Oberman Law Firm


Cybersecurity Update

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024.

Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours in the event that payment is made in response to a ransomware attack.

CISA proposes that qualifying cyber incidents are “substantial” cyber incidents that lead to:

1. a substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
2. a serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
3. a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
4. unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

CISA also proposes that a “covered entity” include entities:

1. within a critical infrastructure sector that exceed small business size standards specified by the U.S. Small Business Administration; or
2. subject to sector-specific standards that CISA proposes developing for critical infrastructure entities. CISA considers 16 sectors to be “critical infrastructure”: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; state, local, tribal, and territorial government coordinating council; transportation systems; and water and wastewater.

In the event a covered entity experiences one of the three above-listed reportable events, CISA proposes that a covered entity must submit reports through a web-based form, the “CIRCIA Incident Reporting Form,” that will be available on the reporting page of CISA’s website. The proposed rules would give CISA the enforcement power to issue a Request for Information (“RFI”) or a subpoena. Failure to comply with a subpoena could lead to a referral of the matter to the U.S. Attorney General to enforce compliance. Covered entities that knowingly and willfully make materially false or fraudulent statements or representations within or in connection with a CIRCIA Report, RFI Response, or reply to an administrative subpoena are subject to penalties.

About Us
Oberman Law Firm represents clients in a wide range of practice areas, including private equity, M&A, healthcare, corporate transactions, intellectual property, data privacy and security, regulatory compliance and governance, cross-border transactions, labor and employment, construction law, litigation, private clients’ services, corporate restructuring, and white-collar and governmental disputes.

As a firm, we offer the highest quality legal advice coupled with extraordinary and tailored service to deliver exceptional results to our clients. Our philosophy is to invest deeply in the brightest legal talent and build dynamic teams that operate at the pinnacle of respective practice areas. We believe in empowering our attorneys, encouraging entrepreneurialism, operating ethically and with integrity, and collaborating to bring the very best to every client engagement. These principles have guided us in building extraordinary and successful long-term partnerships with our clients.

Stuart J. Oberman is the founder and President of Oberman Law Firm. Mr. Oberman graduated from Urbana University and received his law degree from John Marshall Law School. Mr. Oberman has been practicing law for over 30 years, and before going into private practice, Mr. Oberman was in-house counsel for a Fortune 500 Company.