Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In practice, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD-21). These sectors are: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, including third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities carried out in response to a request from the system owner or operator are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as debarment from and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.

New Year, (Potentially) New Rules?

SOMETIMES, THE ONLY CONSTANT IS CHANGE. THIS NEW YEAR IS NO DIFFERENT.

In 2023, we saw several developments in labor and employment law, including federal and state court decisions, regulations, and administrative agency guidance decided, enacted, or issued. This article will summarize five proposed rules and guidance issued by the Department of Labor (“DOL”), the National Labor Relations Board (“NLRB”), the United States Equal Employment Opportunity Commission (“EEOC”), and the Occupational Safety and Health Administration (“OSHA”), which will or may be enacted in 2024.

DOL’s Proposed Rule to Update the Minimum Salary Threshold for Overtime Exemptions

In 2023, the DOL announced a Notice of Proposed Rulemaking (“NPRM”) recommending significant changes to overtime and minimum wage exemptions. Key changes include:

  • Raising the minimum salary threshold: increasing the minimum weekly salary for exempt executive, administrative, and professional employees from $684 to $1,059, impacting millions of workers;
  • Higher Highly Compensated Employee (HCE) compensation threshold: increasing the total annual compensation requirement for the highly compensated employee exemption from $107,432 to $143,988; and
  • Automatic updates: automatically updating earning thresholds every three years.

These proposed changes aim to expand overtime protections for more employees and update salaries to reflect current earnings data. The public comment period closed in November 2023, so brace yourselves for a final rule in the near future. For more information: https://www.federalregister.gov/documents/2023/09/08/2023-19032/defining-and-delimiting-the-exemptions-for-executive-administrative-professional-outside-sales-and

DOL’s Proposed Rule on Independent Contractor Classification under the Fair Labor Standards Act

The long-awaited new independent contractor rule under the Fair Labor Standards Act (“FLSA”) may soon be on the horizon. The DOL proposed a new rule in 2022 on how to determine who is an employee or independent contractor under the FLSA. The new rule will replace the 2021 rule, which gives greater weight to two factors (nature and degree of control over work and opportunity for profit or loss), with a multifactor approach that does not elevate any one factor. The DOL intends this new rule to reduce the misclassification of employees as independent contractors and provide greater clarity to employers who engage (or wish to engage) with individuals who are in business for themselves.

The DOL is currently finalizing its independent contractor rule. It submitted a draft final rule to the Office of Management and Budget (OMB) for review in late 2023. While an exact date remains unknown, the final rule is likely to be announced in 2024. More information about the rule can be found here: https://www.federalregister.gov/documents/2022/10/13/2022-21454/employee-or-independent-contractor-classification-under-the-fair-labor-standards-act

NLRB’s Joint-Employer Standard

The NLRB has revamped its joint-employer standard under the National Labor Relations Act (“NLRA”). The NLRB replaced the 2020 standard for determining joint-employer status under the NLRA with a new rule that will likely lead to more joint-employer findings. Under the new standard, two or more entities may be considered joint employers of a group of employees if each entity: (1) has an employment relationship with the employees and (2) has the authority to control one or more of the employees’ essential terms and conditions of employment. The NLRB has defined “essential terms and conditions of employment” as:

  • Wages, benefits, and other compensation;
  • Hours of work and scheduling;
  • The assignment of duties to be performed;
  • The supervision of the performance of duties;
  • Work rules and directions governing the manner, means, and methods of the performance of duties and the grounds for discipline;
  • The tenure of employment, including hiring and discharge; and
  • Working conditions related to the safety and health of employees.

The new rule further clarifies that joint-employer status can be based on indirect control or reserved control that has never been exercised. This is a major departure from the 2020 rule, which required that joint employers have “substantial direct and immediate control” over essential terms and conditions of employment.

The new standard will take effect on February 26, 2024, and will not apply to cases filed before the effective date. For more information on the final rule: https://www.federalregister.gov/documents/2023/10/27/2023-23573/standard-for-determining-joint-employer-status

EEOC’s Proposed Enforcement Guidance on Harassment

A fresh year brings fresh guidance! In October 2023, the EEOC published a notice of Proposed Enforcement Guidance on Harassment in the Workplace. The EEOC has not updated its enforcement guidance on workplace harassment since 1999. The updated proposed guidance explains the legal standards for harassment and employer liability applicable to claims of harassment. If finalized, the guidance will supersede several older documents:

  • Compliance Manual Section 615: Harassment (1987);
  • Policy Guidance on Current Issues of Sexual Harassment (1990);
  • Policy Guidance on Employer Liability under Title VII for Sexual Favoritism (1990);
  • Enforcement Guidance on Harris v. Forklift Sys., Inc. (1994); and
  • Enforcement Guidance on Vicarious Employer Liability for Unlawful Harassment by Supervisors (1999).

The EEOC accepted public comments through November 2023. After reviewing the public comments, the EEOC will decide whether to finalize the enforcement guidance. While not law itself, the enforcement guidance, if finalized, can be cited in court. For more information about the proposed guidance: https://www.eeoc.gov/proposed-enforcement-guidance-harassment-workplace

OSHA’s Proposed Rule to Amend Its Representatives of Employers and Employees Regulation

Be prepared to see changes in OSHA on-site inspections. Specifically, OSHA may reshape its Representatives of Employers and Employees regulation. In August 2023, OSHA published an NPRM titled “Worker Walkaround Representative Designation Process.” The NPRM proposes to allow employees to authorize an employee or a non-employee third party as their representative to accompany an OSHA Compliance Safety and Health Officer (“CSHO”) during a workplace inspection, provided the CSHO determines the third party is reasonably necessary to conduct the inspection. This change aims to increase employee participation during walkaround inspections. OSHA accepted public comments through November 2023. A final rule will likely be published in 2024.

For more information about the proposed rule to amend the Representatives of Employers and Employees regulation: https://www.federalregister.gov/documents/2023/08/30/2023-18695/worker-walkaround-representative-designation-process

Preparing for 2024

While 2023 proved to be a dynamic year for Labor and Employment law, 2024 could be either transformative or stagnant. Some of the proposed regulations mentioned above could turn into final rules, causing significant changes in employment law. On the other hand, given that 2024 is an election year, some of these proposed regulations could lose priority and wither on the vine. Either way, employers should stay informed of these ever-changing issues.

DHS May Make Form I-9 Flexibility a Fixture

The Department of Homeland Security (DHS) announced it is considering changes to the Form I-9 documentation examination procedures. As human resources teams know, the remote workplace that became common during the COVID-19 pandemic made an already complicated I-9 process a logistical nightmare. With the U.S. government’s declaration of a national emergency due to the COVID-19 pandemic, DHS and Immigration and Customs Enforcement (ICE) announced certain flexibilities in March 2020 that suspended the requirement of in-person review of I-9 documents when a company was operating remotely due to COVID-19. Those flexibilities have been extended numerous times and are currently set to expire Oct. 31, 2022.

While DHS says it is considering making these temporary flexibilities permanent, the Notice of Proposed Rule Making (NPRM) published last month does not seek to do so. Instead, the NPRM seeks to validate the authority of the DHS secretary to enact flexibilities, offer alternative options, and/or implement a pilot program to evaluate existing and additional alternative I-9 procedures for some or all employers. DHS recognizes that more and more employers are utilizing telework and remote work for their employees and that requiring in-person review of I-9 documents is no longer consistent with work patterns of many businesses.

Some of the more notable possible changes to the I-9 process described in the NPRM include requiring employers to note on the Form I-9 which of the alternative procedures they used; requiring employers to retain copies of I-9 documents; requiring online fraudulent-document and/or anti-discrimination training for employers who wish to use the alternative procedures; and limiting eligibility to use the alternative procedures to employers that use E-Verify, the government’s online employment verification system.

Comments to the NPRM are due on or before Oct. 17, 2022.

©2022 Greenberg Traurig, LLP. All rights reserved.

HHS Recognizes Changing Environment of Research: Still Time to Comment

Late last month the Department of Health and Human Services (HHS) and other federal departments and agencies announced an extension until January 6, 2016 of the comment period for the Federal Policy for the Protection of Human Subjects notice of proposed rulemaking (NPRM). The proposed rulemaking is the most sweeping since 1991, when HHS codified The Common Rule, 45 C.F.R. part 46, and recognizes the changed research environment, with many multisite studies and the expansion of research as more data becomes accessible through technology. The NPRM seeks to further the principles of autonomy and beneficence by protecting privacy and improving the consent process in the new world of research, while creating avenues to lessen the administrative burden and to promote research.

The NPRM proposes to apply The Common Rule to all studies, regardless of funding source, conducted by a U.S. institution that receives federal funding for human subjects research. Currently, The Common Rule applies only to studies funded by certain federal agencies. Most significantly, the proposed rules impact the following areas:

Streamlined process – To streamline the process of initiating certain activities, the NPRM creates a new category not currently in The Common Rule: exclusions. Exclusions cover activity that is not research, that is low risk, and for which there may be statutory protections. Accordingly, no procedures need to occur under The Common Rule to approve the activity. An example of an exclusion would be quality assurance activities.

The exemptions under The Common Rule are expanded in the NPRM. Exemptions differ from exclusions in that certain procedures must occur for the activity to proceed, such as recording, privacy safeguards, broad consent, or notice. How HHS ultimately defines adequate notice will be critical in protecting privacy and autonomy rights in exempt research.

As well, a single institutional review board (IRB) would approve all multisite research. Independent IRBs would be held directly responsible for compliance with The Common Rule.

In addition, the IRB process would be further streamlined by no longer requiring continuing review of research where there is minimal risk. For instance, continuing review would not be required if a study undergoes expedited review or if the interventions are complete and only data continues to be analyzed. Only an annual confirmation that there are no changes would be needed. An IRB would still be able to require continuing review, with documentation of the reason for the increased requirement.

Informed Consent – The NPRM mandates a simplified informed consent form, with appendices providing more detailed information. The goal is to provide potential research subjects all the essential information that a reasonable person would need to consent to participation in research. The NPRM suggests using the reasonable person standard as a means to gauge the protections in the process. Currently, there are recommendations that informed consent forms should be written at no higher than an eighth-grade reading level, but the consent forms are often mired in so much detail that human subjects may not easily comprehend them.

Research with Biospecimens – A particularly sweeping area of the NPRM is the protection of biospecimens (e.g., blood or urine), which is reflected in a proposed change in the definition of human subjects to include unidentified biospecimens. Hospitals, providers and laboratories collect biospecimens from patients as part of medical care. Those biospecimens may be stored and used as part of research without the patient’s knowledge. The ethical issue regarding the use of biospecimens in research is well described by Professor Ellen Wright Clayton of Vanderbilt University: “[a] tremendous amount of epidemiological research and other types of investigations have been done in the United States for decades without any informed consent or notification whatsoever….” [i] The proposed rule would require a broad consent template covering consent for the storage and maintenance of the biospecimens and consent for future unspecified research. An alternative to broad consent for the use of biospecimens would be a potential waiver of consent by the IRB for compelling scientific research, but consent could not be waived if the human subject declined to sign the broad consent form. As proposed in the NPRM, use of the IRB waiver of consent would most likely be rare.

Secondary Research Use of Data – The NPRM also recognizes the growing business of information technology and the availability of data for secondary use. Researchers often can find data from sources such as the internet or through mHealth devices. The goal of the NPRM seems to be to allow the secondary use of data in research or other activities while balancing that use against privacy protections. Secondary research activity excluded from The Common Rule would be a) publicly available data (not biospecimens) or data recorded without identifiers; b) data protected through the provisions of the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA); c) data confined to a single institution and its internal quality assurance programs; and d) data from federally conducted research.

Exempt secondary use research proposed in the NPRM would include a) identifiable private information where there is notice, privacy safeguards, and use solely for specific research; and b) storage and maintenance of data for secondary use where there are privacy safeguards, limited IRB review of the consent process, and specific studies where the individual results will not be provided to the subjects. Again, the procedures for notice will be a critical component of privacy protections in secondary use research.

There has been an overwhelming response to the NPRM, which proposes comprehensive changes to The Common Rule. While the NPRM seemingly streamlines the process for allowing certain activities or research to occur, there are areas in need of additional guidance, such as the lack of clarity on certain privacy protections. A copy of the NPRM, as well as details on how to submit comments, can be found in this link.

© 2015, Sheppard Mullin Richter & Hampton LLP.


[i] Institute of Medicine (US) Roundtable on Translating Genomic-Based Research for Health. Establishing Precompetitive Collaborations to Stimulate Genomics-Driven Product Development: Workshop Summary. Washington (DC): National Academies Press (US); 2011. Chapter 6, Ethical Challenges in the Use of Biospecimens.

DOT Proposes Rules for Rail Transport of Flammable Materials: New Standards for Classification, Tank Cars, Emergency Preparedness

Beveridge Diamond Law Firm

Following recent events highlighting the potentially devastating effects of accidents involving rail transportation of flammable liquids, the Pipeline and Hazardous Materials Safety Administration (PHMSA) of the U.S. Department of Transportation (DOT) released a pre-publication copy of a Notice of Proposed Rulemaking (NPRM) on July 23 designed to improve the safety of transporting such materials. The proposed regulations come more than a year after the derailment and explosion in Lac-Mégantic, Quebec, of a train carrying 72 tank cars, each filled with 30,000 gallons of Bakken crude oil, that killed 47 people. PHMSA will accept comments for 60 days from the date of publication (not yet available) in the Federal Register. Given the extensive comments received on the Advance Notice of Proposed Rulemaking (ANPRM), the agency has indicated it does not intend to extend the comment period.

Classification and Characterization Requirements of Mined Liquids and Gases

Under the proposed regulations, all offerors and shippers would be required to implement a sampling and testing program for mined gases and liquids extracted from the earth (e.g., crude oil) to ensure their hazards are understood and accounted for in packaging and emergency preparedness. Offerors would be required to maintain documentation of the sampling and testing program, review their program annually, and make program documentation available to DOT upon request. The program would include:

  • Frequency of sampling to understand material variability;
  • Sampling of different points along the supply chain to understand changes during transportation;
  • Sampling methods that ensure samples are representative of the entire mixture, as packaged;
  • Testing methods to ensure better analysis, classification, and characterization of materials;
  • Statistical justifications for sample frequencies;
  • Duplicate samples for quality assurance; and
  • Criteria for modifying sampling and testing programs.

Additional Operational Requirements for High-Hazard Flammable Trains

The proposed regulations would impose additional requirements for high-hazard flammable trains (HHFTs), defined by the NPRM as trains carrying 20 or more tank carloads of a Class 3 flammable liquid. Specifically, all HHFT units constructed after October 1, 2015 must comply with DOT-117 tank car design requirements for tank cars, such as inclusion of thermal protection systems and tank car plate thickness requirements. The rule would phase out DOT-111 tank cars, the oldest tank cars in use, on the following schedule:

  HHFT Class 3 Flammable Liquid Packing Group   DOT-111 Not Authorized After
  I                                              October 1, 2017
  II                                             October 1, 2018
  III                                            October 1, 2020

Along with changes to tank car design specifications, operators of HHFTs would have to implement the following requirements:

  • Use of Risk Assessment in Route Selection: The proposed rule would apply rail routing requirements currently required of trains carrying certain volumes of Toxic-by-Inhalation (TIH) Chemicals, and other highly hazardous materials to HHFTs. Carriers would be required to apply 27 safety and security factors, including population density along routes, emergency response capability along the route, among others, in selecting a route for HHFTs.
  • Notification to SERCs: The rule would make permanent a May 2014 DOT emergency order requiring HHFTs carrying more than one million gallons of Bakken crude oil to notify State Emergency Response Commissions (SERCs) and other appropriate state officials about the operation of such trains through their states. Carriers would be required to report such information within 30 days of the effective date of the rule and to maintain documentation of notifications that could be made available to the Federal Railroad Administration (FRA) upon request.
  • Speed Limits and Enhanced Braking Requirements: HHFTs would be limited to 50 mph in all areas. PHMSA seeks comments on whether HHFTs that do not meet the tank car design specifications should be subject to a 40 mph speed limit in certain areas. The proposed regulations also would require HHFTs to be equipped with alternative brake propagation systems as an added safety precaution.

Other DOT Actions

Along with the NPRM, DOT issued a companion ANPRM seeking comment on the application of oil spill response planning to the shipment of flammable liquids as well as an Operation Safe Delivery Update report containing data collected from its staff and the FRA from August 2013 to May 2014. This report concludes that Bakken crude oil is more volatile and flammable compared to other crude oils. In a press release, DOT claims that it will continue to monitor the data through the fall of 2014.