Published by The Lawfare Institute
in Cooperation With
Against the background of the Russia-Ukraine war, public officials have warned that Moscow or other hacktivist groups may escalate their malicious cyber operations, which could (directly or indirectly) impact the United States and local businesses. Congress, in response to these concerns and the significant increase in cyberattacks in recent years, has enacted a law requiring private-sector entities to submit reports to the Cybersecurity and Infrastructure Security Agency (CISA) when they suffer cybersecurity incidents or make ransomware payments. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was included in the Consolidated Appropriations Act of 2022 that President Biden signed into law on March 15.
Congress delegated a significant amount of authority to CISA to draft and implement regulations defining CIRCIA’s scope and applicability. CIRCIA allows 24 months for CISA to publish its initial notice of proposed rulemaking and an additional 18 months from the notice to issue its final regulations, although CISA can expedite its rulemaking process. However, CIRCIA includes important reporting thresholds, liability protections, legal privilege safeguards and regulatory limitations that cannot be superseded by CISA in the regulatory process. These provisions are designed to encourage compliance with the law and increase the quantity and quality of cyber incident reporting.
Defining Cybersecurity Incident and Ransomware
CIRCIA sets forth formal reporting obligations for certain organizations that suffer a “covered cyber incident” or that make a “ransom payment.” Essentially, a covered cyber incident is defined as a substantial security event that jeopardizes the integrity, confidentiality, or availability of an information system, or the data retained or transmitted thereon. The term applies only to “unlawful” acts and expressly excludes cyber actions undertaken (in good faith) in response to a request from an information system owner or operator, such as penetration testing or vulnerability scanning services. CISA is required to implement regulations that describe the types of events that constitute a covered cyber incident for reporting purposes, and at a minimum, these must include cyberattacks that:
- Lead to a substantial loss to the confidentiality, integrity or availability of an information system.
- Seriously impact the safety or resiliency of operational systems.
- Disrupt business or industrial operations due to certain types of attacks (such as a denial of service attack or a zero day vulnerability exploit).
- Result in unauthorized access to an information system or otherwise impact business or industrial operations due to a compromise in the supply chain (such as impact to a cloud service provider or manager service provider).
The term “ransom payment” refers to the “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.” In turn, a “ransomware attack” is defined as the actual or threatened use of malware or similar cyber tactics to impact an information system or compromise the data retained or transmitted thereon to extort a ransom payment. Similar to a covered cyber incident, the term “ransomware attack” has a good-faith exception for activities undertaken at the direction of an information system’s owner or operator.
Scope of Applicability
Only those organizations designated as “covered entities” by CISA will be subject to the cyber incident and ransomware reporting provisions in CIRCIA. A covered entity could include any organization within a critical infrastructure sector (such as chemical, manufacturing, health care, defense contracting, energy, financial, nuclear, or transportation) that CISA identifies as satisfying other criteria in the law. These criteria focus on whether the entity could impact national security, economic security, or public health and safety if compromised by a cyberattack; the likelihood the entity would be targeted by a malicious cyber actor; and whether the compromise of the entity, including its offensive cybersecurity tools, could disrupt other critical infrastructure operations. CISA will likely designate covered entities early in the rulemaking process to exclude public comments from organizations that otherwise will not be impacted by its regulatory framework.
Reporting Obligations and Timelines
CIRCIA mandates that covered entities report cyber incidents to CISA within 72 hours after the entity “reasonably believes” the incident occurred. These entities are also required to promptly submit supplemental reports if they discover substantially new or different information related to the incident. Separately, in the event a covered entity submits a ransomware payment, CIRCIA mandates that the entity report the payment to CISA within 24 hours. CISA is responsible for the format in which these reports will be submitted, which will likely mirror CISA’s existing cyber threat information sharing platforms. CISA is also responsible for describing the content that needs to be included in such reports, and CIRCIA already sets forth a broad set of categories on information that should be addressed by covered entities, such as descriptions of the attack and any identifying information on the malicious actor; its impact on business operations; the security measures circumvented and vulnerabilities exploited; the tactics, techniques, and procedures used to perpetrate the attack; categories of data compromised; the ransom demand and type of virtual currency or commodity used as payment; ransom payment instructions; and ransom amount.
CIRCIA expressly allows third parties, such as law firms, insurance carriers, and data breach response consultants, to submit these reports to CISA on behalf of the covered entity. However, any third party that submits a ransom payment on behalf of a covered entity must advise the entity of its regulatory reporting obligations. In turn, it will likely be common for service contracts with these types of third-party consultants to include standard disclaimers referencing CIRCIA in order for them to satisfy their respective compliance obligations in this area. Regardless of who actually submits a cyber incident or ransomware payment report to CISA, CIRCIA mandates that the covered entities preserve evidence related to their reporting obligations, and the extent and scope of such preservation is to be set forth by CISA in future regulations. Given that evidence preservation is a key aspect of any comprehensive data breach response program, these obligations may not create any materially new obligations for covered entities.
Liability Protections and Regulatory Enforcement
One of the primary reasons the government seeks to impose mandatory cybersecurity and ransomware-related requirements is because organizations have not historically disclosed such information as part of the government’s discretionary information sharing programs. Generally, organizations are hesitant to voluntarily disclose such information over concerns that they would inadvertently be furnishing evidence to the government that they violated a law or regulation (such as ransom payments made in violation of sanctions law). Accordingly, CIRCIA adopts liability protections that are found in similar information sharing contexts. In fact, Sen. Mark Warner, a key supporter of CIRCIA, recently said that CIRCIA will give covered entities “immunity” and “[w]e don’t want to hold the company accountable,” but “[w]e do want to be able to go after malware actors.” Warner’s statement is partially true as CIRCIA includes key liability protections for organizations that comply with the law; however, there are important caveats to these limitations on liability that covered entities need to understand.
CIRCIA provides that “[n]o cause of action shall … be maintained in any court by any person or entity” arising from the submission of a cyber incident or ransom payment report. Yet this liability protection applies only to “litigation that is solely based on the submission” of such a report. Separately, CIRCIA prohibits (with some limited exceptions) a federal, state, local, or tribal government or agency from using information derived solely from a covered cyber incident or ransom payment report submitted to CISA to undertake a regulatory or other enforcement action against the covered entity. In addition, CIRCIA sets forth the areas in which federal agencies can use and disclose information contained in CISA reporting for other, noncyber purposes, such as to counter terrorist threats and the proliferation of weapons of mass destruction.
Under CIRCIA, cyber incident and ransom reports, and any communications or materials created for the “sole purpose” of preparing and submitting such reports, may not “be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding.” This “sole purpose” language is important as businesses often create and retain data related to a cybersecurity event, including a ransom payment, for multiple purposes (like insurance claims), and such dual-use purposes could nullify the scope of this liability protection.
Notwithstanding these general liability protections, CIRCIA permits CISA to disclose the information contained in a cyber incident or ransom report to the Justice Department or any other appropriate regulator. These recipients may then use such information for a regulatory enforcement action or criminal prosecution against the noncompliant entities. CISA, however, is authorized to share this data only if it was collected under its authority to (in conjunction with the Justice Department) issue a subpoena to a covered entity that has not complied with the law’s mandatory reporting requirements. The failure to comply with a subpoena can result in an organization being held in contempt of court. This framework is intended to incentivize organizations to comply with these new reporting requirements by revoking the availability of liability protections in circumstances where they are not compliant with the law.
Legal and Evidentiary Privileges
Organizations often rely on counsel to lead their incident response efforts when responding to cyberattacks. This approach better ensures that the information and data discovered in this process are subject to the attorney-client privilege and work product doctrine and therefore protected from discovery. The American Bar Association (ABA) has repeatedly stated that “[f]ederal agency policies that compel parties to disclose privileged or work product protected information violate longstanding common law principles and undermine both the confidential lawyer-client relationship and the fundamental right to counsel.” The ABA’s commentary is especially applicable to cybersecurity incident reporting where issues of legal privileges are highly relevant and CIRCIA sought to address these concerns. CIRCIA notes that the disclosure of such reports shall not constitute a waiver of any “applicable privilege or protection provided by law,” which presumably extends to the attorney-client privilege and work product doctrine. As part of its implementing regulations, CISA may consider adopting guidance issued in other information sharing contexts and clarify that this protection applies in all circumstances where federal or state legal and evidentiary privileges may be invoked, and is interpreted to include protections recognized under common law, such as the attorney-client and work product privileges.
Duplicative Reporting and More Regulations
CIRCIA recognizes that an organization deemed a “covered entity” by CISA may be subject to other federal data breach notification requirements—such as regulations governing defense contractors and health care organizations—and this may create duplicative cyber reporting obligations. CIRCIA sought to remedy this situation by creating a Cyber Incident Reporting Council composed of a broad range of federal agencies and vested with the authority to “coordinate, deconflict, and harmonize” disparate incident reporting requirements. More specifically, the council is required to analyze existing cyber reporting regulations (such as DFARS 252.204-7012, Health Insurance Portability and Accountability Act Breach Notification Rule) and ensure that any such requirements “avoid conflicting, duplicative, or burdensome requirements.”
CIRCIA envisions a process in which CISA will execute an interagency agreement with another federal agency that has its own cyber reporting requirements, and the agreement will set forth the terms and conditions in which CISA will be able to gain timely access to this other cyber reporting. This is significant as CIRCIA provides that covered entities that are legally or contractually required to report cyber incidents and ransomware payments to a federal agency (that is not CISA) are exempt from submitting duplicative reports of such incidents and ransom payments to CISA. This exception is intended to avoid duplicative reporting but is available only if an information sharing agreement between the federal agency and CISA exists, and the underlying reporting obligation to the other federal agency has similar reporting time frames and content requirements as set forth in CIRCIA. Given the broad range of existing and pending cyber reporting obligations, it will be important to see how federal agencies amend their regulations to align with CIRCIA and consequently minimize reporting obligations on the private sector.