What Happened to the Ransom Disclosure Act – and Your Obligations?
Yes, compliance life is getting more and more complicated as industry after industry is hammered by new compliance requirements. It’s all for a good reason of course, but it’s alarming whenever something new pops up.
That was the case when news emerged in late 2021 that Rep. Deborah Ross and Sen. Elizabeth Warren had introduced the Ransom Disclosure Act, a bill that would have required businesses to report ransomware payments to the US Department of Homeland Security.
What happened to this disclosure requirement – and what other ransomware disclosure requirements should companies be aware of?
In this article, we’ll look at the proposed Ransom Disclosure Act alongside a few other attempts at creating federal ransomware disclosure laws. We’ll also quickly examine where else you’ll find ransomware disclosure requirements.
Note that this is by no means a thorough examination of ransomware disclosure requirements. The industry you operate in, your contracts with your clients, and your insurance policies may have specific requirements around disclosing ransomware attacks and payments. Always consult legal advice to ensure you’re up to date with which compliance requirements apply to you.
Proposed, but Never Signed into Law
Introduced on October 5th, 2021, the Ransom Disclosure Act is a proposed U.S. law that aimed to counter ransomware threats by requiring organizations to disclose details about ransom payments within 48 hours of the payment.
This includes the amount paid, the currency used, and any known information about the attackers. The information would be reported to the Department of Homeland Security (DHS), which would also be required by the new law to publicly report this information annually and conduct a study on ransomware patterns and the role of cryptocurrency.
The Act was seen as a step towards understanding the scale of the ransomware problem and potentially informing further legislation.
However, the Act never became law. Some technology websites still describe it, and some of that coverage is worded as if the Act had been signed, but it remained a proposal and was never passed by the House of Representatives or the Senate. (It is not the first proposed act on ransomware disclosure to stall in Congress.)
Another Disclosure Requirement Did Pass into Law
That’s not to say that there’s been no movement on the legal front when it comes to requiring ransomware disclosure. In March 2022, a more narrowly focused bill, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was signed into law by President Biden. It applies to organizations that operate critical national infrastructure (CNI).
This act introduces significant new cybersecurity reporting requirements for businesses in critical infrastructure sectors such as healthcare, financial services, energy, transportation, and commercial facilities. These are considered “covered entities,” and the Act gives them four reporting obligations. Note that the obligations only bind once CISA’s implementing rule (which defines exactly who is a covered entity and what counts as a covered cyber incident) is final and in effect:
- Any covered entity experiencing a “covered cyber incident” must report the incident to CISA within 72 hours of the entity reasonably believing the incident occurred
- A covered entity making a ransom payment because of a ransomware attack must report the payment to CISA within 24 hours of the ransom payment being made
- If substantial new or different information becomes available, e.g. a ransom payment after submitting a covered cyber incident report, the entity must submit an update
- Covered entities must preserve data relevant to the covered cyber incident or ransom payment
So, if you operate within CNI, you will be covered by federal law once CISA’s rule takes effect, and will need to report ransomware attacks within 72 hours and ransom payments within 24 hours.
Pros and Cons of Forced Reporting
It is not obvious why some ransomware disclosure legislation did not make it into law, because there are clear advantages to mandatory reporting.
Mandating reporting by victims overcomes the collective action problem of underreporting: each victim has little individual incentive to report, yet the incident details support the public good by providing evidence for the prosecution of ransomware gangs and intelligence for defending against future attacks.
Payment instructions provided in reports can aid in law enforcement’s recovery of ransom payments and tracking transactions, and reporting can lead to indicators of compromise for specific ransomware gangs, aiding investigations.
But there are a couple of issues. The quality of reported data could vary widely, and a reporting mandate gives attackers a new lever: a gang holding exfiltrated data can threaten to leak it if the victim reports the incident, or raise the ransom demand to cover the victim’s exposure, leading to more suffering for victims and their customers.
Loopholes and uncertainties exist regarding reporting requirements for intermediaries, insurance companies, multinational corporations, and varying reporting standards for different entities. Victims could be faced with tough choices: risking data leaks by going to the police or paying a penalty for not reporting.
What About Other Ransomware Disclosure Requirements?
It gets messy here because the disclosure needs are all over the place. You need to seek legal advice to see whether your organization faces a penalty for not disclosing a ransomware attack.
For example, in late 2021, the Department of Justice (DOJ) announced that it would initiate civil legal action against federal contractors failing to report cyberattacks or data breaches. This forms part of the Civil Cyber-Fraud Initiative.
The initiative will make use of the existing False Claims Act to target cybersecurity-related fraud by government contractors and grant recipients. Federal contractors will be held accountable for knowingly providing flawed cybersecurity products or services and for failing to monitor and report cybersecurity incidents and breaches – which would include ransomware attacks.
Furthermore, the SEC has cybersecurity disclosure rules that require public companies (companies listed on a US stock exchange) to report a material cybersecurity incident within four business days of determining that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident. Ransomware incidents are squarely in scope, and the SEC has already enforced disclosure accuracy in this area: it fined Blackbaud $3m for misleading disclosures about a 2020 ransomware attack.
For entities covered by the Health Insurance Portability and Accountability Act (HIPAA), the presence of ransomware on their systems is considered a security incident under the Security Rule. These entities must initiate their incident response and reporting procedures when ransomware is detected, and if protected health information was encrypted or exfiltrated, the event is presumed to be a breach unless the entity can demonstrate a low probability that the data was compromised, which triggers the breach notification requirements.
You may also find that you need to comply with ransomware disclosure requirements under your insurance policies. For example, some cyber insurance policies require you to notify the insurer within a set timeframe after a ransomware attack occurs, and to obtain the insurer’s consent before paying a ransom, as a condition of a successful claim.
Irrespective of Requirements – Be Ready to Respond
Ransomware attacks are a growing threat. Without a comprehensive ransomware response plan, organizations risk severe operational disruptions, financial loss, and damage to their reputation. A well-prepared strategy not only helps in rapid recovery but also ensures business continuity and preserves customer trust.
To help you prepare for and mitigate these threats, we encourage you to download our whitepaper How to Recover from Ransomware.
This resource provides insights into best practices for responding to such attacks, as well as proactive measures to prevent them. Take a first step towards enhancing your organization’s ransomware preparedness and download it here now.