Increase in Cyber-Attacks Leads to Influx of New Privacy Data Breach Reporting Obligations
Originally published by Fisher Phillips (Monica Snyder Perl), GBS & Leavitt Group’s preferred partner for employment law. Republished with permission. Some content by Leavitt Group.
In the wake of Russia’s invasion of Ukraine, and amid growing concern about cyberattacks targeting infrastructure and other critical industries, there has been a flurry of federal activity to impose new requirements for reporting cyber incidents, including a new federal law that will introduce mandatory reporting obligations for many businesses. This activity affects entities in both the public and private sectors and furthers the federal government’s efforts to improve the nation’s cybersecurity. What do businesses need to know about the legislation and regulatory activity that could soon affect their operations?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022
Notably, the Consolidated Appropriations Act, 2022 (H.R. 2471), the omnibus spending bill signed into law on March 15, 2022, included the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA’s reporting requirements do not take effect until CISA’s final rule is published and effective. The statute gives CISA up to 24 months to publish a notice of proposed rulemaking and up to 18 months after that to issue the final rule, so the obligations could be as much as three and a half years away.
CIRCIA requires covered entities in critical infrastructure to report substantial cyber incidents and ransomware payments. The Act applies to entities in the critical infrastructure sectors identified in Presidential Policy Directive 21, with the precise definition of “covered entity” to be set in CISA’s final rule. Those sectors include:
- chemical,
- commercial facilities,
- critical manufacturing,
- emergency services,
- food and agriculture,
- healthcare and public health, and
- information technology, among others.
Under the new law, these entities must report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
- a covered cyber incident no later than 72 hours after the covered entity reasonably believes the incident occurred, and
- any ransom payment made as a result of a ransomware attack within 24 hours of making the payment, even if the ransomware attack is not itself a covered cyber incident.
The final rule will define which “covered cyber incidents” must be reported, but the Act directs that the definition cover, at a minimum, incidents that lead to:
(i) a substantial loss of confidentiality, integrity, or availability of an information system or network;
(ii) a serious impact on the safety and resiliency of operational systems and processes;
(iii) a disruption of business or industrial operations, including through a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability; or
(iv) unauthorized access or disruption of operations caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.
A report of a covered cyber incident under the Act must include:
- a description of the affected information systems, networks, or devices;
- a description of the unauthorized access;
- the estimated date range of the incident;
- the impact to the operations of the covered entity;
- a description of the vulnerabilities exploited and the security defenses that were in place;
- information related to each actor reasonably believed to be responsible for the cyber incident;
- the category or categories of information that were, or are reasonably believed to have been, accessed or acquired; and,
- the name of the entity and its contact information.
Similar information is required for reports of ransom payments, such as:
- the type of virtual currency or other commodity requested;
- the ransom payment instructions, including information regarding where to send the payment, if applicable; and
- the amount of the ransom payment.
Supplemental reports are also required whenever substantial new or different information becomes available, until the covered entity notifies CISA that the incident has concluded and been fully mitigated and resolved. Reports are treated as confidential, are exempt from disclosure under the Freedom of Information Act, and submitting one does not waive any applicable privilege or protection provided by law.
Consequences for Failure to Report Cyber Incident
If CISA has reasonable grounds to believe that an entity has experienced a covered cyber incident or made a ransom payment but has failed to submit a required report, CISA may first request the information from the entity directly. If the entity does not respond within 72 hours, CISA may issue a subpoena. If the entity fails to comply with the subpoena, the Act allows CISA to refer the matter to the U.S. Attorney General, who may bring a civil action in federal district court to enforce it (noncompliance is punishable as contempt). Information obtained through a subpoena that indicates a violation of law may be referred to the Attorney General or the appropriate regulator for a regulatory enforcement action or criminal prosecution.
Other Cybersecurity Legislation and Regulations
Rail & Pipeline Sector
The Transportation Security Administration (TSA) has also imposed mandatory incident reporting on the pipeline and rail sectors through security directives. Pipeline Security Directive 2021-01, issued in May 2021, came first; the rail directives took effect on December 31, 2021. (See TSA Security Directive Pipeline-2021-01 and the related Executive Order.)
Under the rail directives, owners and operators must report cybersecurity incidents to CISA within 24 hours, including, but not limited to:
(i) the affected systems or facilities;
(ii) a description of the incident;
(iii) any known threat information, including information about the perpetrator, if available;
(iv) a description of the impact or potential impact on operations or systems; and,
(v) a summary of planned or considered responses.
The directives include other components as well: the pipeline directive set a 12-hour notice window, and the directives also require designating a cybersecurity coordinator and conducting a cybersecurity vulnerability assessment.
Publicly Traded Companies
In addition, on March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity disclosure rules for publicly traded companies, intended to enhance and standardize public disclosure of cybersecurity incidents, risk management, strategy, and governance. The rules would take effect only once final rules are published, which could take months. Be sure you are signed up to receive news alerts so that you will be notified if and when final rules are released (Fisher Phillips subscription).
Under the SEC’s proposed rule, public companies would be required to disclose on Form 8-K, within four business days of determining that a cybersecurity incident is material, the following information:
(i) when the incident was discovered and if it is ongoing;
(ii) a brief description of its nature and scope;
(iii) whether any data was stolen, altered, accessed, or used for unauthorized purposes;
(iv) the effect of the incident on the company’s operations; and,
(v) whether the incident has been remediated or is being remediated.
As noted above, the reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act will not take effect until CISA’s final rule is published and effective, which could take up to three and a half years. However, the regulation of data privacy and security is now at the forefront of regulators’ attention, and employers should act now to build practices that address these new and impending obligations. Companies in the affected sectors should pay careful attention to the government’s deadlines and reporting requirements. If you haven’t already, the time is now to implement comprehensive cybersecurity risk management processes, including an incident response plan that can produce the required report contents within the 24- and 72-hour windows described above.
It is worth noting that companies, regardless of industry, may already be subject to the Health Insurance Portability and Accountability Act (HIPAA). Self-funded health plans (including level-funded plans, Flexible Spending Accounts (FSAs), Health Reimbursement Arrangements, and some Employee Assistance Programs (EAPs)) are subject to HIPAA, whose Privacy, Security, and Breach Notification Rules require covered entities to document and respond to security incidents and to notify affected individuals and HHS of breaches of unsecured protected health information. Leavitt Group is your Trusted Advisor for all of your insurance compliance needs and offers a comprehensive solution to clients at no cost. Contact your Leavitt Group representative to access this solution.
GBS will continue to monitor developments to ensure you are informed and prepared for any additional compliance mandates applicable to your business.