Tag Archive for: requirements

Computer-Security Incident Rule Creates New Notification Requirements for Banking Organizations and Bank Service Providers | Steptoe & Johnson PLLC


On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule (the “Computer-Security Incident Rule” or the “Final Rule”) establishing computer-security notification requirements for banking organizations and their bank service providers. The Final Rule, which has an effective date of April 22, 2022, and mandatory compliance date of May 1, 2022, contains two major components.
First, a “banking organization” must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization determines the notification incident has occurred. Second, a “bank service provider” must notify each affected banking organization customer as soon as possible of a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The purpose of the Computer-Security Incident Rule’s notification requirements is to provide earlier awareness of emerging threats to banking organizations and the broader financial system.
The Final Rule defines a “computer-security incident” as an occurrence that, “(i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
A “computer-security incident” that would rise to the level of a “notification incident” triggering the Final Rule’s notification requirements includes, but is not limited to:

  • A ransomware or malware attack that encrypts a core banking system or backup data;
  • A large scale distributed denial of service attack that disrupts customer account access for an extended period of time;
  • A failed system upgrade or change that results in widespread user outages for customers and banking organization…

Source…

Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity “Safe Harbor” – Technology




On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.

“An Act Concerning Data Privacy Breaches” Amends Connecticut’s Existing Data Breach Law

The amended data breach law includes three key changes:

  • The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach;

  • If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals, and follow up with direct notice as soon as possible; and

  • The law significantly expands the definition of “personal information” that may trigger notification obligations to include an IRS identity protection personal identification number, certain medical information, biometric information, a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual’s name is accessed in combination with it), and a number of other data elements commonly included in other states’ data breach notice laws.

“An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” Establishes a Cybersecurity “Safe Harbor” Statute

The new law will establish…

Source…

Federal Banking Agencies Propose Computer-Security Incident Notification Requirements | Weiner Brodsky Kider PC


The FDIC, Board of Governors of the Federal Reserve System, and OCC (the Agencies) recently issued a joint notice of proposed rulemaking that would require a banking organization to notify its primary federal regulator of any computer-security incident that the banking organization believes in good faith rises to the level of a notification incident.  Comments must be received by April 12, 2021.

The proposal would require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred.  The proposal explains that a computer-security incident includes occurrences that: (i) result in actual or potential harm to the confidentiality, integrity, or availability of an information system; or (ii) violate or immediately threaten to violate security policies, procedures, or acceptable use policies.  The proposal explains that a notification incident includes a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair various banking operations.

Additionally, the proposal would require a bank service provider that provides services described in the Bank Service Company Act to notify at least two individuals at affected banking organization customers immediately after a computer-security incident that it believes in good faith could disrupt, degrade, or impair services for four or more hours.  The Agencies explain that a bank service provider is not expected to determine if the computer-security incident rises to the level of a notification incident because it may not know if the service is critical to the banking organization’s operations.

The Agencies explain that the notification requirement is intended to serve as an early alert to the banking organization’s primary federal regulator.  No specific information is required in the notice, and it can be provided through any form of written or oral communication.

Source…

Zoom improves password requirements and introduces longer meeting IDs in latest update – Android Central
