As discussed in our previous blog post, the Cybersecurity and Infrastructure Security Agency (CISA) is proposing a significant new rule to bolster the nation’s cyber defenses through mandatory incident reporting. While designed to enhance CISA’s ability to monitor and respond to cyber threats, the rule has ignited a contentious debate. The concerns raised highlight the delicate balance between strengthening national security and avoiding undue burdens on businesses.

Broad Concerns and Overreporting Fears

A key concern across various industries is that the rule’s broad scope could capture over 300,000 entities, many not traditionally considered critical infrastructure. This could lead to overreporting, overwhelming CISA with low-value data, and potentially diverting resources from addressing significant threats. Critics, including Sen. Gary Peters, advocate for a more targeted approach, focusing on incidents with genuine national security implications.

Furthermore, the existing patchwork of over 50 federal breach reporting rules across various agencies raises concerns about redundancy and increased compliance burdens for businesses. The proposed rule could add another layer of complexity without necessarily enhancing cybersecurity outcomes.

Manufacturing Sector’s Alarm Bells

The National Association of Manufacturers (NAM) is particularly worried about the rule’s potential impact on its members. The NAM argues that the broad definition of “covered entities” could ensnare numerous manufacturers operating outside traditional critical infrastructure, burdening them with complex and costly reporting requirements they may not be equipped to handle. The NAM also criticizes the expansive definition of reportable incidents, advocating for a more targeted approach focused on incidents that genuinely impact critical infrastructure and national security.

Healthcare’s Unique Challenges

Healthcare and hospital groups raise unique concerns due to their sector’s interconnected nature. They argue for the inclusion of insurers and third-party vendors under the rule, since excluding key entities such as health IT providers and labs could lead to significant disruptions if those entities are targeted by cyberattacks. The strict 24- and 72-hour reporting deadlines are also a concern, as they could divert resources from patient care during a crisis and impose financial burdens on under-resourced hospitals and providers. These groups have requested financial support and technical assistance to help them comply with the new requirements without compromising patient care.

Finding a Middle Ground

To address these concerns, several recommendations have been proposed:

  1. Reconsider the Scope – Focus on those entities and reportable incidents with significant impact on critical infrastructure and national security.
  2. Streamline Reporting – Develop a unified reporting mechanism that harmonizes with existing regulations.
  3. Provide Support – Offer technical and financial assistance to smaller entities.
  4. Clarify Definitions – Clearly define key terms to prevent overreporting and ensure consistent interpretation.
  5. Flexibility – Tailor reporting requirements to specific industry needs, such as healthcare’s need for immediate incident response.

Balancing Security and Practicality

The debate surrounding CISA’s proposed rule underscores the challenge of balancing robust cybersecurity measures with practical, feasible compliance for businesses. Open dialogue and collaboration between CISA and industry stakeholders are crucial to finding a middle ground that strengthens national security without imposing undue burdens. By addressing industry concerns and refining the rule, CISA can create a framework that effectively protects critical infrastructure while fostering a collaborative approach to cybersecurity.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.


Sinan Pismisoglu advises clients on product development, privacy and security compliance, AI ethics, SaaS contracting, Big Data, data licensing and ownership, supply chain and vendor management, and incident preparedness and response. He solves complex cybersecurity, information security, compliance, and operational issues beginning with early planning and prevention through detection, remediation, and crisis management. Sinan collaborates with engineering teams to create compliance-integrated risk management frameworks, governance, and ethics programs for emerging technologies such as AI/ML, cybersecurity, IoT, and cloud models.


Eric Setterlund serves as partner in Bradley’s Healthcare practice group and co-chair of the Cybersecurity and Privacy practice group. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.