On March 1, 2022, the Senate passed a data breach and cybersecurity bill that could vastly expand data breach notice requirements. The Strengthening American Cybersecurity Act (the “Senate Bill”), which now shifts to the House of Representatives, would require organizations in certain critical infrastructure sectors to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber incident has occurred, among other measures intended to enhance the nation’s cybersecurity posture. Covered organizations would also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. These provisions are not limited to data breaches affecting personal data and would significantly expand the breadth of data breach reporting requirements to many commercial enterprises that have not focused on consumer privacy issues.
While the bill was criticized by FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco for shifting cyber-focus from the DOJ/FBI to DHS/CISA, it remains likely to pass the House, where similar legislation was supported last year as part of the annual defense authorization package. In addition to its breach reporting provisions, the Senate Bill would also require or encourage new cybersecurity measures for federal agencies, clarify the roles of certain cybersecurity officials and authorize the federal contractor cybersecurity FedRAMP program for five years.
Breach Reporting: New Time, New Place
Late last year, legislative proposals advanced in both the House and Senate to require breach reporting at the federal level either to the Critical Infrastructure Security Agency (CISA), the FBI, or both. No compromise was reached, however, and so the issue was deferred until this year. The new Senate Bill essentially adopts the prior House approach, requiring incident reporting to CISA by certain organizations within critical infrastructure sectors.
Critical infrastructure sectors cover a very wide range of businesses, from businesses in the chemical or national security sectors, to financial services, to health care, critical manufacturing, and information technology. The precise scope of organizations needing to comply with the proposed requirements (“Covered Entities”) would be determined through rulemaking by the Director of CISA (the “Director”).
The Senate Bill would create two new incident reporting requirements applicable to Covered Entities. First, Covered Entities would be required to report a “covered cyber incident” to the DHS within 72 hours of establishing a reasonable belief that such an incident has occurred. A “covered cyber incident” is defined generally as a “substantial” cyber incident, but the Senate Bill would give the Director rulemaking authority to further delineate the term’s parameters. Notably, a covered cyber incident is not limited to incidents in which personal data is compromised, as with various state breach reporting laws, and would likely include a wide variety of attacks, including ransomware, other sensitive information leaks, or, possibly, newly exploited vulnerabilities.
The Senate Bill would also require reporting in the event that a Covered Entity makes a ransom payment as a result of a ransomware attack. The clock for such notification would run even faster, requiring notification to DHS no later than 24 hours after the payment is made. Of course, the timing for both reporting requirements is substantially shorter than under typical state laws, which generally require notice “without unreasonable delay” or within month-plus periods such as 30 or 45 days. It is broadly consistent with expedited time frames under the European GDPR (72 hours), the New York Department of Financial Services regulations (72 hours) and the SEC’s newly proposed cybersecurity regulations (48 hours).
Many of the specifics of the reporting requirement remain to be established. The Senate Bill does not stipulate what information would be required within any breach report, leaving those details to be fleshed out by the Director. It does state that the Director’s rulemaking must include reporting of information such as the systems impacted, a description of the unauthorized access or other event, an estimated date range surrounding the incident, and the attack’s impact on the operations of the Covered Entity. Whatever the details, Covered Entities would be required to update or supplement a previously submitted report if substantial new or different information becomes available, until such time as the Covered Entity determines that the incident has been fully mitigated and resolved (which the Covered Entity would need to report).
In addition to reporting the covered cyber incident or ransom payment, the Senate Bill would also require the Covered Entity to preserve data “relevant” to the covered cyber incident or ransom payment. Again, rulemaking by the Director would be required to further define what data is or is not considered “relevant,” but even with more specific rules, Covered Entities will likely be forced to make key decisions about preservation early on in the process of responding to an incident should the Senate Bill be enacted.
Information Sharing and Enforcement
The Senate Bill would require that DHS share certain information about threat indicators and security vulnerabilities disclosed through breach notifications; however, the Senate Bill contains limitations regarding the confidentiality of the information and the privacy of individuals. Regulators would generally be prohibited from using information submitted to DHS through the new reporting procedure in any regulatory action, and the bill includes protections against waiver of the attorney-client privilege, trade secret or other protections that could otherwise result from submission of breach reports. The bill would also create liability protections surrounding submission of the reports and restrict from discovery communications or materials created solely for the purpose of drafting or submitting such reports—a restriction whose boundaries creative plaintiffs’ attorneys are likely to push.
One critical exception to these protections, though, exists if an organization fails to timely report and subsequently fails to cooperate with requests for information made by the Director. At that point, the Director would be authorized to issue a subpoena and refer any information received pursuant to the subpoena to the Attorney General or another appropriate regulatory authority, who may use the information for a regulatory enforcement action or criminal prosecution.
While the act would not provide for direct penalties for noncompliance, it nevertheless does incentivize timely reporting and cooperation through the threat of waiver of some of its liability shielding measures in the event of noncompliance. The Senate Bill also would not appear to limit any securities, derivative, commercial, or consumer actions based on the underlying data breach itself.
Prospect of Passage
The Senate Bill passed by unanimous consent and seems to have substantial support in the House of Representatives. DOJ officials raised concerns regarding its failure to more directly involve the FBI in the bill’s reporting procedure (Director Wray going so far as to say that the bill “would make the public less safe from cyber threats”); however, the bill’s sponsor and other prominent legislators pushed back against these concerns.
While there are some differences, the Senate Bill also broadly follows the parameters set forth in legislation that passed in the House last year. As such, it appears likely to pass again. Outside of DOJ, Biden administration officials also appear broadly supportive, and so, at the moment, the prospect that the Senate Bill will be enacted into law in some form appears high. Ropes & Gray will continue to monitor developments.