In the wake of widespread ransomware attacks, the newly enacted Strengthening American Cybersecurity Act will require “covered entities” to report data breaches to federal regulators. Our Privacy, Cyber & Data Strategy Team answers pressing questions about the new law.
- What companies and industries are covered?
- What types of cyber-incidents must be reported, and what related information needs to be included?
- Could information that companies disclose in these reports be used against them?
- How can companies influence CISA’s implementing rules?
On March 1, the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022, which will require critical infrastructure companies to report significant cyber-incidents and all ransom payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The Act was included in the 2022 omnibus spending bill, which President Biden signed into law on March 15. Here is what companies need to know.
Which companies will be covered?
The Act delegates to CISA the power to define which entities will be subject to the Act’s reporting obligations but contemplates that CISA…
