II
117th CONGRESS
1st Session
S. 2926
IN THE SENATE OF THE UNITED STATES
October 4, 2021
Ms. Warren introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
A BILL
To require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.
Disclosure of ransom payments
Definitions
In this section:
Covered entity
The term covered entity—
means a public or private entity that—
is engaged in interstate commerce or an activity affecting interstate commerce; or
receives Federal funds;
includes a local government; and
does not include an individual.
Information system
The term information system has the meaning given such term in section 3502 of title 44, United States Code.
Ransom
The term ransom means money or other thing of value demanded by an actor from a covered entity or individual after such actor gains control of an information system of such entity or individual.
Secretary
The term Secretary means the Secretary of Homeland Security.
Disclosure required
Not later than 7 days after the date on which a covered entity pays a ransom, the entity shall disclose to the Secretary, in accordance with subsection (b), such payment.
Contents
A disclosure made under subsection (b) shall include, with respect to the ransom at issue, the following:
The date on which such ransom was demanded.
The date on which such ransom was paid.
The amount of such ransom demanded.
The amount of such ransom paid.
An identification of the currency, including if cryptocurrency, used for payment of such ransom.
Whether the covered entity that paid such ransom receives Federal funds.
Any known information regarding the identity of the actor demanding such ransom.
Noncompliance
The Secretary shall establish by regulation appropriate penalties for a covered entity that fails to make a disclosure required under subsection (b).
Public availability
In general
Not later than 1 year after the date of the enactment of this Act and annually thereafter, the Secretary shall publish on a publicly available website of the Department of Homeland Security the information disclosed under subsection (b) during the preceding 1-year period, including the total dollar amount of ransoms paid by covered entities during such period.
Exclusion of identifying information
Information that reveals the identity of a covered entity that made a disclosure under subsection (b) shall be excluded from the information published under paragraph (1).
Study and report on ransom commonalities
Study
The Secretary shall conduct a study to determine if—
there are commonalities with respect to the information disclosed under subsection (b); and
the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities.
Report
Not later than 15 months after the date of the enactment of this Act, the Secretary shall submit to Congress a report that includes—
the findings of the study conducted under paragraph (1); and
such recommendations as the Secretary considers appropriate for protecting the information systems of covered entities.
Individual reporting
In general
Not later than December 21, 2021, the Secretary shall establish a website through which individuals may voluntarily report the payment of a ransom by the individual.
Incorporation of data
To the greatest extent practicable, the Secretary shall incorporate data from reporting by individuals under paragraph (1) in—
the information published under subsection (e); and
the study conducted under subsection (f).
Applicability
This section shall apply to ransoms paid on or after the date that is 90 days after the date of the enactment of this Act.
