
Emerging Trend: Requiring Reporting of “Cyber-Incidents” Affecting Business Functionality

by John DiGiacomo, Partner

Internet Law

With respect to cybercrimes and protecting the security of business and government computer and internet systems, there is a clear and increasingly sustained push to require the reporting of “cyber-incidents” that affect the functionality of business which, in turn, might impact whole industries. This is not too surprising given recent hacks and ransomware attacks that have shut down pipelines and payroll systems like Kronos. See media report here. This is a new sort of reporting that is qualitatively different — and based on different public policy concerns — than the more-traditional concern for the protection and privacy of consumer personal data.

National and community banks are already subject to new rules published by financial regulators requiring cyber-incident reporting. See here. As described in the government bulletin, a cyber-incident requiring notification would include:

“… a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

In a major acceleration of this trend, the United States Senate recently passed its version of the Strengthening American Cybersecurity Act of 2022 (“SACA”). See media report here. The House is expected to take up the legislation and prospects for passage are favorable. As described in the article, the key features of the SACA (which incorporates separate legislation called the Cyber Incident Reporting Act) would require notification to the US Department of Homeland Security of cyber-incidents that

  • Might result in a substantial loss of confidentiality, integrity or availability of data contained or protected on an information system or
  • Might result in a serious impact on the safety and resiliency of operational systems and processes or
  • Might cause a disruption of business or industrial operations

Under the proposed legislation, reporting of cyber incidents would be required of businesses in “critical infrastructure” sectors of the economy, such as firms in the banking and energy sectors. “Covered” incidents would have to be reported within fairly short time frames (between 36 and 48 hours in some circumstances).

Given recent major events, it is not surprising that ransomware cyberattacks receive substantial and detailed attention under the new legislation. Subject to additional rulemaking, the SACA would require reporting of at least the following information after a ransomware attack:

  • Description of incident
  • Timing including a range of dates of the attack (where applicable)
  • Vulnerabilities exploited
  • Defenses and response
  • All available identifying information on the attacker(s) and/or those who are reasonably believed to be responsible for the incident
  • Details of the demands made including amount, type of currency demanded, instructions and other details
  • Response including whether payment refused, made and, if so, how much and how made
  • And more

If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
