

117 HR 5501 IH: Ransom Disclosure Act
U.S. House of Representatives
2021-10-05
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



I117th CONGRESS1st SessionH. R. 5501IN THE HOUSE OF REPRESENTATIVESOctober 5, 2021Ms. Ross introduced the following bill; which was referred to the Committee on Energy and CommerceA BILLTo require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.1.Short titleThis Act may be cited as the Ransom Disclosure Act.2.Disclosure of ransom payments(a)DefinitionsIn this section:(1)Covered entityThe term covered entity—(A)means a public or private entity that—(i)is engaged in interstate commerce or an activity affecting interstate commerce; or(ii)receives Federal funds;(B)includes a local government; and(C)does not include an individual.(2)Information systemThe term information system has the meaning given such term in section 3502 of title 44, United States Code.(3)RansomThe term ransom means money or other thing of value demanded by an actor from a covered entity or individual after such actor gains control of an information system of such entity or individual.(4)SecretaryThe term Secretary means the Secretary of Homeland Security.(b)Disclosure requiredNot later than 48 hours after a covered entity pays a ransom, the covered entity shall disclose to the Secretary, in accordance with subsection (b), such payment. (c)ContentsA disclosure made under subsection (b) shall include, with respect to the ransom at issue, the following: (1)The date on which such ransom was demanded.(2)The date on which such ransom was paid.(3)The amount of such ransom demanded.(4)The amount of such ransom paid.(5)An identification of the currency, including if cryptocurrency, used for payment of such ransom.(6)Whether the covered entity that paid such ransom receives Federal funds.(7)Any known information regarding the identity of the actor demanding such ransom.(d)NoncomplianceThe Secretary shall establish by regulation appropriate penalties for a covered entity that fails to make a disclosure required under subsection (b).(e)Public availability(1)In generalNot later than 1 year after the date of the enactment of this Act and annually thereafter, the Secretary shall publish on a publicly available website of the Department of Homeland Security the information disclosed under subsection (b) during the preceding 1-year period, including the total dollar amount of ransoms paid by covered entities during such period.(2)Exclusion of identifying informationInformation that reveals the identity of a covered entity that made a disclosure under subsection (b) shall be excluded from the information published under paragraph (1).(f)Study and report on ransom commonalities(1)StudyThe Secretary shall conduct a study to determine—(A)if there are commonalities with respect to the information disclosed under subsection (b); and(B)the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities.(2)ReportNot later than 15 months after the date of the enactment of this Act, the Secretary shall submit to Congress a report that includes—(A)the findings of the study conducted under paragraph (1); and(B)such recommendations as the Secretary considers appropriate for protecting the information systems of covered entities.(g)Individual reporting(1)In generalNot later than 60 days after the date of enactment of this Act, the Secretary shall establish a website through which individuals may voluntarily report the payment of a ransom by the individual.(2)Incorporation of dataTo the greatest extent practicable, the Secretary shall incorporate data from reporting by individuals under paragraph (1) in—(A)the information published under subsection (e); and(B)the study conducted under subsection (f).(h)ApplicabilityThis section shall apply to ransoms paid on or after the date that is 90 days after the date of the enactment of this Act.