Two cybersecurity bills were introduced over the past few weeks that have a potential impact on cybersecurity reporting and compliance in the U.S. Ransomware is front and center in both. This is likely part of a government-wide reaction to the recent attacks on meat producer JBS USA, Kaseya, and Colonial Pipeline.
The Ransom Disclosure Act
The Ransom Disclosure Act, introduced in early October by Senator Elizabeth Warren (D-Mass.) and Representative Deborah Ross (D-N.C.), would provide the Department of Homeland Security (DHS) with critical data on ransomware payments.
Specifically, the current version of the bill will likely:
- Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment. This disclosed information will likely include the amount of the ransom demand, the amount paid, the type of currency used for payment of the ransom, and any known information on the threat actor demanding the ransom.
- Require DHS to make the information from the prior year’s ransom disclosure public. This will likely exclude identifying information about the entities that paid ransoms.
- Require DHS to set up a website to facilitate ransom reporting.
Further, the legislation will direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks. Homeland Security will need to provide recommendations for protecting information systems and strengthening cybersecurity.
The Cyber Incident Notification Act of 2021
Earlier in October, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and ranking member Sen. Rob Portman (R-Ohio) introduced a bill, the Cyber Incident Notification Act of 2021, that affects how companies report cybersecurity breaches and payments made in ransomware attacks. The bill also requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a program to alert organizations to vulnerabilities exploited by ransomware. It further directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts with private industry.
The legislation would require the owners and operators of designated critical infrastructure to report cyber incidents to CISA within 72 hours. These critical infrastructure groups, nonprofits, state and local governments, and most other business organizations with over 50 employees must also report any ransomware payment within 24 hours. Note that the 50-employee threshold is the “small business” designation used by various federal government programs, so the rule would apply to approximately half of American businesses.
The proposed legislation comes with teeth. It would grant the CISA Director the authority to issue subpoenas to organizations that fail to comply with the Bill’s reporting requirements. Entities that fail to comply with subpoenas would, of course, be referred to the Justice Department. Federal contractors that fail to comply with subpoenas would be subject to additional penalties from the General Services Administration.
Compliance Costs Never Seem to Go Down
Compliance costs never seem to go down, perhaps with good reason. The need for this legislation is not being questioned here. The legislation does, however, create a silent incentive for most industries: if you can avoid paying a ransom, it seems you can avoid public disclosure in some cases, depending on which laws apply, the state, and the industry. Healthcare is the exception today. For a ransomware attack that encrypts over 500 patient records, you must disclose it as an assumed data breach under HIPAA whether or not you pay.
This follows from the opinion HHS/OCR issued several years ago on ransomware and HIPAA, which has since become closely associated with major healthcare data breach reporting. In the event of a ransomware attack, it is to be assumed, at least in the healthcare industry, that the data has also been breached, and therefore it should be reported as such.
Deja vu all over again.
We’re just a few steps away from the same thinking applied to other industries.
Roll the tape forward on this potential legislation as it heads towards finalization. If ransomware attacks are also declared crisply and clearly as data breaches, as HHS/OCR did for healthcare, how will that impact your enterprise? What new costs might you incur? How will you manage it? How do your governance and compliance teams treat incidents like these today?
There are other questions whose details will need to be sorted out with precision. What is the definition of a cyber incident, exactly? If you leave your laptop in a coffee shop and lose it, is that a reportable cyber incident, or does the term cover only an active, verified hacking attempt? How many security events in a major bank, for example, would qualify as cyber incidents under this proposed legislation? At what point do the governance, compliance, and operations teams recognize that the legislative time window for reporting has passed? You can see the challenges that await as this legislation is finalized.