On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve Board and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule also would affect certain bank service providers, such as those providing data processing.

In a recent legal update, “US banking regulators propose a rule for 36-hour notice of breach,” Norton Rose Fulbright New York Office Partner David Kessler and Senior Counsel Susan Ross discuss the details of the proposed rule and analyze its possible effect on US banking organizations.

Norton Rose Fulbright has a global data protection, privacy and cybersecurity practice composed of more than 80 data protection, privacy and cybersecurity lawyers based in many of the world’s key risk jurisdictions.