New CIRCIA Bill and What It Means for Whistleblowers

Christopher Iacono
Pietragallo Gordon Alfano Bosick & Raspanti, LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Pietragallo Gordon Alfano Bosick & Raspanti, LLP

Takeaways: Uncertainties over threats of cyberattacks resulted in both the House and Senate passing CIRCIA, which created an opportunity for whistleblowers to come forward under the False Claims Act with information about agencies and contractors failing to report cybersecurity breaches in a timely manner. Following CIRCIA, Congress voted to pass the Better Cybercrime Metrics Act to help analyze the effectiveness of cybercrime reporting.

President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on March 15, 2022.[1] This Bipartisan Act, which passed both the House and Senate after fears of retaliatory cyberattacks from Russia, requires owners and operators of critical infrastructure to report specific incidents to the Cybersecurity Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. These two obligations require:

  • “Covered cyber incidents” to be reported to CISA within 72 hours,[2] and
  • Ransomware payments to be reported to CISA within 24 hours.[3]

These reporting requirements are not in effect immediately, and companies have some time to put the proper reporting systems in place. Once in effect, this Act creates an opportunity for potential whistleblowers who have knowledge of a failure to report cybersecurity breaches to CISA in a timely manner. Whistleblowers can take advantage of a failure to report under the False Claims Act through a Qui Tam lawsuit.

Following the passage of CIRCIA, on March 30, 2022, the Senate and House both voted to pass the Better Cybercrime Metrics Act. The Bill now sits on President Biden’s desk for his signage into law. This Act was inspired by the attacks on the Colonial Pipeline in 2021 and would improve the reporting on the effectiveness of federal government cybercrime investigations.[4]

[1] Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).
[2] H.R. 2471 § 2242(a)(1)(A).
[3] H.R. 2471 § 2242(a)(2)(A).
[4] https://thehill.com/policy/cybersecurity/600357-house-sends-bipartisan-cybercrime-bill-to-biden/

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pietragallo Gordon Alfano Bosick & Raspanti, LLP | Attorney Advertising

Written by:

Pietragallo Gordon Alfano Bosick & Raspanti, LLP
Pietragallo Gordon Alfano Bosick & Raspanti, LLP
Contact
more
less

Pietragallo Gordon Alfano Bosick & Raspanti, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide