In March, 2022, President Joe Biden signed the Strengthening American Cybersecurity Act (the “Act”) into law. While the Act consists of various regulations, the security incident reporting requirements for entities in critical infrastructure sectors are getting the most attention. Although the reporting requirements are focused mainly on entities in critical infrastructure, there is potential that entities in various industries could be subject to these requirements.

Applicability.

The Act applies to “covered entities” which is broadly defined to include entities in “critical infrastructure.” Critical infrastructure under Presidential Policy Directive 21 is defined to include the following sectors:

  • Chemicals.
  • Commercial facilities.
  • Communications.
  • Critical manufacturing.
  • Dams.
  • Defense industrial base.
  • Emergency services.
  • Energy.
  • Financial services.
  • Food and agriculture.
  • Government facilities.
  • Healthcare and public health.
  • Information technology.
  • Nuclear reactors, material, and waste.
  • Transportation systems.
  • Water and wastewater systems.

While the above definition is quite broad, the Act requires the Director of the Cybersecurity and Infrastructure Security Agency (the “Director”) to publish a notice of proposed rulemaking no later than 24 months after the date of enactment of the Act. Then, no later than 18 months after the proposed rulemaking, the Director shall issue a final rule for final implementation. This rulemaking will include:

  • “A clear description of the types of entities that constitute covered entities, based on—
    • the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
    • the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
    • the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
  • A clear description of the types of substantial cyber incidents that constitute covered cyber incidents.”

Therefore, until the Director issues a final rule providing a clear description of what constitutes a “covered entity,” it is unclear what businesses will be subject to the Act. One broad interpretation of the Act is that a “covered entity” can include any business under the critical infrastructure sectors, including any business subject to the Health Insurance Portability and Accountability Act, which would fall under the healthcare and public health sector.

Reporting Requirements.

In general, the Act has the following reporting requirements for “covered entities” that experience a “covered cyber incident.” Covered cyber incidents will be further defined by the Director as noted above.

  • The Act requires covered entities to notify the Cybersecurity and Infrastructure Agency (CISA)(“Agency”) within 72 hours of discovering a covered cyber incident.
  • The Act also requires notifying the Agency within 24 hours of receiving a ransom payment demand.

The notice to the Agency shall include the following information:

  • A full description of the incident, including the estimated date range and impact on the operations of the impacted entity.
  • A description of the vulnerability exploited and the defenses that were in place at the time of the incident.
  • The identifying or contact information about the responsible parties, if known.
  • The category or categories of information that may have been compromised.
  • Contact details of the impacted entity providing notice.

What to Do Now

The short answer is “let’s wait and see.” As the Act stands now, it is unclear what businesses in critical infrastructure sectors will be considered “covered entities.” In the meantime, similar to approaching other data privacy laws and regulations, businesses should take the time to review their policies and procedures (such as an incident response plan to meet the 72 hour requirement or a written information security policy) to ensure they are able to detect, respond to, and mitigate data security incidents and that they continue effective training for their employees and staff relating to new cybersecurity threats.

We in Taft’s Privacy and Data Security Practice, with the help of our Government Affairs colleagues Graham Hill and Martin Edwards in Taft’s D.C. office, have been monitoring developments in the rule-making.  Based on meetings attended to date, we expect there to be considerable industry engagement. Our understanding is CISA has made the rule-making a top priority.  We will continue to monitor and provide updates here.

As always, please stay tuned to Taft Privacy and Data Security Insights for more information on the Act and other privacy updates.