Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
Senators Introduce Bipartisan Legislation To Require Federal Contractors and Operators of Critical Infrastructure to Disclose Cyber Intrusions

A bipartisan group of 14 United States senators recently introduced proposed legislation that would require federal contractors and operators of critical infrastructure to disclose any cyber intrusion within 24 hours. A copy of the proposed legislation can be found here.

Currently, there is no federally mandated reporting requirement for cyberattacks on American infrastructure targets. The newly proposed legislation is designed to prevent these attacks from going unreported and uninvestigated.

This proposed legislation, titled the “Cyber Incident Notification Act of 2021,” is a clear response to the recent Colonial Pipeline and SolarWinds attacks and is designed “[t]o ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes.” Under the proposed legislation, federal contractors, agencies and critical infrastructure operators would be required to report cyber intrusions to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

While the 24-hour reporting window is clear, the proposed legislation does not appear to define what constitutes a cyber intrusion and, in particular, what constitutes a “potential” cyber intrusion. Instead, the legislation appears to leave it to CISA and other agencies, such as the FBI, to define which events rise to the level of required notification. This could lead to confusing and inconsistent results.

Another significant consequence of the proposed legislation is that it positions CISA as the federal hub for intrusion notifications, instead of the FBI’s Internet Crime Complaint Center, which has been the de facto reporting agency to date. That said, the bill is unclear about which agency would take the lead on the actual investigation of any cyber intrusions and about how that process would work.

To incentivize federal agencies and contractors to report intrusions in a timely manner, the current version of the bill includes the following safeguards:

  • Federal liability protection barring the notification from being used against the victim of the cybersecurity incident in court. This protection would not apply, however, if the lawsuit is brought by the federal government.
  • The bill would exempt any pertinent information about the attack from inquiries brought under the Freedom of Information Act.

The proposed legislation also includes significant penalties for failure to make the required notifications within the specified time. First, CISA would be authorized to assess a civil penalty “not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.” Additionally, government contractors that do not comply with the statute, if it is enacted, risk removal from the federal contracting schedules program run by the General Services Administration.

The bill is still in its initial phases, and, as of now, there has been no substantive move on corresponding legislation in the House of Representatives. If the bill passes, however, it will greatly change the way cyberattack notification is conducted for federal contractors and operators of critical infrastructure.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

About the Author: Jane Blaney

Jane Blaney assists clients seeking solutions related to insurance matters, with concentrated knowledge in health insurance, health insurance regulation and technology services. View Jane's full bio on the Faegre Drinker website.

August 25, 2021
Written by: Jason G. Weiss and Jane Blaney
Category: Cybersecurity
Tags: cyber risk management, cyberattack, federal legislation

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.