Cranking Up the Pressure: Federal Financial Regulators’ Proposed Rule on Computer-Security Incident Notification and How it Could Impact Banks, Fintech Firms, and other Bank Service Providers
From California to Europe, the final months of 2020 featured several high-profile developments in the privacy and data security fields. One development that received comparatively little attention was the release by federal financial regulators of a proposed rule that could significantly affect United States banks and the fintech firms and other service providers they work with.
The proposed rule—discussed in a Notice of Proposed Rulemaking (NPR) jointly announced by the OCC, FDIC, and Federal Reserve Board on December 18, 2020—would introduce two new requirements:
- Banks would have to notify their primary federal regulators of any “computer security incident” that rises to the level of a “notification incident” within 36 hours after the organization believes in good faith that a notification incident has occurred; and
- Bank service providers would have to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a “computer security incident” that it believes in good faith could disrupt, degrade, or impair services provided to the banking organization for four or more hours.
Besides imposing what would be the shortest notification deadlines of any US data security or breach notification law, the proposed rule would present significant practical challenges for covered organizations in their response to security incidents.
New Regulator Notification Triggers: “Computer Security Incidents” and “Notification Incidents”
Most existing data security and breach notification laws and regulations are triggered by unauthorized access to, or acquisition of, specific types of data and information. Under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, for instance, covered financial institutions are required to notify their primary federal regulator of incidents involving “unauthorized access to sensitive customer information.”
The agencies’ proposed rule, by contrast, would introduce two new regulator notification triggers: “computer security incidents” and “notification incidents.”
The proposed rule defines a “computer security incident” as an occurrence that “(i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” That wording tracks the NIST definition of an incident, and its practical consequence is that near-misses and policy violations count as incidents even where no data was actually accessed or exposed.
A “notification incident” is in turn defined as any computer security incident “that a banking organization believes in good faith could materially disrupt, degrade, or impair—
(i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
These triggers would expand significantly the universe of potentially reportable incidents for banking organizations and their bank service providers, well beyond what is reportable under most existing laws and regulations.
Notification Obligations and Deadlines – Banking Organizations
The proposed rule would require a banking organization to notify its primary federal regulator whenever it “believes in good faith that a notification incident has occurred.” The banking organization must provide that notification “as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred.”
The proposed rule does provide some flexibility for the method of notification, which may be made “through any form of written or oral communication, including through any technological means (e.g. email, telephone, text, etc.).”
Notification Obligations and Deadlines – Bank Service Providers
The proposed rule imposes an even broader and more onerous notification obligation on “bank service providers.” The rule defines that term to include “any bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act.” Under Section 3 of the Act, these services include “check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.” Federal regulators have interpreted the Act to extend to technology service providers that provide data processing, internet banking, and mobile banking services.
Under the proposed rule, bank service providers would have to notify “at least two individuals at each affected banking organization customer” of any computer security incident “that it believes in good faith could disrupt, degrade, or impair services provided subject to the Bank Service Company Act . . . for four or more hours.” Note the word “could”: the trigger is a good-faith belief about possible disruption, not a confirmed one. And bank service providers must make that notification “immediately after the bank service provider experiences” a computer security incident that meets that test, with no fixed grace period at all.
Practical Implications for Banking Organizations and Bank Service Providers
The agencies’ proposed rule, if adopted, could have several significant practical implications for banking organizations and bank service providers.
- The broad definition of “computer security incident” would require fintech firms and other bank service providers to identify, track, and potentially report to customers a broad range of incidents that are unlikely to be reportable under current law, or even under the (typically already onerous) incident response provisions in their current agreements with banking organizations. For instance, even a threatened violation of an acceptable use policy that a bank service provider believes in good faith “could” disrupt, degrade, or impair services provided to its customers for four or more hours could trigger a duty to notify customers. And that would be true whether or not the effect of the violation on the customer would be material or pose any real risk to the security of the service provider’s systems or its customers’ data.
- Banking organizations would similarly need to overhaul their incident response plans to account for the expanded notification duty and the time and resources necessary to determine whether an incident meets the vaguely defined and subjective standards for a “notification incident.” Because the 36-hour clock starts when the bank forms a good-faith belief that a notification incident has occurred, those plans should also specify who makes that determination and require that the time it is made be recorded. Those standards could prove especially challenging for banks to apply during the early stages of the response to an incident, when the scope and impact of an event are often still unknown.
- The extremely short notification deadlines would require both banks and service providers to prioritize legal analysis in the earliest hours of the response to a security incident—a time when the focus typically is and should be on containment and forensic analysis. Those deadlines may be based, at least in part, on an overly optimistic estimate of the time necessary to evaluate and prepare the required notification. In the Notice of Proposed Rulemaking, the agencies estimate that to comply with the new notification obligation, a banking organization “may incur up to three hours of staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization’s primary federal regulator.” (Cue sarcastic comments by anybody who’s ever been involved in the response to a security incident.)
- Banking organizations and their bank service providers might seek to amend existing service provider agreements. While these agreements typically already include strict notification obligations with deadlines measured in hours rather than days, the proposed rule could lead to even more difficult negotiations around the precise triggers and timing for service providers’ incident notification obligations.
Through the Notice of Proposed Rulemaking, the agencies are seeking general comments as well as comments on 16 specific topics. Comments are due 90 days from the date the NPR is published in the Federal Register.