Russian Aggression Prompts Senate to Pass Cybersecurity Legislation

On February 28, 2022, a unanimous U.S. Senate, stirred by Russia’s invasion of Ukraine, passed the bipartisan “Strengthening American Cybersecurity Act of 2022.” The Act would impose new cyber incident and ransomware reporting requirements on government contractors, federal government award recipients, and companies operating in critical infrastructure sectors. While there may be amendments as the Act is considered in the House, we expect that the core components of the Act will be signed into law shortly. Below we summarize the main elements of the legislation that create, in some circumstances, new obligations on companies.

Companies Operating in Critical Infrastructure Sectors

Under the Act, companies operating in critical infrastructure sectors are potentially subject to new mandatory reporting requirements in the event of a cyber incident or ransomware payment. The Act would direct the Cybersecurity and Infrastructure Security Agency (“CISA”) to define as “covered entities” a subset of critical infrastructure entities based on how their disruption or compromise impacts “national security, economic security, or public health and safety”; the likelihood of being targeted by a malicious cyber actor; and the relative vulnerability of those entities to disruption. Federal government policy, which the Act incorporates by reference, defines the critical infrastructure sectors as 16 broad groups, including the energy, financial services, food and agriculture, healthcare and public health, transportation, critical manufacturing, and communications sectors. 

Covered entities will have two primary reporting requirements. First, any covered entity that “reasonably believes that a covered cyber incident has occurred” must report the incident to CISA within 72 hours. The Act directs CISA to promulgate a definition of a covered incident that includes, at minimum, unauthorized access, retrieval, or blocking of data from an information system or damage to the information system itself. Second, if a covered entity makes a ransomware payment to restore its systems, it must report such payment to CISA within 24 hours. Under either reporting requirement, covered entities are responsible for updating CISA with new information regarding the data incident until the entity “notifies the agency that the covered cyber incident at issue has concluded and has been fully mitigated or resolved.” Finally, companies would be required to preserve information regarding data incidents in accordance with final procedures developed by CISA. 

The exact reporting requirements will be dictated by further CISA rulemaking. Reports will, however, include a description of the unauthorized access, an estimated date range, the impact on the covered entities operations, and an assessment of what vulnerabilities were exploited. If an entity fails to submit a report, CISA will have the authority to issue a subpoena and the Department of Justice may bring a civil action to enforce compliance.

Government Contractors and Award Recipients

The Act will also require federal contractors and award recipients to follow reporting requirements similar to those imposed on federal agencies. All federal agencies must meet incident reporting guidelines dictated by CISA and under the Act would be responsible for reporting “major incidents” to an array of government entities including congressional leadership and CISA within 72 hours. If the Act becomes law, the Director of the Office of Management and Budget (“OMB”) will have six (6) months to promulgate rules that define a “major incident,” which must include the following:

• Incidents likely to have an impact on national security, homeland security, economic security, civil liberties, or public health and safety of the people of the United States; 
• Incidents likely to result in the inability of the agency to provide one or more critical services;
• Incidents likely to have a significant privacy impact on one or more individuals or a significant number of individuals;
• Incidents that substantially disrupt the operations of a high-value asset owned or operated by an agency;
• Incidents involving the exposure of sensitive agency information to a foreign entity; and,
• Any other type of incident that the Director of OMB determines appropriate. 

Similarly, the Act would require contractors and awardees to report to the agency that awarded the contract or award when they have a “reasonable basis to suspect or conclude” that one of three (3) data incidents has occurred. First, if an incident or breach involved “federal information collected, used, or maintained by the contractor or awardee” in connection with the contract or award. Second, if the incident or breach involved federal information systems. Third, if the contractor or awardee received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract or grant.

Contractors and awardees must report to their governing agency within the same amount of time that the agency is responsible for reporting its own incidents to CISA. As such, contractors and awardees need to be aware of the agency reporting requirements listed above. If the agency that awarded the contract or award determines that the incident was a major one, contractors and awardees will likely have additional obligations including supplemental investigations and reports.

While many government contracts and awards already include reporting requirements and thus will be minimally impacted by the new law, the new requirements will ensure that anyone doing business with or receiving grants from the federal government will be subject to cyber reporting requirements.

Implications

The Act’s reporting requirements will be a major change for industry and will impose new obligations on companies that suffer data breaches. Currently, the choice to report a data incident to the federal government is generally voluntary absent specific contractual requirements in a government agreement or grant award. Given the breadth of what is considered critical infrastructure, after the Act is passed a sizable amount of companies operating in the United States will be responsible for reporting data incidents to the government.

Companies in critical infrastructure sectors should review their incident response plans and evaluate whether they need to be revised in light of the stringent reporting deadlines in the Act. Companies should also evaluate whether the mandatory reporting obligations would change their internal calculus regarding public notifications and whether to make a ransomware payment.

It is likely that there will be some amendments to the Act in the House, including a potential requirement to report incidents to the Federal Bureau of Investigation, but there remains strong support for the main elements of the Act in both Congressional bodies and within the Executive Branch. As the Act will impose new obligations and expenses, companies should be monitoring the progress of the law and subsequent rulemaking by CISA.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the District of Columbia, Tod Cohen, an O’Melveny partner licensed to practice law in California and the District of Columbia, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.