View all text of Part D [§ 681 - § 681g]
§ 681d. Noncompliance with required reporting
(a) Purpose
(b) Initial request for information
(1) In general
(2) Treatment
(c) Enforcement
(1) In general
(2) Civil action
(A) In general
(B) Venue
(C) Contempt of court
(3) Non-delegation
(4) Authentication
(A) In general
(B) Invalid if not authenticated
(d) Provision of certain information to Attorney General
(1) In general
(2) Consultation
(e) Considerations
When determining whether to exercise the authorities provided under this section, the Director shall take into consideration—
(1) the complexity in determining if a covered cyber incident has occurred; and
(2) prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.
(f) Exclusions
(g) Report to Congress
The Director shall submit to Congress an annual report on the number of times the Director—
(1) issued an initial request for information pursuant to subsection (b);
(2) issued a subpoena pursuant to subsection (c); or
(3) referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).
(h) Publication of the annual report
The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director—
(1) issued an initial request for information pursuant to subsection (b); or
(2) issued a subpoena pursuant to subsection (c).
(i) Anonymization of reports
(Pub. L. 107–296, title XXII, § 2244, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1049; amended Pub. L. 117–263, div. G, title LXXI, § 7143(e)(2), Dec. 23, 2022, 136 Stat. 3664.)