On March 15, 2022, President Biden signed into law significant new federal data breach reporting legislation that could vastly expand data breach notice requirements far beyond regulated entities or entities processing personal data. Unceremoniously tucked as Division Y into the H.R. 2471 Consolidated Appropriations Act, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require “covered entities” —organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack.
For more details, click here to read Ropes & Gray’s client alert on the expansive new federal breach reporting requirement.