A new bill would require ransomware victims to report payments within 48 hours

It's one of numerous pieces of legislation under consideration in Congress.
Senator Elizabeth Warren (D-MA) listens during a Senate hearing at the Hart Senate Office Building on September 28, 2021 in Washington, DC. (Photo by Matt McClain-Pool/Getty Images)

Democrats introduced legislation in the House and Senate Tuesday requiring ransomware victims who pay hackers to notify the Department of Homeland Security within 48 hours of payment.

The bill would also require DHS to release a report publicly disclosing information about payments from the prior year. The report would not include identifying information about victims. The legislation, which was introduced in the Senate by Elizabeth Warren, D-Mass, also directs DHS to study the role cryptocurrency plays in ransomware attacks and produce recommendations for improving cybersecurity.

“The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back,” said Rep. Deborah Ross, D-N.C., who introduced the legislation in the House. “The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”

The bill is the most recent in a collection of cybersecurity incident notification bills under consideration in Congress. The House Homeland Security Committee is considering legislation that would give DHS’s Cybersecurity and Infrastructure Security Agency the authority to write incident reporting rules for critical infrastructure victims, with a reporting deadline that could be no shorter than 72 hours after a breach.
The Senate Committee on Homeland Security & Governmental Affairs, meanwhile, marks up its incident notification bill on Wednesday. The bill would require critical infrastructure owners and operators to report cyber incidents within 72 hours, and a wider range of organizations to report a ransomware payment.

Sen. Mark Warner, D-Va., has introduced a competing bill that would require critical infrastructure owners, cybersecurity incident response firms, and federal contractors to report cyber incidents to DHS within 24 hours.

Department of Homeland Security Secretary Alejandro Mayorkas, CISA director Jen Easterly and U.S. Cyber Command commander Gen. Paul Nakasone have all come out in favor of incident reporting requirements.

In September, the Treasury Department issued an update to its 2020 ransomware guidance that strongly discourages paying ransomware or extortion demands. The advisory encourages victims to report incidents to law enforcement and says that such cooperation would be considered in weighing whether to pursue sanctions enforcement against victims who decide to pay.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.