Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Data protection requirements for organisations vary by business sector. In particular, the healthcare and financial services sectors are both subject to specific and detailed cybersecurity requirements. For example, in the healthcare sector, Health Insurance Portability & Accountability Act (HIPAA) covered entities must ‘[i]mplement policies and procedures to prevent, detect, contain, and correct security violations’ and to restrict access to protected health information (PHI) only to authorised personnel.

State laws have also begun to develop policies and procedures that companies must put in place for cybersecurity protection. For example, Massachusetts’ cybersecurity regulations have long imposed specific security requirements regarding personal information, including the implementation of a written security programme and encryption of certain data. New York’s SHIELD Act similarly requires reasonable security for personal information and specifies measures that may satisfy that standard. And California privacy law creates a right of action for state residents if plaintiffs can prove that the impacted business failed to implement ‘reasonable’ security protocols to protect personal information.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

There is currently no broad rule requiring organisations to maintain records of cybersecurity incidents, though record-keeping is required by certain states if an organisation determines that notification is not required because an incident does not pose a significant ‘risk of harm’ to individuals. Healthcare entities subject to HIPAA and organisations that process credit card information, subject to the Payment Card Industry’s Data Security Standard, are required to maintain certain information, including records of incidents to facilitate reporting or audits.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data breach notification laws. While these state laws are not uniform, they can generally be said to define a ‘breach’ as the unauthorised acquisition of or access to unencrypted computerised data that compromises the security, confidentiality or integrity of personal information. Most states also include a requirement that the incident is reasonably likely to cause harm to individuals. Organisations that experience a security breach may be required to notify affected individuals or state regulators (or both) of the incident. Under the state laws, the triggers for when regulatory authorities must be notified vary. While all states have a law that requires notice to data subjects in the event of certain breaches, a few states require no notice to regulators. In other states, such as New York or Massachusetts, regulators must be notified if a single resident receives notification of a cybersecurity breach, while in still others, such as California, notice is required only where a certain number of individuals are affected (often 500 or more, but this varies by state).

Sector-specific federal laws require reporting of cybersecurity breaches in certain circumstances. In the healthcare industry, entities covered by HIPAA must notify the Department of Health and Human Services following a breach of unsecured PHI, as those terms are defined within the statute. Financial institutions must often likewise report certain incidents to their primary regulator.

Time frames

What is the timeline for reporting to the authorities?

In the healthcare industry, entities covered by HIPAA must notify the Office of Civil Rights (OCR) within 60 days of the end of the calendar year in which a breach is discovered for breaches involving the PHI of fewer than 500 individuals, and without unreasonable delay in matters involving more than that number.

Under the state laws, the triggers for when regulatory authorities must be notified vary. While all states have a law that requires notice to data subjects in the event of certain breaches, a few states require no notice to regulators. In other states, such as New York or Massachusetts, regulators must be notified if a single resident receives notification of a cybersecurity breach, while in still others, such as California, notice is required only where a certain number of individuals are affected (often 500 or more, but this varies by state). Timelines for these notices also vary, with Vermont requiring notice within 14 business days of discovery of a breach that triggers notice and other states requiring notice without unreasonable delay and simultaneous with or before notice is sent to consumers.

Entities covered by the New York Department of Financial Services (NYDFS) Cybersecurity Regulation or some similar state insurance data security laws must generally report incidents within 72 hours after determining that a cybersecurity event has occurred that triggers notice.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data breach notification laws. While these state laws are not uniform, they can generally be said to define a ‘breach’ as the unauthorised acquisition of or access to unencrypted computerised data that compromises the security, confidentiality or integrity of personal information. Most states also include a requirement that the incident is reasonably likely to cause harm to individuals. Organisations that experience a security breach may be required to notify affected individuals or state regulators (or both) of the incident. Timing of notices varies by state and sector, with Colorado, Florida and Maine requiring notice within 30 days of discovery of the notifiable event, while the NYDFS requires notice in 72 hours and one banking agency (the Federal Deposit Insurance Corporation) recently proposed a 24-hour notice requirement.

Several sector-specific federal laws also require reporting of certain breaches in particular circumstances. For example, in the healthcare industry, entities covered by HIPAA must notify the OCR within 60 days of the end of the calendar year in which a breach is discovered for breaches involving the PHI of fewer than 500 individuals, and without unreasonable delay in matters involving more than that number. Entities regulated by the Securities and Exchange Commission are expected to make prompt public disclosures regarding any cybersecurity incidents, in addition to disclosing general cybersecurity risk. It has also become increasingly standard and expected for organisations to disclose material cybersecurity events in a ‘current report’ (known as an 8-K), a filing made outside the regular disclosure schedule.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

15 December 2021