Budget Law Requires Reporting of Hacks to Homeland Security

Although only one in seven businesses typically reports a cybersecurity hack to the federal government, that should change now that the recent budget and government funding law requires businesses in 16 sectors to report hacks to the Department of Homeland Security within 72 hours. The types of hacks that must be reported include data breaches and ransomware attacks and payments. Lawyers and law firms already have an ethical obligation under the Rules of Professional Conduct to report breaches, attacks and other cybersecurity incidents to clients whose data may have been affected. This law is far broader in its reach.

Under the funding package, signed on March 15, 2022 by President Biden, the reporting requirement applies to the “16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” as described by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA).

Although law firms are not among the 16 sectors, they represent and advise countless businesses that are directly affected, including those in the:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Systems Sector

The new cyber reporting obligations will not become effective until CISA promulgates rules to define the entities within the critical infrastructure sectors that will be impacted by this law and the types of substantial cyber incidents it covers. The law requires CISA to issue a notice of proposed rulemaking within 24 months from the date of the bill’s enactment and a final rule within 18 months of issuing the proposed rule.

Regardless, law firms need to take heed, not just to warn clients, but to recognize the importance of being prepared for, and reporting, cybersecurity hacks, including phishing, ransomware, and more. Not only must lawyers and law firms be aware of these situations, but they also have ethical obligations under the Rules of Professional Conduct. For example, the American Bar Association Center for Professional Responsibility issued Formal Opinion 483 in October 2018, which concluded that Model Rule 1.4 (“Communication”) requires lawyers to keep clients “reasonably informed” about the status of matters and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” The Opinion also concludes that lawyers have a duty to notify clients of breaches and to take other reasonable steps consistent with their obligations under the Rules of Professional Conduct whenever a data breach occurs involving, or having a substantial likelihood of involving, material client information. Thus, lawyers have always been required to notify clients. The new law requires many clients to notify CISA and other agencies.

At the Law Offices of Daniel J. Siegel, LLC and Integrated Technology Services, LLC, we are pioneers in the areas of techno-ethics and we regularly advise our lawyer and law firm clients about cybersecurity and related issues. If your firm needs such guidance, click here to send an email to Attorney Daniel J. Siegel, who is Chair of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility and regularly lectures and writes about techno-ethics, ethics, cybersecurity and other related topics.