New Federal Cybersecurity Reporting Requirements

President Biden signed the Consolidated Appropriations Act, 2022 on March 15^th.  The Act had significant funding earmarked for cybersecurity, which is always interesting for government contractors.  More remarkable, however, is Division Y, which imposes significant cybersecurity incident reporting obligations on private companies.

Division Y, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requires covered entities to report “substantial” cyber incidents within 72 hours.  Many of the details of this reporting requirement are undefined, but companies within critical infrastructure sectors now have a burdensome reporting requirement that did not exist before.  This reporting requirement highlights growing tension within the government as it struggles with how to address cybersecurity concerns.

First, this reporting requirement is significant.  Most organizations today cannot meet a 72-hour reporting requirement.  Many organizations struggle with state data breach reporting requirements, which are often 30 days, or the HIPAA requirement, which is 60.  Reporting is more than raising your hand when there is a breach.  Most organizations want some understanding of the facts prior to a report.  Senior leadership will want to weigh in on the messaging and potentially inform other stakeholders.  There may also be conflicting obligations, especially as these organizations operate primarily in the private sector with complex contractual relationships.

Second, the Department of Justice may now target some breach victims—those who allegedly misrepresented their compliance with notoriously complicated government cybersecurity obligations.  There has always been an unwillingness among some data breach victims to coordinate with law enforcement because they feared law enforcement would provide the information to their regulators.  The government went so far as to state that the FBI would not do so.   Now, there is the opposite concern.  Companies will be forced to disclose breaches to their regulators who may then refer them to DOJ for enforcement action.

Third, this may the first move towards a broader federal data breach notification law.  There have been requests for a single data breach notification law from every corner, but previous proposals have gotten bogged down in the details.  This may be a trial run to show how a federal requirement for all businesses would function.

Organizations should already have a plan in place for addressing data breaches, including notification requirements.  They should test these plans through tabletop exercises, preferably conducted by a third party.  Companies subject to these new requirements need to update their plans accordingly and begin testing their ability to comply.  The middle of a breach is not the time to find out that your breach reporting plans don’t work as planned.