After years of legislative debate, Congress passed a new law requiring key businesses to report certain cybersecurity incidents—or “covered incidents”—to the government. Signed by President Biden on March 15, 2022, the law, originally introduced as part of the Strengthening American Cybersecurity Act and enacted as the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requires companies that operate critical infrastructure—financial institutions, utilities, and other organizations—to report certain cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments to cyber criminals within 24 hours of payment.
Information Sharing on the “Battlefield”
Proponents of the law suggest it will encourage meaningful information sharing between the private sector and government agencies, a gap that government officials have repeatedly raised in the ongoing battle between cyber criminals and critical infrastructure in the US. The law’s authors, Sen. Gary Peters (D., MI) and Sen. Rob Portman (R., OH), emphasize the government’s “need to know the battlefield” and “where the bad guys are.” In the past, private companies often shared little information about major data breaches and cybersecurity incidents, including how a breach occurred and the extent of its damage, unless the incident involved US consumer data. Now, on the heels of the Colonial Pipeline cyberattack in 2021 and other high-profile incidents, cyberattacks on critical infrastructure are a more likely—and potentially devastating—threat to the US. CISA Director Jen Easterly, who will oversee the agency’s reporting regime, said, “[p]ut plainly, this legislation is a game-changer,” and the government expects the law to foster the transparency that lets private companies quickly respond to and mitigate these types of attacks with the government’s resources and assistance.
Unclear Requirements Raise Concerns
In contrast to the hopeful outlook of Congress and some federal agency officials, industry leaders are concerned about the law’s lack of clear requirements. In the two days since President Biden signed the law, critics in both government and the private sector have raised several concerns, among them:
1. Ambiguous scope: The law does not spell out which incidents are covered or precisely when the 72-hour reporting window opens. Although the law does define “covered entities” as companies that fit the Department of Homeland Security’s definition of “critical infrastructure,” it remains unclear whether any threshold requirements will apply to certain critical infrastructure companies.
2. Broad interpretative power: In the absence of restrictive regulatory guidelines, government officials have broad discretion for interpreting the law. The concern is two-fold, as a broad interpretation may overwhelm companies caught in crisis with burdensome information requests, whereas a more narrow interpretation may limit cooperation and information sharing.
3. Unclear enforcement mechanism: CISA can subpoena private companies for information and refer uncooperative companies to the Department of Justice, which may bring a civil action to enforce the subpoena, but the law does not grant CISA authority to fine companies for violations and noncompliance. Whether, and under what circumstances, the Department of Justice would pursue penalties for noncompliance is unclear at this stage.
4. Liability: Industry groups fear that disclosing sensitive information related to a company’s security policies and procedures (or lack thereof) invites legal and regulatory liability. However, the law does seem to protect companies from public disclosures under the Freedom of Information Act.
5. Intra-department sharing: The law does not give CISA, located in the Department of Homeland Security, a deadline for sharing information with federal law enforcement agencies. Justice Department and FBI officials are concerned that delayed sharing could hinder investigations, and requested in a November 2021 statement before the US House of Representatives’ Committee on Oversight and Reform that the law have “one designated reporting intake mechanism . . . with reports going to both DOJ and DHS.”
What We Know and What Your Company Can Do Now
We have outlined initial action steps for companies that may fall under the law’s scope:
1. Covered entities: CISA must consider whether a breach at the company creates “national security, economic security, or public health and safety” consequences and whether the damage will disrupt the “reliable operation of critical infrastructure.” Companies should determine whether the products or services they provide, the data they collect, and/or the industry they serve impact critical infrastructure.
2. Covered incidents: The law defines covered incidents as those that lead to “substantial loss of confidentiality, integrity, or availability of such information system or network.” The “sophistication or novelty” of the attack and the number of people affected will be considered. Complex ransomware or distributed denial-of-service attacks impacting critical functions or processes are more likely to trigger reporting requirements than other types of cyberattacks such as employee theft or small-scale wire fraud. As companies prepare for cyber incidents, they should pay particular attention to systems that support critical functions or processes.
3. Timelines: The reporting clock starts when the “covered entity reasonably believes that the covered cyber incident has occurred,” so companies should review their incident response plans to evaluate how quickly they can diagnose and document a potential cyberattack and when that reasonable belief is reached. Note that the reporting obligations do not take effect until CISA issues its implementing rule. If CISA believes a covered entity has failed to report and the entity does not provide an adequate response within 72 hours of CISA’s request for information, CISA may issue a subpoena to compel disclosure; if the covered entity fails to comply with the subpoena, CISA may refer the matter to the US Attorney General to bring a civil action against it. In addition, any payment of a ransom must be reported within 24 hours of making it, which may increase potential exposure to enforcement under the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) requirements related to payments to sanctioned parties.
Among other concerns, the new law adds regulatory obligations that further complicate a company’s response effort in the midst of a crisis, alongside a myriad of data privacy notice obligations, increasing public company disclosures (including a proposed Securities and Exchange Commission (SEC) requirement to file a disclosure within four business days), and other obligations. As companies await further guidance from CISA or the Department of Homeland Security regarding the law’s scope, requirements, and enforcement, they should remain vigilant about rapidly evolving ransomware variants and evaluate their security measures, chief among them their incident reporting mechanisms and processes.