, a nonprofit that provides resources for measuring information risk.

“The market is screaming for simplification, just adding to it goes in the opposite direction,” Sanna said.

Expanded Monitoring

The updated Safeguards Rule is “extending the Federal Trade Commission’s reach” for regulating cybersecurity onto a new set of businesses that will have to update their incident response plans in compliance, said Melissa Krasnow, a partner at VLP Law Group LLP who advises financial services providers on cybersecurity compliance.

The changes will affect businesses covered by the Gramm-Leach-Bliley Act of 1999, including payday lenders, insurance providers, loan collection agencies, and tax preparation firms.

“A lot of entities which may not have thought of themselves as being regulated would be regulated. The issue is whether they’re aware they’re regulated and are complying,” Krasnow said.

The FTC’s new reporting requirements will take effect six months after the agency publishes the amendments in the Federal Register. That means companies have some time to determine whether they’re regulated and how best to comply, she said.

Data breach reports will need to include details explaining what categories of information were breached, for how long, and an estimated number of affected consumers.

In analysis attached to the finalized amendment, the commission explained that the new information garnered would hasten the agency’s ability to spot breaches deserving further investigation and save resources by eliminating the need to “continually search for breach notifications posted by other sources.”

“A lot of a regulators, including the FTC, often don’t know when there’s noncompliance or lack of compliance until there’s a breach,” Krasnow said.

One phenomenon the FTC’s information-gathering efforts could illuminate is the extent of internal data leaks that don’t involve a malicious actor hacking into a company’s systems, according to Sanna.

Lenders should prepare to implement new processes for gathering and reporting cyberattack information to ensure their compliance with the amended rule, he said.

“I’m not sure that a majority of those non-bank financial institutions have such granular data management practices in place,” Sanna said.

Fintech Resiliency?

Holding such businesses to higher data management standards could help address a cyber resiliency concern banks have expressed in response to an open banking proposal the Consumer Financial Protection Bureau is championing.

The CFPB’s proposed rule would provide greater access to financial data for fintech third parties such as mobile payment service Venmo, but banks have expressed worry about how well those entities—subject to less stringent cybersecurity regulation—might protect or use the data.

The new amendments “show that the FTC continues to push the envelope” regarding expectations for non-bank financial services providers, said financial regulations counsel Jonathan Joshua of Joshua Law Firm LLC.

But those debating the CFPB proposal shouldn’t expect the FTC’s rules to fully resolve their questions.

“The concerns raised by financial institutions are more than just the notification process for a breach,” said Peter Dugas, who leads a regulatory intelligence center at advisory firm Capco RISC, in an email to Bloomberg Law.

Addressing their full concerns would “require additional data standards, terms of access, record keeping, duration periods, minimum data security programs, and litigation protections for third-party breaches,” Dugas said.

Reporting Patchwork

Several groups that submitted comments to the FTC on the proposed Safeguard Rule changes expressed worry that yet another federal reporting requirement would divert attention away from responding to data breaches, rather than help streamline compliance.

The FTC contends that reporting breaches to the agency won’t be burdensome because companies already have to collect similar information under breach-reporting requirements in all 50 states.

The US Cybersecurity and Infrastructure Security Agency plans to publish a proposed rule set next year, requiring the financial sector and 15 other critical infrastructure sectors to report security breaches to the agency within 72 hours of discovery—and paid ransoms within 24 hours.

The rulemaking at CISA, part of the Homeland Security Department, could help centralize cybersecurity data reported by lenders and others, said Justin Herring, a partner at Mayer Brown LLP practicing in cybersecurity regulation. Whether it will make reporting easier in practice, is another question.

“What I think is much more uncertain is whether or not the CISA rule will make the reporting obligations that companies have actually streamlined,” Herring said.

Reproduced with permission. Published Oct. 31, 2023. Copyright 2023 by Bloomberg Industry Group, Inc. (800-372-1033) http://www.bloombergindustry.com