Tuesday, October 5, 2021

Review - S 2875 Introduced – Cyber Incident Reporting

Last month Sen Peters (D,MI) introduced S 2875, the Cyber Incident Reporting Act of 2021. The bill amends the Homeland Security Act of 2002 to establish a Cyber Incident Review Office within CISA and establishes cyber incident reporting requirements, including specific reporting requirements for ransomware incidents. No new spending is authorized by this bill.

As I mentioned yesterday, the Homeland Security and Governmental Affairs Committee will hold a markup hearing tomorrow that will include this bill. While amendments to the language are probably to be expected, this bill will almost certainly pass out of Committee with a favorable report. While the business community would probably rather not see this bill become law, there is a large enough loophole (see below) that there will probably not be any strong public opposition to the bill. It will be some time, however, before this bill makes it to the floor of the Senate for consideration, and there will be significant amendments that will further weaken the bill.

A major problem with this bill is that there are no provisions to allow CISA to establish an actual list of covered entities, or a requirement to notify covered entities of their specific coverage under the provisions of this bill. The regulations outlined in §2232(b) only allow CISA to provide a “clear description of the types of entities that constitute covered entities”. This allows a private entity to determine, absent specific notification, that they are not covered entities for any number of reasons, real or crafted. This would allow those companies to ignore the reporting requirements of the bill and argue (maybe successfully, maybe not) against an application of a CISA subpoena.

The provisions of §2232 need to include authorization for CISA to specifically identify entities that it determines meet the criteria in §2232(b) and to notify those entities that they are covered entities and the reason for that identification. Obviously, provisions would have to be made for an appeal process to petition a reversal of that identification, but positive identification would remove the nearly legitimate “I did not think we were a covered entity” defense.

That still leaves the less obvious loophole related to the lack of a clear definition of a ‘covered cyber incident’. This is the same problem that I addressed in relation to the CFATS program’s new cyber incident reporting guidance. Unfortunately, I do not see a ‘simple’ solution to this. We can hope that CISA could provide a broad enough “clear description of the types of substantial cyber incidents” that existing and yet-to-be-developed cyberattacks could not be ignored by corporate lawyers under the “we just did not think that this was a covered incident” defense.

For more details on the provisions of the bill, see my article at CFSN Detailed Analysis - https://tinyurl.com/nv47z7jy - subscription required.