117 S2926 IS: To require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.
U.S. Senate
2021-10-04
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.Disclosure of ransom payments(a)In this section:(1)The term covered entity—(A)means a public or private entity that—(i)is engaged in interstate commerce or an activity affecting interstate commerce; or(ii)receives Federal funds;(B)includes a local government; and(C)does not include an individual.(2)The term information system has the meaning given such term in section 3502 of title 44, United States Code.(3)The term ransom means money or other thing of value demanded by an actor from a covered entity or individual after such actor gains control of an information system of such entity or individual.(4)The term Secretary means the Secretary of Homeland Security.(b)Not later than 7 days after the date on which a covered entity pays a ransom, the entity shall disclose to the Secretary, in accordance with subsection (b), such payment. (c)A disclosure made under subsection (b) shall include, with respect to the ransom at issue, the following: (1)The date on which such ransom was demanded.(2)The date on which such ransom was paid.(3)The amount of such ransom demanded.(4)The amount of such ransom paid.(5)An identification of the currency, including if cryptocurrency, used for payment of such ransom.(6)Whether the covered entity that paid such ransom receives Federal funds.(7)Any known information regarding the identity of the actor demanding such ransom.(d)The Secretary shall establish by regulation appropriate penalties for a covered entity that fails to make a disclosure required under subsection (b).(e)(1)Not later than 1 year after the date of the enactment of this Act and annually thereafter, the Secretary shall publish on a publicly available website of the Department of Homeland Security the information disclosed under subsection (b) during the preceding 1-year period, including the total dollar amount of ransoms paid by covered entities during such period.(2)Exclusion of identifying informationInformation that reveals the identity of a covered entity that made a disclosure under subsection (b) shall be excluded from the information published under paragraph (1).(f)Study and report on ransom commonalities(1)The Secretary shall conduct a study to determine if—(A)there are commonalities with respect to the information disclosed under subsection (b); and(B)the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities.(2)Not later than 15 months after the date of the enactment of this Act, the Secretary shall submit to Congress a report that includes—(A)the findings of the study conducted under paragraph (1); and(B)such recommendations as the Secretary considers appropriate for protecting the information systems of covered entities.(g)(1)Not later than December 21, 2021, the Secretary shall establish a website through which individuals may voluntarily report the payment of a ransom by the individual.(2)To the greatest extent practicable, the Secretary shall incorporate data from reporting by individuals under paragraph (1) in—(A)the information published under subsection (e); and(B)the study conducted under subsection (f).(h)This section shall apply to ransoms paid on or after the date that is 90 days after the date of the enactment of this Act.