Senators Draft a Federal Breach Notification Bill
Bipartisan Legislation Would Require Notifying CISA Within 24 Hours of a Breach Discovery
A bipartisan group of senators is circulating a draft of a federal breach notification bill that would require federal agencies, federal contractors and businesses that have oversight over the nation's critical infrastructure to report significant cyberthreats to the U.S. Cybersecurity and Infrastructure Security Agency within 24 hours of discovery.
Businesses that fail to meet the requirement would face a financial penalty equal to 0.5% of gross revenue from the previous year, according to the draft.
Some security experts, however, say the 24-hour notification deadline would not give organizations enough time to fully assess the severity of an attack.
Many previous national breach notification bills, which would have applied to a broader range of organizations, have failed to advance in Congress in recent years.
The HIPAA Breach Notification Rule requires healthcare organizations to report breaches affecting 500 or more individuals within 60 days of discovery, with smaller breaches reported annually.
The draft bill is being circulated by Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., who are the chairman and ranking member, respectively, of the Senate Intelligence Committee, as well as by Sen. Susan Collins, R-Maine.
The draft legislation, not yet formally introduced in the Senate, seeks to address some of the issues that have come to light since a recent string of major ransomware attacks, including those targeting Colonial Pipeline Co. and meat processor JBS, and the SolarWinds supply chain attack, which led to follow-on attacks on nine federal agencies and 100 companies.
The Senate Intelligence Committee has been investigating the SolarWinds attack and other cyber incidents since the start of this year (see: Senate SolarWinds Hearing: 4 Key Issues Raised).
Push for Legislation
"In order to deter these intrusions, we will need to accurately attribute them and hold our adversaries accountable," Warner said during an Intelligence Committee hearing in April. "The SolarWinds hack offered a stark reminder that there is no [federal] requirement to report breaches of critical infrastructure."
Chris Painter, who served as the State Department’s top cyber official during the Obama administration, says he hopes this week's summit in Geneva between U.S. President Joe Biden and Russian President Vladimir Putin will help spur some action on a federal breach notification law (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
"It's ludicrous that we still don't have a national data breach reporting bill. … If there's a major data breach, especially among the critical infrastructure sectors, you should have to report it," notes Painter, who now serves on the board of the Center for International Security.
The Draft's Provisions
The draft bill would require federal agencies, government contractors and businesses that have oversight over the nation's critical infrastructure to inform CISA, which is part of the Department of Homeland Security, within 24 hours of the discovery of a breach or a significant "cybersecurity intrusion."
The notification law would also apply to "nongovernmental entities that provide cybersecurity incident response services," the draft notes.
The draft also seeks to define what type of cybersecurity intrusion would trigger the 24-hour notification to CISA. These circumstances would include incidents that:
- Involve a nation-state attack, an advanced persistent threat actor or a transnational organized crime group that meets previous definitions published by the U.S. State Department;
- Could harm U.S. national security, including economic consequences;
- Could result in significant national consequences;
- Involve ransomware.
The reporting requirements in the draft legislation seem unrealistic, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"The definitional requirements for 'intrusion' are that the act has been performed by a nation-state or transnational organized group," says Hamilton, now the CISO of CI Security. "It's fascinating that, within 24 hours, victims are required to determine whether the actor is affiliated with or supported by a nation-state. This seems a pretty tall hill to climb."
The bill would allow CISA to work with other federal agencies, such as the Office of the Director of National Intelligence, the Office of Management and Budget and others to write specific rules about which organizations would have to report intrusions. For now, Hamilton says, the bill lacks detail.
"I see nothing about using the information in any other way than tracking and addressing nation-state actors," he says. "A section in the rule-making process about the dissemination of aggregate reporting to covered entities and sectors writ large would be helpful."
Other lawmakers are working on similar federal legislation.
For instance, The Washington Post reports that Sen. Rob Portman, R-Ohio, who is the ranking member of the Senate Homeland Security Committee, is working on a proposal. That committee oversees CISA.
Several members of the House are also considering draft legislation that would require organizations and federal agencies to report breaches and other cyber incidents (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).