Here's the text of the newly signed bill: <a href="https://www.congress.gov/bill/117th-congress/house-bill/2471/text" rel="nofollow">https://www.congress.gov/bill/117th-congress/house-bill/2471...</a><p>The ransomware reporting stuff is at the bottom; search for "ransom" and you'll find the section easily.<p>Note this is amending existing law, so think of it as a legal diff. There may be important context not presented in this text.
It's apparently "critical infrastructure operators", not all "firms".<p>> <i>sweeping cybersecurity legislation that will require critical infrastructure operators to quickly report data breaches and ransomware payments.</i><p>Pretty expansive though:<p>> <i>The agency lists 16 broad sectors spanning health, energy, food and transportation as critical to the U.S., although the new legislation is yet to spell out precisely which companies would be required to report cyber incidents.</i><p>This data will eventually become public. So long as the DHS database exists it will be hacked eventually.
I may be missing something, law is a pain to read, but I'm not seeing any penalty for failure to report being mentioned. So you must report or we'll be cross with you?
Enforcement will be what exactly?<p>How is a specific, impacting data loss explicitly tied to one company's compromise beyond a reasonable doubt when systems everywhere are "leaking"?<p>Having been involved in several financial compromise events dating back to the very earliest known, I find that more laws will in no way address the issue. Everyone drives the speed limit or under it too, correct? For those with experience in the financial banking realm, the rules often "apply to thee but not to me", and yet companies are still hiding compromise events, even those ‘compliant’. Companies joining the fintech rush are held to standards and requirements that cost significant sums of both time and money, all the while the large grandfathered entities and systems are allowed to continue not abiding by the same rules and laws those entities themselves set. Hypocrisy rolls on and exists everywhere, and I welcome the changes to level the playing field, but more laws are certain not to fix a problem which cannot be seen, since the function of vision in our species is the primary driver for nearly all we do. If it cannot be seen then it must not be a 'real' problem, so let's schedule more meetings to talk about it.<p>As the governments around the world continue to have meetings weekly, both publicly and privately, about the ever-growing cyber issue, I again reiterate that the problem lies at the source(code) and with those who write it. This is truly an issue that can only be solved through education of those writing code, and it cannot be solved tomorrow. Let's schedule another meeting to talk about it.
This is presumably based on the same reporting requirements that are stipulated in section 85 of GDPR: <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679&qid=1647443821579" rel="nofollow">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...</a>
Is there any evidence that DHS employs anyone who would even understand a report about a breach?<p>Making a report to police about a crime they won’t understand sounds extremely risky for the reporter.
Report every day, because you can't prove that you weren't, and you wouldn't want to be accused of failing to report or failing to detect later.