Cybersecurity Incident Reporting for Critical Infrastructure Act: Reporting Timeframes, Liability Protection, Enforcement
Security Controls, Incident Response Team, Communication Plans, Evidence Preservation, Legal and Evidentiary Privileges

Course Details
- Format: On-Demand
- Difficulty Level
- Practice Area: Corporate Law
- Date: Thursday, June 30, 2022
- Time: 1:00 p.m. ET/10:00 a.m. PT
- Program Length: 90 minutes
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
This CLE course will discuss the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The panel will address when businesses must report to the Cybersecurity and Infrastructure Security Agency (CISA), the reporting timeframes, liability protections, and enforcement. The panel will discuss how this new regulation will affect data governance and incident response plans.
Faculty

Mr. Desai is a cybersecurity, data privacy, and white collar defense and government investigations attorney. He has extensive experience in handling cyber intrusions and data breaches, trade secret thefts, emerging technology matters and complex white collar investigations. With a computer science and physics background, Mr. Desai has the skills and knowledge to advise companies on novel issues at the intersection of law, technology and data privacy. He is also a Certified Information Privacy Professional in the United States (CIPP/US) with the International Association of Privacy Professionals (IAPP). Mr. Desai is a former federal prosecutor in the Cyber and National Security Section and the Economic Crimes Section at the U.S. Attorney's Office for the Western District of Pennsylvania.

Mr. Christensen is a former CIA officer and diplomat. He is a national security law practitioner, focusing on cybersecurity and data protection, export controls and sanctions and national security reviews of mergers, acquisitions, and investments. Mr. Christensen combines his experience as a former CIA officer, a diplomat with the US Mission to the OECD in France, and an attorney to shape and inform the advice he provides to clients on enterprise risks involving cybersecurity, national security, and complex international business matters. He has overseen many serious cybersecurity incidents, including ones involving nation state threat actors and organized criminal groups employing ransomware.

Working with corporations of all sizes, as well as insurers and their insureds, Mr. Jones handles the litigation needs of his clients from the claims stage through to litigation. He is experienced with a variety of matters, including privacy and data security. Mr. Jones also works with clients to avoid the pitfalls of litigation altogether by managing risk and implementing privacy plans that fit their unique needs. He is a frequent author and lecturer on many aspects of the law.
Description
CIRCIA, passed as part of the omnibus spending bill on Mar. 15, 2022, will require critical infrastructure companies--which could include financial services companies, energy companies, and other key businesses for which a disruption would impact economic security or public health and safety--to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
CIRCIA establishes reporting requirements for entities that (1) have experienced a "covered cyber incident" and (2) meet the definition of a "covered entity." "Covered entity" is not yet fully defined, but will likely include those that belong to any of the 16 critical infrastructure sectors defined by DHS.
CIRCIA also clearly establishes the timing involved when a report must be made and includes limited liability protection for entities that report an incident to CISA.
CIRCIA does provide an exception for entities that are already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, as long as there is an agreement in place between CISA and the other agency. State breach reporting obligations and reports to European privacy regulators will likely not trigger the exception, and organizations filing such reports likely will still need to report to CISA.
Listen as our expert panel discusses the new obligations under CIRCIA, best practices for mitigating the risks of noncompliance, and the likely outcome of regulation under this Act.
Outline
- Cyber Incident Reporting for Critical Infrastructure Act
- Cybersecurity and Infrastructure Security Agency
- Defined terms
- Covered cyber event
- Covered entity
- Timing
- Continued reporting
- Liability protection
- Confidentiality
- Exceptions to reporting requirement
- Mitigating risks and best practices
Benefits
The panel will address these and other important issues:
- What is the history of CIRCIA and its regulatory agency?
- How is "covered entity" defined in CIRCIA?
- What risks are associated with failure to report in a timely manner?
- What exceptions to reporting exist under CIRCIA?