Cyber Incident Reporting For Critical Infrastructure Act Signed Into US Law As Part Of Omnibus Appropriations Legislation


On March 15, 2022, President Biden signed into law the
Consolidated Appropriations Act, 2022, H.R. 2471. Division Y of
this omnibus appropriations legislation, the Cyber Incident
Reporting for Critical Infrastructure Act of 2022, will create
significant new rules requiring US critical infrastructure entities
to report cybersecurity incidents and ransom payments to the US
government. This legislation marks a significant expansion of legal
requirements to report cybersecurity incidents and ransom
payments.

Critical infrastructure entities will be well-served to consider
whether the new reporting requirements will apply to their
businesses, whether changes to their cyber programs are necessary
to meet these requirements and whether they should participate in
the forthcoming rulemaking process, either directly or through
industry groups. To that end, we highlight below elements of this
new law.

1. Cyber Incident/Ransom Reporting Requirements

The legislation imposes its new reporting requirements on
critical infrastructure entities that will be identified through
rulemaking by the Director of the Cybersecurity and Infrastructure
Security Agency (CISA), within the US Department of Homeland
Security (DHS). The legislation requires such covered entities to
report certain substantial cyber incidents to CISA within 72 hours
of “reasonably believ[ing]” that such a covered cyber
incident has occurred. Covered entities also need to disclose
within 24 hours any ransom payments made. This applies to
any payments, including in situations that do not
otherwise trigger the incident reporting requirement. Reporting
entities would also be required to supplement their initial reports
as “substantial new or different information becomes
available.” Relatedly, reporting entities are required to
preserve data relevant to their disclosures. These reporting
requirements do not apply to entities that, “by law,
regulation, or contract,” are already required to report
“substantially similar information to another Federal agency
within a substantially similar timeframe.” However, the
relevant agency must have an “agency agreement and sharing
mechanism” in place with CISA for this exception to apply.

The scope of these reporting requirements remains to be
determined in a rulemaking required by the legislation. For
example, the legislation defines a “covered cyber
incident” as one that is “substantial” and meets a
“definition and criteria” set by CISA through rulemaking.
The final rule would also delineate incident report content
requirements, ransom report content requirements and the scope of
data preservation requirements. These reporting and preservation
requirements would take effect after implementation of the final
rule, at a date specified therein. The legislation requires that a
notice of proposed rulemaking be issued within 24 months of its
enactment and a final rule would need to follow within 18
months.

The legislation also provides for voluntary reporting and the
reporting of additional information beyond what is legally
required. Both types of reporting would receive the same
protections as those applicable to mandatory reports (see
below).

2. Use of Third Parties

The legislation clarifies how covered entities may leverage the
support of third-party vendors to satisfy these new obligations.
Specifically, a covered entity may rely on “an incident
response company, insurance provider, service provider, Information
Sharing and Analysis Organization, or law firm” to submit
incident or ransom payment reports. Entities that make or
facilitate a ransom payment on behalf of a covered entity are
expressly not required to submit ransom payment reports. However,
any third party that “knowingly makes a ransom payment on
behalf of a covered entity impacted by a ransomware attack shall
advise the impacted covered entity of the responsibilities of the
impacted covered entity regarding reporting ransom payments.”
Thus, entities that facilitate ransom payments for covered entities
have a “responsibility to advise” their customers of
their obligations under the new law.

3. Enforcement

The legislation includes enforcement mechanisms to ensure
compliance with the new reporting requirements. Specifically, CISA
may issue subpoenas to require disclosure after initially
requesting disclosure from a covered entity it believes has
experienced a reportable cyber incident or made a reportable ransom
payment. An entity has 72 hours to respond to such initial request
before CISA may issue a subpoena. Failure to comply with the
subpoena may result in a civil lawsuit to seek enforcement and
possibly contempt of court. This enforcement procedure does not
apply to state, local, tribal or territorial governments.

The legislation also withholds certain protections from those
covered entities that fail to provide information in accordance
with requirements. Specifically, if CISA concludes that information
provided in response to a subpoena “may constitute grounds for
a regulatory enforcement action or criminal prosecution, the
Director may provide such information to the Attorney General or
the head of the appropriate Federal regulatory agency, who may use
such information for a regulatory enforcement action or criminal
prosecution.” Information provided in compliance with the law
on a voluntary basis or in response to an initial request is not
subject to this risk.

4. Data Use

The legislation sets out CISA’s responsibility for reviewing
and disseminating incident and ransom payment reports to federal
agencies. However, there are limitations on how this information
may be used, subject to the exception noted above. Specifically,
such information may only be used:

  • for a cybersecurity purpose;
  • to identify a cyber threat or security vulnerability;
  • to respond to, prevent or mitigate “a specific threat of
    death, a specific threat of serious bodily harm, or a specific
    threat of serious economic harm, including a terrorist act or use
    of a weapon of mass destruction”;
  • to respond to, investigate, prosecute, prevent or mitigate
    “a serious threat to a minor, including sexual exploitation
    and threats to physical safety”; or
  • to prevent, investigate, disrupt or prosecute an offense
    arising out of a reported cyber incident or ransomware attack or
    other enumerated offenses.

Besides these specified uses, the federal government is subject
to limits on how it can use reported information. For example,
neither the federal government nor any state, local, tribal or
territorial government may use reported information “to
regulate, including through an enforcement action, the activities
of the covered entity or entity that made a ransom payment, unless
the government entity expressly allows entities to submit reports
to [CISA] to meet regulatory reporting obligations of the
entity.”

DHS is required to share cyber incident and ransom payment
reports and other related information, such as subpoena responses,
with the relevant Sector Risk Management Agencies and “other
appropriate Federal agencies” within 24 hours of receipt,
subject to further direction by the President.

5. Protections

The legislation also establishes protections for reported
information that largely track those that were first implemented
for certain voluntarily disclosed information in the Cybersecurity
Information Sharing Act of 2015. Specifically, reports submitted in
response to applicable reporting obligations or under the
legislation’s provisions for voluntary disclosures would:

  • “[be] considered the commercial, financial, and
    proprietary information of the covered entity when so designated by
    the covered entity”;
  • “[be] exempt from disclosure under [the Freedom of
    Information Act] as well as any provision of State, Tribal, or
    local freedom of information law, open government law, open
    meetings law, open records law, sunshine law, or similar law
    requiring disclosure of information or records”;
  • “[be] considered not to constitute a waiver of any
    applicable privilege or protection provided by law, including trade
    secret protection”; and
  • “not be subject to a rule of any Federal agency or
    department or any judicial doctrine regarding ex parte
    communications with a decision-making official.”

The legislation also provides a suit dismissal provision
associated with the new reporting requirements. Specifically,
“[n]o cause of action shall lie or be maintained in any court
by any person or entity and any such action shall be promptly
dismissed for the submission” of a mandatory incident or
ransom payment report. This suit dismissal provision does not apply
to an action brought by the federal government to enforce a
subpoena against a covered entity. This provision also only applies
to “litigation that is solely based on the submission of a
covered cyber incident report or ransom payment report” to
CISA, a new standard that did not appear in the Cybersecurity
Information Sharing Act of 2015.

Finally, no report submitted to CISA pursuant to this legislation
or “any communication, document, material, or other record,
created for the sole purpose of preparing, drafting, or submitting
such report[] may be received in evidence, subject to discovery, or
otherwise used in any trial, hearing, or other proceeding in or
before any court, regulatory body, or other authority of the United
States, a State, or a political subdivision thereof.”

6. Other Provisions

This legislation also includes several provisions to further
enhance the cybersecurity ecosystem and public-private information
sharing.

  • Cyber Incident Reporting Council: The legislation calls for the
    creation of a Cyber Incident Reporting Council led by the Secretary
    of Homeland Security to “coordinate, deconflict, and harmonize
    Federal incident reporting requirements.”
  • Ransomware Vulnerability Warning Pilot Program: The legislation
    provides for the creation of a new pilot program to “develop
    processes and procedures for, and to dedicate resources to,
    identifying information systems that contain security
    vulnerabilities associated with common ransomware attacks, and to
    notify the owners of those vulnerable systems of their security
    vulnerability.” There would be no duty for owners and
    operators of allegedly vulnerable information systems to “take
    any action as a result of a notice of a security
    vulnerability.”
  • Joint Ransomware Task Force: The legislation calls for the
    establishment of a new joint task force chaired by CISA “to
    coordinate an ongoing nationwide campaign against ransomware
    attacks, and identify and pursue opportunities for international
    cooperation.” The National Cyber Director, in coordination
    with DHS, would determine appropriate participants from federal
    agencies.
  • Coordination of Reports Submitted to Other Agencies: The
    legislation requires other federal agencies that receive incident
    reports to submit those reports to CISA.

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited
liability partnerships established in Illinois USA; Mayer Brown
International LLP, a limited liability partnership incorporated in
England and Wales (authorized and regulated by the Solicitors
Regulation Authority and registered in England and Wales number OC
303359); Mayer Brown, a SELAS established in France; Mayer Brown
JSM, a Hong Kong partnership and its associated entities in Asia;
and Tauil & Chequer Advogados, a Brazilian law partnership with
which Mayer Brown is associated. “Mayer Brown” and the
Mayer Brown logo are the trademarks of the Mayer Brown Practices in
their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
