Security and privacy incidents have become commonplace. Today, businesses can be juggling up to hundreds of minor incidents, such as misdirected emails or stolen laptops, at any given moment. Nearly half (47%) of organizations have also experienced a major data breach in the last year. As geopolitical threats continue to rise, the Cybersecurity and Infrastructure Security Agency (CISA) has advised private and public organizations alike to keep their “Shields Up” for the foreseeable future.
These relentless breaches have created a global tidal wave of security and privacy regulation, including in Texas. Currently, there are more than 180 data privacy laws in over 120 countries, with more on the way. This problem is compounded by growing customer pressure on companies to shore up their data security and privacy programs, which often leads to a complex web of contract addenda and additional security and reporting requirements.
Regulation and legal obligations make incidents more costly. In fact, when a security or privacy incident occurs, more than 70% of the costs are attributed to legal and compliance issues, compared to only 30% to security. Unfortunately, incidents are quite common, with mid-sized companies juggling an average of 3-4 incidents at a time and enterprises managing hundreds of incidents concurrently. Throwing money at the problem is cost-prohibitive.
To minimize costs and legal risk, banks should be preparing for current and impending legal requirements ahead of the inevitable occurrence of an incident. Both state and federal regulations are increasing pressure on Texas banks to raise the bar for their security and privacy programs. Unfortunately, not all of these regulations are well known or understood. Here are the key regulations that every Texas bank should be tracking.
Texas Identity Theft Enforcement and Protection Act
The Texas Identity Theft Enforcement and Protection Act was enacted on April 1, 2009, and established breach notification requirements that were later updated in June 2019 with further reporting specifications. This update stipulates that any person doing business in the state of Texas is required to report a breach to any affected individual within 60 days of the discovery of the breach. Furthermore, if the breach involves 250 or more Texans, the person must also report the breach to the Attorney General within 60 days.
According to the recent update, this report must include: “(1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; (2) the number of residents of this state affected by the breach at the time of notification; (3) the measures taken by the person regarding the breach; (4) any measures the person intends to take regarding the breach after the notification under this subsection; and (5) information regarding whether law enforcement is engaged in investigating the breach.”
To comply with the incident reporting window and requirements, banks should ensure that they have an incident reporting system in place that can quickly identify what actions need to be taken, capture all completed tasks for the record and generate a tailored report for each incident.
Computer-Security Incident Notification Requirements
The 60-day notification requirement increases the reporting pressure on banks, but pales in comparison to the much more stringent notification requirement in the federal banking regulation, the Computer-Security Incident Notification Requirements. This guidance requires banking organizations to notify regulators of an incident in as little as 36 hours — the shortest timeline of global incident response laws. These requirements apply to all banking organizations and bank service providers regulated by the Treasury’s OCC, the Federal Reserve Board and FDIC.
As of May 1, 2022, regulators expect all of these organizations to be in compliance. The exact definition of a notifiable incident differs for banking organizations and bank service providers.
For banking organizations, this generally includes events that materially disrupt or degrade certain operations, such as ransomware attacks, distributed denial of service attacks or failed system changes.
For bank service providers, notifiable incidents are those that materially disrupt or degrade covered services for four or more hours, such as a watering hole attack, data exfiltration or drive-by download attack. While the notification threshold for this regulation is higher than for other global incident notification requirements, the window for notifying is the shortest worldwide.
Looking ahead to 2023
Looking ahead to the next legislative session in January 2023, Texas banks should keep an eye out for additional security and privacy legislation. Recently, Lt. Gov. Dan Patrick set the legislative agenda for the Texas Senate and called out cybersecurity and privacy as top priorities. He put focus on “recommendations for legislation to improve resilience and protection against cybersecurity attacks and ensure the privacy protection of the citizens of Texas.”
Other states have leaned into security and privacy legislation, especially for the financial sector. For example, New York’s 23 NYCRR 500 requires financial institutions to report qualified cybersecurity events to the state’s department of financial services within 72 hours. Virginia and Colorado have recently passed privacy laws that broadly apply to any company with data from residents of their states, regardless of company size or revenue. They specify types of personal data covered, a series of privacy rights for their residents and “reasonable security practices.” These privacy laws are gaining traction and are being held up as models for enactment by other states.
While Texas has steered clear of stringent security and privacy legislation in the past, the shifting global privacy landscape is elevating the importance of privacy on the agenda. The Biden administration’s increased attention on security and privacy is leading to a rise in federal reporting requirements. These include the United States Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require a 72-hour incident notification rule for critical infrastructure sectors (to be further defined but likely to include financial services), and an SEC proposal to require every publicly traded company to report a security or privacy incident within four days.
To mitigate legal risk and ensure business continuity, banks should be proactive in preparing for security and privacy incidents, as well as the accompanying legislation. Banks can start by investing in technology that keeps track of the dynamic regulatory and compliance landscape so internal teams are not overwhelmed by it. Banks should also take the time now to break all regulatory and contractual requirements down into discrete action plans that can be implemented if and when an incident occurs. Running incident simulations and tabletop exercises can ensure that an organization is ready to respond quickly when necessary.
Banks must assume that incidents and breaches will remain part of the status quo. Bolstering cyber defenses is critical; however, preparing for the privacy and legal response to an incident will be key to generating greater cost savings, minimizing legal risk and reducing customer churn in the long run.