The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022 and brings new compliance requirements for covered entities, which matters for any company or organization operating within critical infrastructure. The reporting obligations themselves take effect once the Department of Homeland Security, through CISA, finalizes its implementing regulations, so covered entities have a window to prepare. We spoke with Steve Stransky of Thompson Hine about the steps companies can take to improve their readiness to comply with this new regulation.
What is CIRCIA? What do companies need to know in order to comply with it?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a new federal law that was included in a spending bill that President Biden signed into law in March. It requires a subset of critical infrastructure entities in the United States to report to the federal government within 72 hours when they’ve been subject to a cyber incident, and then to report within 24 hours in the event that they make a ransom payment.
What’s interesting is that this legislation has actually been up for debate for several years. Congress came very close to passing a similar law last year. There’s been broad consensus on many aspects of the law. Many think that the impetus behind Congress finally passing the law was the Russia-Ukraine conflict.
What type of organizations or entities does this law apply to?
Essentially, the law delegates authority to the Department of Homeland Security (DHS) to determine that. And it could apply to the 16 different critical infrastructure agencies: your health care organizations, your financial institutions, critical manufacturing, nuclear power plants, water, electrical, telecommunications. Essentially, any type of organization that fits within those critical infrastructure entities could be within the scope of the law. DHS is given authority to potentially narrow that scope of the law based on how it defines a cyber incident that requires reporting.
The public, particularly the critical infrastructure agencies, will have an opportunity to provide feedback on whether they agree with DHS’s proposed regulations, or to potentially offer alternative regulations or alternative language that DHS could consider incorporating into the final regulations themselves. DHS has 36 months to finalize all aspects of its regulations, but there’s anticipation that DHS will actually craft these regulations much sooner—maybe before the end of the year—because they have momentum with the law right now.
Are the specific reporting requirements reasonable for organizations to comply with?
Other data breach regulations, such as those regulating breaches of personal information or controlled unclassified information, have a 72-hour breach notification requirement and therefore this timeframe is not unprecedented.
So the 72-hour window is not new. It certainly is onerous, but the regulation of the law actually accounts for that. The requirement is that these covered entities have to provide notice when they’re subject to a covered cyber incident within 72 hours. To the extent they discover new information related to the incident, they have to supplement the reporting. There’s no timeline around any new information found—it just has to be done “promptly.”
The Department of Homeland Security recognizes that within the first 72 hours, organizations aren’t going to have all the information that they need to satisfy the reporting requirement. They do the initial disclosures in order to try to satisfy as much of the requirement as possible, recognizing that there’s going to be supplemental reporting to follow.
What’s interesting is that the ransomware payment reporting is contingent on when the payment is actually made, and not when the incident takes place. So you could have an incident that goes on for days or weeks and a ransomware payment is actually made several days or weeks after. That triggers an additional reporting obligation at that point, within the 24-hour notice of the report of the payment being made, which is separate from the 72-hour notice of the incident itself.
Does compliance with this legislation shield a company from potential civil class action suits?
There’s some liability protection within the law, but it’s narrow. It essentially says that if an organization or one of these covered entities does make a cyber incident report or ransomware payment report to the Department of Homeland Security, they’re shielded from lawsuits based solely on the report being made. This type of reporting is also shielded from disclosure pursuant to the Freedom of Information Act and similar federal and state public records laws.
How can companies best comply with this law? What steps can they take right now?
Under the federal incident reporting law, there’s no requirement that an organization have an incident response plan. But in order to comply with this type of data breach reporting law or security incident reporting law, you absolutely need a comprehensive incident response plan that is not just available but has been practiced to ensure that it actually aligns with your organization’s expectations, business models, and so forth.
Most important is having a good team and process in place for when you’re subject to any type of cyber incident that could potentially implicate the new federal cyber incident reporting law. Your information security team is going to be the first responders, making sure that they’re able to bring in legal and compliance and ethics and H.R., as well as outside counsel, your breach coach, and outside IT consultants. Having a comprehensive process for escalating and notifying these individuals should absolutely be built into your incident response plan.
My incident response templates all have an annex that lists every single person that’s on the team, as well as their secondary members in case the primaries are unavailable for some reason. You want to make sure you have the appropriate team members who can easily and quickly be assembled in order to respond to the incident.
What’s interesting about the law in particular is that it allows organizations to rely on third parties, like a law firm, to actually provide the cyber incident and ransomware payment notification to the federal government, and the law has additional requirements like evidence preservation. Making sure your incident response plan again has procedures built into place that you’re practicing with your IT consultant on how to preserve evidence will be key.
Who are you giving access to your environment? What are their privileges? How are they preserving evidence themselves? Are you issuing litigation holds? Those processes should be built into your incident response plan. You should also be practicing this as part of a tabletop exercise and penetration testing—again, engaging with counsel, because the law itself ensures that to the extent you’re providing information about an incident to the federal government, you’re not waiving any privileges around that information.
We’re grateful to Steve for outlining the key concerns around this federal regulation, which may indeed impact a large number of covered entities.