Published by The Lawfare Institute
in Cooperation With
In 2021, Congress made significant progress toward enacting a cybersecurity incident reporting law, which would require certain private-sector entities to formally report to the U.S. Department of Homeland Security (DHS) when they have been subjected to a ransomware attack or a similar cyber event. Although discussions on such a federal law have been ongoing for over a decade, this issue has received renewed attention as a result of a considerable increase in cyberattacks, including ransomware attacks, in recent years, the financial costs of which have reached a record high.
The three most comprehensive legislative proposals in this area in 2021 were the Cyber Incident Reporting Act (CIRA), the Cyber Incident Notification Act (CINA), and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the last of which was included in an early draft of the National Defense Authorization Act for Fiscal Year 2022. These proposals all have the same goal: to mandate that certain private-sector entities report cybersecurity incidents (including ransomware attacks and payments) to the federal government for authorities to better understand cyber threats arising from foreign adversaries and other malicious actors. Although none of these bills was enacted into law last year, they will serve as a basis for how Congress seeks to draft future legislation in this area.
Each bill sets forth its own unique approach for providing liability protections and preserving legal privileges for organizations that submit cyber incident reports. Congress and the executive branch, through the Cybersecurity Information Sharing Act of 2015, have already addressed both of these areas in circumstances where organizations voluntarily share cyber threat information. Specifically, the 2015 act includes broad liability and privilege safeguards for private-sector organizations that participate in DHS-approved information-sharing forums. These protections were adopted to better protect businesses and consequently promote greater participation in these cybersecurity information-sharing programs.
These issues are a significant concern within the private sector, and their extension into or exclusion from any mandatory cybersecurity reporting law could impact how thoroughly businesses comply with such a requirement and the quantity and quality of incident reporting.
Cybersecurity Reporting: Legal Concerns and Privileges
In the past several years, the federal government has implemented several cybersecurity-related programs and policies to encourage broader information sharing among, and between, the private sector and federal, state and local governments. Although there have been success stories in these areas, there remains a real need for a mandatory cybersecurity incident reporting law to address the gaps caused by organizations that do not voluntarily participate in these programs. In many circumstances, organizations do not voluntarily disclose cybersecurity events to the government due to concerns that such information may be used against them in a regulatory enforcement action or that the disclosure would constitute a waiver of certain legal privileges.
These concerns are heightened in the ransomware context, where organizations may incur penalties for making ransom payments to groups or individuals included on a sanctions list. Recently, the Department of Treasury reinforced its position that it “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations” (emphasis added). By disclosing information related to a cyberattack, such as a ransomware payment, to a federal agency, an organization may inadvertently be furnishing evidence that it is violating a sanctions law.
This issue has hindered private-public information-sharing programs for years. As part of its report on combating ransomware, the Ransomware Task Force specifically recommended that any mandatory ransomware reporting regulation should incorporate limited liability protections (for example, the report cannot form the basis for a regulatory or other enforcement action) to better ensure that organizations do not “put themselves in potential regulatory jeopardy” when they report these cybersecurity events to a federal agency.
In addition to concerns over regulatory liability, private-sector businesses are also hesitant to share information pertaining to cyberattacks with government agencies because the disclosure of such information may constitute a waiver of certain legal privileges. Specifically, as organizations respond to cyberattacks, they consider legal risks to their business, such as a civil action arising from the compromise of personal data during the attack. Accordingly, organizations often rely on counsel to strategically lead their incident response efforts, which better ensures that information and data discovered in this process are subject to the attorney-client privilege and work product doctrine and therefore protected from discovery. The attorney-client privilege is the “oldest of the privileges for confidential communications known to the common law” and “[i]ts purpose is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.” The work product doctrine allows parties to withhold from discovery certain documents and other tangible things prepared in anticipation of litigation. The American Bar Association (ABA) has repeatedly stated that “[f]ederal agency policies that compel parties to disclose privileged or work product protected information violate longstanding common law principles and undermine both the confidential lawyer-client relationship and the fundamental right to counsel.” The ABA’s commentary is especially applicable to cybersecurity incident reporting where issues of legal privileges are highly relevant.
The Cybersecurity Information Sharing Act of 2015
Congress enacted the Cybersecurity Information Sharing Act of 2015 (which was part of the Cybersecurity Act of 2015) to increase cybersecurity information sharing among the private sector; state, local, tribal, and territorial governments; and the federal government. To minimize liability risks and legal concerns in this information-sharing context—and therefore encourage greater participation in cybersecurity information-sharing programs—the 2015 act includes important liability protections and provisions addressing legal privilege. For example, according to the law, cyber threat indicators and defensive measures (collectively referred to as cyber threat information) shared by a nonfederal entity, including a private-sector entity, as part of a DHS-approved cyber program generally cannot be used as a basis for a government agency to undertake a regulatory enforcement action against any entity. In addition, the 2015 act provides that “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed” if it is based on the information security practices, or the sharing of cyber threat information, undertaken in accordance with the law’s framework.
The 2015 act also expressly limits how the federal government can disclose, retain, and use cyber threat information shared by the private sector for non-cybersecurity purposes. For example, information shared with federal agencies consistent with the act is expressly exempt from disclosure under the Freedom of Information Act and state sunshine laws. The act also limits permissible uses of information shared under the act. The federal government may use such information to address terrorist threats, the use of weapons of mass destruction, espionage, sexual exploitation and threats to physical safety of minors, certain types of fraud and identity theft, and other similar crimes. However, the 2015 act is clear that such cyber threat information voluntarily provided to the federal government “shall not be disclosed to, retained by, or used by any Federal agency or department” for any other purpose not specifically enumerated in the law.
Separately, the 2015 act provides that the provision of certain cyber threat information to the federal government by a private-sector organization “shall not constitute a waiver of any applicable privilege or protection provided by law[.]” According to federal guidance, this provision “applies in all circumstances where state or Federal privileges and protections may be invoked” and “includes protections recognized under common law, such as the attorney-client and work product privileges.”
The Current Cyber Reporting Proposals
Each of the legislative proposals noted above (CIRA, CINA and CIRCIA) differs, to varying degrees, with respect to how it addresses liability protections and legal privileges, with CIRA and CIRCIA sharing many similarities. For instance, both CIRA and CIRCIA include a “no cause of action” clause (that is, courts are required to dismiss certain claims against a business based on its submission of a cybersecurity incident report) and expressly limit how the federal government can disclose, retain, and use information derived from a mandatory cybersecurity report outside the cybersecurity context. Both of these protections in CIRA and CIRCIA mirror the text and structure of the Cybersecurity Information Sharing Act of 2015. Moreover, like the 2015 act, CIRCIA generally provides that cybersecurity reporting information “may not be used by any Federal, State, Tribal, or local government to regulate, including through an enforcement action, the lawful activities of any non-Federal entity.” Although CIRA has a similar provision, its clause limits the government’s ability to use information derived from a cybersecurity incident report for regulatory purposes only if such information is obtained “solely through” the mandatory reporting. Although this additional “solely through” language in CIRA may be intended to narrow the restrictions on the government’s ability to use cybersecurity reporting information for regulatory purposes, it may have no practical effect given the aforementioned disclosure, retention, and use limitations set forth in the law.
Notwithstanding these general liability protections, both CIRA and CIRCIA allow for DHS to disclose information contained in a cybersecurity incident report to the Justice Department or any other appropriate regulator, which in turn may use such information for a regulatory enforcement action or criminal prosecution. DHS, however, is authorized to share this data only if it was collected pursuant to the department’s authority to issue a subpoena to a private-sector entity that has not complied with the law’s mandatory cybersecurity reporting requirements. This framework is clearly intended to incentivize organizations to comply with these new reporting requirements by revoking the availability of liability protections in circumstances where they are not compliant with the law.
CIRA and CIRCIA diverge with respect to how they address the preservation of legal privileges, which is especially important given each proposal’s framework allowing for regulatory actions against noncompliant businesses. CIRA’s legal privilege clause most closely adheres to the Cybersecurity Information Sharing Act of 2015, and it provides that a cybersecurity incident report submitted by a private-sector organization “shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection and attorney-client privilege.” CIRCIA does not specifically address the preservation of the legal privileges that correspond to a cybersecurity incident report.
CINA lacks many of the technical details set forth in the other two proposals, and its streamlined approach is apparent in its clauses potentially implicating liability protections and legal privilege. For instance, unlike the other proposals, CINA does not include a clause specifically limiting the government’s ability to “disclose, retain, and use” information derived from a cybersecurity incident report for non-cybersecurity purposes, or preventing government agencies from using such information for regulatory enforcement purposes. CINA does, however, contain a “no cause of action” provision requiring the dismissal of certain legal claims brought “in any court” against an organization for submitting a cybersecurity incident report. This means that businesses will be afforded only a limited set of the specific types of liability protections to which they have become accustomed pursuant to the Cybersecurity Information Sharing Act of 2015, which could impact how they assess their risk with respect to complying with the law.
Separately, CINA broadly provides (with limited exceptions) that a cybersecurity incident report may not be “admitted as evidence in any civil or criminal action brought against the victim” of the cyberattack (emphasis added). However, CINA does not expressly state that the disclosure of information within a cybersecurity incident report does not constitute a waiver of any applicable legal privilege or protection. In turn, it is unclear whether this clause prohibiting the admissibility of information derived from a cybersecurity incident as evidence in a trial or other proceeding was also intended to protect it from disclosure in all circumstances in which a legal privilege (for example, attorney-client privilege, work product doctrine) may apply, such as during a pretrial discovery process used to gather information in preparation for the trial or proceeding. This distinction could have important effects on an organization’s ability to invoke a legal privilege arising from a cybersecurity incident report.
We anticipate that Congress will (again) seek to enact a mandatory cybersecurity incident reporting law in 2022, and the legislative proposals offered in 2021 provide it with a comprehensive starting point. However, Congress will need to resolve some significant differences among these proposals, including reporting timelines, the scope of covered entities and cyber events, exemptions for small businesses, and discretionary regulatory authority delegated to DHS. As described above, Congress will also have to reconcile how it addresses liability protections and the preservation of legal privileges for businesses that submit cybersecurity incident reports. These issues could significantly impact the private sector’s level of compliance with any such mandatory incident reporting law and consequently the volume and quantity of cybersecurity data that the government is seeking to collect and analyze.