The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. After learning of the incident, Yes Bank did not report the breach, which RBI viewed as a violation of the bank’s obligation to report within 6 hours of discovery.
This $1 million fine represents a dramatic escalation in breach notification enforcement. To date, there have been relatively few such cases, and most have resulted in resolutions with much smaller penalties. Following the criticism of Yahoo! and Equifax for their untimely breach notifications, the Yes Bank fine may be a sign that regulators are starting to aggressively enforce breach notification laws. Like Yes Bank, many U.S. institutions face very short breach notification deadlines, including those that are subject to the 72-hour notification requirement in the New York Department of Financial Services (“NYDFS”) cyber rules, and the thousands of U.S. companies that will be subject to the European Union’s General Data Protection Regulation (which also sets a 72-hour deadline for notifying the supervisory authority) come May 2018.
Traditionally, breach notification requirements were designed to alert people that their personal information had been stolen, so that they could take steps to prevent fraud and identity theft. But increasingly, regulators have been using these obligations to gather information on threats and to alert other private companies of increased risks, so that they can take appropriate precautions. U.S. companies are certainly encouraged to share information on cyber threats. The U.S. Department of Homeland Security maintains an Automated Indicator Sharing program, which facilitates near-real-time sharing of cyber threat indicators. Companies can also share information with other private sector entities through various Information Sharing and Analysis Centers, or ISACs. But information sharing has generally not been mandatory, and many companies have declined to do so. Some have found it difficult to share cyber threat information without also sharing sensitive company or client data. Others believe that they have devoted far more resources to cybersecurity than their competitors, and are therefore reluctant to simply hand over what they view as a valuable competitive advantage.
Following the Bangladesh Bank hack, and noting that “banks are hesitant to share cyber-incidents faced by them,” RBI required the banks that it regulates to report all unusual cybersecurity events, including unsuccessful attacks, within 6 hours of discovery, to allow it to issue a timely warning to other banks. Similarly, a recent FAQ posted on the NYDFS website notes that certain significant and unusual cyber attacks should be reported, even if unsuccessful, “to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries.” So, it seems that if companies do not see the value of sharing threat information with the industry as a whole following a breach, regulators are becoming inclined to force hub-and-spoke threat sharing through existing breach notification regimes.
We will keep a close eye on this significant development, which will make it even more important that companies are able to ascertain all of their various state and federal notification obligations quickly following a breach. The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help with notification rules, including a simple, query-based tool that assists clients in quickly assessing their cyber breach notification obligations in 48 states and under HIPAA and Gramm-Leach-Bliley. The Portal is currently being beta tested by a select group of clients.
The listed lawyers gratefully acknowledge the assistance of law clerk Zachary Shapiro in preparing this post.