Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

There are currently no policies or procedures that all organisations must have in place to protect against cyberthreats. However, there are numerous federal and state laws, regulations and mandatory standards that pertain to securing privately owned IT systems and data in the United States’ critical infrastructure sectors, resulting in a patchwork of regulatory requirements that organisations must follow.

For instance, organisations performing contracts requiring a security clearance from the US government are generally covered by the National Industrial Security Program and are obligated to follow the National Industrial Security Program Operating Manual (NISPOM). The NISPOM includes a wide range of information system security requirements, including identification and authentication management, passwords and scanning for malicious code. Other federal contractors and subcontractors at all tiers are also required to comply with various security requirements under the Defense Federal Acquisition Regulations Supplement (DFARS) and Federal Acquisition Regulations rules.

Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) must implement technical policies that allow only authorised persons to access electronic protected health information and have measures that guard against unauthorised access to electronic protected health information when it is transmitted over an electronic network.

Under the Gramm–Leach–Bliley Act (GLBA), financial institutions are required to identify and control risks to customer information and customer information systems and to properly dispose of customer information. Appropriate measures that institutions must take include access controls on customer information systems and monitoring systems, and procedures to detect actual and attempted attacks on, or intrusions into, customer information systems.

A primary example of a state law requiring companies to develop policies and procedures to protect data and systems from cyberthreat is the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies collecting personal information of Massachusetts residents to develop written information security programmes containing administrative, technical and physical safeguards that protect personal information.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Currently, there are no broad rules requiring all organisations to keep records of cyberthreats or attacks. Organisations within certain critical infrastructure sectors may be subject to sector-specific rules. For example, the DFARS rule requires companies to report cyber incidents affecting ‘covered defence information’ to the Department of Defense (DOD), and to maintain forensic evidence (including forensic images and packet captures) for 90 days in the event the DOD decides to conduct a further review and requests that evidence. Additionally, companies subject to the Payment Card Industry Data Security Standards (PCI-DSS) are required to maintain certain log and other forensic data for a period of time to facilitate forensic review and audit. Further, although companies subject to HIPAA are required to report breaches to the Department of Health and Human Services (HHS), breaches affecting under 500 individuals only need to be reported collectively in an annual report rather than in the immediate wake of the incident.

Because cybersecurity breaches may require disclosure and result in litigation or regulatory enforcement, organisations should be aware that they may be required to provide forensic evidence and information about any such attacks. Organisations should maintain records accordingly (consistent with standard preservation practices), including issuing hold notices as appropriate.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Numerous federal and state regulations require organisations to report cybersecurity breaches to regulatory authorities.

Public companies may be required to disclose, through public filings with the Securities and Exchange Commission (SEC), material breaches that affect the company’s products, services, relationships with customers or suppliers, competitive conditions or financial controls.

Defence contractors with ‘covered defence information’ on their systems that experience a cybersecurity breach must report the breach to the DOD.

Organisations covered by HIPAA are required to notify the Secretary of HHS following a breach of unsecured protected health information.

Financial institutions subject to the New York Department of Financial Services (NYDFS) cybersecurity requirements must report certain incidents to the NYDFS.

All US states, the District of Columbia and many US territories have also enacted state data breach notice laws, many of which require organisations to notify state attorneys general and other state regulatory agencies of security breaches involving sensitive, personally identifiable information that affect individuals in the state. These laws also require notice to individuals and, at times, the media, consumer credit reporting agencies, or both, of certain breaches that result in the loss of personally identifying information.

Time frames

What is the timeline for reporting to the authorities?

For notification to states regarding breaches affecting individuals in a state, most state laws require that notification be made without undue delay and in the most expedient time possible, though some states include specific time frames (typically 30 or 45 days).

Public companies may be required to disclose material breaches to the SEC through a Form 8-K, which is the ‘current report’ companies must file with the SEC to announce major events that shareholders should know about. Depending on timing, these breaches may instead be reported in typical quarterly or annual securities filings.

For breaches that affect covered defence information, reports must be sent to the DOD (via: within 72 hours of discovery of any cyber incident and must include specific, detailed data about the nature of the intrusion and any government projects possibly implicated. For breaches related to unsecured protected health information that affect 500 or more individuals, HIPAA-covered organisations are required to notify the Secretary of HHS without unreasonable delay and in any case no later than 60 days after a breach. For breaches that affect fewer than 500 individuals, the Secretary may be notified of such breaches on an annual basis.

Financial institutions subject to the NYDFS cybersecurity requirements must report cyber incidents to the NYDFS within 72 hours of determining that the incident either (i) requires notice to be provided to any government body, self-regulatory agency or any other supervisory body or (ii) has a reasonable likelihood of materially harming any material part of the entity’s normal operations.

Companies may also report breaches to law enforcement agencies, an action that the Federal Trade Commission has stated will be regarded favourably when considering whether to bring an enforcement action against a company.


Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Most states require organisations to report security breaches involving personally identifiable information to the individuals whose information was affected. Each state has its own rules, but typical requirements include that the notification be made in writing in the most expedient time possible. At the federal level, HIPAA and the GLBA require covered entities to report breaches of sensitive health or financial information respectively. Many state data breach laws include an exception for entities complying with these federal obligations.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

30 November 2020.