U.S. Government Doubles-Down on Cybersecurity Enforcement (Prison?)
In the week prior to Thanksgiving, the U.S. Government announced two new regulations/policies regarding consumer protection and cybersecurity, which are seemingly unrelated. However, make no mistake, these announcements are not just requiring more self-reporting for cybersecurity failures, but are the first step towards transforming civil violations into prison sentences.
The Office of the Comptroller of the Currency (OCC) for the Department of Treasury, the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) announced the issuance of a new rule, now found in 12 C.F.R. § 53, which will become effective on April 1, 2022, with compliance enforced 12 months later. This new rule requires a “banking organization” to alert its “primary federal regulator” within 36 hours of a cybersecurity incident that requires consumer notification (referred to as a “notification incident”).
The intent is to promote early awareness of emerging threats to banking organizations and the broader financial system, thereby preventing indicators of compromise from becoming systemic. Previously an action left to information sharing and analysis centers and organizations, the U.S. Government took that voluntary information sharing model and made it compulsory for the following types of entities: national banks, federal savings associations, and federal branches and agencies of foreign banks, as well as all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. Only financial market utilities designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs) are excluded from compliance.
One day before the OCC, FDIC, and the Federal Reserve Board announced the new rule, the Federal Trade Commission (FTC) (second-favorite federal agency) expanded its federal criminal referral program. In its November 18, 2021 policy statement, the FTC makes clear that it will be collaborating with other federal and state criminal law enforcement agencies to enforce previously ignored civil regulations that demand stronger cyber-hygiene from regulated entities.
In the name of consumer protection, the FTC will now publicly report (similar to the HIPAA “Wall of Shame”) its referral of criminal behavior to promote open-source knowledge of its efforts and mission. Boasting its previous collaborations with entities like the Los Angeles District Attorney’s Office and the Department of Justice, both of which resulted in prison sentences for violations of consumer regulations, the FTC wants to expand the use of its investigative cyber tools to provide law enforcement “access to millions of reports from consumers regarding potential violations of law.”
It’s funny, a few years ago, comments such as “there’s no market for this [cybersecurity]” and “I think this is just a fancy trend” were lodged by otherwise intelligent professionals about the future market and importance of cybersecurity. Now, ads for CrowdStrike®, McAfee®, and various VPNs are on international race cars and the biggest consumer in the world, the U.S. Government, continues to advertise its agenda to fight cybercrime through every mechanism available – policy, legislation, penalties, third-party products, and talent-farming.
The grace period to seriously consider and reassess current electronic infrastructure and regulatory compliance is over. Get an experienced attorney to sit down with the chief information officer (or similar individual) to ensure compliance, safety, and liability mitigation.