Cybersecurity Incident and Breach Reporting Requirements
A Visual Representation of Federal Policy, Rulemakings and Guidance
Over the past several years—and the last 365 days in particular—a flurry of new cybersecurity incident and breach reporting (CIBR) requirements have been introduced by federal government entities. This is a trend catalyzed in part by a number of major recent hacks and cyberattacks, but it is also part of a broader shift in our national understanding of the balance of responsibility and accountability in cybersecurity.
Simply put, in our digitally interconnected world—in which you may be a victim of a cyberattack even if you are not its target—CIBR requirements establish who has the right and who has the need to know when something goes wrong in a system.
But despite a consensus that cyberattacks—and the damage they cause—should be reported more often, there tends to be less agreement over the details of that reporting. For example, what is the threshold of severity at which an event should be reported? How quickly should it be reported? Which entities should report? And to whom?
The result is a patchwork of different policies, rulemakings and guidelines delivered by different levels of federal, state and sector-based authorities. And while many of these policies include a written mandate ordering rulemakings to deconflict with other ones, in practice, it is a wild world of diverse and sometimes competing requirements.
The chart below is our effort to track all public existing and proposed CIBR requirements that originate within the federal government or its components. Our intent is to serve as a one-stop resource to compare and contrast any U.S. federal government-imposed cyber incident or data breach reporting requirements.
The goal of this project is to facilitate improvements in this policy-making issue area by enabling stakeholders to:
- Better understand the current policy “baseline” of existing rulemakings
- Identify opportunities to harmonize competing requirements
- Move the conversation forward by analyzing trends, gaps and areas of disagreement
When possible, we analyze the reporting requirement or guidance that is at the lowest or most direct level of rulemaking—that is, the text that specifically lays out thresholds, timelines and authorities. If this implementing-level text has not yet been issued or is not public, we have substituted it with the law, policy or other authorizing document that underpins it. Some requirements may impact the federal government itself, contractors, sectors or the public.
The chart is up-to-date as of July 28, 2022. We will periodically update it with new laws and rulemakings as appropriate. (You can download an excel version here.)
State, local, tribal and territorial laws are not included. If those are your focus, we would direct you to this slightly dated but still excellent chart on state-by-state data breach laws published by Steptoe or to this (sortable!) version by the International Association of Privacy Professionals.
How to Read the Chart
- Column A: The name of the rulemaking or otherwise lowest-level and most directly actionable reporting requirement.
- Column B: The name of the entity responsible for devising, implementing and managing the reporting requirement.
- Column C: The name(s) of the law, policy or other text that authorized or mandated the creation of the reporting requirement, along with supplementary texts as relevant.
- Column D: The relevant year(s) that the reporting requirement was issued, came into effect or was substantially revised or modified.
- Column E: A brief overview of the scope or intent of the reporting requirement. Also specifies whether the requirement is an incident reporting requirement or a data breach reporting requirement.
- Columns F to H: These columns spell out the details of the reporting requirement, specifically to whom, for what and when.
This chart and accompanying analysis are intended for research purposes only and do not represent legal or financial advice. If you are a covered entity with reporting requirements, please speak with a lawyer or financial advisor.
Think we may have missed or misinterpreted a rulemaking? It’s entirely possible, as this is a rapidly evolving area in cybersecurity policy. Do us a favor and let the researchers Mary Brooks [email protected] and Sofia Lesmes [email protected] know and we will fix it.
You are welcome to reproduce this chart or use its data fully or in part, but please cite us and link to this page. You may also contact the R Street PR team ([email protected]). Example:
Mary Brooks and Sofia Lesmes, “Chart: Federal Cyber Incident and Breach Reporting,” The R Street Institute, updated July 28, 2022. https://www.rstreet.org/2022/06/22/cybersecurity-incident-and-breach-reporting-requirements/.
Please note: this chart is for research purposes only and should not be interpreted as