Reporting Cyber Incidents: Emerging Business Requirements

by John DiGiacomo, Partner, Internet Law

With respect to cybercrimes and protecting the security of business and government computer and internet systems, there is a clear and increasingly sustained push to require the reporting of “cyber-incidents” that affect the functionality of business which, in turn, might impact whole industries. This is not too surprising given recent hacks and ransomware attacks that have shut down pipelines and payroll systems like Kronos. See media report here. This is a new sort of reporting that is qualitatively different — and based on different public policy concerns — than the more-traditional concern for the protection and privacy of consumer personal data.

National and community banks are already subject to new rules published by financial regulators requiring cyber-incident reporting. See here. As described in the government bulletin, a cyber-incident requiring notification would include:

“… a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

In a major acceleration of this trend, the United States Senate recently passed its version of the Strengthening American Cybersecurity Act of 2022 (“SACA”). See media report here. The House is expected to take up the legislation and prospects for passage are favorable. As described in the article, the key features of the SACA (which incorporates separate legislation called the Cyber Incident Reporting Act) would require notification to the US Department of Homeland Security of cyber-incidents that

  • Might result in a substantial loss of confidentiality, integrity or availability of data contained or protected on an information system or
  • Might result in a serious impact on the safety and resiliency of operational systems and processes or
  • Might cause a disruption of business or industrial operations

Under the proposed legislation, reporting of cyber incidents would be required of businesses in “critical infrastructure” sectors of the economy, such as firms in the banking and energy sectors. “Covered” incidents would have to be reported within fairly short time frames (between 36 and 48 hours in some circumstances).

Given recent major events, it is not surprising that ransomware cyberattacks receive substantial and detailed attention under the new legislation. Subject to additional rulemaking, the SACA would require reporting of at least the following information following a ransomware attack:

  • Description of incident
  • Timing including a range of dates of the attack (where applicable)
  • Vulnerabilities exploited
  • Defenses and response
  • All available identifying information on the attacker(s) and/or those who are reasonably believed to be responsible for the incident
  • Details of the demands made including amount, type of currency demanded, instructions and other details
  • Response including whether payment refused, made and, if so, how much and how made
  • And more

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

The SEC’s Cybersecurity Disclosure Rules: Public Company Obligations

For public companies, the Securities and Exchange Commission issued final cybersecurity disclosure rules in July 2023 (effective December 2023) that impose two distinct disclosure obligations. First, companies must report material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material—a standard focused on whether a reasonable investor would consider the incident important to an investment decision. Second, companies must provide annual disclosure in Form 10-K regarding their cybersecurity risk management programs, governance practices, and the expertise of board members overseeing cybersecurity risks.

The SEC’s materiality standard for cybersecurity incidents integrates traditional securities law materiality principles into the cybersecurity context. An incident is material if there is a substantial likelihood that a reasonable investor would consider it important. Factors relevant to materiality include: the scope of the incident and data exposed; the operational impact on the company’s business; the anticipated financial costs of remediation and litigation; and any regulatory or legal exposure created by the incident. Companies should have documented processes for making materiality determinations promptly and consistently.

State-Level Cyber Incident Reporting for Critical Sectors

Several states have enacted their own cyber incident reporting requirements that apply to businesses operating critical infrastructure within their borders. New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) requires covered financial institutions to report cybersecurity events to the DFS within 72 hours of determining that a cybersecurity event has occurred. The regulation was significantly expanded in 2023 to require prompt notification of extortion payments and to impose more detailed requirements on large, ‘Class A’ covered entities.

California has similarly expanded its cybersecurity and data breach notification requirements through the California Consumer Privacy Act (CCPA) and its amendment through Proposition 24 (CPRA). The CPRA established the California Privacy Protection Agency with enforcement authority and created a private right of action for security breaches involving certain categories of sensitive personal information. Businesses subject to CPRA must implement and maintain reasonable security procedures and practices, and failure to do so exposes them to both regulatory enforcement and private litigation.

The Role of Cyber Insurance in Incident Response and Reporting

Cyber insurance has become an essential component of a business’s cybersecurity program, but the intersection of insurance obligations and legal reporting requirements is complex. Most cyber insurance policies require prompt notification to the insurer of a covered cybersecurity event—often within 24 to 72 hours of discovery, and sometimes within an even shorter timeframe. Failure to provide timely notice to the insurer may result in denial of coverage, even for otherwise-covered losses.

Critically, the scope of a business’s legal reporting obligations under CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act), state breach notification laws, and sector-specific regulations may differ significantly from what constitutes a ‘covered event’ under the cyber insurance policy. A business that reports to CISA (the Cybersecurity and Infrastructure Security Agency) because it has experienced a substantial cyber incident may not have experienced a covered ‘data breach’ under its insurance policy if personal information was not accessed. Conversely, a minor data breach involving personal information may not trigger CIRCIA reporting but may trigger insurance notification obligations.

International Cyber Incident Reporting: GDPR and Global Obligations

For businesses with operations or customers in the European Union, the General Data Protection Regulation (GDPR) imposes a 72-hour breach notification requirement to the applicable supervisory authority whenever a personal data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons. Article 33 of the GDPR requires notification to supervisory authorities within 72 hours of becoming aware of the breach, and Article 34 requires direct notification to affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

The GDPR’s 72-hour notification timeline runs from when the controller becomes aware of the breach—not from when the breach is fully investigated or when all affected individuals are identified. This creates practical pressure to make an initial report to regulators quickly, followed by supplemental information as the investigation progresses. Fines for failure to notify under the GDPR can reach €10 million or 2% of global annual turnover, whichever is greater.

Building Your Cyber Incident Reporting Program

A comprehensive cyber incident reporting program integrates legal, technical, and operational functions. Key components include:

  • A documented incident classification framework identifying when events trigger reporting obligations under various legal regimes
  • Pre-drafted notification templates for regulators, customers, and the public
  • Pre-arranged relationships with external counsel and forensic investigators
  • A clear decision-making hierarchy for materiality determinations and reporting timelines
  • Regular tabletop exercises simulating incident response scenarios

The internet law and cybersecurity attorneys at Revision Legal can help your business design a cyber incident reporting program, assess obligations under applicable federal and state regulations, and respond effectively when an incident occurs. Contact us today.
