On Wednesday July 21, 2021, Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins, (R-ME) introduced the Cyber Incident Notification Act of 2021 (CINA).
Under CINA, federal agencies, federal contractors, and critical infrastructure companies (Covered Entities) would need to notify the Cybersecurity and Infrastructure Security Agency (CISA) within twenty four hours of discovery of a cyber intrusion or a potential cyber intrusion. Moreover, under CINA, Covered Entities would need to provide regular seventy two-hour updates to CISA until the cyber intrusion has been mitigated.
Covered Entities who report to CISA under CINA will be afforded certain protections regarding their reports, including the report not being admissible as evidence into any resulting criminal or civil actions and being exempt to subpoenas, except for those directly coming from Congress.
CINA provides that Covered Entities who fail to report a cyber intrusion to CISA are subject to penalties determined by the Administrator of the General Services Administration (GAO), including but not limit to removal from Federal Contracting Schedules. Additionally, CINA also provides that Covered Entities who fail to report cyber intrusions to CISA may be “subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”
Octillo closely monitors changes in laws governing cybersecurity incidents and breaches of system security, including those which affect government contractors and suppliers. Octillo’s team of attorneys and technologists are especially entuned with both responding to a data breach and understanding what a robust cybersecurity program would entail. Octillo will continue to monitor CINA as it makes its way through the Senate and an update accordingly.
*Attorney Advertising. Prior results do not guarantee future outcomes.
Subscribe to our Newsletter.