A new bill introduced by the Senate (S. 2666), the “Sanction and Stop Ransomware Act of 2021”, would require a strict 24-hour limit for reporting ransomware payments for businesses with more than 50 employees. The bipartisan bill, put forward by leaders of the Senate Homeland Security and Governmental Affairs Committee, also focuses on critical infrastructure, non-profit organizations, state/local government agencies, regulation of cryptocurrency exchanges, and more.
Specifically, a Federal agency or covered entity that discovers “a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a Federal agency or covered entity” must report the discovery within 24 hours. Additionally, a federal agency or covered entity that issues a ransomware payment must submit details of the payment, including the method of payment, the amount, and the recipient. Reporting shall be done through an established system to the Cybersecurity and Infrastructure Security Agency (CISA). Failure to report risks being subpoenaed and referred to the Department of Justice (DOJ).
Several industry groups have opposed the bill, stating that the 24-hour window is not feasible and that a 72-hour window is more realistic. (Incidentally, a 72-hour data breach notification requirement is included in the European privacy law, the General Data Protection Regulation (GDPR), which is one of the strictest and most comprehensive privacy laws in the world, and after which the California privacy law (“CCPA”) was modeled.) Some agencies, including CISA itself, have also spoken out against subpoena power and would prefer to impose fines instead.
Other legislative proposals, which may be ultimately merged with this one, introduce different measures. For instance, the Cyber Incident Notification Act, introduced by the Senate in July 2021, establishes a similar 24-hour reporting window for any business that supports a national security function.
Other enforcement terms would include barring federal government contractors from the Federal Contracting Schedule if they fail to comply, or penalties of up to 0.5% of gross annual revenue. (GDPR allows fines of up to €10 million or 2% of the company’s global annual revenue, whichever is higher.)
A 24-hour window for reporting ransomware payments could be difficult for covered entities to comply with. Reporting a breach, much less a payment, within even 72 hours can be difficult, as sufficient time is needed to determine the nature, scope, and degree of the breach itself. However this legislation turns out, it underscores the need for companies to have a well-established incident response plan and reporting procedures in place so they can act swiftly and decisively in the event of a suspected breach or ransomware attack.
View the language of the legislation here.