As the crisp breeze of autumn sets in, it's time to cozy up with a pumpkin spice latte and delve into the significant changes that have unfolded in the realm of privacy and cybersecurity laws over the summer. With a lack of universally applicable regulations governing security and data breaches, both federal and state regulators are stepping up by issuing their own guidelines, leading to additional liability exposure for organizations.
On July 26, 2023, the Securities and Exchange Commission (SEC) made pivotal changes to registrants' reporting requirements in Forms 8-K and 10-K. The amendments now mandate registrants to promptly disclose material "cybersecurity incidents" and provide annual insights into their cybersecurity risk management procedures and policies.
The SEC's amendments introduce a clear definition of a "cybersecurity incident" as any unauthorized occurrence jeopardizing the confidentiality, integrity, or availability of a registrant's information systems. This broadened scope includes incidents impacting vendors, and the determination of materiality must be made "without unreasonable delay."
On March 15, 2023, the SEC proposed changes to Regulation S-P. The proposed changes aim to compel governed entities to strengthen customer information protection through mandatory breach notifications, incident response programs, a refined definition of "customer information," and the extension of requirements to "transfer agents."
In the second quarter of 2023, the Federal Trade Commission (FTC) proposed amendments to the Health Breach Notification Rule (HBNR). These changes strengthen breach notification requirements for entities collecting health information not covered by HIPAA. The proposed amendments cover the scope, types of breaches, the definition of personal health record (PHR) related entities, and notice methods and content.
States are actively enacting and modifying privacy statutes. In the second quarter of 2023, several states introduced laws that will become effective in the next 12-18 months. From general revisions of consumer privacy laws in Montana and Oregon to the establishment of new articles related to consumer data protection in Tennessee and Indiana, these laws showcase a diverse landscape of regulatory changes.
Rhode Island took a bold step by amending its breach notification statute, mandating increased offerings for individuals impacted by a data breach. These amendments include extended credit monitoring and fraud resolution services, shorter notification times, and mandatory notifications to the attorney general and major credit reporting agencies if more than 500 Rhode Island residents are affected.
In conclusion, as the patchwork of privacy and cybersecurity laws continues to expand at both the state and federal levels, entities should brace for escalating compliance costs and heightened governmental oversight. These regulatory changes not only pose challenges but also open doors to potential legal and financial implications. In an era of increasing regulatory scrutiny, companies must recognize the mounting risks associated with neglecting investments in privacy and cybersecurity measures. Stay tuned for further updates as the regulatory landscape evolves.
1400 Broadfield Boulevard Suite 200 | Houston, TX 77084 United States © 2024 Rural Telecommunications of America, Inc. All rights reserved.