The federal banking agencies are poised to propose new rules that could spell out banks’ obligations to notify their regulators promptly about a data breach.
The rulemaking, which has not been previously reported, would represent the first update in 15 years of banks’ responsibilities to report a cyber intrusion to the government. Officials from the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency have been involved in the talks in recent months, according to sources.
The FDIC is poised to take the first public action on the issue with the agency’s board scheduled to vote Tuesday on a proposed rulemaking dealing with “computer-security incident notification.” An FDIC spokesman declined on Monday to comment further.
Banks have long been subject to a smorgasbord of breach-notification laws in various states, which contain rules for alerting both state agencies and customers that have been affected by breaches.
At the federal level, banks are subject to interagency guidance that was last revised in 2005, two years before the launch of the first iPhone. That guidance states that financial institutions should establish incident response programs, which can be tailored to the size and complexity of their operations. It is seen as less up-to-date than many state laws that have been modernized as cyber threats have evolved.
The 2005 guidance lacks specificity in some areas. For example, it states that banks should notify their primary regulator “as soon as possible” about incidents involving unauthorized access to sensitive customer information, establishing an ambiguous time frame that can be subject to interpretation.
It is unclear exactly what will be in the proposal voted on by the FDIC board. In their recent discussions, the U.S. bank regulators have discussed a requirement that banks notify their primary federal overseer within one to three days of a cyber breach, according to one source.
Under the European Union’s General Data Protection Regulation, which took effect in 2018, companies are generally required to notify their regulators of personal data breaches within 72 hours.
The U.S. guidance from 2005 lacks the formal authority that a rule would carry, though Nathan Taylor, a lawyer at Morrison Foerster who represents companies that have suffered data breaches, said that banks may treat the existing guidance as mandatory. “My advice to clients consistently has been to always notify the regulators first,” he said.
Taylor said that under the current guidance, regulators expect banks to alert them promptly about severe incidents, but they may allow for aggregated notification regarding less severe breaches, particularly given that large banks are targets of frequent attacks.
The impact of any proposed new rules on the U.S. banking industry will depend on their scope, according to Taylor. “This could be dramatic or mundane, and everything in between,” he said.
Spokespeople for the Fed and the OCC declined to comment on the interagency discussions.
Cyber intrusions have been a recent focus of U.S. bank regulators, with FDIC Chair Jelena McWilliams last year calling the issue
"We now live in a world of ever-increasing cybersecurity risks, which can produce consequences that spread by the minute or the second, rather than by the hour or the day," McWilliams said in a 2019 speech.
Members of Congress have been discussing federal data breach notification standards for years, but they have failed to pass legislation, even after the 2017 Equifax data breach that compromised the personal information of roughly 148 million Americans. Rep. Blaine Luetkemeyer, R-Mo., introduced a bill in 2018 that would require financial institutions to notify customers in the event of a breach involving their personal information.
But consumer advocates have criticized most of the federal data breach notification standard proposals because they would preempt tougher state regulations.
In August, the OCC reached
While much of Capital One’s most sensitive data was protected as a result of tokenization, roughly 140,000 Social Security numbers were exposed, as were 80,000 bank account numbers. More than 100 million individuals in the U.S. and Canada were affected in some way.
Capital One has said that the company was alerted to a configuration vulnerability on July 17, 2019, and that it determined two days later that an outside individual had gotten unauthorized access.
A Capital One spokesperson said in an email Monday that the McLean, Va., company notified its regulators “promptly,” and provided regular updates, though neither Capital One nor the OCC have specified exactly when the notification occurred.