Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

There are currently no policies or procedures that all organisations must have in place to protect against cyberthreats. However, there are numerous federal and state laws, regulations and mandatory standards that pertain to securing privately owned IT systems and data in the United States’ critical infrastructure sectors, resulting in a patchwork of regulatory requirements that organisations must follow.

For instance, organisations performing contracts requiring a security clearance from the US government are generally covered by the National Industrial Security Program and are obligated to follow the National Industrial Security Program Operating Manual (NISPOM). The NISPOM includes a wide range of information system security requirements, including identification and authentication management, passwords and scanning for malicious code. Other federal contractors and subcontractors at all tiers are also required to comply with various security requirements under the DoD (DFARS) and FAR rules.

Covered entities under HIPAA must implement technical policies that allow only authorised persons to access electronic protected health information and have measures that guard against unauthorised access to electronic protected health information when it is transmitted over an electronic network.

Under the GLBA, financial institutions are required to identify and control risks to customer information and customer information systems and to properly dispose of customer information. Appropriate measures that institutions must take include access controls on customer information systems and monitoring systems, and procedures to detect actual and attempted attacks on, or intrusions into, customer information systems.

A primary example of a state law requiring companies to develop policies and procedures to protect data and systems from cyberthreat is the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies collecting personal information of Massachusetts residents to develop written information security programmes containing administrative, technical and physical safeguards that protect personal information.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Currently, there are no broad rules requiring all organisations to keep records of cyberthreats or attacks. Organisations within certain critical infrastructure sectors may be subject to sector-specific rules. For example, the DoD DFARS rule requires companies to report cyber incidents affecting ‘covered defence information’ to DoD, and to maintain forensic evidence (including forensic images and packet captures) for 90 days in the event DoD decides to conduct a further review and requests that evidence. Additionally, companies subject to the PCI-DSS are required to maintain certain log and other forensic data for a period to facilitate forensic review and audit. Further, though companies subject to HIPAA are required to report breaches to HHS, breaches affecting under 500 individuals only need to be reported collectively in an annual report, rather than in the immediate wake of the incident.

Because cybersecurity breaches may require disclosure and result in litigation or regulatory enforcement, organisations should be aware that they may be required to provide forensic evidence and information about any such attacks. Organisations should maintain records accordingly (consistent with standard preservation practices), including issuing hold notices as appropriate.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Numerous federal and state regulations require organisations to report cybersecurity breaches to regulatory authorities.

Public companies may be required to disclose, through public filings with the SEC, material breaches that affect the company’s products, services, relationships with customers or suppliers, competitive conditions or financial controls.

Defence contractors with ‘covered defence information’ on their systems that experience a cybersecurity breach must report the breach to DoD.

Organisations covered by HIPAA are required to notify the Secretary of HHS following a breach of unsecured protected health information.

Financial institutions subject to the NYDFS cybersecurity requirements must report certain incidents to NYDFS.

All US states, DC and many US territories also have enacted state data breach notice laws, many of which require organisations to notify state attorneys general and other state regulatory agencies of security breaches involving sensitive, personally identifiable information that affect individuals in the state. These laws also require notice to individuals and, at times, the media, consumer credit reporting agencies, or both, of certain breaches that result in the loss of personally identifying information.

Timeframes

What is the timeline for reporting to the authorities?

Public companies may disclose material breaches to the SEC through a Form 8-K, ‘current report’ companies must file with the SEC to announce major events that shareholders should know about. Depending on timing, these breaches may instead be reported in typical quarterly or annual securities filings.

For breaches that affect covered defence information, reports must be sent to DoD (via: http://dibnet.dod.mil/) within 72 hours of discovery of any cyber incident and must include specific, detailed data about the nature of the intrusion and any government projects possibly implicated. For breaches related to unsecured protected health information that affect 500 or more individuals, HIPAA-covered organisations are required to notify the Secretary of HHS without unreasonable delay, and in any case no later than 60 days after a breach. For breaches that affect fewer than 500 individuals, the Secretary may be notified of such breaches on an annual basis.

For notification to states regarding breaches affecting individuals in that state, most state laws require notification be made without undue delay and in the most expedient time possible, though some states include specific time frames (typically 30 or 45 days).

Financial institutions subject to the NYDFS cybersecurity requirements must report cyber incidents to NYDFS within 72 hours of determining that the incident either (i) requires notice to be provided to any government body, self-regulatory agency or any other supervisory body or (ii) has a reasonable likelihood of materially harming any material part of the entity’s normal operations.

Companies may also report breaches to law enforcement agencies, which the FTC has stated will be regarded favourably when considering whether to bring an enforcement action against a company.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Most states require organisations to report security breaches involving personally identifiable information to individuals whose information was affected. Each state has its own rules, but typical requirements include that the notification be made in writing in the most expedient time possible. At the federal level, HIPAA and the GLBA require covered entities to report breaches of sensitive health or financial information, respectively. Many state data breach laws include an exception for entities complying with these federal obligations.