The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements. The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014. Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System. The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event: one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four hour recordable events, explained below.
One-hour Notification − Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”
Four-hour Notification − Must be made within four hours of:
- Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
- Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
- Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.
There is no requirement to make four-hour notification if a one-hour notification is made for the same event.