72-Hour Hacking and Ransomware Reporting Requirements

by John DiGiacomo

Partner

Internet Law

As reported here, new cybersecurity incident reporting requirements have been included as part of the new $1.5 trillion federal government funding package passed in mid-March 2022. Companies doing business in “critical infrastructure” sectors of the economy must report data breaches, “substantial cyber incidents,” and ransomware payments to the U.S. Department of Homeland Security (DHS) within 72 hours of discovery of the incident, or within 24 hours of any ransomware payment. In particular, the reports must be filed with DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Prior to the new legislation, cybercrimes were to be reported to the Federal Bureau of Investigation. The reporting requirements are expected to go into effect in 2023, after CISA issues the relevant regulations.

As detailed here, examples of “critical infrastructure” sectors include:

  • Chemical
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial and banking services
  • Food and agriculture
  • Government facilities
  • Healthcare
  • Information tech
  • Nuclear
  • Transportation systems
  • Water and wastewater systems

The new legislation is another example of governmental efforts to expand reporting requirements for cybercrime beyond what is required for data breaches and other exfiltration of consumer information. Similar reporting requirements have already been imposed by regulations on the banking and financial services sector. The need for cybercrime incident reporting has been spurred by a series of high-profile ransomware attacks in the energy, health care, meatpacking and accounting/payment processing sectors. What has become clear is that cybercrime is no longer just about money and stealing personal information and identities. Cybercrime can shut down whole industries and seriously damage the economy. For example, the well-known pipeline ransomware attack caused weeks of gasoline shortages on the East Coast and the South. The legislation was also prompted by continuing concerns about cybercrime and cyberespionage campaigns committed or instigated by State Actors — like the Russian Federation — or their proxies. As the media reports note, many ransomware criminals live and operate in Russia. The legislation was also prompted by the fact that only about 20%-25% of cybercrime and incidents are reported each year to federal authorities. For obvious reasons, many victims of cybercrime attempt to avoid reputational injury, investigations and potential civil judgments by “keeping quiet.”

According to reports, there do not seem to be any penalties or punishments for companies that fail to comply with the reporting requirements. However, CISA can issue subpoenas, and failure to respond to such subpoenas could result in legal action by the Department of Justice. Further, the to-be-issued CISA regulations may specify penalties. The legislation seems to incentivize reporting rather than punish non-reporting. For example, Senate Intelligence Committee Chair Mark Warner (D-Va) claimed that the new reporting requirements were not about “holding companies’ feet to the fire” but about helping to create a stronger defense against cybercriminals and adversaries like Russia. See Sen. Warner’s comments here. The incentive is that companies that timely report cyber incidents and ransomware payments will secure liability protections from being sued in court over the incidents that are reported.

If you have legal questions about reporting requirements, data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

CIRCIA: The Current State of Federal Cyber Incident Reporting

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted as part of the Consolidated Appropriations Act of 2022, represents the most significant federal cyber incident reporting mandate in U.S. history. CIRCIA requires CISA to promulgate final rules establishing the specific reporting requirements, and the agency issued a Notice of Proposed Rulemaking in April 2024. The proposed rule would require covered entities to report covered cyber incidents to CISA within 72 hours of discovery and ransom payments within 24 hours.

The scope of ‘covered entities’ under CIRCIA is broad, encompassing organizations in all 16 critical infrastructure sectors identified by Presidential Policy Directive 21. Significantly, CIRCIA defines ‘covered cyber incidents’ to include incidents that cause substantial loss of confidentiality, integrity, or availability of information systems; serious impacts on the safety and resiliency of operational systems; and disruptions of business or industrial operations. This functional definition captures a wider range of incidents than traditional data breach notification laws, which focus primarily on unauthorized access to personal information.

The Relationship Between CIRCIA and Existing Breach Notification Laws

CIRCIA operates alongside—not in place of—the existing patchwork of federal and state data breach notification laws. Organizations subject to CIRCIA must understand how these regimes interact. The key distinction is that CIRCIA focuses on operational and national security impacts of cyber incidents, while traditional breach notification laws focus on the exposure of personal information. A single cyber incident may trigger both CIRCIA reporting obligations and obligations under state data breach notification laws.

Federal sector-specific breach notification requirements include: the HIPAA Breach Notification Rule (45 C.F.R. Part 164) for healthcare entities and their business associates; the FTC’s Health Breach Notification Rule (16 C.F.R. Part 318) for vendors of personal health records; the SEC’s cybersecurity incident disclosure rules (17 C.F.R. §§ 229.106, 240.13a-11) for public companies, requiring Form 8-K disclosure of material cybersecurity incidents within four business days of determination of materiality; and the OCC’s 36-hour notification rule for banks and their service providers.

Ransomware: Legal Obligations and Strategic Considerations

Ransomware attacks present particularly complex legal obligations because they typically implicate both the operational impact reporting required by CIRCIA and the personal data breach notification required by state and federal privacy laws. When ransomware encrypts an organization’s systems, the organization must simultaneously assess whether it has experienced a ‘covered cyber incident’ triggering CIRCIA reporting, whether personal data was accessed or exfiltrated before encryption (which may trigger separate breach notification obligations), and whether any sanctions considerations affect the decision to pay the ransom.

On the sanctions front, the Office of Foreign Assets Control (OFAC) has warned that payments to ransomware actors that are subject to U.S. sanctions may violate the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1705, and carry civil and criminal penalties. OFAC’s October 2020 advisory identified numerous ransomware actors designated as Specially Designated Nationals, including groups associated with state sponsors of terrorism and foreign governments. Before paying any ransom, organizations should conduct OFAC screening of any known or suspected threat actors.

Building a Legally Sound Incident Response Plan

The complexity of cyber incident reporting obligations makes a documented, tested incident response plan essential for any organization in a critical infrastructure sector. An effective incident response plan addresses:

  • Incident identification and classification — Criteria for determining whether an event constitutes a ‘covered cyber incident’ under CIRCIA, a reportable data breach under applicable state laws, or a material cybersecurity incident under SEC rules
  • Reporting timelines and responsibilities — Clear assignment of responsibility for making required reports within applicable deadlines (72 hours for CIRCIA, 4 business days for SEC, 60 days for HIPAA breaches)
  • Legal hold obligations — Preservation of evidence relevant to any potential regulatory investigation or litigation arising from the incident
  • External counsel engagement — Pre-arrangement with experienced cybersecurity counsel, particularly counsel whose communications may be protected by attorney-client privilege during the investigation phase
  • Ransom payment decision tree — A documented process for evaluating ransom payment decisions, including OFAC screening, law enforcement notification under 31 C.F.R. § 501.606, and insurer notification

What Revision Legal Can Do for Your Cyber Compliance Program

The emerging federal cyber incident reporting regime represents a significant new compliance burden for businesses in critical infrastructure sectors. Revision Legal’s internet law and cybersecurity attorneys can help you assess your reporting obligations under CIRCIA and applicable sector-specific regulations, develop a legally sound incident response plan, respond to government inquiries following a cyber incident, and defend against regulatory enforcement actions. Contact us today to discuss your cybersecurity compliance needs.
