Skip to content

Firms Must Report Hacks to DHS in 72 Hours Under Law

  • Reporting breaches to DHS is mandatory under new law
  • U.S. currently lacks meaningful data about digital intrusions
Updated on

The $1.5 trillion government funding package that President Joe Biden signed Tuesday includes sweeping cybersecurity legislation that will require critical infrastructure operators to quickly report data breaches and ransomware payments.  

The new law mandates that companies report hacks to the U.S. Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. FBI officials last year estimated that the bureau has visibility into a quarter of cyber incidents, resulting in a government-wide lack of information about the nature of many data breaches, the tactics of cybercriminals and the U.S. industries that are most vulnerable.