Do the 2021 Federal Ransomware Laws Foretell Passage of Federal Data Privacy Laws?

In the last several weeks, the Executive and Legislative branches of the United States federal government have taken bipartisan measures to defend the country’s infrastructure from the critical national security threat posed by ransomware attacks, both foreign and domestic.

On Wednesday, July 28, 2021, the Biden Administration signed a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems.” The NSM directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards & Technology (NIST) to work together with other agencies to develop cybersecurity performance goals for companies that provide infrastructure. While those goals are strictly voluntary right now, the Biden Administration indicated unequivocally that it expects these standards to assist companies that provide essential services such as power, water and transportation to strengthen their cybersecurity.

The NSM also formally establishes the President’s Industrial Control System (ICS) Cybersecurity Initiative. This, again, is a voluntary effort between the government and the critical infrastructure community to deploy technology and systems that provide threat visibility, detection and warnings. In its NSM, the Biden Administration noted that it began this ICS initiative informally in April with a pilot program for the Electricity subsector. Since April, over 150 local utilities that service approximately 90 million residential customers have agreed to deploy control system cybersecurity technologies. Natural gas is next, with additional initiatives for other subsectors to follow later this year.

The NSM comes as the legislative branch is also considering legislation aimed at protecting the country’s critical infrastructure in the wake of the Colonial Pipeline and Solar Winds cyberattacks. On Tuesday, July 27, a bipartisan team of Senators including Democrats Mark Warner and Sheldon Whitehouse, and Republicans Marco Rubio and Lindsey Graham introduced in the Senate the Cyber Incident Notification Act (CINA), at least in part, in response to the recent ransomware attacks such as the Colonial Pipeline attack.

Current federal law does not require a company that suffers a ransomware attack to report such attacks. This means that, except in catastrophic cases such as Colonial Pipeline, many ransomware attacks are swept under the rug. Conventional wisdom holds that ransomware attackers seek publicity, and resolving these attacks privately deprives these attackers of the notoriety they seek. But when an attack affects infrastructure, or other government systems, conventional wisdom should no longer apply.

Thus, the proposed CINA would require federal agencies and contractors, and critical infrastructure companies to notify the Department of Homeland Security when they identify a breach of their systems. The goal of the law is to allow the government to act quickly in response to a breach. An affected company would also need to provide continual updates, every 72 hours, to CISA, until the company has mitigated the breach. Companies that report such breaches to DHS and CISA would enjoy certain limited immunity, including exemption from disclosure pursuant to subpoenas, except those that come from Congress, and maintaining the confidentiality of information disclosed so that it cannot be used as evidence against the company in any private shareholder lawsuits regarding the breach.

While the NSM and the proposed CINA right now target only companies with connections to the federal government, they evidence a greater willingness to pass laws at the federal level to address cybersecurity and breach response. We may be heading, at long last, to a federal framework for addressing data privacy and security.