With the threat of cyberwarfare increasing due to the war in Ukraine, Congress had passed an appropriations bill which included the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  While businesses may have wanted to report incidents to the FBI or law enforcement as a matter of course, there is now concrete guidance as to actual reporting requirements set forward by the Federal Government.  CIRCIA is one of the first pieces of legislation to give guidance on the front of cybersecurity and data breaches.  While this is not a perfect solution, businesses should know that they may now be subject to this reporting requirement moving forward.  So what entities are subject to this requirement?  What has to be reported? What are the penalties for a failure to report?

WHAT ENTITIES ARE COVERED?

The CIRCIA impacts "covered entities" as defined under the bill. "Covered entities" are the businesses that are (1) in a critical infrastructure sector as identified by the Cybersecurity and Infrastructure Security Agency (CISA), and (2) satisfy the definition and criteria established by the CISA Director. The CISA Director is required to give additional guidance in approximately 18 to 24 months after a notice of proposed rulemaking.  Essentially, covered entities will likely include many of the larger businesses initially identified as an essential business at the start/height of the Coronavirus Pandemic and may find themselves subject to the reporting requirements under CIRCIA.

Although the specifics are currently unclear, the CISA Director is required to base the rules on "(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure."

Ultimately, while clarity may not be given for an additional two years, businesses can use this guidance to help guide whether they believe they may be subject to the new requirement.

WHAT HAS TO BE REPORTED?

Reports are supposed to be made either (a) within 72 hours after a covered entity believes a covered cyber incident has occurred, or (b) 24 hours after a ransom has been paid as a result of a ransomware attack. A "cyber incident" is any occurrence that actually jeopardizes the integrity, confidentiality or availability of information on an information system or the information system itself.  Following this, a covered cyber incident is a cyber incident of sufficient size, impact, and novelty of the attack's tactics as specified in the final rules set forth by the CISA Director. Essentially, if a computer network were to become compromised or there was a data breach, the event could be considered a "covered cyber incident." While the exact contents of the report are not specified in this legislation, various factors are set forth, including: (1) a description of the incident, (2) identification and description of the function of the systems, (3) networks and devices compromised, (4) description of the unauthorized access, (5) date range of the incident, (6) impact to the operations of the covered entity, (7) the vulnerabilities exploited and defenses in place, (8) the tactics used in the attack, (9) identifying information regarding the covered entity that suffered the attack,  and (10) the contact information for the covered entity.

WHAT HAPPENS WHEN NO REPORT IS MADE?

As the CIRCIA is written currently, the CISA Director can seek the information through subpoenas, in addition to Civil Actions via the Attorney General.  Failure to comply could then be followed by contempt of court.  However, it is worth noting that there are currently no fines or fine structures listed within CIRCA for noncompliance and a failure to report in a timely manner.

WHAT NOW?

While the CIRCIA is not in full force as rulemaking commences, if the CCPA and other data privacy laws can be any indicator, proactively establishing privacy measures, as well as incident response plans for when a hack occurs is crucial to a timely and organized response.

HOW NEWMEYER DILLION CAN HELP

Newmeyer Dillion can provide help implementing new cybersecurity policies to comply with CPRA, breach responses and incident response plans, as well as new reporting requirements from the Federal Government and state of California.