May 28, 2022

Volume XII, Number 148

Advertisement
Advertisement

May 27, 2022

Subscribe to Latest Legal News and Analysis

May 26, 2022

Subscribe to Latest Legal News and Analysis

May 25, 2022

Subscribe to Latest Legal News and Analysis

President Biden Signs into Law the Cyber Incident Reporting Act, Imposing Reporting Requirements for Cyber Incidents and Ransomware Payments

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

Reporting Requirements

The Cyber Incident Reporting Act imposes four primary reporting and related requirements on “covered entities” in the event of a “covered cyber incident” or a ransomware payment. Covered entities are defined by reference to Presidential Policy Directive 21, setting forth 16 critical infrastructure industries.

First, a covered entity that experiences a “covered cyber incident” must report that incident to CISA no later than 72 hours after the covered entity reasonably believes that the covered cyber incident occurred. A “covered cyber incident” means an “occurrence” that actually “jeopardizes, without lawful authority, the integrity, confidentiality, or availability of” information on an information system or that information system, which is “substantial” and satisfies criteria to be established through future rule-making. The meaning of “substantial” will be subject to future rulemaking by CISA, as will the precise contents of what must disclosed in such a report, although the law provides that the following shall be included:

  • Identification and a description of the function of the affected information systems, networks that were, or are reasonably believed to have been affected by such cyber incident;

  • A description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information systems or network or disruption of business or industrial operations;

  • The estimated date range of such incident; and

  • The impact to the operations of the covered entity.[1]

Second, a covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity must report the payment to CISA not later than 24 hours after the ransom payment has been made. A “ransomware attack” is defined as an incident that includes “the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for ransom payment.”[2] Notably, this shorter 24-hour reporting requirement applies even if the ransomware attack does not meet the definition of a “covered cyber incident.” CISA will provide clarity as to the contents of such a report in subsequent rulemaking.

Third, a covered entity must “promptly” submit to CISA an update or supplement to a previously submitted covered cyber incident report if “substantial new or different information becomes available” or if the covered entity makes a ransom payment after submitting a covered cyber incident report. This ongoing supplemental reporting requirement remains in effect until the covered entity notifies CISA that the incident has concluded.

Fourth, a covered entity must preserve data relevant to the covered cyber incident or ransom payment.

Covered Entities and Application to the Health Care and Other Industries

The Cyber Incident Reporting Act calls for CISA to define “covered entity” in future rulemaking from among entities in a critical infrastructure sector, as defined in Presidential Policy Directive 21.  Presidential Policy Directive 21 identifies sixteen critical infrastructure sectors, including “Healthcare and “Public Health” as well as sectors covering broad segments of business such as “Commercial Facilities,” “Communications,” “Financial Services,” “Critical Manufacturing,” “Energy,” “Information Technology,” and “Transportation Systems” among others.

As “Healthcare and Public Heath” is an identified critical infrastructure sector, health care entities should anticipate being subject to the Cyber Incident Reporting Act as “covered entities” (which is not identical to the term as defined under the Health Insurance Portability and Accountability Act (“HIPAA”)). The Cyber Incident Reporting Act contains an exception to the reporting requirement for covered entities “required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe” and provided that the Federal agency receiving such reports has an agreement in place to share such information with CISA. As HIPAA does not require reporting of covered cybersecurity incidents or ransomware payments as defined under the Act to any Federal agency, HIPAA-covered entities are not excepted from the reporting requirements of the Cyber Incident Reporting Act at this time.

It should be noted also that the definition of “cyber incident” does not require that protected health information be involved in the incident. Thus, a HIPAA-covered entity could suffer a reportable cyber incident that is not a “breach” or “security incident” under HIPAA. In addition, the Cyber Incident Reporting Act has short 24 or 72 hour windows for reporting, in comparison to the longer time periods for reporting a breach of protected health information prescribed by the HIPAA breach notification rule.

Similarly, while we await the final rulemaking, further clarification and potential agency sharing agreements, other critical infrastructure entities should anticipate being subject to the reporting and data preservation requirements. This rule will significantly broaden existing breach reporting and incident response requirements for many organizations, and goes well beyond breach notification laws that are limited by data type as the reporting requirements extend here to all information and information systems held by the covered entity. The Act also expressly recognizes that businesses may need assistance of third party cybersecurity expertise in fulfilling their obligations, including providing that law firms and incident responders may submit the reports on their behalf.

Effective Date

The reporting requirements of the Cyber Incident Report Act will not go into effect until the final rules are promulgated under the Act. Presently, the law directs CISA, together with the Department of Justice and other federal agencies, to publish a notice of proposed rule-making within 24 months of the date of the enactment of the law, and that a final rule should be issued by CISA no later than 18 months after publication of the proposed rule-making.

ENDNOTES:

[1] Sec. 2242(b)(4).

[2] Sec. 2240(d)

©2022 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume XII, Number 77
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Brian G. Cesaratto, Epstein Becker, Employment benefits Litigation Lawyer, Workforce Management attorney
Member

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

212-351-4921
Allen R. Killworth Columbus Ohio Member Law Firm Healthcare Facilities Law Epstein Becker Green
Member of the Firm

Allen Killworth helps hospitals and health care facilities navigate federal and state regulatory issues. Health care providers seek his counsel on a variety of survey, certification, and licensure issues. Allen helps clients prepare for and respond to surveys, drafts plans of correction, and appeals adverse determinations.

Clients also look to Allen for advice on provider enrollment and regulatory issues related to initial organization, changes of ownership, and mergers and acquisitions of health care entities. Additionally, he assists providers...

614-872-2415
Alexander Franchilli, Epstein Becker Law Firm, Labor and Employment Litigation Attorney
Associate

Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green. 

Mr. Franchilli’s experience includes:

  • Representing employers in labor and employment law litigation involving breach of employment agreements, promissory notes, wage and hour violations, wrongful termination, and WARN Act violations

  • Litigating cases concerning unfair competition and breaches of non-competition agreements

  • Providing representation to employers in federal...

212-351-4748
Advertisement
Advertisement
Advertisement