Data security notification requirements could become much stricter under a proposed rulemaking from the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. The proposal, published January 12, 2021, would impose new security incident notification requirements on federally regulated “banking organizations” and, notably, their service providers. If adopted, the proposed rule would expand upon existing notification requirements—adding a 36-hour notice window—and would, for the first time, impose direct notification obligations on service providers.
The proposed regulation distinguishes between incidents that require notification and a general “computer-security incident,” defined as “an occurrence that
- Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or
- Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
Under the proposed regulation, banking organizations are required to provide notice only for computer-security incidents that rise to the level of a “notification incident,” that is, those incidents that “could materially disrupt, degrade, or impair:
- Its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Requirements for Banking Organizations
The proposed rule broadens the scope of events that require notice and shrinks the time in which banks must provide that notice. Under the proposed definitions, covered banking organizations would be required to notify their primary federal regulator of any “notification incident” as soon as possible and no later than 36 hours after the bank believes in good faith that the notification incident occurred. These requirements broaden the definition of notifiable events to include those that do not necessarily involve customer information but that do result in material disruption and shorten the timeframe—previously a flexible “as soon as possible”—to a strict 36-hour limit.
The proposed rule also places new obligations on banking organization service providers who experience a computer-security incident. Under those obligations, service providers that suffer a computer-security incident that “could disrupt, degrade, or impair services” for “four or more hours” must immediately notify two or more employees at each banking organization customer affected by the incident.
The proposed rule may be part of a broader trend that began with the New York Department of Financial Services’ cybersecurity rules, requiring covered entities (including certain banks) to report a range of incidents, including “cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity,” to the Department within a short 72-hour timeframe.