Navigating the patchwork of U.S. privacy and cybersecurity laws: key regulatory updates from summer 2023
2023 PRINDBRF 0519
By Felicia Jafferies, Esq., and Amanda Graham Brazinski, Esq., Atheria Law
Practitioner Insights Commentaries
October 9, 2023
(October 9, 2023) - Felicia Jafferies and Amanda Graham Brazinski of Atheria Law highlight recently enacted state and federal regulations and statutes on privacy and cybersecurity.
With the crispness of fall in the air, it seems like an opportune time to cozy up with some pumpkin spice and review some of the changes made this summer in the evolving landscape of privacy and cybersecurity laws.
With a lack of nationally applicable laws governing potential security and data breaches, federal and state regulators are issuing their own regulations to govern this space. This article highlights some recently enacted state and federal regulations and statutes subjecting organizations to additional liability exposure.

SEC

On July 26, 2023, the Securities and Exchange Commission (SEC) announced changes to registrants' reporting requirements in Forms 8-K and 10-K, which now require registrants to disclose material "cybersecurity incidents" and to disclose annually information about registrants' cybersecurity risk management procedures and policies. 17 CFR Parts 229, 232, 239, 240, and 249.
Recognizing the risk that cybersecurity threats and incidents pose to public companies, investors, and market participants, the amendments now require registered entities to disclose material "cybersecurity incidents" in Form 8-Ks within four days of the registrant deeming the incident material to the registrant.
A "cybersecurity incident" means "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." "Information systems" is broad and includes resources owned or used by the registrant (i.e., incidents that impact vendors). A determination of materiality must be made "without unreasonable delay."
In addition, the amendments change Regulation S-K and require registrants to annually disclose in their Form 10-Ks: (i) cybersecurity risk management and strategy, (ii) management's role in assessing and managing material risks from cybersecurity threats, and (iii) the board of directors' oversight of cybersecurity risks.
Moreover, on March 15, 2023, the SEC proposed changes to Regulation S-P (which includes the Safeguards Rule and the Disposal Rule) that would require governed entities to enhance the protection of customer information as follows:
(1) Require governed entities to notify individuals of breaches of their data and have an "incident response program" that addresses unauthorized access to, or use of, customer information;
(2) Propose a new definition of "customer information" to be consistent with the Federal Trade Commission's definition, which would mean "any record containing 'nonpublic personal information' (as defined in Regulation S-P) about 'a customer of a financial institution,' whether in paper, electronic or other form that is handled or maintained by the covered institution or on its behalf"; and
(3) Expand these requirements to "transfer agents" (i.e., agents that transfer security certificates and records).
The passed and proposed amendments, as well as the SEC's recent penalties against registered entities for breach incidents, show that the SEC intends to become more active in regulating cybersecurity practices and incidents that may pose a material risk to registered institutions and the customer data they maintain.

FTC

The Federal Trade Commission (FTC) announced proposed amendments to the Health Breach Notification Rule (HBNR) during the second quarter of 2023.
The FTC's proposed amendments were announced in May 2023 and are aimed at strengthening breach notification requirements for entities that collect health information but are not necessarily covered by the privacy or security requirements of the Health Insurance Portability and Accountability Act (HIPAA). The amendments follow the FTC's first enforcement actions under the HBNR and expand the scope of the Rule.
In June, the FTC published the proposed changes which include:
(1) Clarifying the scope of the HBNR to include health applications;
(2) Amending the definition of breach of security and the types of breaches subject to the HBNR;
(3) Revising the definition of personal health record (PHR) related entity;
(4) Clarifying what it means for a vendor of PHR to draw identifiable health information from multiple sources; and
(5) Modernizing the method of notice and expanding the content of the notice.
The amendments are consistent with FTC policy statements since 2021 regarding the HBNR's applicability to health apps and connected devices that collect or use consumer health information. FTC investigations are expected to increase in volume and scope because the HBNR will apply to more organizations. In addition, the nature of reporting and notifications will likely increase incident response costs in order to comply with the HBNR's notice requirements.

State laws

States continue to enact privacy statutes or modify existing statutes to govern privacy. At the start of 2023, only a few states, including California, Virginia, Utah, and Colorado, had laws governing the privacy of personal information.
However, several additional states enacted laws in the second quarter of 2023 which will go into effect in the next 12-18 months:
(1) Montana (SB 384) and Oregon (SB 619) passed bills to generally revise consumer privacy laws and the use of personal data.
(2) Tennessee passed HB1181 in May 2023 to enact the "Tennessee Information Protection Act" which amended the Tennessee Code.
(3) Texas passed HB4 to regulate the collection, use, processing, and treatment of consumers' personal data and to impose civil penalties.
(4) Indiana passed SB0005 which established a new article in the Indiana Code related to consumer data protection. The new article establishes that consumers have specific rights with respect to personal data provided to a data controller, including (i) the right to know whether or not a controller is processing a consumer's data, (ii) the ability to correct inaccuracies regarding a consumer's personal data that was provided to a controller, (iii) the right to request that a controller delete the consumer's personal data, and (iv) the right to opt out of a controller's data processing measures.
In addition to privacy statutes, Rhode Island amended its breach notification statute to require the state and municipalities to increase offerings for individuals impacted by a data breach. Specifically, Rhode Island amended its Identity Theft Protection Act of 2015 to mandate that the state and municipalities offer five years of credit monitoring and fraud resolution services to individuals over 18 years old who are potentially impacted by a data breach, significantly more than most states' one to two-year requirement. The Act also now requires the state and municipalities to offer five years of credit monitoring to minors before they reach the age of 18, and for at least two years thereafter.
Moreover, the Act was amended to include shorter notification times. State and municipal agencies are required to issue notifications within 30 calendar days after confirming the breach incident. Other entities covered by the Act must issue notifications within 45 calendar days after confirming the breach. If more than 500 Rhode Island residents are affected, the entity is also required to notify the attorney general and major credit reporting agencies.
Similar to federal agencies, state agencies, including attorneys general, have increased the number of investigations following breach incidents, focusing on the reasonableness and adequacy of the cybersecurity measures in place and on proper disclosures to individuals regarding the collection and use of personal information. Such investigations are costly to defend and may result in civil penalties in addition to the costs incurred to comply with breach notification statutes and to defend potential lawsuits brought by impacted individuals.

Conclusion

The increasing patchwork of privacy and cybersecurity statutes, rules, and regulations on the state and federal level will likely result in further compliance costs to entities. In addition, these new laws create new grounds for governmental oversight that could result in a costly defense of regulatory investigations and exposure to civil penalties.
Indeed, federal and state regulators continue to enforce existing laws that may touch on privacy and cybersecurity with increasing frequency, and the addition of these new laws provides regulators with an increased ability to bring enforcement actions. Finally, the public disclosure requirements that many of these laws impose expose companies to more potential lawsuits following any public notification resulting from an incident.
In light of these new legal requirements, companies that are hesitant to invest resources into privacy and cybersecurity measures should consider the mounting risks associated with forgoing such measures if a breach occurs.
Felicia Jafferies is senior counsel at Atheria Law in San Francisco, where she focuses her practice on privacy and technology insurance issues. She advises on matters concerning all aspects of cyber insurance coverage, including incident response, the defense of regulatory investigations, and class actions. She can be reached at [email protected]. Amanda Graham Brazinski is senior counsel at the firm in San Francisco, where she represents insurers in claims involving cyber and privacy issues including data and security breaches; cyber extortion; regulatory penalties; media liability; and consumer lawsuits. She can be reached at [email protected].
© 2024 Thomson Reuters. No claim to original U.S. Government Works.