Changes to Notification and Security Requirements Continue at the Federal Level

In Legal News
October 24, 2023

In October 2023, Perkins & Coie published an update on existing federal breach notification laws. They write:

Following last year’s passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (rulemaking for which should formally commence in 2024), the major action on the federal front this year came from the SEC, which formalized disclosure requirements for public companies. We are also following proposed new or expanded rules from the FTC related to health data breaches, the FCC covering customer proprietary network information (CPNI), and the SEC for broker-dealers.

SEC

Public Companies

In July 2023, the SEC adopted a final rule establishing cybersecurity risk management, governance, and incident reporting requirements. These new requirements will apply to foreign private issuers and U.S. public companies.

The final rule went into effect on September 5, 2023, with compliance deadlines as early as December 2023.

Broker-Dealers and Market Entities

The SEC is also in the process of proposing new cyber rules for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively known as market entities) to address their cybersecurity risks. The proposed rule includes both internal requirements for improved cyber policies and procedures, and notification requirements to the SEC and the public following a “significant” cybersecurity incident (defined as an incident that significantly degrades operations or causes significant harm).

FCC

In 2023, the FCC proposed new rules regarding data breach reporting requirements for CPNI.

FTC

The FTC has proposed changes to the Health Breach Notification Rule (HBNR) that applies to “vendors of personal health data” and others not covered under the Health Insurance Portability and Accountability Act (HIPAA).

For details on all of the above, read the update on Perkins & Coie’s website.