
Is Reporting Cyber Breaches to the Federal Government Required or Encouraged?

Kelly Ruane Melchiondo

President Joe Biden signed the Strengthening American Cybersecurity Act into law on March 15.  Among other requirements, companies that are “covered entities” must report data breaches promptly to federal regulators.  For now, the definition of “covered entities” is limited to entities that own and operate critical infrastructure, such as Emergency Services, Communications, Energy, Financial Services, Food and Agriculture, Transportation and Water Systems.  The Act provides the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) with the ability to expand the definition of “covered entities” to whom the law would apply.

The Act requires covered entities to report covered cyber-incidents within 72 hours after the entity “reasonably believes” an incident has occurred.  Companies must report ransomware payments within 24 hours.  Companies must include with their reports a description of the incident, identifying or contact information for each actor believed to be responsible for the incident (if known), the category or categories of information subject to the unauthorized access, and information about the affected entity, including contact information for its authorized agent. The Act also imposes a continuing duty on affected entities to supplement reports as they gather more information.  

Companies are only required to file their reports to CISA, not to the FBI. CISA is authorized to share information from reports with other federal and state agencies, and to share anonymized information with private entities such as cybersecurity companies.  The US Department of Justice and the FBI have publicly opposed the Act because it fails to require reporting to the FBI.  

For its part, the FBI has increased its own capabilities to respond to cyber threats, and is casting a wider net by targeting the private sector.   For example, in a speech to the Detroit Economic Club in Detroit, Michigan on March 22, 2022, FBI Director Christopher Wray implored the private sector to assist the FBI by reporting cyber attacks.  Wray noted the staggering statistic that, between 2019 and 2021, the number of ransomware complaints reported to the FBI increased by 82 percent. Wray also cited other, non-ransomware incidents, such as China-sponsored cyber attacks on technology sectors that aim to steal corporate ideas and innovation.  As Wray chillingly put it, “Whatever makes an industry tick, they target.”

Wray told the group gathered that, to respond to the global threat of private and state-sponsored cyber attackers, the FBI has established Cyber Task Forces in all of its 56 Field Offices across the United States.  Wray encouraged businesses to report to those Field Offices all cyber attacks and intrusions.  Specifically, he observed, “If American businesses don’t report attacks and intrusions, we won’t know about most of them, which means we can’t help you recover, and we don’t know how to stop the next attack, whether that’s another against you or a new attack on one of your partners.  We like to say that the best way to protect one business is to hear from others, and the best way to protect others is to hear from that one.”

Closing out his speech, Wray asked that the business leaders in his audience “develop a formal cyber incident response plan … and include the contact information for your local FBI field office somewhere in that plan.” 

Companies should consult counsel to determine whether they fall within the ambit of the Strengthening American Cybersecurity Act, and if so, the requirements that the Act imposes on them.  Those companies that do not fall within the Act’s scope should be mindful of their security protocols, and should consult counsel if they are hit with a cyber incident, to determine whether to notify law enforcement. 