[1] For example, federally regulated banking organizations must notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours after the banking organization determines that an incident has occurred. In addition, federally regulated bank service providers must notify each affected banking organization of such an incident “as soon as possible” after determining that they have experienced one. See the Office of the Comptroller of the Currency (OCC), Treasury, the Board of Governors of the Federal Reserve System (Board) and the Federal Deposit Insurance Corporation (FDIC), Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, available at https://www.ots.treas.gov/news-issuances/news-releases/2021/2021-119a.pdf. Covered freight railroads, passenger rail and rail transit systems must report a “cybersecurity incident” to the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying a covered incident. See https://www.tsa.gov/news/press/releases/2021/12/02/dhs-announces-new-cybersecurity-requirements-surface-transportation.
[2] Securities and Exchange Commission Statement and Guidance on Public Company Cybersecurity Disclosures, available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
[3] OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sep. 21, 2021), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf; OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020), available at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.
[4] AZ HB 2145; NY SB 6806; PA SB 726; TX HB 3892.
[5] HR 5936; S 2943, HR 5501.
[6] Available at https://www.flsenate.gov/Session/Bill/2022/7055/BillText/er/PDF.
[7] “Ransomware incident” is defined as “a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.” Fla. Stat. § 282.0041(21).
[8] Fla. Stat. § 282.3186.
[9] High, severe and emergency-level “cybersecurity incidents” must be reported within 48 hours. Id. at §§ 282.318(3)(c)(9)(c)(I), 282.3185(5)(b)(1).
[10] The notice must include at a minimum: (1) a summary of the facts surrounding the incident; (2) the date on which the local government most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing; (3) the types of data compromised by the incident; (4) the estimated fiscal impact of the incident; (5) in the case of a ransomware incident, the details of the ransom demanded; and (6) a statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government. Fla. Stat. § 282.3185(5)(a).
[11] A “high-level” incident is one “that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.” Fla. Stat. § 282.318(3)(c)(9)(a)(III). A “severe-level” incident is one “that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.” Id. at § 282.318(3)(c)(9)(a)(II). An “emergency-level” incident is one “that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents.” Id. at § 282.318(3)(c)(9)(a)(I).
[12] Id. at §§ 282.318(3)(c)(9)(c)(II), 282.3185(5)(b)(2).
[13] Id. at §§ 282.318(3)(c)(14), 282.3185(6).
[14] Id. at § 282.3185(4).
[15] Id. at §§ 282.318(3)(c)(14), 282.3185(6).
[16] N.C.G.S. § 143-800(a), (b).