S. 2926 (117th): A bill to require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.


The text of the bill below is as of Oct 4, 2021 (Introduced). The bill was not enacted into law.


II

117th CONGRESS

1st Session

S. 2926

IN THE SENATE OF THE UNITED STATES

October 4, 2021

introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.

1. Disclosure of ransom payments

(a) Definitions

In this section:

(1) Covered entity

The term covered entity

(A) means a public or private entity that—

(i) is engaged in interstate commerce or an activity affecting interstate commerce; or

(ii) receives Federal funds;

(B) includes a local government; and

(C) does not include an individual.

(2) Information system

The term information system has the meaning given such term in section 3502 of title 44, United States Code.

(3) Ransom

The term ransom means money or other thing of value demanded by an actor from a covered entity or individual after such actor gains control of an information system of such entity or individual.

(4) Secretary

The term Secretary means the Secretary of Homeland Security.

(b) Disclosure required

Not later than 7 days after the date on which a covered entity pays a ransom, the entity shall disclose to the Secretary, in accordance with subsection (b), such payment.

(c) Contents

A disclosure made under subsection (b) shall include, with respect to the ransom at issue, the following:

(1) The date on which such ransom was demanded.

(2) The date on which such ransom was paid.

(3) The amount of such ransom demanded.

(4) The amount of such ransom paid.

(5) An identification of the currency, including if cryptocurrency, used for payment of such ransom.

(6) Whether the covered entity that paid such ransom receives Federal funds.

(7) Any known information regarding the identity of the actor demanding such ransom.

(d) Noncompliance

The Secretary shall establish by regulation appropriate penalties for a covered entity that fails to make a disclosure required under subsection (b).

(e) Public availability

(1) In general

Not later than 1 year after the date of the enactment of this Act and annually thereafter, the Secretary shall publish on a publicly available website of the Department of Homeland Security the information disclosed under subsection (b) during the preceding 1-year period, including the total dollar amount of ransoms paid by covered entities during such period.

(2) Exclusion of identifying information

Information that reveals the identity of a covered entity that made a disclosure under subsection (b) shall be excluded from the information published under paragraph (1).

(f) Study and report on ransom commonalities

(1) Study

The Secretary shall conduct a study to determine if—

(A) there are commonalities with respect to the information disclosed under subsection (b); and

(B) the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities.

(2) Report

Not later than 15 months after the date of the enactment of this Act, the Secretary shall submit to Congress a report that includes—

(A) the findings of the study conducted under paragraph (1); and

(B) such recommendations as the Secretary considers appropriate for protecting the information systems of covered entities.

(g) Individual reporting

(1) In general

Not later than December 21, 2021, the Secretary shall establish a website through which individuals may voluntarily report the payment of a ransom by the individual.

(2) Incorporation of data

To the greatest extent practicable, the Secretary shall incorporate data from reporting by individuals under paragraph (1) in—

(A) the information published under subsection (e); and

(B) the study conducted under subsection (f).

(h) Applicability

This section shall apply to ransoms paid on or after the date that is 90 days after the date of the enactment of this Act.