September 25, 2021

Volume XI, Number 268

Senators Introduce Cyber Incident Notification Act

On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021 (the “Act”). The Act would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.

The Act would require covered entities to notify the Cybersecurity and Infrastructure Security Agency (“CISA”) of the Department of Homeland Security (“DHS”) within 24 hours of “confirmation” of a cybersecurity incident, and supplement such notification with any newly discovered information within 72 hours of discovery.

To encourage information sharing, the Act would provide limited immunity to entities reporting cybersecurity incidents pursuant to the Act. For example, notifications provided to CISA would be exempt from disclosure under the Freedom of Information Act. In addition, information contained in such notifications would not be admissible in any civil or criminal action and would not be subject to subpoenas, unless Congress issued the subpoena for oversight purposes.

Enforcement of the Act would differ based on the covered entity’s status. Federal contractors who violate the Act would be subject to penalties determined by the Administrator of General Services, including potential removal from the Federal Contracting Schedule. Under the Act’s definition of the term, only entities that perform work in the federal supply chain would qualify as federal contractors. Entities that are not federal contractors would be subject to daily financial penalties equal to 0.5 percent of their gross revenue from the prior year.

The Act also would require the Director of CISA to promulgate an interim final rule within 270 days of enactment of the Act. The interim final rule would define when reporting obligations are triggered and provide guidance on the exact contents of the notification.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 215

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
