(Updates throughout with additional reporting.)
Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.
Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.
The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday.
“This has been a bicameral, bipartisan work product that passed unanimously in the Senate,” Peters said. “It has the broadest support that you can possibly get.”
The $1.5 trillion government funding package is set for a House vote later on Wednesday, with lawmakers also planning to vote on another stopgap funding bill that continues government funding at current levels through March 15, to give the Senate time to deal with the full-year legislation.
The bill would impose requirements to report hacks and ransomware on critical infrastructure owners. The provisions have taken on new urgency as lawmakers and U.S. businesses worry about Russian cyberattacks in response to escalating sanctions imposed for invading Ukraine.
Companies operating in critical infrastructure sectors, such as energy and communications, would have to report hacks to the government within 72 hours, or 24 hours if a ransomware payment is made.
Businesses will be looking to closely collaborate and communicate with the government to ensure their plans satisfy the new requirements, said Cinthia Granados Motley, global data privacy and information security director at Dykema Gossett PLLC, a law firm.
“If you’re an organization that hasn’t dealt with this before, you’re going to have a lot of work to do,” Motley said. For example, companies will have to ramp up data breach simulations to test if they can meet the “really tight” reporting turnaround, she said.
To contact the reporter on this story: Maria Curi at firstname.lastname@example.org