
The U.S.’s New Breach Reporting Law & What It Means for Incident Response Teams

Canopy Team March 21, 2022


On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law as part of the Consolidated Appropriations Act of 2022, an omnibus spending bill.

This landmark provision is a huge step for the United States toward regulating breach reporting requirements at the federal level and implementing consistent standards across the country. (Regulations previously varied widely by state and sector.) U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH) authored the law with bipartisan support — demonstrating the importance of national cybersecurity to both sides of the political aisle, particularly as cyber concerns rise from the Russian invasion of Ukraine.


A Quick Rundown

The Cyber Incident Reporting for Critical Infrastructure Act introduces two strict reporting deadlines in the U.S., requiring critical infrastructure owners and operators to report:

  • Within 72 Hours: Significant cyber incidents that are likely to cause harm
  • Within 24 Hours: Any ransomware payments

Critical infrastructure owners and operators must report to the Cybersecurity & Infrastructure Security Agency (CISA). The mandate applies to all sectors designated as “critical infrastructure” by CISA, including Communications, Energy, Healthcare, and Information Technology (IT).


What Is a Significant Cyber Incident?

Lawmakers define a significant cyber incident as an attack on an entity in a critical infrastructure sector that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.”


Strict Deadlines Require Faster Action

The Act’s 72-hour reporting requirement is in line with the EU’s General Data Protection Regulation (GDPR), which is known for having the strictest breach notification timeline worldwide. This is a substantial change from many states’ and territories’ timelines for notifying regulatory authorities, which range from vague language like “without unreasonable delay” to 30, 45, or even 60 days from the discovery of the cyber incident.

Does GDPR apply to your organization? Download our guide to find out & get 3 steps to achieve compliance.

Now, critical infrastructure organizations that experience a cyber attack must assess the incident’s scope, learn what information was potentially compromised, and determine whether the attack is considered a “significant cyber incident” — all within three days. This timeline may seem daunting, but it is necessary to control the impact of cyber attacks by coordinating responses across organizations and sectors. And it’s attainable with the right technology.

Knowing whether compromised data contains personally identifiable information (PII) is key in determining if a security incident is likely to cause harm. While keyword searching, regular expressions (regex), and other traditional methods for finding PII are slow and unreliable, Canopy’s Data Breach Response software uses AI and machine learning to detect PII with speed and precision.

Download our case study to see how Canopy processed 440 GB of compromised data & delivered a PII report in one day.

Canopy’s purpose-built software handles data processing and PII detection upfront, giving incident response teams the information they need to report significant cyber attacks. The software also streamlines PII review with powerful workflows, then uses AI to deduplicate identified people and PII into a consolidated entity list for breach notifications.


What’s Next for Breach Reporting Requirements?

CISA is not alone in its goal of consistent, federally enforced cyber standards. The U.S. Securities and Exchange Commission (SEC) also recently announced its intent to pursue a cybersecurity disclosure mandate for all public companies across the country. In a March 9, 2022 statement, SEC Chair Gary Gensler said that this mandate “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

Fast, accurate breach response isn’t just important for complying with regulations. It also helps organizations that experience cyber attacks to demonstrate their commitment to protecting sensitive data, thereby mitigating reputational harm and maintaining public trust. To learn more, download Canopy’s Guide to Effective Data Breach Response.


Read the full text of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 here.