
Summer cyber & privacy round-up 

9/9/24


By: Nicholas Jajko

2024 has been another busy year for data privacy regulation, bringing the passage of privacy laws in seven new states (New Jersey, Kentucky, Maryland, Nebraska, New Hampshire, and Rhode Island). Other developments are also worth spotlighting for current and prospective Freeman Mathis & Gary, LLP (“FMG”) clients: 

  • FTC Amendment to Safeguards Rule Went into Effect Requiring Data Breach Reporting 

In October 2023, the Federal Trade Commission approved changes to the Safeguards Rule that require reporting of data breach events affecting at least 500 consumers to the FTC no later than thirty (30) days after discovery. That requirement went into effect on May 13, 2024, and applies to non-banking financial institutions subject to the Gramm-Leach-Bliley Act. Following a 2021 update, the Safeguards Rule applies to regulated non-banking financial institutions including mortgage brokers, automobile dealerships that provide financing, tax preparers, collections agencies, and payday lenders, among others. The notice shall be made electronically through a web form on the FTC’s website. The notice must include certain details about the incident, including a description of the event, the types of customer information involved, and the number of consumers affected or potentially affected. An event is considered “discovered” on the first day on which the event is known to the financial institution.

It is worth noting that the FTC’s rule only addresses reporting to the FTC and not individual notification. Therefore, non-banking financial institutions must still refer to the applicable state data breach notification laws to confirm individual notification requirements in addition to potentially applicable state regulator reporting requirements and deadlines.  

FMG’s Data Security, Privacy & Technology practice group attorneys are available to assist insureds in reporting a breach event or in incorporating the reporting requirement into their written comprehensive information security programs.

  • SEC Reporting Requirements for Broker-Dealers, Investment Companies, Registered Investment Advisers, and Transfer Agents 

In 2023, the Securities and Exchange Commission (SEC) adopted rules requiring disclosure of material cybersecurity incidents for publicly traded entities (which itself has been the subject of further discussion). Now, in 2024, the Commission has turned its attention to updates to Regulation S-P, which covers the broker-dealers, investment companies, registered investment advisers, and transfer agents that are also regulated by the SEC. Prior to the update, Regulation S-P did not specifically require breach notification or regulatory reporting to the SEC for these regulated financial institutions. However, beginning in February 2026 for entities with net assets of $1B or more, and August 2026 for those smaller entities with less than $1B in net assets, notification to individuals of a breach event resulting in “access to or use of sensitive customer information without authorization” will be required unless the accessed or used information has not been, and is not reasonably likely to be, used in a manner resulting in substantial harm or inconvenience.

Notice must be provided to individuals as soon as reasonably practicable but not later than thirty days after the financial institution becomes aware of the access to or use of customer information likely to result in substantial harm or inconvenience. No mandatory reporting to the Commission will be required.  

FMG clients in the investment advising and financial planning sector should be aware of the new SEC requirements coming in 2026. 

  • OCR Announced 3rd Settlement Agreement with Ransomware Victim Regulated Entity 

2024 was predicted to be the year of enforcement in the Data Security and Privacy sectors of the legal world and, true to form, the Office for Civil Rights announced its third Resolution Agreement and Corrective Action Plan with a ransomware victim since it began enforcing the Privacy and Security Rules; all three have come in the last ten months. The most recent agreement, between OCR and a regional health system operating in Pennsylvania, Eastern Ohio, and West Virginia, purportedly arose from a 2017 “NotPetya” ransomware attack on its systems. According to the Resolution Agreement, OCR initiated its compliance review following media reports that the covered entity experienced a data security incident. Media coverage surrounding the incident also separately suggested the incident occurred through the health system’s connection with its business associate. Neither of the entities appears to be listed on OCR’s breach reporting portal. Interestingly, while the civil penalty Resolution Amount of $950,000 was published publicly, the number of individuals impacted was not. This is in contrast to OCR’s first ransomware settlement agreement, published in 2023 for the amount of $100,000 in an incident affecting 207,000 individuals, and its second settlement agreement, published in February 2024 in the amount of $40,000 and affecting “over 14,000 patients.”

FMG attorneys continue to monitor OCR’s publication of Resolution Agreements for trends in advising its covered entity and business associate clients of the risks associated with regulatory enforcement following ransomware events.     

For more information or legal assistance, contact Nicholas Jajko of FMG’s Data Security, Privacy & Technology Practice Section by email at nicholas.jajko@fmglaw.com or your local FMG attorney.