During an uncommon Friday legislative session, the U.S. Senate passed legislation aimed at mitigating any adverse effects of future cyberattacks on American companies. S. 3600, the Strengthening American Cybersecurity Act of 2022,is a mini-omnibus bill that combines three pieces of legislation previously introduced in the Senate that sought to improve information security.

Of the three bills contained within S. 3600, the Cyber Incident Reporting Act (CIRA) is the bill that is likely to have the largest impact on the promotional products industry. CIRA requires certain entities that encounter a cyber incident to report the incident to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and alert that same agency about ransomware payments within 24 hours. Covered entities include organizations identified as existing within one of 16 critical infrastructure sectors. The Commercial Facilities Sector is of particular concern to the promotional products industry because it includes office buildings.

The Senate passed S. 3600 via unanimous consent, which is indicative of broad bipartisan support for the policy. The bill is widely expected to pass the House of Representatives as well, considering the House already passed similar legislation in 2021. After passage by the House, the bill would have to be signed by the president before being enacted into law.

PPAI staff is also tracking efforts by the bill’s sponsor, Senator Gary Peters, to include this new cybersecurity legislation in the huge omnibus federal spending bill that must be passed in Congress this week to avoid a federal government shutdown. Although CIRA is atypically prescriptive, the reporting requirements created by the bill would be developed through the normal regulatory progress by the CISA director, consisting of a Notice of Proposed Rulemaking listed in the Federal Register, a public commenting period, and the issuance of a final rule to clarify the details relating to compliance with the bill’s mandates.