Biden Administration, which has its eyes on Russia, Requests Reports from Companies

“Many of the real details will need to be worked through during the rulemaking process,” said Christopher D. Roberti, senior vice president of cyber, intelligence and supply chain security policy at the US Chamber of Commerce.

The law requires the cybersecurity agency to work with companies as it sets the rules, so business leaders will have a say in how the law should be enforced.

Cyberattacks disrupted operations at major American businesses last year, including JDS Foods, a meat supplier, and Colonial Pipeline, which provides fuel on the East Coast. Both attacks interfered with the Americans’ ability to obtain essential supplies and created an urgency for lawmakers to take action.

The authors of the incident reporting law, Michigan Democrat Senators Gary Peters and Ohio Republican Rob Portman, said the law will help companies like JDS Foods and Colonial recover faster after such attacks. The cybersecurity agency will be able to provide guidance and assistance to them in the recovery process.

Delayed disclosures have been costly for companies. In 2018, Yahoo paid a $35 million fine for failing to promptly disclose a 2014 hack. And administrators may find themselves facing criminal charges such as: the case of a former Uber executive He was charged with blocking and fraud for his handling of the 2016 data breach at the ride-hailing company.

“For the past year or more, we’ve heard from companies how inconsistent and erratic the incident reporting landscape has been,” said Courtney Lang, senior policy director at the Information Technology Industry Council. “Given the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think incident reporting can provide useful information that can help shape specific responses.”

While similar rules are under consideration at other federal agencies in Europe and the United States, corporate leaders are hopeful that the new federal law will serve as a model for other legislators and government officials, allowing companies to avoid the confusion of conflicting event reporting requirements.