§681d — Title 6 Domestic Security | U.S. Code

Summary

The Director can get information if a company or other required organization does not report a cyberattack or ransom payment as they are supposed to. The Director will first ask the organization directly for details. If the organization does not reply or gives an incomplete reply within 72 hours of that request, the Director may issue a subpoena to force the organization to turn over the needed information. The Director must issue subpoenas personally (they cannot give that power to someone else). Electronic subpoenas must have a secure digital signature so the recipient can tell they are real; unsigned electronic subpoenas are not valid. If an organization ignores a subpoena, the Director can ask the Attorney General to go to federal court to enforce it, and a court can hold the organization in contempt. Information given after a request is treated the same as an official report and gets the same handling. If the subpoenaed facts could lead to a regulatory action or criminal case, the Director may share the information with the Attorney General or the proper federal regulator and may consult them first. The rules do not apply to State, local, Tribal, or territorial government entities. Each year the Director must tell Congress how many times they asked for information, issued subpoenas, or referred matters to the Attorney General, and must publish a version of that report online with any victim details removed or anonymized.

Title 6, §681d

Domestic Security — Source: USLM XML via OLRC

(a)In the event that a covered entity that is required to submit a report under section 681b(a) of this title fails to comply with the requirement to report, the Director may obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.

(b)(1)If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 681a(a) of this title, that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report such cyber incident or payment to the Agency in accordance with section 681b(a) of this title, the Director may request additional information from the covered entity to confirm whether or not a covered cyber incident or ransom payment has occurred.

(2)Information provided to the Agency in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 681b of this title 11 So in original. Probably should be followed by a comma. including that section 681e of this title shall apply to such information in the same manner and to the same extent to information submitted in response to requests under paragraph (1) as it applies to information submitted under section 681b of this title.

(c)(1)If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the covered entity from which such information was requested, or received an inadequate response, the Director may issue to such covered entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred and obtain the information required to be reported pursuant to section 681b of this title and any implementing regulations, and assess potential impacts to national security, economic security, or public health and safety.

(2)(A)If a covered entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena.

(B)An action under this paragraph may be brought in the judicial district in which the covered entity against which the action is brought resides, is found, or does business.

(C)A court may punish a failure to comply with a subpoena issued under this subsection as contempt of court.

(3)The authority of the Director to issue a subpoena under this subsection may not be delegated.

(4)(A)Any subpoena issued electronically pursuant to this subsection shall be authenticated with a cryptographic digital signature of an authorized representative of the Agency, or other comparable successor technology, that allows the Agency to demonstrate that such subpoena was issued by the Agency and has not been altered or modified since such issuance.

(B)Any subpoena issued electronically pursuant to this subsection that is not authenticated in accordance with subparagraph (A) shall not be considered to be valid by the recipient of such subpoena.

(d)(1)Notwithstanding section 681e(a)(5) of this title and paragraph (b)(2) of this section, if the Director determines, based on the information provided in response to a subpoena issued pursuant to subsection (c), that the facts relating to the cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide such information to the Attorney General or the head of the appropriate Federal regulatory agency, who may use such information for a regulatory enforcement action or criminal prosecution.

(2)The Director may consult with the Attorney General or the head of the appropriate Federal regulatory agency when making the determination under paragraph (1).

(e)When determining whether to exercise the authorities provided under this section, the Director shall take into consideration—

(1)the complexity in determining if a covered cyber incident has occurred; and

(2)prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.

(f)This section shall not apply to a State, local, Tribal, or territorial government entity.

(g)The Director shall submit to Congress an annual report on the number of times the Director—

(1)issued an initial request for information pursuant to subsection (b);

(2)issued a subpoena pursuant to subsection (c); or

(3)referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).

(h)The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director—

(1)issued an initial request for information pursuant to subsection (b); or

(2)issued a subpoena pursuant to subsection (c).

(i)The Director shall ensure any victim information contained in a report required to be published under subsection (h) be anonymized before the report is published.

Notes & Related Subsidiaries

Editorial Notes

Amendments

2022—Subsec. (b)(2). Pub. L. 117–263 inserted “including that section 681e of this title shall apply to such information in the same manner and to the same extent to information submitted in response to requests under paragraph (1) as it applies to information submitted under section 681b of this title” after “section 681b of this title”.

§681d Noncompliance with Required Reporting

Summary

Title 6, §681d

Notes & Related Subsidiaries

Editorial Notes

Amendments

Citations & Metadata