The Office of the Comptroller of the Currency (the “OCC”), Treasury; the Board of Governors of the Federal Reserve System (the “Fed Board”); and the Federal Deposit Insurance Corporation (the “FDIC” and, collectively with the OCC and the Fed Board, the “Agencies”) issued a final rule detailing notification requirements for a “computer-security incident” that rises to the level of a “notification incident.” The new rule went into effect on April 1, 2022, with a compliance date of May 1, 2022. Given the history of computer-security incidents in the banking industry and their increase in severity in recent years, the Agencies believed that implementing a new breach notification rule was important to allow the Agencies to assess and respond to cyberattacks.

While this new rule targets banking organizations, it is important to recognize that the rule also implements new notification requirements for “bank service providers.” If your organization provides any services that are subject to the Bank Service Company Act (the “BSCA”), subject to a few exceptions, then your organization is likely subject to this new rule.

The ultimate responsibility for ensuring the appropriate Agencies are notified of a “computer-security incident” falls on the affected banking organizations. A banking organization that experiences a “notification incident” must notify the Agencies “no later than 36 hours after the banking organization determines that a notification incident has occurred.” Bank service providers need not notify the Agencies directly but do have an obligation to notify each of their affected banking organization customers “as soon as possible” after determining that the service provider “has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” However, any scheduled maintenance, testing, or software updates previously communicated to the service provider’s customers will not trigger the notification requirement.

Importantly, the Agencies note that this final rule operates independently of any contractual provisions between a bank service provider and its banking organization customers addressing breach notifications. As key takeaways, companies should:

  1. Understand whether their organization may qualify as a bank service provider.
  2. Review existing contracts and templates to ensure any breach notification obligations align with this new rule. Having multiple reporting obligations and timelines can become difficult to track and manage, especially in the event of a cyberattack.
  3. Ensure existing policies and procedures are adequate to address the notification requirements identified in the new rule.

Taft’s privacy and data security attorneys can assist with questions related to the new rule or, more generally, breach notification obligations. Stay tuned to our Taft Privacy and Data Security Insights or download our app for more news and information.