Client Alert

U.S. Congress Introduces Bill that Would Require Mandatory 24 Hour Cyber Breach Notification for Government Agencies, Contractors, and Operators of Critical Infrastructure

23 Jul 2021

This week, U.S. Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a broad group of bipartisan co-sponsors, introduced legislation that would require government agencies, contractors, and operators of critical infrastructure to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. The bill is a response to incidents like the SolarWinds and Colonial Pipeline hacks, which have put a fresh spotlight on the national security implications of cyber incidents and the need for greater information sharing. It expands on efforts by the Biden administration, such as the Executive Order on Improving the Nation’s Cybersecurity, to implement more expansive cyber breach notification requirements for entities that do business with the federal government. The bill, known as the Cyber Incident Notification Act of 2021, which has been previewed in the press for some time, has broad bipartisan and industry support and a strong chance of being enacted by Congress.

Cyber Incident Notification Act Requirements

The bill applies to “covered entities,” defined as federal agencies, government contractors, and critical infrastructure owners and operators. Under the scheme proposed by the legislation, these entities must report to CISA, an agency within the Department of Homeland Security (DHS), within 24 hours of detection of a “cybersecurity intrusion” or “potential cybersecurity intrusion.” Covered entities would also have to provide regular updates to CISA within 72 hours of discovering new information.

The bill directs CISA, in coordination with various other national security and intelligence agencies, to promulgate rules establishing guidelines and clear definitions for what constitutes a reportable “cybersecurity intrusion” within 270 days from the bill’s enactment. Among other things, the bill directs that the definition of “cybersecurity intrusion” shall include at a minimum any incident that:

  • Involves or is assessed to involve a nation-state;
  • Involves or is assessed to involve an advanced persistent threat cyber actor;
  • Involves or is assessed to involve a transnational organized crime group (as defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C. § 2708));
  • Results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States;
  • Is or is likely to be of significant national consequence;
  • Is identified by covered entities but affects, or has the potential to affect, agency systems; and/or
  • Involves ransomware.

The bill also requires that any incident report must include, at a minimum, the following:

  • A description of the cybersecurity intrusion, including identification of the affected systems and networks that were, or are reasonably believed to have been, accessed by a cyber actor, and the estimated dates of when such an intrusion is believed to have occurred;
  • A description of the vulnerabilities leveraged, and tactics, techniques, and procedures used, by the cyber actors to conduct the intrusion;
  • Any information that could reasonably help identify the cyber actor, such as Internet protocol addresses, domain name service information, or samples of malicious software;
  • Contact information for the covered entity; and
  • Actions taken by the reporting entity to mitigate the intrusion.

To address concerns from industry groups and incentivize cooperation, the bill exempts information provided to CISA from Freedom of Information Act requests, as well as subpoenas, except for those issued by Congress for oversight purposes. The bill also includes a liability protection provision that shields entities that submit a report from liability due to the submission of a cybersecurity notification, and would prevent cyber incident notifications from being used as evidence in criminal or civil actions. CISA must also consult with the private sector on the implementing regulations related to the bill.

The bill also provides for penalties in the event a covered entity fails to make a required disclosure. For example, the administrator of the General Services Administration (GSA) can impose penalties on government contractors, including removal of the contractor from any GSA federal supply schedules. Entities that do not have government contracts will be subject to a fine of as much as 0.5% of gross revenue per day of delayed notice, although CISA will be required to establish a process for contesting civil penalties.

Other Legislative and Executive Activity

The Cyber Incident Notification Act may be incorporated into the FY 2022 National Defense Authorization Act (NDAA) and otherwise will be referred to the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over CISA and which is considering several other cybersecurity-related legislative proposals.

Senators Gary Peters (D-MI) and Rob Portman (R-OH), chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, are reportedly working on cyber incident reporting legislation focused on ransomware, which would require non-federal entities to notify the government if such entities make a ransom payment in response to a ransomware attack. The bill also reportedly would call for these entities to consider alternatives to making the ransom payment, including:

  • A search for potential alternative decryption methods;
  • An analysis of whether the non-federal entity can recover from the ransomware attack through other means; and
  • Appropriate consultation with federal entities, including DHS, the Federal Bureau of Investigation, and/or the Office of Foreign Assets Control.

As mentioned above, the Biden cybersecurity Executive Order, promulgated on May 12, 2021, is another source for regulation of cyber incident reporting. As we describe in a prior article, the Order requires changes to the Federal Acquisition Regulation that will impose more rigorous and uniform breach notification and information sharing requirements on federal contractors.

Conclusion

Although the pending legislation provides fairly detailed parameters for cyber incident reporting, it remains to be seen how the various stakeholders’ actions and recommendations will coalesce into implemented policy changes. What is apparent is that this is a rapidly changing area of law with potential implications for numerous stakeholders, including in particular those companies that do business with the government or that own or operate critical infrastructure.

Raymond Rif, a legislative and policy analyst in Morrison & Foerster’s National Security practice, contributed to this alert.

Close
Feedback

Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.