As reported here and here, new cybersecurity incident reporting requirements have been included as part of the new $1.5 trillion federal government funding package passed in mid-March 2022. For companies doing business in “critical infrastructure” sectors of the economy, they must report data breaches, “substantial cyber incidents,” and ransomware payments to the U.S. Department of Homeland Security (DHS) within 72 hours of discovery of the incident or within 24 hours of any ransomware payment. In particular, the reports must be filed with DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Prior to the new legislation, cybercrimes were to be reported to the Federal Bureau of Investigation. The reporting requirements are expected to go into effect in 2023 after the CISA issues the relevant regulations.
As detailed here, examples of “critical infrastructure” sectors include:
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial and banking services
- Food and agriculture
- Government facilities
- Information tech
- Transportation systems and
- Water and wastewater systems
The new legislation is another example of governmental efforts to expand reporting requirements for cybercrime beyond what is required for data breaches and other exfiltration of consumer information. Similar reporting requirements have already been imposed by regulations on the banking and financial services sector. The need for cybercrime incident reporting has been spurred by a series of high-profile ransomware attacks in the energy, health care, meatpacking and accounting/payment processing sectors. What has become clear is that cybercrime is no longer just about money and stealing personal information and identities. Cybercrime can shut down whole industries and seriously damage the economy. For example, the well-known pipeline ransomware attack caused weeks of gasoline shortages on the East Coast and the South. The legislation was also prompted by continuing concerns about cybercrime and cyberespionage campaigns committed or instigated by State Actors — like the Russian Federation — or their proxies. As the media reports note, many ransomware criminals live and operate in Russia. The legislation was also prompted by the fact that only about 20%-25% of cybercrime and incidents are reported each year to federal authorities. For obvious reasons, many victims of cybercrime attempt to avoid reputational injury, investigations and potential civil judgments by “keeping quiet.”
According to reports, there do not seem to be any penalties or punishments for companies that fail to comply with the reporting requirements. However, the CISA can issue subpoenas and failure to respond to such subpoenas could result in legal action by the Department of Justice. Further, the to-be-issued CISA regulations may specify specific punishments. The legislation seems to incentivize reporting, rather than punishing non-reporting. For example, Senate Intelligence Committee Chair Mark Warner (D-Va) claimed that the new reporting requirements were not about “holding companies’ feet to the fire” but about helping to create a stronger defense against cybercriminals and adversaries like Russia, See Sen. Warner’s comments here. The incentives are that companies who timely report cyber incidents and ransomware payment will secure liability protections from being sued in court over the incidents that are reported.
If you have legal questions about reporting requirements, data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.