So you’ve been hit with a ransomware attack or your IT professional has notified you that there is suspicious activity on your network and you suspect that malicious actors have taken some of your data. What now? Time is of the essence during a cyberattack and the clock is now ticking with respect to disclosures you may have to make.
If your company is considered a “covered entity” by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (“CISA”), you may be affected by the Strengthening American Cybersecurity Act of 2022, which was signed into law by President Biden on March 15, 2022. The new law requires yet-to-be-defined organizations that fall within sixteen “critical infrastructure” sectors to notify CISA of a “covered cyber incident” within 72 hours, and to notify CISA of a ransomware payment within 24 hours of making it. The sectors are defined very broadly and encompass businesses and organizations that may not automatically consider themselves “critical infrastructure”:
- Chemical: U.S. chemical facilities which manufacture, store, use, and transport potentially dangerous chemicals
- Commercial Facilities: sites that draw large crowds of people for shopping, business, entertainment, or lodging that operate on the principle of open public access, consisting of the following eight subsectors—
  - Entertainment and Media: motion picture studios, broadcast media
  - Gaming: casinos
  - Lodging: hotels, motels, conference centers
  - Outdoor Events: theme and amusement parks, fairs, campgrounds, parades
  - Public Assembly: arenas, stadiums, aquariums, zoos, museums, convention centers
  - Real Estate: office and apartment buildings, condominiums, mixed-use facilities, self-storage
  - Retail: retail centers and districts, shopping malls
  - Sports Leagues: professional sports leagues and federations
- Communications: providers of communications services using satellite, wireless, and wired technology
- Critical Manufacturing: includes the following manufacturing industries—
  - Primary Metals: iron and steel mills, aluminum production and processing, nonferrous metal production and processing
  - Machinery: engines and turbines; power transmission equipment; earth-moving, mining, agricultural, and construction equipment
  - Electrical Equipment, Appliance, and Component: electric motors, transformers, generators
  - Transportation Equipment: vehicles and commercial ships, aerospace products and parts, locomotives, railroad and transit cars, rail track equipment
- Dams: delivers water retention and control services in the U.S., including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation
- Defense Industrial Base: enables research and development, as well as design, production, delivery, and maintenance of U.S. military weapons systems, subsystems, and components or parts
- Emergency Services: community of millions of highly-skilled, trained personnel that provide a wide range of prevention, preparedness, response, and recovery services during both day-to-day operations and incident response; includes city police departments and fire stations, county sheriff’s offices, Department of Defense police and fire departments, town public works departments, industrial fire departments, private security organizations, and private emergency medical services providers
- Energy: divided into electricity, oil, and natural gas segments which include power plants (nuclear, natural gas, hydroelectric, solar, wind, and geothermal) and pipelines
- Financial Services: includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions which allow customers to deposit funds and make payments to other parties, provide credit and liquidity to customers, invest funds, and transfer financial risks between customers
- Food and Agriculture: composed of farms, restaurants, and registered food manufacturing, processing, and storage facilities
- Government Facilities: includes a wide variety of buildings located in the United States and overseas that are owned or leased by federal, state, local, and tribal governments, which include general-use office buildings and special-use military installations, embassies, courthouses, national laboratories, and structures that may house critical equipment, systems, networks, and functions
- Healthcare and Public Health: protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters; while healthcare tends to be delivered and managed locally, the public health component of the sector, focused primarily on population health, is managed across all levels of government: national, state, regional, local, tribal, and territorial
- Information Technology: virtual and distributed functions that produce and provide hardware, software, and information technology systems and services, and—in collaboration with the Communications Sector—the Internet
- Nuclear Reactors, Materials and Waste: includes power reactors, research and test reactors, active nuclear fuel cycle facilities, licensed users of radioactive sources, and shipments of radioactive materials
- Transportation Systems: consists of the following seven subsectors which move people and goods through the country and abroad—
  - Aviation: aircraft, air traffic control systems, airports, heliports, and landing strips
  - Highway and Motor Carrier: roadways, bridges, tunnels, vehicles
  - Maritime Transportation: coastline, ports, waterways, and landside connections
  - Mass Transit and Passenger Rail: infrastructure for passenger services by transit bus, trolleybus, monorail, heavy rail, light rail, passenger rail, and vanpool/rideshare
  - Pipeline Systems: pipelines, compressor and pumping stations
  - Freight Rail: seven major carriers, smaller railroads, freight cars, locomotives
  - Postal and Shipping: large integrated carriers, regional and local courier services, mail services, mail management firms, chartered and delivery services
- Water and Wastewater Systems: public drinking water systems that ensure a supply of safe drinking water and wastewater treatment systems which treat sewage
It is important to note that a “covered entity’s” obligations to report cyber incidents or ransomware payments under the new law do not take effect until CISA promulgates rules further defining the entities and types of incidents that are covered by the new law. CISA has until March 15, 2024, to issue a notice of proposed rulemaking, and then another eighteen months from that date to issue the final rule with these definitions. During this approximately three-and-a-half-year period, companies have some time to prepare for possible CISA reporting requirements for what is seemingly an inevitable occurrence: a cyberattack.
However, numerous data breach and cyber incident reporting requirements already exist, depending on which state you and/or your customers are in. For example, the California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, requires covered businesses to notify California residents of a breach in the security of their unencrypted personal information, and also of their encrypted personal information when the encryption key was, or is reasonably believed to have been, acquired by an unauthorized person along with it. If you don’t already have an incident response plan in place, contact a cybersecurity/data privacy attorney to assist you with prevention of and preparation for a cyber incident.
Jennie Wang VonCannon, CIPP/US is a Partner in the Downtown Los Angeles (“DTLA”) office of Ellis George LLP and is a Certified Information Privacy Professional (CIPP/US). Ms. VonCannon previously served for over 11 years as an Assistant U.S. Attorney and was the Deputy Chief of the Cyber & Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office. Ms. VonCannon now practices white-collar criminal and regulatory defense with a focus on data privacy and cybersecurity matters, and litigates a wide range of matters in state and federal court.