[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2926 Introduced in Senate (IS)]

117th CONGRESS
  1st Session
                                S. 2926

 To require certain entities to disclose to the Secretary of Homeland 
           Security ransom payments, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 4, 2021

  Ms. Warren introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To require certain entities to disclose to the Secretary of Homeland 
           Security ransom payments, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. DISCLOSURE OF RANSOM PAYMENTS.

    (a) Definitions.--In this section:
            (1) Covered entity.--The term ``covered entity''--
                    (A) means a public or private entity that--
                            (i) is engaged in interstate commerce or an 
                        activity affecting interstate commerce; or
                            (ii) receives Federal funds;
                    (B) includes a local government; and
                    (C) does not include an individual.
            (2) Information system.--The term ``information system'' 
        has the meaning given such term in section 3502 of title 44, 
        United States Code.
            (3) Ransom.--The term ``ransom'' means money or other thing 
        of value demanded by an actor from a covered entity or 
        individual after such actor gains control of an information 
        system of such entity or individual.
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
    (b) Disclosure Required.--Not later than 7 days after the date on 
which a covered entity pays a ransom, the entity shall disclose to the 
Secretary, in accordance with subsection (b), such payment.
    (c) Contents.--A disclosure made under subsection (b) shall 
include, with respect to the ransom at issue, the following:
            (1) The date on which such ransom was demanded.
            (2) The date on which such ransom was paid.
            (3) The amount of such ransom demanded.
            (4) The amount of such ransom paid.
            (5) An identification of the currency, including if 
        cryptocurrency, used for payment of such ransom.
            (6) Whether the covered entity that paid such ransom 
        receives Federal funds.
            (7) Any known information regarding the identity of the 
        actor demanding such ransom.
    (d) Noncompliance.--The Secretary shall establish by regulation 
appropriate penalties for a covered entity that fails to make a 
disclosure required under subsection (b).
    (e) Public Availability.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act and annually thereafter, the 
        Secretary shall publish on a publicly available website of the 
        Department of Homeland Security the information disclosed under 
        subsection (b) during the preceding 1-year period, including 
        the total dollar amount of ransoms paid by covered entities 
        during such period.
            (2) Exclusion of identifying information.--Information that 
        reveals the identity of a covered entity that made a disclosure 
        under subsection (b) shall be excluded from the information 
        published under paragraph (1).
    (f) Study and Report on Ransom Commonalities.--
            (1) Study.--The Secretary shall conduct a study to 
        determine if--
                    (A) there are commonalities with respect to the 
                information disclosed under subsection (b); and
                    (B) the extent to which cryptocurrency has 
                facilitated the kinds of attacks that resulted in the 
                payment of ransoms by covered entities.
            (2) Report.--Not later than 15 months after the date of the 
        enactment of this Act, the Secretary shall submit to Congress a 
        report that includes--
                    (A) the findings of the study conducted under 
                paragraph (1); and
                    (B) such recommendations as the Secretary considers 
                appropriate for protecting the information systems of 
                covered entities.
    (g) Individual Reporting.--
            (1) In general.--Not later than December 21, 2021, the 
        Secretary shall establish a website through which individuals 
        may voluntarily report the payment of a ransom by the 
        individual.
            (2) Incorporation of data.--To the greatest extent 
        practicable, the Secretary shall incorporate data from 
        reporting by individuals under paragraph (1) in--
                    (A) the information published under subsection (e); 
                and
                    (B) the study conducted under subsection (f).
    (h) Applicability.--This section shall apply to ransoms paid on or 
after the date that is 90 days after the date of the enactment of this 
Act.