Is Reporting Cyber Breaches to the Federal Government Required or Encouraged?

President Joe Biden signed the Strengthening American Cybersecurity Act into law on March 15.  Among other requirements, companies that are “covered entities” must report data breaches promptly to federal regulators.  For now, the definition of “covered entities” is limited to entities that own and operate critical infrastructure, such as Emergency Services, Communications, Energy, Financial Services, Food and Agriculture, Transportation and Water Systems.  The Act provides the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) with the ability to expand the definition of “covered entities” to whom the law would apply.  

The Act requires covered entities to report covered cyber-incidents within 72 hours after the entity “reasonably believes” an incident has occurred.  Companies must report ransomware payments within 24 hours.  Companies must include with their reports a description of the incident, identifying or contact information for each actor believed to be responsible for the incident (if known), the category or categories of information subject to the unauthorized access, and information about the affected entity, including contact information for its authorized agent. The Act also imposes a continuing duty on affected entities to supplement reports as they gather more information.  

Companies are only required to file their reports to CISA, not to the FBI. CISA is authorized to share information from reports with other federal and state agencies, and to share anonymized information with private entities such as cybersecurity companies.  The US Department of Justice and the FBI have publicly opposed the Act because it fails to require reporting to the FBI.  

For its part, the FBI has increased its own capabilities to respond to cyber threats, and is casting a wider net by targeting the private sector.   For example, in a speech to the Detroit Economic Club in Detroit, Michigan on March 22, 2022, FBI Director Christopher Wray implored the private sector to assist the FBI by reporting cyber attacks.  Wray noted the staggering statistic that, between 2019 and 2021, the number of ransomware complaints reported to the FBI increased by 82 percent. Wray also cited other, non-ransomware incidents, such as China-sponsored cyber attacks on technology sectors that aim to steal corporate ideas and innovation.  As Wray chillingly put it, “Whatever makes an industry tick, they target.”

Wray told the group gathered that, to respond to the global threat of private and state-sponsored cyber attackers, the FBI has established Cyber Task Forces in all of its 56 Field Offices across the United States.  Wray encouraged businesses to report to those Field Offices all cyber attacks and intrusions.  Specifically, he observed, “If American businesses don’t report attacks and intrusions, we won’t know about most of them, which means we can’t help you recover, and we don’t know how to stop the next attack, whether that’s another against you or a new attack on one of your partners.  We like to say that the best way to protect one business is to hear from others, and the best way to protect others is to hear from that one.”

Closing out his speech, Wray asked that the business leaders in his audience “develop a formal cyber incident response plan … and include the contact information for your local FBI field office somewhere in that plan.” 

Companies should consult counsel to determine whether they fall within the ambit of the Strengthening American Cybersecurity Act, and if so, the requirements that the Act imposes on them.  Those companies that do not fall within the Act’s scope should be mindful of their security protocols, and should consult counsel if they are hit with a cyber incident, to determine whether to notify law enforcement.