Proposed Ransom Disclosure Act

Written by: Alyssa Feliciano, Esq.

Representative Deborah Ross [D] and Senator Elizabeth Warren [D] proposed the Ransom Disclosure Act (“RSA”), to provide DHS with information regarding ransomware attacks and subsequent payments that are made by covered entities.  The goal of the RSA, according to Rep. Ross and Sen. Warren, is to provide DHS with data on these types of attacks, so the government can provide recommendations to minimize the damage in the future. At present, there is no federal requirement for businesses to report if they have paid due to ransomware attacks.

Below is an overview of who would be regulated and what the impact would be if the RSA passes.

Who will be covered under RSA:

1. 1. A public or private entity that is either:
      • engaged in interstate commerce or an activity affecting interstate commerce; or
      • receives federal funds
   2. Includes a local government
   3. Does not include individuals

Main requirements under RSA:

1. 1. Ransomware victims must disclose information about ransom payments no later than 48 hours after the date of payment. Must include:
      • the amount of ransom demanded and paid
      • the type of currency used for payment of the ransom
      • any known information about the entity demanding the ransom
   2. DHS must make the information disclosed public during the previous year.
      • excluding identifying information about the entities that paid ransoms.
   3. DHS must establish a website through which individuals can voluntarily report payment of ransoms.
   4. The Secretary of Homeland Security shall conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.

Penalties

Specific penalties are not indicated in RSA, however, it is noted that DHS will establish them by regulation for covered entities that fail to comply with the required disclosures.