Takeaway: Uncertainties over threats of cyberattacks resulted in both the House and Senate passing CIRCIA, which created an opportunity for whistleblowers to come forward under the False Claims Act with information about agencies and contractors failing to report cybersecurity breaches in a timely manner. Following CIRCIA, Congress voted to pass the Better Cybercrime Metrics Act to help analyze the effectiveness of cybercrime reporting.
President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on March 15, 2022.[1] This Bipartisan Act, which passed both the House and Senate after fears of retaliatory cyberattacks from Russia, requires owners and operators of critical infrastructure to report specific incidents to the Cybersecurity Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. These two obligations require:
These reporting requirements are not in effect immediately, and companies have some time to put the proper reporting systems in place. Once in effect, this Act creates an opportunity for potential whistleblowers who have knowledge of a failure to report cybersecurity breaches to CISA in a timely manner. Whistleblowers can take advantage of a failure to report under the False Claims Act through a Qui Tam lawsuit.
Following the passage of CIRCIA, on March 30, 2022, the Senate and House both voted to pass the Better Cybercrime Metrics Act. The Bill now sits on President Biden’s desk for his signage into law. This Act was inspired by the attacks on the Colonial Pipeline in 2021 and would improve the reporting on the effectiveness of federal government cybercrime investigations.[4]
[1] Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).
[2] H.R. 2471 § 2242(a)(1)(A).
[3] H.R. 2471 § 2242(a)(2)(A).
[4] https://thehill.com/policy/cybersecurity/600357-house-sends-bipartisan-cybercrime-bill-to-biden/