While new comprehensive state privacy laws took most of the headlines this year, security threats and incident response remain key risk factors for privacy compliance programs and the subject of important legal developments. This post summarizes key developments with respect to state and federal breach response requirements that arose in 2022.

Industry-Agnostic State Data Breach Notification Laws

Several states adopted significant alterations to their generally applicable breach notification statutes over the course of 2022.

• Arizona: Arizona’s data breach notification statute now requires entities to notify the director of the Arizona Department of Homeland Security regarding incidents involving more than 1,000 Arizona residents, in addition to the state attorney general. That modification took effect on July 22, 2022.
• Indiana: Indiana added a 45-day breach notification deadline to its data breach notification statute. The statute previously only required notification “without unreasonable delay.” That modification took effect on July 1, 2022.
• Maryland: Maryland amended several components of its data breach notification statute, including:
  • Expanding the definition of personal information to include various forms of genetic information in combination with the individual’s first name or initial and last name.
  • Tightening several notification deadlines by requiring:
    • Notice to individuals within 45 days after the business discovers or is notified of the breach, rather than the previous deadline of 45 days from completing its investigation;
    • Businesses that maintain personal information on behalf of the information’s owner to notify the owner within 10 days of discovery or notification of the breach, rather than the previous deadline of within 45 days of discovery or notification; and
    • Notice delayed beyond the 45-day notification period pursuant to law enforcement requirements be delivered within seven days after law enforcement determines notice will not impede its investigation.
  • Adding content requirements for notifications to the attorney general, including the number of affected Maryland residents, a description of the breach “including how and when it occurred,” remediation steps the business has taken or plans to take, and a copy of the notice sent to affected individuals.
  • Altering the substitute notice provisions to require notification to major print or broadcast media in geographic areas where affected individuals likely reside. Substitute notice previously only required notice to a statewide media source.

These modifications took effect on October 1, 2022.

• Pennsylvania: Pennsylvania modified its breach notification statute in several ways, including by:
  • Expanding the definition of personal information to include the following data elements in combination with an individual’s first name or initial and last name:
    • Medical information;
    • Health insurance information; and
    • Username or email address, in combination with a password or security question and answer that would permit access to an online account.
  • Excluding publicly available information made available from widely distributed media from the definition of personal information.
  • In the case of breaches involving “personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account” allowing notification “in electronic or other form.” That notification must direct the affected individual “to promptly change the person’s password and security question or answer, as applicable or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer” to the extent the entity has sufficient contact information for the affected individual.
  • Allowing the use of “electronic notice” more broadly, by including it among the generally-accepted methods of providing notice, if the electronic notice “directs the person whose personal information has been materially compromised by a breach . . . to promptly change the person’s password and security question or answer, as applicable or to take other steps appropriate to protect the person’s online account to the extent the entity has sufficient contact information for the person.”
  • Triggering general notice requirements upon a “determination” a breach has occurred, rather than from “discovery” of a breach. “Determination” is defined as “[a] verification or reasonable certainty” that a breach occurred.
  • Adding an exemption for covered entities and business associates that are subject to and in compliance with HIPAA.

These modifications will take effect on May 2, 2023.

State Financial Services Data Security Laws

Kentucky, Maryland, and Vermont adopted laws based on the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law, which contains investigation and notification requirements for cybersecurity events applicable to licensees of state insurance regulators.  In so doing, those states joined Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee, Virginia, and Wisconsin, which have also adopted laws implementing the NAIC’s model.

Maryland’s law took effect on October 1, 2022 and repealed prior insurance breach reporting requirements adopted in 2019. Kentucky and Vermont’s laws will take effect on January 1, 2023.

Kentucky and Maryland’s laws both generally align with the NAIC model’s breach reporting requirements, although both require notification to state insurance regulators within 3 business days of determining a cybersecurity event occurred—rather than the NAIC model’s 72-hour deadline.

Vermont’s law omits most cybersecurity event notification requirements included in the NAIC model, but does include requirements for investigations of potential cybersecurity events.

Additionally, the New York Department of Financial Services (NYDFS) issued two sets of proposed amendments to its Cybersecurity Rule in 2022. The latest proposal would make several key changes with respect to cybersecurity event notification requirements, including:

• Expanding the categories of cybersecurity events that must be reported to NYDFS within 72 hours to include unauthorized access to privileged accounts, deployment of ransomware within a material part of the covered entity’s systems, and any cybersecurity event affecting a third-party service provider that also affects the covered entity.
• Creating an express duty for covered entities to update and supplement the information provided in the initial cybersecurity event report and to provide any further information requested by NYDFS within 90 days of the request.
• Introducing new requirements to notify NYDFS within 24 hours of making a ransomware payment and to provide additional information within 30 days, including a written description of why payment was necessary, available alternatives, and diligence conducted to address compliance with applicable laws and regulations related to the payment.
• Requiring annual testing of incident response and business continuity and disaster recovery plans, as well as training on those plans for all employees necessary for their implementation.

Federal Developments

2022 also saw several federal developments with significant implications for breach response

• Federal Trade Commission (FTC) Blog Post Interpreting the FTC Act to Compel Breach Disclosures

The FTC issued a blog post announcing a “de facto breach disclosure requirement” under FTC Act Section 5 in situations where failure to disclose a security breach prolongs or increases potential harm to consumers. The FTC specifically stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The post further noted that delayed notification “prevent[s] parties from taking measures to mitigate harm” and misleading statements about the response will “hinder consumers from taking critical actions to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts.” The FTC also highlighted prior enforcement actions to flag that organizations’ failure to timely notify of an incident or misrepresent the nature of the incident, responsive measures, or investigation will increase the risk of Section 5 enforcement actions.

Our previous discussion of the FTC’s blog post is available here.

• Securities and Exchange Commission (SEC) Proposed Regulation Compelling Cybersecurity-related Disclosures

The SEC proposed rule amendments to require disclosures from publicly traded companies regarding “material cybersecurity incidents” and related cybersecurity issues. The SEC’s proposal describes cybersecurity incidents as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Relevant case law sets the standard for materiality, but the proposal generally articulates that standard as whether “there is a substantial likelihood that a reasonable shareholder would consider it important.”

If adopted, the amendments would require a report via Form 8-K within four days from a determination that a cybersecurity incident is material, which must be made “as soon as reasonably practicable after discovery.” Other disclosures that would be required under the SEC’s proposal include:

• Updating previously reported cybersecurity incidents.
• Policies and procedures to identify and manage cybersecurity risks and management’s role in implementing those policies and procedures.
• The Board of Directors’ expertise, if any, in overseeing cybersecurity risk.

Our previous discussion of the SEC’s proposal is available here.

• Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and Federal Reserve Computer-Security Incident Notification Requirements

Computer-security incident notification rules promulgated by the FDIC, OCC, and Federal Reserve took effect on April 1, 2022 and had a compliance date of May 1, 2022.

The rules require a covered banking organization to report a “notification incident” to its primary federal regulator within 36 hours of determining a “notification incident” occurred, with such determination to occur within a “reasonable time.” A “notification incident” is defined as a “computer-security incident” that

Has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade a banking organization’s: (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” A “computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

Bank service providers are also required to notify covered banking organizations as soon as possible after determining a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours has occurred. There is no specific deadline for service providers imposed by the rule, though covered banking organizations will likely impose tight deadlines via contract.

Similar, but not identical, requirements were also proposed by the National Credit Union Administration for credit unions.

• Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA, which became law on March 15, 2022, will require members of critical infrastructure sectors to report certain types of events, including reports of “substantial” cyber incidents within 72 hours and ransom payments within 24 hours. CIRCIA defines a cyber incident as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or an information system.”

Several key components of CIRCIA’s requirements, including the parties it covers and what will qualify as a “substantial” incident, will be further developed through regulations. The Cybersecurity and Infrastructure Security Agency (CISA) is required to publish a notice of proposed rulemaking within 24 months of the enactment of CIRCIA, and to issue a final rule setting forth the regulatory requirements within 18 months of the publication of the notice of proposed rulemaking.

* * * *

The patchwork of US privacy, data security, and breach notification requirements continues to evolve and become more complex, especially for businesses in regulated industries. Businesses should ensure their incident response plans appropriately address the changing and, in some cases, expanded scope of breach notification requirements. For example, while state breach notification laws have generally only addressed incidents impacting personal information, several of the new requirements discussed in this post focus on impacts to electronic systems and may require plan adjustments to align to that scope.