On March 15, 2022, President Joe Biden signed into law new legislation that will require companies to report data breaches to the U.S. government. Part of the Strengthening American Cybersecurity Act, the new law will impact critical infrastructure operators including financial institutions and other private companies and comes with new obligations surrounding reporting of cybercrimes.
With its passing comes two integral timelines that businesses and companies should be aware of in order to ensure compliance. First, owners and operators of critical infrastructure must report certain covered cyber incidents, defined below, to the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the U.S. Department of Homeland Security (DHS), within 72 hours. Additionally, ransomware payments to cyber criminals must be reported by affected critical infrastructure operators within 24 hours of the activity.
While final declaration by the Director of CISA is needed regarding which entities will be considered covered critical infrastructure before these obligations will take effect, past policy may provide guidance as to applicable sectors. These may include companies and organizations concerning commercial facilities, communications, energy, financial services, government facilities, healthcare and public health, information technology, and transportation systems, among other areas. Should your company or business fall under one of these categories, the reporting requirements under this law may be applicable to you.
Why now?
The law comes at a time when cyber-criminal attacks on critical U.S. infrastructure are on the rise. According to proponents of the law, the sharing of information between private companies and government agencies is imperative to keep the government informed about “where the bad guys are.” With the sharing of more information ideally comes more informed agencies who can better anticipate cyberattacks and protect critical U.S infrastructure. Quick communication between companies and the CISA will allow these attacks to be addressed and remedied with government assistance. Notably, such communication measures have been absent in the past as only breaches involving American consumer data were historically reported, while all other reporting was provided on a volunteer basis without firm deadlines.
To put the risk of cyberattacks into perspective, in 2020, victims of cybercrimes reported almost $30 million of ransomware-related loss. Additionally, according to cryptocurrency tracking, $406 million of loss due to extortion payments took place during the same year. Such financial loss incited the passing of legislation intended to provide insight into the world of cyber criminality through prompt communication and timely reporting of virtual crimes.
Steps to Take
As always, it is best to contact an attorney to ensure that you are prepared. The attorneys at Rock Fusco & Connelly, LLC can assist in determining whether your business is considered a covered entity. In preparation, consider the consequences of a potential cybersecurity breach based on the services or products you provide. More specifically, ask whether a company breach would create a “national security, economic security, or public health and safety” threat. If so, your company would likely be covered under the reporting requirements of the new cybersecurity law. Likewise, your business may be covered under the law if it is one that would likely be categorized as critical infrastructure based on the product or service provided, data collected, or industry served.
Next, examine the circumstances and situations within your business operations that may allow for a cybersecurity breach. Incidents that must be reported under the new legislation include those that result in a “substantial loss of confidentiality, integrity, or availability of such information system or network.” For example, more complex breaches in security, such as those involving the use of ransomware, will result in mandated reporting under the law, while smaller scale crimes such as wire fraud are less likely to have reporting requirements under the new law. Keep in mind the threat of both types of crimes and consider which attacks your company may be more susceptible to.
Finally, as previously discussed, major obligations under this new legislation involve a tight timeline for reporting a breach. Be aware of the scope of these timelines in preparation for the possibility of reporting a cyberattack. It may prove advantageous to develop policy surrounding effective documentation and reporting of these incidents in order to adhere with the timelines required by the law. Specifically, the timeline for reporting begins when the entity “reasonably believes that the covered cyber incident has occurred.” Thus, once such an attack is perceived, it must be reported to CISA within 72 hours. Penalties such as the possibility of a civil action brought upon a company by the Attorney General may be implemented should a company fail to adhere to this timeline. Relatedly, reporting a payment of ransom within 24 hours is imperative and failing to do so could result in involvement of the US Department of Treasury’s Office of Foreign Assets Control.
As the guidelines continue to be finalized and with the pending implementation of this new cybersecurity law, companies should assess whether their business will be covered by this legislation and should take steps to develop procedures for reporting cybercrimes in a timely manner. Above all else, businesses and companies must take necessary precautions to protect themselves from breaches in cybersecurity in order to avoid becoming victims of cybercrime.
If you have question or concerns regarding how this new law may impact you and your business, please contact the attorneys at Rock Fusco & Connelly.