Senate Introduces Ransomware Notification Mandate

Post Series: Data Privacy Legislation

The US Senate has introduced a bill that would require businesses with more than 50 employees to report ransomware payments within 24 hours. The bill, S. 2666, the “Sanction and Stop Ransomware Act of 2021,” was introduced by the Senate Committee on Homeland Security and Governmental Affairs. It would also apply to nonprofits and to state and local government agencies, and it would regulate cryptocurrency exchanges.

Reports of ransomware payments would be filed with the Cybersecurity and Infrastructure Security Agency (CISA). The requirement would cover any entity that discovers “a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a Federal agency or covered entity,” according to JD Supra.

Entities that fail to report covered ransomware activities would be subject to subpoenas from the Department of Justice. Many, including CISA itself, have objected to the strict timeframe imposed by the bill, comparing it to the standard 72-hour window mandated by the European Union’s General Data Protection Regulation (GDPR). The bill would also allow for fines of up to 0.5 percent of a company’s annual revenue and potential exclusion from federal contracting opportunities.

But S. 2666 is not the only bill in play that introduces a 24-hour reporting window. The Cyber Incident Notification Act, introduced in the Senate earlier this year, also requires cyber incidents to be reported within 24 hours, but only for businesses that contribute to national security.
