New Data Breach Reporting Requirements Take Effect


The Federal Trade Commission (FTC) is the latest federal agency to issue broad regulations regarding cybersecurity breaches. The FTC approved an amendment to the Safeguards Rule expanding coverage to include non-banking financial institutions.


This includes entities such as financial technology companies, mortgage brokers, credit counselors, financial planners, and tax preparers. Under the new notification obligation, these non-bank financial institutions covered by the FTC's Safeguards Rule must report specific notification events to the Commission.


These events (defined as access to unencrypted customer information without the customer's permission) must be reported to the Commission no later than 30 days after discovery if they affect 500 or more consumers. The Rule went into effect on May 13, 2024.


The Rule is in response to ever-increasing cybersecurity threats facing businesses of all sizes. All businesses should have basic cybersecurity practices and information security policies in place to protect intellectual property, financial data, employee data, and customer data—especially if that customer is the federal government or a regulated industry.


While this rule requires reporting after an event occurs, businesses should focus on adopting best industry practices to prevent breaches from occurring in the first place.

Cybersecurity in Defense Government Contracting

Core cybersecurity best practices should be standard operating procedures for all government contractors. These include using firewalls and antivirus software, enforcing multi-factor authentication, performing regular data backups, and conducting periodic risk assessments.


Furthermore, contractors must modify their information security programs based on those risk assessments and regularly test their system controls.

CMMC 2.0 Standards

The Department of Defense has released for public comment its proposed final rule for mandatory minimum cybersecurity standards under the Cybersecurity Maturity Model Certification (CMMC) 2.0, which lists three levels of cybersecurity.


Enforcement of CMMC 2.0 protects sensitive defense information and national security assets, aligning with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards.


Contractors must demonstrate compliance with CMMC 2.0 through self-assessments as well as utilization of CMMC Third-Party Assessor Organizations (C3PAOs). Implementation will occur over a period of time to allow contractors to adapt to the new requirements.


While not included at this time, it is likely that contracts issued under the Federal Acquisition Regulation (FAR) will ultimately require the same cybersecurity standards as the Defense Federal Acquisition Regulation Supplement (DFARS). Non-DoD contractors would be well advised to consider CMMC requirements when modifying and upgrading their systems.

Examples of Cyber Attacks

Data acquisition is the most frequent motive for cyber-attacks, but the methods used vary widely. Some hacking exploits weaknesses in software; most breaches, however, occur through the acquisition of poorly protected usernames and passwords.


Often, these credentials are obtained through:

  • Watering Holes: Cybercriminals gain control of legitimate websites without the owner's knowledge, turning an authorized and trusted website into a malicious one.

  • Phishing: Cybercriminals send a legitimate-looking email that tricks the recipient into divulging login information, clicking a malicious link, or downloading a malicious attachment, which often includes ransomware.

  • Man-in-the-Middle: Cybercriminals secretly establish a communication link that effectively allows them to eavesdrop on communications between two parties and make use of any passed information.


Cybersecurity Basics

Cybercriminals target companies of all sizes, and almost 43% of cyber-attacks are aimed at small companies. Putting basic cybersecurity practices in place will help you protect your business and maintain the trust of your customers.

  • Protect your files and devices - Keep your software up to date, including apps, web browsers, operating systems, and antivirus software.


  • Train users not to open messages from unrecognized senders, especially if they contain attachments, links, or downloads.


  • Secure your files - Back up important files offline, on an external hard drive, or in the cloud, and make sure you store your paper files securely. Be careful not to overwrite all of your backups: ransomware in particular often has a delayed activation for the express purpose of also reaching your backups.


  • Encrypt devices - Encrypt devices and other media that contain sensitive personal information.


  • Use multi-factor authentication - Require multi-factor authentication (like a temporary code) to access areas of your network with sensitive information.


  • Require strong passwords - Use passwords on all laptops, tablets, and smartphones, and do not leave devices unattended in public places. A strong password is at least 12 characters and mixes numbers, symbols, and capital and lowercase letters. Do not reuse passwords, and do not share them on the phone, in texts, or by email.


  • Train all staff - Create a culture of security by implementing a regular schedule of employee training.


  • Have a plan - Have a plan for saving data, running the business, and notifying customers if you experience a breach.

Cybersecurity Statistics

Currently, all 50 states have laws requiring covered entities to notify individuals of data breaches. Additionally, several sector-specific breach notification laws exist in the United States.


Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) mandate customer notification for breaches of individual data. Increasingly, states are enacting data privacy laws that protect consumer information and provide penalties for mishandling it.


Per the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center (IC3), the IC3 received 800,944 reported complaints, with losses exceeding $10.3 billion due to cyberattacks on individuals, businesses, and critical infrastructure.


Accenture’s Cybercrime study reveals that 95% of cybersecurity breaches are attributed to human error. Even though 43% of cyber-attacks target small businesses, only 14% are prepared to face such an attack. Small businesses reportedly spend between $826 and $653,587 recovering from cybersecurity incidents.


C2 is a Professional Employer Organization (“PEO”) that provides outsourced HR services to businesses across a variety of service industries with a focus on federal government contractors. 


Utilizing our PEO model allows our clients to transfer the responsibilities and liability of payroll, benefits administration, employee onboarding, and employee relations to C2 and to focus their attention on satisfying their clients and growing their business. 


C2 blog posts are intended for educational and information purposes only.

More information about C2’s PEO and other related HR services is available at www.c2essentials.com.

C2 Essentials logo

© 2026 C2 Essentials, All Rights Reserved

We handle payroll, benefits, compliance and risk so you can focus on your business.
