How Regulations Requiring Cyber Incident Notifications Affect Your Business

What are the Regulations for Cyber Incident Reporting?

There are many regulations out there; however, we will cover some of the more “well-known” ones that might affect your business—depending on your industry and compliance requirements.

Federal Regulations 

Federally Regulated Banking Institutions 

Effective 4/1/2022 | Compliance by 5/1/2022
Notification Timeline: Within 36 hours of notification incident 

Federally regulated banking organizations must notify their primary federal regulator of any “computer-security incident” that is determined a “notification incident” within 36 hours after the organization defines that an incident has occurred. In addition, federally regulated bank service providers must notify each affected bank institution of such an incident “as soon as possible” an incident.

Freight Railroads, Passenger Rail, Rail Transit System

Effective 12/1/2021 
Notification Timeline: Within 24 hours of cyber security incident 

Freight Railroads, Passenger Rail, and Rail Transit Systems must report a “cybersecurity incident” to the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying a covered incident. Included with these higher-risk freight railroads, passenger rail, and rail transit, TSA is also releasing guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. 

Health Apps and Connected Devices that Collect or Use Consumers' Health Information 

Effective 09/15/2021 
Notification Timeline: Within 60 days of discovering the incident 

This Health Breach Notification Rule helps ensure that entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) will still face accountability when consumers’ sensitive health information is compromised. Health Apps and Connected Devices that Collect or Use Consumers' Health Information must notify affected consumers when their health data is breached and inform the Federal Trade Commission (FTC) within 60 days of discovering the incident. 

Designated Critical Pipeline Owners & Operators

Effective 05/28/2021 
Notification Timeline: Within 12 hours of incident identification

Organizations affected are specifically owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical. These organizations must report a cybersecurity incident to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of incident identification.
Check out the National Law Review for additional information on Federal Regulations.

Owners & Operators of Critical Infrastructure - Cyber Incident Reporting for Critical Infrastructure Act  (from the Consolidated Appropriations Act of 2022)

Effective 03/2022
Notification Timelines: Incidents 72 hours | Ransomware payments 24 hours

Owners and operators of critical infrastructure must report cyber incidents to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. Read the Consolidated Appropriations Act, 2022

State Regulations

Colorado Entities 

Effective 01/05/2022
Notification Timelines: Incidents 72 hours | Ransomware payments 24 hours

Colorado law requires covered entities that experience a data breach to notify affected Coloradans and provide notice to the Office of the Attorney General if the breach affects 500 or more Coloradans.

GDPR Regulations for Personal Data

All Organizations Adhering to GDPR

Notification Timeline: Personal Data Breach Incident 72 hours 

To be in compliance with GDPR, controllers in an organization must notify the personal data breach to the supervisory authority competent following Article 55 unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, the organization must explain the delay.

What To Do if You are Not in Compliance with Notification Requirements

If these regulations on incident notifications have you thinking your business is not prepared to meet compliance standards, or if you believe that your organization missed a compliance notification requirement for a covered incident, you should contact your legal team for advice immediately. Need to improve your security posture overall? Use the button below to start a Security Assessment!

Start a Security Assessment Today!