On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021 (the “Act”). The Act would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.
The Act would require covered entities to notify the Cybersecurity and Infrastructure Security Agency (“CISA”) of the Department of Homeland Security (“DHS”) within 24 hours of “confirmation” of a cybersecurity incident, and supplement such notification with any newly discovered information within 72 hours of discovery.
To encourage information sharing, the Act would provide limited immunity to entities reporting cybersecurity incidents pursuant to the Act. For example, notifications provided to CISA would be exempt from disclosure under the Freedom of Information Act. In addition, information contained in such notifications would not be admissible in any civil or criminal action and would not be subject to subpoenas, unless Congress issued the subpoena for oversight purposes.
Enforcement of the Act would differ based on the covered entity’s status. Federal contractors who violate the Act would be subject to penalties determined by the Administrator of General Services, including potential removal from the Federal Contracting Schedule. Under the Act’s definition of the term, only entities that perform work in the federal supply chain would qualify as federal contractors. Entities that are not federal contractors would be subject to daily financial penalties equal to 0.5 percent of their gross revenue from the prior year.
The Act also would require the Director of CISA to promulgate an interim final rule within 270 days of enactment of the Act. The interim final rule would define when reporting obligations are triggered and provide guidance on the exact contents of the notification.