In a third-party vendor contract, we want to require the vendor to notify us of data breaches within 24 hours. However, the vendor told us that there is no regulation or regulatory guidance that requires a 24-hour turnaround time for reporting incidents. Do you know of any regulatory guidance that imposes a specific time frame for a vendor to report data breach incidents to us? If so, what verbiage is required?

No, we are not aware of any guidance that imposes a specific time frame for a vendor to report a data breach to your financial institution. The Interagency Guidance regarding unauthorized access to customer information requires third party service providers to notify a financial institution “as soon as possible” after a data breach. However, the agencies note that “requiring notice within 24 hours of an incident may not be practicable or appropriate in every situation.” Consequently, the Guidance does not specify a number of hours or days by which a third party service provider must give notice to the financial institution. Similarly, the Illinois Personal Information Protection Act (PIPA) requires third party collectors of personal information to notify information owners “immediately following discovery” of a data breach, without imposing a specific deadline.

For resources related to our guidance, please see:

  • 70 Federal Register 15736, 15739 (“In response to comments on the timing of a service provider's notice to a financial institution, the final Guidance adds that a financial institution's contract with its service provider should require the service provider to take appropriate action to address incidents of unauthorized access to the institution's customer information, including by notifying the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program. The Agencies determined that requiring notice within 24 hours of an incident may not be practicable or appropriate in every situation, particularly where, for example, it takes a service provider time to investigate a breach in security. Therefore, the final Guidance does not specify a number of hours or days by which the service provider must give notice to the financial institution.”)
  • Personal Information Protection Act, 815 ILCS 530/10(b) (“Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”)