After years of legislative debate, Congress passed a new law requiring key businesses to report certain data breaches—or “covered incidents”—to the government. Signed by President Biden on March 15, 2022, the law, part of the Strengthening American Cybersecurity Act, requires companies that operate critical infrastructure—financial institutions, utilities, and other organizations—to share information with the Cybersecurity and Infrastructure Security Agency (CISA) about certain cybersecurity incidents within 72 hours and ransomware payments to cyber criminals within 24 hours of payment.

Information Sharing on the “Battlefield”

Proponents of the law suggest it would encourage meaningful information sharing between the private sector and government agencies, a problem that the latter have repeatedly raised in the ongoing battle between cyber criminals and critical infrastructure in the US. The law’s authors, Sen. Gary Peters (D., MI) and Sen. Rob Portman (R., OH), emphasize the government’s “need to know the battlefield” and “where the bad guys are.” In the past, private companies often shared little information about major data breaches and cybersecurity incidents, including how the breach occurred and the extent of its damage, unless they involved US consumer data. Now, on the heels of the Colonial Pipeline cyberattack in 2021 and other high-profile incidents, cyberattacks on critical infrastructure are a more likely—and potentially devastating—threat to the US. Jen Easterly, who will oversee CISA’s reporting regime, said, “[p]ut plainly, this legislation is a game-changer,” and the government expects the law to foster transparency so private companies can quickly respond to and mitigate these types of attacks with the government’s resources and assistance.

Unclear Requirements Raise Concerns

In contrast to the hopeful outlook of Congress and some federal agency officials, industry leaders are concerned about the law’s lack of clear requirements. In the two days since President Biden signed the law, critics in both government and the private sector have raised several concerns, among them:

1. Ambiguous scope: The law does not explicitly state which incidents are covered or when the 72-hour reporting window opens. Although the law does define “covered entities” as those companies that fit the Department of Homeland Security’s definition of “critical infrastructure,” it remains unclear whether any threshold requirements will apply to certain critical infrastructure companies.

2. Broad interpretative power: In the absence of restrictive regulatory guidelines, government officials have broad discretion in interpreting the law. The concern is two-fold: a broad interpretation may overwhelm companies caught in crisis with burdensome information requests, whereas a narrower interpretation may limit cooperation and information sharing.

3. Unclear enforcement mechanism: CISA can subpoena private companies for information and refer uncooperative companies to the Department of Justice for civil penalties, but the law does not grant CISA authority to fine companies for violations and noncompliance. The specifics of whether or under what circumstances the Department of Justice would pursue civil penalties for noncompliance are somewhat unclear at this stage.

4. Liability: Industry groups fear that disclosing sensitive information related to a company’s security policies and procedures (or lack thereof) invites legal and regulatory liability. However, the law does seem to protect companies from public disclosures under the Freedom of Information Act.

5. Intra-department sharing: The law does not give CISA, located in the Department of Homeland Security, a deadline for sharing information with federal law enforcement agencies. Justice Department and FBI officials are concerned that delayed sharing could hinder investigations, and requested in a November 2021 statement before the US House of Representatives’ Committee on Oversight and Reform that the law have “one designated reporting intake mechanism . . . with reports going to both DOJ and DHS.”

What We Know and What Your Company Can Do Now

We have outlined initial action steps for companies that may fall under the law’s scope:

1. Covered entities: CISA must consider whether a breach at the company creates “national security, economic security, or public health and safety” consequences and whether the damage will disrupt “reliable operation of critical infrastructure.” Companies should determine whether the products or services they provide, the data they collect, and/or the industry they serve impact critical infrastructure.

2. Covered incidents: The law defines covered incidents as those that lead to “substantial loss of confidentiality, integrity, or availability of such information system or network.” The “sophistication or novelty” of the attack and the number of people affected will be considered. Complex ransomware or distributed denial-of-service attacks impacting critical functions or processes are more likely to trigger reporting requirements than other types of cyberattacks such as employee theft or small-scale wire fraud. As companies prepare for cyber incidents, they should pay particular attention to systems that impact critical functions or processes.

3. Timelines: The reporting timeline begins when the “covered entity reasonably believes that the covered cyber incident has occurred.” Companies should review their incident response plans to evaluate how to efficiently diagnose and document potential cyberattacks. If a covered entity fails to provide an adequate response within 72 hours, CISA may issue a subpoena to that covered entity to compel disclosure of information, and if the covered entity fails to comply with the subpoena, CISA may refer the matter to the US Attorney General to bring a civil action against it. In addition, there is a further requirement to report any payment of a ransom within 24 hours of doing so, which may increase potential exposure to enforcement under the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) requirements related to payments to sanctioned parties.

Among other concerns, a central challenge of the new law is that, in the midst of a company crisis, these regulatory obligations further complicate the company’s response effort, which must already contend with a myriad of data privacy notice obligations, increasing public company disclosures (including a proposed Securities and Exchange Commission (SEC) requirement to file a disclosure within four (4) business days), and other obligations. As companies await further guidance from CISA or the Department of Homeland Security regarding the law’s scope, requirements, and enforcement, they should remain vigilant about rapidly evolving ransomware variants and evaluate their security measures, chief among them reporting mechanisms and processes.

Authors

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice.

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Nick's practice focuses on privacy and cybersecurity, particularly in the healthcare and technology industries. His substantive technical experience, experience with the HIPAA Rules, and deep understanding of information security and privacy regulators' expectations allow Nick to efficiently guide clients on compliance with emerging laws, regulatory oversight, and obligations created through contract.

Teresa advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property, and international arbitration. She is the Co-Chair of the North American Class Action Subgroup.

Jessica is a partner in our San Francisco and Palo Alto offices. She has extensive experience in conducting internal corporate investigations for companies in the technology, financial services, energy, and health care industries, with a focus on technology companies headquartered in Silicon Valley. Jessica has helped a number of well-known public and private companies navigate high-profile crisis situations involving cutting-edge government enforcement and compliance issues. Jessica brings to the table a wide range of experience in both traditional and emerging white collar issues, including international antitrust enforcement, trade secrets theft, False Claims Act violations, cyber-crime, information security and privacy, cryptocurrencies and tokens, ICOs, and blockchain technology.

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to apply, and routinely uses, his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.

Jerome has extensive experience representing clients in government litigation and enforcement investigations before the SEC, DOJ, various United States Attorneys' Offices, and the Commodity Futures Trading Commission.

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Mason is an associate in Baker McKenzie's Chicago office.