Monday, October 11, 2021

Review - S 2926 Introduction – DHS Ransom Notification

Last week, Sen Warren (D,MA) introduced S 2926 (no formal name). The bill would require broadly defined covered entities to report ransomware payments within 7 days of the payment being made. DHS would be required to prepare annual reports about such notifications.

Warren is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was referred. This means that there is probably insufficient influence to see this bill considered in Committee, and I suspect that there would be little support for it there in any case. I would not be surprised to see this bill offered as a potential amendment to a larger authorization bill on the floor of the Senate.

So many problems, so little space… First, the problem of definitions. The ‘covered entity’ definition is the most sweeping I have seen to date in this space. The exclusion for ‘an individual’ does little to narrow it, since information systems owned by a family would not technically fall within that exception. The bigger problem is the huge loophole in the ransom definition that effectively exempts every entity other than a federal agency from any reporting requirement. This is nitpicking, but lawyers are paid large sums of money to pick nits, and corporate lawyers do it extremely well.

The seven-day reporting deadline is the longest I have seen in any bill, and given the very limited information required to be reported, it is completely unjustified. Any company making a ransomware payment could easily report the required information within, say, 30 minutes of making the payment.

And the DHS study requirements? How much studying will it take for DHS to determine the “extent to which cryptocurrency has facilitated” ransomware attacks? Popular TV shows notwithstanding, the FBI figured out how to deal with large cash drops years ago.

For more details about the provisions of the bill, including a detailed look at the problems with definitions, see my article at CFSN Detailed Analysis - - subscription required.
