Senators Introduce Federal Breach Notification Bill
Measure Requires Reporting Certain Cyber Incidents to CISA Within 24 Hours of Discovery
A bipartisan group of senators formally introduced a federal breach notification bill Wednesday that would require federal agencies, federal contractors and organizations that are considered critical to U.S. national security to report security incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of discovery.
Under the Cyber Incident Notification Act of 2021, companies that do not report an incident within 24 hours could face a maximum financial penalty equal to 0.5% of the previous year's gross revenue. The measure, however, allows for exceptions to the penalty, depending on the circumstances.
Some cybersecurity experts have said that it's unrealistic to expect organizations to report incidents within 24 hours of discovery because they need more time to properly assess an attack and determine if it meets the criteria for notification.
The bill also includes liability protections for those organizations reporting a breach to shield them from potential lawsuits that could come with disclosing this type of information. Another provision would allow organizations to anonymize personal data when they report a breach - another way to encourage victims to report incidents without revealing sensitive data.
Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., who are the chairman and ranking member, respectively, of the Senate Intelligence Committee, began circulating a draft of the bill last month. Susan Collins, R-Maine, signed on to the early version of the legislation, and as of Wednesday, a dozen other senators from both parties are now supporting the measure as well (see: Senators Draft a Federal Breach Notification Bill).
Many other national breach notification bills, which would have applied to a broader range of organizations, have failed to advance in Congress over the last several years. But the HIPAA Breach Notification Rule requires healthcare organizations to report breaches affecting 500 or more individuals within 60 days of discovery - with smaller breaches reported annually.
The federal breach notification bill comes in the wake of a series of significant security incidents, including the SolarWinds supply chain attack, the Colonial Pipeline Co. ransomware attack and the attacks on vulnerable Microsoft Exchange servers that the Biden administration attributed to China.
"The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target," Warner says. "We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
When the Department of Homeland Security rolled out new security requirements for pipelines on Tuesday, authorities noted that Chinese-linked attackers had conducted phishing campaigns against multiple oil and gas companies over several years (see: TSA Issues Cybersecurity Requirements for Pipelines).
Commenting on the legislative proposal, Rubio said: "It is critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible."
During some of the Congressional hearings into the SolarWinds supply chain attack, which led to follow-on attacks on about 100 companies and nine federal agencies, lawmakers noted there was no federal law to compel any of the victims to come forward (see: Senators Grill Cybersecurity Execs on SolarWinds Attack).
John Hellickson, cyber executive advisor at consulting firm Coalfire, praised the bill's provision calling for CISA to share risk mitigation strategies with companies that are attacked. But, he pointed out, "the usefulness of this collaboration will be if the information is provided back to the organization in a timely fashion in order to minimize the overall impact of such attacks."
The legislation introduced Wednesday is a modified version of the draft bill circulated last month.
For instance, the updated version of the bill now gives CISA two business days to respond to reports of an intrusion or an attack as well as to ask targeted victims for additional information about an incident. The timing was not specified in the earlier draft.
The bill released Wednesday, like the draft, defines what type of cybersecurity intrusion would trigger the 24-hour notification to CISA, including those that:
- Involve a nation-state attack, an advanced persistent threat actor or a transnational organized crime group that meets previous definitions published by the U.S. State Department;
- Could harm U.S. national security, including economic consequences;
- Could result in significant national consequences;
- Involve ransomware.
The version introduced this week, however, now defines the type of ransomware incident that would trigger the notification, such as an attack conducted by a nation-state actor or an advanced persistent threat group or one that would directly cause harm to U.S. national security.
The bill also requires CISA to consult with companies and other stakeholders before drafting additional rules.
The House is working on its own version of the bill, Bloomberg reports.
In other legislative activity, the House approved 13 cybersecurity-related bills on Tuesday and Wednesday that address issues ranging from providing more funding to help state and local governments address security concerns to making security improvements to the nation's critical infrastructure.
Among the bills to pass the House is the CISA Cyber Exercise Act, which could require CISA to establish a National Cyber Exercise program that would promote the testing and assessments of the resiliency of the nation's critical infrastructure to attack, and the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, which would require CISA to track and help mitigate vulnerabilities in industrial control systems.