Sarah Anderson

Constitutional Rights v. Cybersecurity Rules



A few binged seasons of Law & Order will teach you that you have a Constitutional right, under the 5th Amendment, to remain silent: you have the right to refuse to give any self-incriminating statement or testimony. With this constitutional right available to individuals and companies alike, how does the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) lawfully impose certain reporting requirements?


Passed in 2022, CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents no later than 72 hours from the time the entity reasonably believes the incident occurred. In March of 2024, CISA issued proposed rules for public comment in 89 FR 23644.


In the proposal, CIRCIA requires a covered entity to tender a “Ransom Payment Report” if the victim makes a ransom payment, or has another entity make a ransom payment on its behalf, under 6 U.S.C. 681b(a)(2)(A). Additionally, the same rule (under 6 U.S.C. 681a(a)(10) and (b)) requires CISA to share the reports received under CIRCIA (including Ransom Payment Reports) with other federal agencies within 24 hours of receipt of a subpoena or request for information.


Fortunately, “A few commenters recommended that information contained in CIRCIA Reports be protected from discovery in civil or criminal actions.” Unfortunately, CISA’s response reinforces the commenters’ collective concerns:


[The Director may] provide information submitted by a covered entity in response to a subpoena to the Attorney General or head of a Federal regulatory agency if the Director determines that the facts relating to the covered cyber incident or ransom payment may constitute grounds for criminal prosecution or regulatory enforcement action.

While likely unintentional, the CIRCIA regulations create a trap for any reporting covered entity. A covered entity that reports a cyber incident under CIRCIA can have that information used against it by another federal agency.


Here is a real-life example: United Healthcare and its countless customers and affiliates are battling the effects of a ransomware event likely allowed by a lack of multi-factor authentication (a VERY basic cybersecurity control). Were United to comply with the CIRCIA reporting requirements, it would open itself to the following criminal and civil penalties for its payment of a $22 million ransom:


1. CRIMINAL:

  • Paying a ransom is technically illegal under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) if the payment is made to any group linked to a nation state subject to U.S. Economic Sanctions (such as Russia and North Korea).

  • If United Healthcare was a public or quasi-public entity in North Carolina or Florida, paying the ransom would also be illegal.


2. CIVIL:

  • Investigations and fines from the Office of Civil Rights, under the Department of Health and Human Services, for failure to comply with HIPAA’s cybersecurity rules by lacking multi-factor authentication (MFA) and routine security assessments (that would identify the lack of MFA).

  • Investigations and fines from the Federal Trade Commission for failure to impose MFA and conduct assessments that would have identified the lack of MFA under the Gramm-Leach-Bliley Act.

  • Investigations and sanctions from the Office of Foreign Assets Control with the Department of Treasury.

  • Investigations and lawsuits from private citizens for unfair trade practices, breach of implied contract, and negligence.


With so many laws concerning privacy, cybersecurity reporting requirements, and information sharing, retaining a cybersecurity attorney who is familiar with the minefield of conflicting legislation is crucial before rushing to disclose key information to regulators.

 
