
Alston & Bird Privacy, Cyber & Data Strategy Blog


Senate Passes Significant Cyber Bill Requiring Cyber Incident Reporting

March 3, 2022 By Kim Peretti and Kristen Bartolotta

The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law last year, passed the Senate on Tuesday, March 1 as a package of cybersecurity measures that would require operators of critical infrastructure and federal civilian agencies to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The bill had bipartisan support and was sponsored by Senator Gary Peters (D-Mich.) and Senator Rob Portman (R-Ohio). It is the most significant cyber bill to make it through the Senate in the chamber’s history, and if enacted it would be the first significant cyber legislation since the Cybersecurity Information Sharing Act of 2015, which gave companies legal cover to voluntarily share cyberthreat information with the government. The Act requires reporting of cyber incidents by critical infrastructure entities and federal agencies, establishes stricter cybersecurity requirements for federal agencies, and directs federal agencies to migrate to cloud-based networks, among other provisions establishing CISA’s roles and responsibilities.

Title II of the bill includes reporting requirements for critical infrastructure, or “covered entities,” which would be defined by subsequent rulemaking. Required reporting in the bill for critical infrastructure owners and operators includes notice to CISA within 72 hours of experiencing any covered “cyber incident,” and within 24 hours of making a ransom payment as the result of a ransomware attack. A cyber incident is defined as any occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system. “Covered cyber incident” will also be defined by subsequent rulemaking, but at a minimum will include the occurrence of: (i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability; or (iii) unauthorized access or disruption of business or industrial operations due to a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or due to a supply chain compromise. Reporting to the FBI is notably not required by the bill; however, the bill does provide a mechanism for CISA to share the information it receives with other agencies.

Though the specifics are also subject to subsequent rulemaking by CISA, the bill establishes certain minimum requirements for the contents of all reporting. The contents of a report of a cyber incident shall include, where available and applicable:

  • A description of the covered incident
  • A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident
  • Any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident
  • The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition
  • Information about the impacted entity, including state of incorporation or formation, legal entity name, trade names, or other identifiers
  • Contact information for the covered entity or an authorized agent of the entity

If passed, covered critical infrastructure entities would be required to supplement initial reporting whenever substantial new or different information becomes available. Subsequent reporting would be required until the entity notifies CISA that the cyber incident has been resolved. If a covered entity is required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, then that entity may be excepted from reporting obligations established in the Act.

Reporting of ransom payments will include, at a minimum, where available and applicable:

  • A description of the attack, including estimated date range of the attack
  • A description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack
  • Any identifying or contact information related to each actor reasonably believed to be responsible for the ransomware attack
  • The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made
  • Contact information for the covered entity or an authorized agent of the entity
  • The date of the ransom payment
  • The ransom payment demand, including the type of virtual currency or other commodity requested
  • The ransom payment instructions
  • The amount of the ransom payment

Reporting of ransom payments would be required even if the ransomware attack is not a covered cyber incident under the law.

The bill now goes to the House, where it is backed by Representative Yvette D. Clarke (D-NY), chair of the Homeland Security subcommittee on cybersecurity, and Representative John Katko (R-NY). As of now, no floor time or debate has been scheduled in the House.


About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.


About Kristen Bartolotta

Kristen Bartolotta is an associate in Alston & Bird’s Privacy, Cyber & Data Strategy Team. She advises clients on managing privacy and cyber risk, breach investigations and response, transactional diligence, and emerging technologies. Kristen also advises on privacy and security compliance at the state, federal, and international levels.

