Newly Signed Critical Infrastructure Cybersecurity Law Implements New Breach Notification Requirements | Benesch
The new law will require critical infrastructure entities to report certain covered cybersecurity incidents to government agencies within 72 hours, and ransomware payments within 24 hours.
Under the new Critical Infrastructure Act, entities are required to report certain cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and to report ransomware payments to CISA within 24 hours.
The full scope of the law will be determined by future CISA regulations. Currently, the only clarification as to scope is that the requirements may apply to entities that operate in certain sectors (as noted below). It is not yet clear what specific attributes or characteristics will bring an entity within the scope of the law, or what types of cybersecurity incidents will trigger the notification requirements. The applicable regulations must be proposed within 24 months at the latest.
The new law was passed by Congress at a time when the federal government is continually adding new tools to its repertoire in a battle against the exponential increase in hacks, data breaches and ransomware attacks that have targeted both the public sector and the private sector. A number of recent cybersecurity incidents have targeted government agencies such as NASA and the FAA. Defense industry contractors and the Department of Defense, for example, are estimated to lose nearly $600 million per year due to cybersecurity incidents. Another example is the highly publicized SolarWinds hack, which resulted in the largest breach of US government information in recent years.
Moreover, cybersecurity attacks against private entities that have considerable national impacts have also increased. For example, a ransomware attack on a Colonial Pipeline Company system in 2021 caused gas shortages in southern and eastern regions of the United States.
The new Critical Infrastructure Act is one of many recent attempts by the federal government to try to gain the upper hand in the face of growing cybersecurity threats. Other recent actions by the federal government in this area include a new DOJ initiative to combat poor cybersecurity practices by government contractors and new breach notification requirements for banks and their service providers.
The new Critical Infrastructure Act requires “Covered Entities” to report any “Covered Cyber Incident” to CISA no later than 72 hours after the entity reasonably believes a Covered Cyber Incident has occurred.
“Covered entity” is broadly defined in the law to include any entity within a critical infrastructure sector, as defined in Presidential Policy Directive 21. This directive lists the following critical infrastructure sectors: (1) chemical products; (2) commercial facilities; (3) communications; (4) critical manufacturing; (5) dams; (6) defense industrial base; (7) emergency services; (8) energy; (9) financial services; (10) food and agriculture; (11) government facilities; (12) health care and public health; (13) information technology; (14) nuclear reactors, materials and waste; (15) transportation systems; and (16) water and wastewater systems. In addition, whether an entity (and its services or products) is considered critical infrastructure depends on whether “the inability or destruction of these systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof.”
These sectors may include banks, financial industry service providers, hospital systems, healthcare service providers, telecommunications providers, internet service providers, and transportation service providers.
Based on the foregoing, the potential applicability of the law is extremely broad, and its full scope will be unknown until CISA issues a final rule that better describes the factors used to determine whether an entity must comply with the law.
However, the new law provides guidance to CISA in its rule-making process, particularly in the definition of “covered entity.” CISA must consider: (1) the consequences that a cybersecurity attack against a given entity will have on national security, economic security, or public health and safety; (2) the likelihood that a given entity will be targeted by malicious actors; and (3) the damage or disruption that such an attack against a given entity would have on the reliable operation of critical infrastructure.
Entities that potentially fall within the 16 sectors listed above and that provide extensive services to much of the United States should pay close attention to, and engage with, the CISA rulemaking process.
Covered Cyber Incident
If an entity is in fact considered a covered entity, the second step is to determine whether the law is triggered. This means that the entity must determine whether the actual cybersecurity incident falls within the definition of a “covered cyber incident”.
Under the new Critical Infrastructure Act, a covered cyber incident includes any substantial cyber incident suffered by a covered entity. Like the definition of covered entity, this term is broadly defined, and its full scope will be unknown until CISA issues its final rule to better define when the reporting requirements are triggered. However, as with the rulemaking process for defining “covered entity,” the new law explicitly provides guidelines for CISA’s rulemaking.
The new law states that in determining the final rule definition of a “Covered Cyber Incident,” CISA must consider: (1) the sophistication or novelty of cybersecurity attacks, as well as their type, volume and the data subject to these attacks; (2) the number of people affected (directly or indirectly) by such attacks; and (3) potential impacts on industrial control systems (e.g., programmable logic controllers).
The new Critical Infrastructure Act imposes two main reporting obligations on entities that fall within the scope of the law.
First, if an entity experiences a material “Covered Cyber Incident,” it must report that incident to CISA within 72 hours. Specifically, the reporting obligation is triggered, and the clock starts running, when the entity has reasonable grounds to believe that a covered cyber incident has occurred. Therefore, the reporting obligation may be triggered even when the entity is not 100% certain that the incident has occurred.
Second, an entity must report to CISA within 24 hours if it makes a ransomware payment as a result of a ransomware attack.
Finally, the new Critical Infrastructure Act also requires subsequent reports to be filed with CISA if material new or different information becomes available as a result of the relevant cybersecurity event. It is important to note that under the new law, third-party vendors are permitted to submit the aforementioned reports on behalf of an entity.
With the full scope of the new law unknown, but the potential for broad applicability, any entity that thinks it might fall within the new law’s requirements should engage in the CISA rulemaking process, paying particular attention to the guidelines the law gives CISA for shaping and defining the scope of its rules.
In light of the federal government’s many recent efforts to combat cybersecurity incidents, ransomware attacks, and data breaches in general, CISA will likely aim for broad definitions and broad applicability.