Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality

by John DiGiacomo

Partner

Internet Law

With respect to cybercrimes and protecting the security of business and government computer and internet systems, there is a clear and increasingly sustained push to require the reporting of “cyber-incidents” that affect the functionality of business which, in turn, might impact whole industries. This is not too surprising given recent hacks and ransomware attacks that have shut down pipelines and payroll systems like Kronos. See media report here. This is a new sort of reporting that is qualitatively different — and based on different public policy concerns — than the more-traditional concern for the protection and privacy of consumer personal data.

National and community banks are already subject to new rules published by financial regulators requiring cyber-incident reporting. See here. As described in the government bulletin, a cyber-incident requiring notification would include:

“… a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

In a major acceleration of this trend, the United States Senate recently passed its version of the Strengthening American Cybersecurity Act of 2022 (“SACA”). See media report here. The House is expected to take up the legislation and prospects for passage are favorable. As described in the article, the key features of the SACA (which incorporates separate legislation called the Cyber Incident Reporting Act) would require notification to the US Department of Homeland Security of cyber-incidents that

  • Might result in a substantial loss of confidentiality, integrity or availability of data contained or protected on an information system or
  • Might result in a serious impact on the safety and resiliency of operational systems and processes or
  • Might cause a disruption of business or industrial operations

Under the proposed legislation, reporting of cyber incidents would be required of businesses in “critical infrastructure” sectors of the economy, such as firms in the banking and energy sectors. “Covered” incidents would have to be reported within fairly short time frames (48 hours, or 36 hours in some circumstances).

Given recent major events, it is not surprising that ransomware cyberattacks receive substantial and detailed attention under the new legislation. Subject to additional rulemaking, the SACA would require reporting of at least the following information following a ransomware attack:

  • Description of incident
  • Timing including a range of dates of the attack (where applicable)
  • Vulnerabilities exploited
  • Defenses and response
  • All available identifying information on the attacker(s) and/or those who are reasonably believed to be responsible for the incident
  • Details of the demands made including amount, type of currency demanded, instructions and other details
  • Response including whether payment refused, made and, if so, how much and how made
  • And more

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
