October 31, 2023 at 12:22PM
New US law enforcement regulations allow for the delay of public disclosure of security breaches if a written request for an extension is granted. The amendment applies to breaches involving the theft of unencrypted data belonging to at least 500 consumers. The FTC estimates that the amendment will affect approximately 5% more incidents and 155 additional organizations. Different states have varying data breach reporting rules based on the number of affected residents. The new amendment will come into effect in 2024, 180 days after being published in the Federal Register. The SEC has also announced its own breach reporting rules with a four-day window. The DHS has proposed streamlining security incident reporting at the federal level with a single reporting portal.
Key Points from the meeting notes:
1. US law enforcement may request a delay in the public disclosure of an incident. The relevant agency needs to provide a written request for an extension, which can be granted for an additional 60 days beyond the initial 30-day window.
2. The amendment will only apply to security breaches involving the theft of unencrypted data from at least 500 consumers. The original proposal aimed for 1,000 affected consumers, but this was reduced to 500.
3. The FTC estimates that the amendment will result in the reporting of approximately 5 percent more incidents per year, affecting around 155 extra organizations.
4. The 500-consumer cutoff aligns with state laws in the US. In California, for example, similar disclosures are required if 500 state residents are affected, while in Alabama, the cutoff is set at 1,000 individuals.
5. Colorado has different rules, where notices must be sent to the Attorney General for breaches impacting 500-999 residents, and all consumer reporting agencies must be notified for breaches impacting 1,000 or more individuals. Regardless of size, any data breach must be reported to affected individuals within 30 days.
6. The amendment will become effective 180 days after its publication in the Federal Register, most likely in 2024.
7. The SEC has also introduced mandatory breach reporting rules with a stricter four-day window for public companies that experience “material” data breaches.
8. The Department of Homeland Security has proposed streamlining security incident reporting at the federal level, including the recommendation for a single reporting portal.