Law Marketing Topics for March 30, 2022
New federal cybersecurity legislation will create thorny compliance obligations for many businesses.
New substantive legislation from Congress is rare. Legislation that imposes new compliance obligations on businesses is rarer still. So when Congress actually does pass such legislation, law firms with business clients should not pass up the opportunity to publish information that broadly outlines the new compliance landscape and suggests steps businesses might take to minimize legal and competitive risks.
President Biden signed one of these laws on March 15 — the Cyber Incident Reporting for Critical Infrastructure Act (scroll down to “Division Y--Cyber Incident Reporting For Critical Infrastructure Act of 2022”). The measure was rolled into a large defense authorization bill.
The new law requires businesses that are part of the country’s critical infrastructure to report cyber incidents within 72 hours and ransomware payments within 24 hours. That’s a short deadline for most companies, and there are a host of thorny business and legal considerations to be weighed in deciding when, how, and whether to report cyber attacks to the government ... and possibly the general public.
There’s also an upcoming rulemaking proceeding by the Cybersecurity and Infrastructure Security Agency that will decide which types of businesses will be required to report significant cyber incidents to the federal government. Firms with government relations practices will want to explain to current and prospective clients their interest in participating in that rulemaking.
If your law firm has business clients, the Cyber Incident Reporting for Critical Infrastructure Act is a golden opportunity to drive home the value of good legal advice on significant new federal legislation.