Sound the alarm: Data breach reporting for critical infrastructure

Cyber incident reporting is quickly becoming a critical component of cyber preparedness. During our recent webinar, Sound the Alarm: Data Breach Reporting for Critical Infrastructure, attorneys Heather Shumaker and Lucia Argento explored evolving federal reporting requirements, which organizations may be subject to them, and how businesses can prepare to meet reporting obligations while responding to an incident.

Critical infrastructure may be broader than you think

One of the webinar's key themes was the broad scope of "critical infrastructure." While sectors such as healthcare, energy, government services, and financial services are obvious examples, organizations that support these industries through technology, cloud services, logistics, or other operational functions may also fall within scope. As a result, organizations should assess whether their services support critical infrastructure and understand what reporting requirements may apply.

Reporting must be built into incident response

Federal regulators are increasingly focused on receiving timely information about significant cyber incidents. Because reporting timelines often begin before investigations are complete, organizations need processes that allow them to evaluate incidents, make reporting decisions, and communicate with regulators while containment and recovery efforts are still underway.

Preparation is essential

Organizations should establish clear escalation procedures, define decision-making authority, and identify the information that may be required for reporting before an incident occurs. Maintaining updated contact lists, preserving evidence, and conducting tabletop exercises can help teams respond more effectively when faced with tight reporting deadlines.

Understand reporting triggers

Not every cybersecurity event is reportable, but organizations should have a framework for determining when an incident crosses the threshold. Heather and Lucia noted that ransomware attacks, disruptions to critical systems, and other incidents that materially affect operations are among the events most likely to trigger reporting obligations. In some cases, actions taken during response—such as making a ransomware payment—may create separate reporting requirements.

Reporting readiness is an operational capability

Organizations that perform best during a cyber incident treat reporting as an extension of incident response rather than a standalone compliance exercise. By aligning security, legal, compliance, communications, and executive stakeholders around a defined process, businesses can meet reporting obligations, reduce regulatory risk, and maintain stakeholder confidence during a crisis.
