Cybersecurity

Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory | GENIUS Act Establishes Federal Regulatory Oversight of Global Stablecoin Industry

July 25, 2025 By Drew Rolle, David Teske, John Lesko

Executive Summary

8 Minute Read

Our Privacy, Cyber & Data Strategy and White Collar, Government & Internal Investigations Teams examine how the GENIUS Act’s framework for stablecoin issuers will impact the cryptocurrency sector.

The Act restricts the issuance of payment stablecoins within the United States to “permitted payment stablecoin issuers” (PPSIs)
PPSIs must maintain reserves of high-quality, liquid assets that fully back their outstanding stablecoins on at least a one-to-one basis
Regulatory oversight is divided between federal and state authorities, with joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks

___________________________________________________

On July 17, 2025, during “Crypto Week,” the U.S. House of Representatives passed the landmark Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). Signed into law by President Donald Trump the next day, the GENIUS Act establishes a comprehensive federal framework for the issuance of payment stablecoins, regulation of stablecoin issuers, and both federal and state oversight for stablecoin authorization, audits, and other obligations. Domestic and foreign issuers in the more than $250 billion stablecoin market now have a clear path to securing and maintaining regulatory compliance in the United States.

Demonstrating rare cross-aisle cooperation and a shared interest in modernizing financial regulations to match emerging blockchain and artificial intelligence (AI) technologies, the Act garnered 308 affirmative votes in the House and 68 in the Senate, surpassing the upper chamber’s filibuster threshold. The GENIUS Act addresses Trump’s key campaign and policy promise to bring clarity and control to the digital asset market.

Key Provisions of the GENIUS Act

Effective date

The GENIUS Act takes effect on the earlier of (1) January 18, 2027 (18 months after the date the Act is enacted into law); or (2) 120 days after the primary federal regulators responsible for stablecoins issue their final regulations to implement the Act.

Authorized issuance of stablecoins only

The Act restricts the issuance of payment stablecoins within the United States to only those entities that qualify as “permitted payment stablecoin issuers” (PPSIs). PPSIs must be either U.S.-based issuers authorized under the Act or foreign issuers that are registered and operate under a regulatory framework deemed comparable to the Act by U.S. authorities and are subject to supervision by the Office of the Comptroller of the Currency (OCC).

A domestic PPSI must meet the requirements of one of three main categories: (1) subsidiary of an insured depository institution that has received approval to issue payment stablecoins under Section 5 of the Act; (2) federal qualified payment stablecoin issuers, which encompass nonbank entities (excluding state-qualified issuers) approved by the OCC, uninsured national banks chartered and approved by the OCC, or a foreign bank that does business outside the United States and has opened one or more federally licensed branches or offices in a U.S. state (“federal branch”), approved by the OCC; or (3) state-qualified payment stablecoin issuers, which are entities legally established under state law and approved by a state payment stablecoin regulator, provided they are not an uninsured national bank, federal branch, insured depository institution, or subsidiary of any such entities.

Requirements for issuing stablecoins

PPSIs must maintain reserves that fully back their outstanding stablecoins on at least a one-to-one basis. These reserves must consist of high-quality, liquid assets such as U.S. coins and currency or credit with a Federal Reserve Bank, demand deposits at insured depository institutions, short-term U.S. Treasury securities, and other monetary securities described in Section 4(a)(1) of the GENIUS Act. Any PPSI must publicly disclose its redemption policies and publish monthly reports detailing the composition, average maturity, and custody location of its reserves. A PPSI’s CEO and CFO must certify the accuracy of those monthly reports, and the Act makes knowingly false certifications punishable by up to 10 or 20 years’ imprisonment under 18 U.S.C. § 1350. To ensure reserve quality and transparency, PPSIs are prohibited from pledging, rehypothecating, or reusing reserves except under limited conditions, such as meeting margin obligations for investments in permitted reserves or creating liquidity to redeem payment stablecoins.

Mitigating money laundering and illicit financing risk

The GENIUS Act designates permitted payment stablecoin issuers as “financial institutions” under the Bank Secrecy Act (BSA), requiring them to implement robust compliance programs to prevent money laundering, terrorist financing, sanctions evasion, and other illicit activity. PPSIs must annually certify that they have implemented an effective BSA/AML compliance program. False certifications are punishable by up to five years’ imprisonment. To ensure regulatory parity, the Act’s registration and inspection requirements for foreign issuers effectively subjects them to similar compliance standards when accessing the U.S. market. Issuers must also be technologically capable of assisting with asset freezes, seizures, and turnovers pursuant to lawful orders. The Act further strengthens enforcement by requiring both U.S. and foreign issuers to (1) maintain the technical ability to comply with such orders; and (2) comply with them. Foreign issuers that fail to do so may be designated “noncompliant” by the Treasury, triggering a ban on secondary trading of their stablecoins after 30 days. Violations of that ban carry steep penalties—up to $100,000 per day for digital asset service providers and $1 million per day for foreign issuers.

Regulatory oversight

Regulatory oversight is divided between federal and state authorities, with federal regulators overseeing federally chartered or bank-affiliated issuers, state regulators supervising state-chartered issuers, and joint oversight applying when state issuers exceed certain thresholds or opt into federal frameworks. Regulators are responsible for licensing, examining, and supervising PPSIs to ensure compliance with the Act’s requirements, including reserve backing, redemption policies, and risk management standards.

PPSIs with more than $50 billion in consolidated total outstanding issuance that are not subject to the reporting requirements of the Securities Exchange Act of 1934 are required to prepare an annual financial statement in accordance with generally accepted accounting principles (GAAP) and must disclose any “related party transactions,” as defined under GAAP. A registered public accounting firm must audit the annual financial statement, and the audit must comply with all applicable standards set by the Public Company Accounting Oversight Board. These audited financial statements must also be made publicly available on the PPSI’s website and submitted annually to the PPSI’s primary federal payment stablecoin regulator.

Civil and criminal penalties

Additional civil and criminal penalties are set out throughout the Act. Notably, entities other than PPSIs that issue payment stablecoins in the United States without proper approval may face civil penalties of up to $100,000 per day for violations. Individuals who knowingly issue stablecoins in the United States without being a permitted payment stablecoin issuer face up to five years’ imprisonment and fines up to $1 million for each violation. Additionally, individuals with certain felony convictions are prohibited from serving as officers or directors of a PPSI, and violations of that prohibition can result in imprisonment for up to five years. The Act expressly gives regulators discretion to refer violations of the Act to the Attorney General.

Modernizing anti-money laundering and financial crimes compliance

The GENIUS Act places a strong emphasis on leveraging blockchain technology and AI to modernize the detection of illicit financial activity involving digital assets. The Act mandates that the Secretary of the Treasury initiate a public comment period to gather insights on how regulated financial institutions are using or could use innovative tools—particularly blockchain and AI—to detect money laundering and related crimes. Blockchain technology is highlighted for its potential in transaction monitoring and transparency, especially in tracking digital asset flows and identifying suspicious patterns.

Rulemaking timeline

The Act mandates that all primary federal payment stablecoin regulators, the Secretary of the Treasury, and state payment stablecoin regulators must promulgate regulations to implement the Act within one year of its enactment (July 18, 2026). These regulations must be issued through a notice-and-comment process. Additionally, within 180 days of the Act’s effective date, the OCC, Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System shall submit a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that confirms and describes the regulations necessary to carry out this Act.

Other Impending Crypto Legislation

The GENIUS Act is momentous for stablecoin issuers, but it does not resolve a number of crypto-native issues, which are the subject of a broader market structure bill known as the Digital Asset Market Clarity Act of 2025 (CLARITY Act). The CLARITY Act passed the House with broad bipartisan support, and a version is currently under Senate consideration. While the GENIUS Act focused narrowly on regulating stablecoin issuers, the CLARITY Act seeks to establish a robust regulatory framework for all digital assets and define the roles of the Securities and Exchange Commission and Commodity Futures Trading Commission in policing the digital asset markets. Most notably, for the first time, the CLARITY Act attempts to classify digital assets based on their characteristics, such as decentralization and blockchain maturity, with a goal of reducing regulatory uncertainty and fostering innovation in the cryptocurrency industry. Senator Tim Scott (R-SC), chair of the Senate Banking Committee, has made several public statements on the timeline for consideration of the CLARITY Act, with committee markup expected in September and full Senate action possible by late fall.

Conclusion

The GENIUS Act establishes a robust framework for the issuance and oversight of payment stablecoins in the United States. It sets clear standards to ensure transparency for the backing of permitted payment stablecoins, and it requires issuers, like traditional financial institutions, to quickly establish robust compliance programs to combat illicit uses of their stablecoins. With its strong bipartisan backing and goals of financial stability, consumer protection, and global competitiveness, the Act could lay the groundwork for a more transparent and trustworthy digital asset ecosystem.

Ransomware Fusion Center

Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.

Originally published July 24, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

Wave Goodbye to the Waiver Debate: Court Holds Data Breach Investigation Report Not Work Product from the Start

May 15, 2025 By Sam Bragg, Chris Thomson

Litigants in data breach class actions often fight over whether a data breach investigation report prepared in response to the breach is protected by the work-product doctrine. Common areas of dispute include whether the report was prepared in whole or in part for business—not legal—purposes, and whether the report relays facts that are not discernable from other sources. The fight becomes even more complicated, however, when the company that suffered the data breach is required to provide the report to regulators.

For example, in the mortgage industry, mortgagees regulated by the Multistate Mortgage Committee (MMC) are required to provide a “root cause report” following a data breach. Similarly, under Mortgagee Letter 2024-10, FHA-approved mortgagees must notify HUD of a cybersecurity incident and provide the cause of the incident. These reporting obligations involve production of information to regulators that typically overlaps with the content of data breach investigation reports.

Traditionally, one might think that disclosure of an investigation report (or its contents) to a regulator was a question of waiver. But recently, a federal district court in the Southern District of Florida bypassed the waiver analysis entirely by holding that reports provided to regulators weren’t protected by the work-product doctrine because they were primarily created for regulatory compliance rather than in anticipation litigation, even though, factually, they weren’t originally created for the purpose of regulatory compliance.

What Happened?

In a recent decision in a data breach litigation against a national mortgage loan servicer, the court considered whether investigative reports prepared by cybersecurity firms were protected under the work-product doctrine. These reports were initially withheld from discovery on the familiar grounds that they were prepared in anticipation of litigation following a data breach. But the plaintiffs argued that because the reports were disclosed to mortgage industry regulators, any work-product protections were waived.

Rather than address the waiver issue, the court analyzed whether the documents were privileged in the first place under the dual-purpose doctrine, which assesses whether a document was prepared in anticipation of litigation or for other business purposes. Under this doctrine (adopted by the First, Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits), a document is protected if it was created “because of” the anticipated litigation, even if it also serves an ordinary business purpose. Notably, the court found that the reports were primarily created to comply with regulatory obligations, specifically those imposed by the MMC, even though they’d initially been prepared in anticipation of litigation. In the court’s view, the unredacted submission of the reports to the MMC, when demanded, evidenced that the predominant purpose for their creation was regulatory compliance.

The court ended with the suggestion that the defendants could have avoided this issue by creating a separate document for regulatory compliance, omitting sensitive findings related to litigation. Aside from this suggestion, there does not appear to be a legal framework under the which the disclosed reports would have been protected work product, at least in the court’s view.

Why Does it Matter?

The district court’s decision creates a new challenge for breach victims seeking to protect investigation reports from disclosure under the work-product doctrine. A key purpose of the doctrine is to allow parties to engage in pre-litigation investigations without the fear of disclosure. Data breach victims dealing with regulators have historically had to manage the risk that disclosing investigation reports (in whole or in part) to regulators could result in litigation over whether work-product protections were waived. But the decision appears to raise the stakes. The risk of disclosure is not limited to a waiver analysis, where parties can defend the disclosure based on the circumstances of the compelled disclosure and can rely on law requiring the narrow construction of privilege waivers. Now, parties must also consider whether using a report for a non-litigation purpose after the fact will lead to the conclusion that the report wasn’t prepared for litigation at all and therefore not privileged in the first place.

What Do I Need to Do?

Because this decision is by a federal district court, this is an area that should be monitored to determine whether a trend develops around the court’s rationale. And in the interim, the best option seems to be to follow the court’s suggestion: create separate documents for regulatory compliance and litigation purposes.

It is, of course, important to maintain a good relationship with regulators to try to circumvent these issues, but the two-report approach is a practical way to preempt the issue entirely. The reality is that many litigation-related items do not need to be submitted in a regulatory report. For example, an emerging issue in the cybersecurity space is whether following a data breach, the company that suffered the breach should bring claims against other related parties. Analyzing the merits of this type of litigation is plainly covered by the work-product doctrine but is not needed for regulatory reports. Thus, by following the two-report approach, sensitive findings related to that potential litigation can be omitted from the regulatory report, preserving the work-product protection for the litigation-related document. This approach could help companies navigate the complexities of dual-purpose documents and maintain the intended protections of the work-product doctrine.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

March 8, 2024 By Nanci Weissgold, Anoush Garakani

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

the date/time of the incident,
a summary of in the incident based on what is known at the time of notification, and
designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae. Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days. Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement. It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing. Our Cybersecurity & Risk Management Team can assist.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

November 14, 2023 By Kristy Brown, Kimberly Peretti, Kate Hanniford, Ashley Miller, Lance Taubin

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

November 3, 2023 By Kimberly Peretti, Kate Hanniford, Amy Mushahwar, Kathleen Benway, Lance Taubin

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition. The Amendment becomes effective 180 days after publication in the Federal Register. Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). The Safeguards Rule within the FTC’s jurisdiction include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information. The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines which applies to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines which defines “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identify theft) to the individual. This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorney Generals under most state data breach notification laws (either explicitly or implicitly), but a key difference from the Interagency Guidelines, which requires notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution, (ii) a description of the types of information involved in the Notification Event, (iii) the date or date range of the Notification Event (if available), (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether law enforcement official (including the official’s contact information) has provided a written determination that notifying the pu of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC. A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”