Cyber Capsule - May 2022

Troutman Pepper
Hello and welcome to the inaugural edition of Troutman Pepper's Cyber Capsule. The Cyber Capsule gathers noteworthy news from the prior month and groups it here. You might be asking yourself, "Why am I receiving this?" Well, first, you are likely a friend of mine and/or Sadia's in the cyber space, or we poached your email from someone we may mutually know. Second, as we grow Troutman's IR practice, we hope to provide our trusted partners, you, with valuable resources and information. As always, our goal is to make your lives easier.

For our first edition, we have recapped last month's noteworthy developments, including updates to reporting rules and cybercrime sharing. Maybe we've completely missed the mark and this is of no value to you whatsoever (seems unlikely – but maybe). If that's the case, we want to hear from you. We'd appreciate your comments and suggestions – what is working, what is not, so we can curate content that best suits your needs.

TIMING IS EVERYTHING

Proposed and Enacted Reporting Rules

  1. Rule Requiring Reporting of Significant Cyber Incidents within 36 Hours Takes Effect. Full compliance with the rule issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation, which requires the banking organizations they supervise to notify their primary federal regulator of "significant" computer-security incidents within 36 hours of discovery, began on May 1, 2022.

  2. USTelecom to SEC: Four Days is Unfair. On May 10, USTelecom asked the SEC to modify the recently proposed rule requiring publicly traded companies to disclose material cybersecurity incidents within four business days. USTelecom noted that after four business days providers may have only limited information to disclose publicly, and reporting limited information may give rise to speculation as to the cause and scope of the data security incident. USTelecom also noted that requiring such companies to disclose their defense strategies could provide threat actors with a playbook. Finally, USTelecom urged the SEC to work with other agencies to harmonize cyber reporting rules, so companies do not have to navigate and comply with disparate reporting deadlines.

  3. California Agencies May Be Forced to Post a Security Breach Notification Online for 30 days. On May 4, 2022, the California state Assembly's Appropriations Committee approved AB 1711, a bill that would require an agency to post a notice on the agency's website for at least 30 days when a person or business operating a system on behalf of an agency experiences a breach.

  4. Social Media Websites Subject to a 7-Day Breach Notification Requirement in New Jersey? On May 19, 2022, the New Jersey state Assembly proposed A 4050. If enacted, it would provide a private cause of action for social media users whose online accounts are hacked. It would also require social media websites to determine the scope of the breach of a user account within 24 hours of the discovery of the breach and provide notice of the breach to users within seven days of discovery of the breach.

SHARING IS CARING

Swapping Cyber Intel

  1. Will the Better Cybercrime Metrics Act Lead to Better Reporting? On May 5, 2022, President Biden signed the Better Cybercrime Metrics Act. The Act requires the Attorney General to enter into an agreement with the National Academy of Sciences to develop a taxonomy that categorizes the different types of cybercrime and cyber-enabled crime. The Attorney General and the National Academy of Sciences have one year to report the detailed taxonomy to Congress. The Act also calls for the Attorney General to establish, within two years, a category in the National Incident-Based Reporting System for the collection of cybercrime and cyber-enabled crime reports from federal, state, and local officials.

CONSIDER THIS – IT'S A POTPOURRI

  1. Agencies Advise on Blocking Cyber Attacks. On May 17, 2022, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation, together with allied nations' cyber authorities, published a joint advisory, "Weak Security Controls and Practices Routinely Exploited for Initial Access," addressing the common weaknesses threat actors exploit to obtain access. The advisory discusses commonly exploited failures, including failure to enforce multifactor authentication, incorrectly applied privileges or permissions, Remote Desktop Protocol (RDP) exposed to the internet, and out-of-date software.

  2. California Senate Bill Could Create Confusion. California Senate Bill SB 1059, which introduces new data broker registration requirements, is pending in two California Senate committees. The new requirements would, in part, mandate that data brokers report to the California Privacy Protection Agency whether they have experienced a data breach. Importantly, the bill's definition of data breach is broader than that in California's data breach notification statute, and includes the unauthorized acquisition of personal information, as that term is broadly defined by the California Consumer Privacy Act. On May 19, the Senate Appropriations Committee held a hearing on SB 1059, and the bill is currently under submission, which means it is subject to further discussion but there has been no motion to advance it out of committee.

  3. Forgot Password? May Take on a Different Meaning. The FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C) have been working with tech companies over the past decade to develop a new login standard that works the same way across multiple browsers and operating systems without a password. Passwords are often forgotten, stolen, and recycled. So, instead of a password, a mobile device will store a passkey, a cryptographic key pair whose private half never leaves the device, and will authenticate the user by signing a one-time challenge from the website, which holds only the matching public key. A passkey is bound to the site it was created for, so it cannot be phished by a look-alike site or reused against another service the way a password can.

  4. LockBit Rebrands Itself. LockBit has rebranded yet again: its third iteration is now "LockBit BLACK" (also referred to as LockBit 3.0), and the LockBit BLACK executable is now named LBB[.]exe. Separately, on May 20, 2022, the Conti ransomware group took its internal infrastructure offline. Researchers predict that Conti members will form smaller groups in the near future.

FORGET ME NOT

Pertinent Events From Prior Months

  1. Arizona to Require Notice of a Breach to Department of Homeland Security in Certain Instances. On March 29, 2022, Arizona Gov. Doug Ducey signed into law HB 2164, which requires entities notifying more than 1,000 individuals of a breach to also submit notice to the director of the Arizona Department of Homeland Security. This new requirement will take effect on or around July 23, 2022.

  2. Maryland Modifies Data Breach Notification Law. The Maryland Senate and House passed SB 0643, a bill modifying the breach notification rules in the Maryland Personal Information Protection Act. SB 0643 specifies the contents of the notice that businesses must provide to the Maryland Attorney General before notifying consumers. The notice must now include: (i) the number of affected Maryland residents; (ii) a description of the incident, including when and how it occurred; (iii) remediations made or planned; and (iv) a sample of the notice to be sent to affected individuals. The current statute imposes no specific content requirements for the notice to the Maryland Attorney General.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
