Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality featured image

Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality

by John DiGiacomo

Partner

Internet Law

With respect to cybercrimes and protecting the security of business and government computer and internet systems, there is a clear and increasingly sustained push to require the reporting of “cyber-incidents” that affect the functionality of business which, in turn, might impact whole industries. This is not too surprising given recent hacks and ransomware attacks that have shut down pipelines and payroll systems like Kronos. See media report here. This is a new sort of reporting that is qualitatively different — and based on different public policy concerns — than the more-traditional concern for the protection and privacy of consumer personal data.

National and community banks are already subject to new rules published by financial regulators requiring cyber-incident reporting. See here. As described in the government bulletin, a cyber-incident requiring notification would include:

“… a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

In a major acceleration of this trend, the United States Senate recently passed its version of the Strengthening American Cybersecurity Act of 2022 (“SACA”). See media report here. The House is expected to take up the legislation and prospects for passage are favorable. As described in the article, the key features of the SACA (which incorporates separate legislation called the Cyber Incident Reporting Act) would require notification to the US Department of Homeland Security of cyber-incidents that

  • Might result in a substantial loss of confidentiality, integrity or availability of data contained or protected on an information system or
  • Might result in a serious impact on the safety and resiliency of operational systems and processes or
  • Might cause a disruption of business or industrial operations

Under the proposed legislation, reporting of cyber incidents would be required by businesses in “critical infrastructure” sectors of the economy like firms in the banking and energy sectors. “Covered” incidents would have to be reported in fairly short time frames (between 48 and 36 hours in some circumstances).

Given recent major events, it is not surprising that ransomware cyberattacks receive substantial and detailed attention under the new legislation. Subject to additional rulemaking, the SACA would require reporting of at least the following information following a ransomware attack:

  • Description of incident
  • Timing including a range of dates of the attack (where applicable)
  • Vulnerabilities exploited
  • Defenses and response
  • All available identifying information on the attacker(s) and/or those who are reasonably believed to be responsible for the incident
  • Details of the demands made including amount, type of currency demanded, instructions and other details
  • Response including whether payment refused, made and, if so, how much and how made
  • And more

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

2025 Changes to Trademark Fees

2025 Changes to Trademark Fees

Trademark

There are some significant changes coming to the United States Patent and Trademark Office (USPTO) that will affect trademark filings beginning January 18, 2025. These changes include the introduction of the Trademark Center, new fees, and revised application requirements. Here is an overview of the key changes: The USPTO will retire the TEAS system, which […]

Read more about 2025 Changes to Trademark Fees

Automated Decision-Making Technology: California Releases Proposed Regulations

Automated Decision-Making Technology: California Releases Proposed Regulations

Internet Law

In today’s competitive e-commerce landscape, automated decision-making technology is becoming more and more important. From personalized product recommendations to targeted advertising and streamlined logistics, these systems help ecommerce businesses adapt and grow. But new regulations are on the horizon, and these changes could reshape the way e-commerce businesses use automation. The California Privacy Protection Agency […]

Read more about Automated Decision-Making Technology: California Releases Proposed Regulations

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Put Revision Legal on your side