Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Feds Hope to Tighten Timeline for Agency Reporting of Cyberattacks as Congress Debates Federal Data Breach Notification Law


On December 6, 2021, in the Memorandum for the Heads of Executive Departments and Agencies, the Office of Management and Budget (OMB) took a more aggressive position on strengthening the nation’s cybersecurity posture. Under this memorandum, federal agencies are now mandated to report “major” cyberattacks within one hour of discovery to the Cybersecurity and Infrastructure Security Agency (CISA) and to OMB. It also directs affected agencies to update their reports within one hour of determining that an already-reported incident is “major.”

A “major” incident is defined in the Memorandum as either:

  • An incident that is likely to result in demonstrable harm to the national security interests, the foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people; or
  • A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, the foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

This new approach to heightened cybersecurity requirements squares with other recent federal cyber reporting directives, including:

  • Notification of cyber threats from federally regulated banking organizations
  • Notification of cyber threats against covered freight railroads, passenger rail and rail transit systems
  • Notification of cyber threats against health apps and connected devices that collect or use consumers’ health data
  • Notification of cyber threats against designated critical pipeline owners and operators

Additionally, Congress is currently debating new cybersecurity-related legislation for non-federal-agency “covered entities” (the bill does not explicitly define “covered entities,” but directs that the term be defined through consideration of several factors). The U.S. Senate is in negotiations about a defense policy spending bill (H.R. 4350) that includes definitions of terms such as “covered entity,” “covered cybersecurity incident,” and “cybersecurity threat.” The bill would task the Director of the Cybersecurity and Infrastructure Security Agency (Director) with establishing “reporting timelines for covered entities to submit promptly to the office covered cybersecurity incident reports, as the Director determines reasonable and appropriate based on relevant factors, but in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.”

Not only would this legislation impact reporting requirements, if passed, but it would also provide definitions at the federal level for many terms that are now defined predominantly at the state level. Given the lack of a comprehensive national standard for cybersecurity laws, it will be important to monitor not only how federal lawmakers define relevant terms, but also whether they implement federal reporting timelines in any new legislation.

Other newly proposed bipartisan legislation — including the Cyber Incident Notification Act of 2021 — is still working its way through the legislative process. This proposed legislation, introduced in response to the attacks against Colonial Pipeline and SolarWinds, is still pending and is also designed to help tighten federal cybersecurity reporting requirements.

About the Author: Jane Blaney

Jane Blaney assists clients seeking solutions related to insurance matters, with concentrated knowledge in health insurance, health insurance regulation and technology services. View Jane's full bio on the Faegre Drinker website.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

December 20, 2021
Written by: Jane Blaney and Jason G. Weiss
Category: Cybersecurity
Tags: CISA, cyberattack
