Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality featured image

Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality

by John DiGiacomo

Partner

Internet Law

With respect to cybercrimes and protecting the security of business and government computer and internet systems, there is a clear and increasingly sustained push to require the reporting of “cyber-incidents” that affect the functionality of business which, in turn, might impact whole industries. This is not too surprising given recent hacks and ransomware attacks that have shut down pipelines and payroll systems like Kronos. See media report here. This is a new sort of reporting that is qualitatively different — and based on different public policy concerns — than the more-traditional concern for the protection and privacy of consumer personal data.

National and community banks are already subject to new rules published by financial regulators requiring cyber-incident reporting. See here. As described in the government bulletin, a cyber-incident requiring notification would include:

“… a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

In a major acceleration of this trend, the United States Senate recently passed its version of the Strengthening American Cybersecurity Act of 2022 (“SACA”). See media report here. The House is expected to take up the legislation and prospects for passage are favorable. As described in the article, the key features of the SACA (which incorporates separate legislation called the Cyber Incident Reporting Act) would require notification to the US Department of Homeland Security of cyber-incidents that

  • Might result in a substantial loss of confidentiality, integrity or availability of data contained or protected on an information system or
  • Might result in a serious impact on the safety and resiliency of operational systems and processes or
  • Might cause a disruption of business or industrial operations

Under the proposed legislation, reporting of cyber incidents would be required by businesses in “critical infrastructure” sectors of the economy like firms in the banking and energy sectors. “Covered” incidents would have to be reported in fairly short time frames (between 48 and 36 hours in some circumstances).

Given recent major events, it is not surprising that ransomware cyberattacks receive substantial and detailed attention under the new legislation. Subject to additional rulemaking, the SACA would require reporting of at least the following information following a ransomware attack:

  • Description of incident
  • Timing including a range of dates of the attack (where applicable)
  • Vulnerabilities exploited
  • Defenses and response
  • All available identifying information on the attacker(s) and/or those who are reasonably believed to be responsible for the incident
  • Details of the demands made including amount, type of currency demanded, instructions and other details
  • Response including whether payment refused, made and, if so, how much and how made
  • And more

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side