
New Law Alert: 72 Hours to Report Hacking/Ransomware Payment

by John DiGiacomo

Partner

Internet Law

As reported here, new cyber incident reporting requirements were included in the $1.5 trillion federal government funding package passed in mid-March 2022. Companies doing business in “critical infrastructure” sectors of the economy must report “substantial cyber incidents” (including data breaches) to the U.S. Department of Homeland Security (DHS) within 72 hours of reasonably believing an incident has occurred, and must report any ransomware payment within 24 hours of making it. The reports are filed with DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Before the new legislation, cybercrimes were typically reported, on a voluntary basis, to the Federal Bureau of Investigation. The reporting requirements do not take effect until CISA issues its implementing regulations, which define who is a “covered entity” and what counts as a reportable incident; when the package passed, those rules were expected in 2023.

As detailed here, examples of “critical infrastructure” sectors include:

  • Chemical
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial and banking services
  • Food and agriculture
  • Government facilities
  • Healthcare
  • Information technology
  • Nuclear
  • Transportation systems
  • Water and wastewater systems

The new legislation is another example of governmental efforts to expand reporting requirements for cybercrime beyond what is already required for data breaches and other exfiltration of consumer information. Similar reporting requirements have already been imposed by regulation on the banking and financial services sector. The push for incident reporting has been spurred by a series of high-profile ransomware attacks in the energy, health care, meatpacking and accounting/payment processing sectors. What has become clear is that cybercrime is no longer just about money and stealing personal information and identities: it can shut down whole industries and seriously damage the economy. For example, the well-known pipeline ransomware attack caused widespread gasoline shortages on the East Coast and in the South. The legislation was also prompted by continuing concerns about cybercrime and cyberespionage campaigns committed or instigated by state actors, such as the Russian Federation, or their proxies; as the media reports note, many ransomware criminals live and operate in Russia. A further motivation is that only about 20%-25% of cybercrimes and incidents are reported to federal authorities each year. For obvious reasons, many victims of cybercrime attempt to avoid reputational injury, investigations and potential civil judgments by “keeping quiet.”

According to reports, the legislation itself imposes no fines or other penalties on companies that fail to report. It does, however, give CISA an enforcement path: CISA can first request information from a company it believes has failed to report and, if the company does not respond, issue a subpoena; failure to comply with the subpoena can be referred to the Department of Justice for civil action. The to-be-issued CISA regulations may add further detail. Overall, the legislation is designed to incentivize reporting rather than to punish non-reporting. Senate Intelligence Committee Chair Mark Warner (D-Va.), for example, said the new reporting requirements were not about “holding companies’ feet to the fire” but about helping to create a stronger defense against cybercriminals and adversaries like Russia. See Sen. Warner’s comments here. The incentive is a set of liability protections for companies that timely report cyber incidents and ransomware payments: a report submitted under the law cannot by itself be the basis of a lawsuit against the reporting company and cannot be used as evidence against it. Note that these protections attach to the report, not to the underlying incident; the law does not shield a company from liability for the breach itself.

If you have legal questions about reporting requirements, data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
