§681d. Noncompliance with required reporting
(a) Purpose
In the event that a covered entity that is required to submit a report under section 681b(a) of this title fails to comply with the requirement to report, the Director may obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.
(b) Initial request for information
(1) In general
If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 681a(a) of this title, that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report such cyber incident or payment to the Agency in accordance with section 681b(a) of this title, the Director may request additional information from the covered entity to confirm whether or not a covered cyber incident or ransom payment has occurred.
(2) Treatment
Information provided to the Agency in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 681b of this title 1 including that section 681e of this title shall apply to such information in the same manner and to the same extent to information submitted in response to requests under paragraph (1) as it applies to information submitted under section 681b of this title.
(c) Enforcement
(1) In general
If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the covered entity from which such information was requested, or received an inadequate response, the Director may issue to such covered entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred and obtain the information required to be reported pursuant to section 681b of this title and any implementing regulations, and assess potential impacts to national security, economic security, or public health and safety.
(2) Civil action
(A) In general
If a covered entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena.
(B) Venue
An action under this paragraph may be brought in the judicial district in which the covered entity against which the action is brought resides, is found, or does business.
(C) Contempt of court
A court may punish a failure to comply with a subpoena issued under this subsection as contempt of court.
(3) Non-delegation
The authority of the Director to issue a subpoena under this subsection may not be delegated.
(4) Authentication
(A) In general
Any subpoena issued electronically pursuant to this subsection shall be authenticated with a cryptographic digital signature of an authorized representative of the Agency, or other comparable successor technology, that allows the Agency to demonstrate that such subpoena was issued by the Agency and has not been altered or modified since such issuance.
(B) Invalid if not authenticated
Any subpoena issued electronically pursuant to this subsection that is not authenticated in accordance with subparagraph (A) shall not be considered to be valid by the recipient of such subpoena.
(d) Provision of certain information to Attorney General
(1) In general
Notwithstanding section 681e(a)(5) of this title and paragraph (b)(2) of this section, if the Director determines, based on the information provided in response to a subpoena issued pursuant to subsection (c), that the facts relating to the cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide such information to the Attorney General or the head of the appropriate Federal regulatory agency, who may use such information for a regulatory enforcement action or criminal prosecution.
(2) Consultation
The Director may consult with the Attorney General or the head of the appropriate Federal regulatory agency when making the determination under paragraph (1).
(e) Considerations
When determining whether to exercise the authorities provided under this section, the Director shall take into consideration-
(1) the complexity in determining if a covered cyber incident has occurred; and
(2) prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.
(f) Exclusions
This section shall not apply to a State, local, Tribal, or territorial government entity.
(g) Report to Congress
The Director shall submit to Congress an annual report on the number of times the Director-
(1) issued an initial request for information pursuant to subsection (b);
(2) issued a subpoena pursuant to subsection (c); or
(3) referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).
(h) Publication of the annual report
The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director-
(1) issued an initial request for information pursuant to subsection (b); or
(2) issued a subpoena pursuant to subsection (c).
(i) Anonymization of reports
The Director shall ensure any victim information contained in a report required to be published under subsection (h) be anonymized before the report is published.
(
Editorial Notes
Amendments
2022-Subsec. (b)(2).