Federal Breach Notification Bills: Cybersecurity Pros Should Pay Attention

For the past decade, U.S. lawmakers from both parties have introduced, debated and ultimately failed to pass a federal breach notification law that would require private businesses and government agencies to report a serious cybersecurity incident or attack.

The closest Congress has come to requiring reporting of the loss of sensitive personal data is the HIPAA Breach Notification Rule, which requires healthcare organizations to report breaches affecting 500 or more individuals within 60 days of discovery. Smaller breaches are reported annually under the law.

Now, with the cyberespionage campaign that targeted users of SolarWinds’ Orion network monitoring platform, as well as several recent and high-profile ransomware attacks (including the May incident involving Colonial Pipeline Co.), lawmakers are again debating a federal breach notification bill—and the odds that one passes have increased, as cybersecurity is seen as one of the few nonpartisan issues in Washington, D.C.

Currently, there are two versions of a federal breach notification bill under consideration in the U.S. Senate. One measure is sponsored by Sen. Mark Warner, D-Va., the chairman of the Intelligence Committee, along with Marco Rubio, R-Fla., the ranking member, and several others. The second piece of legislation has the backing of Sens. Gary Peters and Rob Portman, the leaders of the Homeland Security and Governmental Affairs Committee.

The House has also proposed its own breach notification bill, which has now been included in its version of the annual National Defense Authorization Act.

Each measure has its differences. For instance, the Senate bill backed by Warner and Rubio would require government agencies and businesses of a certain size to report a cyber incident within 24 hours, while the other Senate bill would push the notification period to between 72 hours and a week depending on the circumstances. The House bill, which was seen as more business-friendly when it was initially debated in September, would also offer a 72-hour timeframe to report. 

All three bills also agree that the U.S. Cybersecurity and Infrastructure Security Agency would likely oversee the incident reporting infrastructure, with CISA tapped to draft specific rules, such as how large an attack or breach needs to be to require reporting. The one Senate bill gives the cyber agency the ability to subpoena a business if it fails to report an incident or a payment that is made to a ransomware gang.

“The competing Senate and House bills will eventually be reconciled now that both have passed their respective chambers, with the main difference being whether or not ransom payments will also be required as reportable,” Mike Hamilton, the former vice chair for the Department of Homeland Security’s State, Local, Tribal, and Territorial Government Coordinating Council, told Dice. 

“The 72-hour reporting requirement makes more sense than a 24-hour standard from the perspective of being able to report accurate information rather than conjecture in the middle of a firefight; generally little is known after the first 24 hours apart from the fact that, ‘it happened,’” said Hamilton, who is now CISO of security firm Critical Insight.

Changing Attitudes

These various bills come at a time when large-scale cyber threats are on the rise and enterprises and government agencies look for ways to build more resilient IT systems and applications that can withstand and contain an attack (or return to operations even if there’s an incident).

The issue of transparency and how much organizations can and should reveal is also hotly debated. As some lawmakers have pointed out during these discussions: If FireEye didn’t publicly report that the company was targeted by the SolarWinds attackers, the incident might not have come to light when it did.

“This is a continuation of the growing realization defenders are experiencing that transparency is fundamental to internet resilience, consumer trust and robust responses to attacks,” Casey Ellis, founder and CTO at bug bounty firm Bugcrowd, told Dice. “Mandatory reporting will add overhead for organizations who haven’t yet thought this through. However, ultimately, this external communications piece should, and normally is, a part of your typical incident response playbook—which is something every organization should have in place.”

If reconciled and passed into law, federal breach notification legislation is likely to mean that organizations, especially those that work closely with the U.S. government, are due for increased scrutiny. This also means that IT and security teams are likely to have greater responsibility for product security and development, internal controls and the process in place used to identify and report incidents, said Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI’s New York office.

In addition to CISA, Berglas noted that organizations can expect greater contact during investigations with the likes of the Department of Justice, FBI and the Securities and Exchange Commission—putting additional responsibility on the shoulders of IT and security teams to ensure incidents are properly documented.

“This increased scrutiny and proposed—very aggressive—reporting timelines will require companies to ensure they have robust visibility across the company as well as real-time network and endpoint monitoring in order to rapidly identify threats and make timely reporting to CISA,” Berglas, now the global head of professional services at cybersecurity firm BlueVoyant, told Dice. 

“Failure to do so may now incur additional financial penalties and loss of the ability to contract with the federal government, in addition to the massive damage an unidentified incident can do to your organization,” Berglas added. “Tracking these new requirements and ensuring compliance will no doubt fall within the purview of risk managers who are already tracking requirements from other regulatory bodies.”

Speeding Up Reporting

What seems clear is that reporting of security incidents is likely to speed up, either with the passage of federal law or due to other steps that the Biden administration is taking to ensure that the owners and operators of critical infrastructure increase their cyber protections.

The increasing scrutiny of critical infrastructure, including the industrial control systems that help oversee and protect these networks, is likely to give both the government and operators greater insight into vulnerabilities that could be exploited, Hamilton said: “Changing this regulation will mean greater visibility into infrastructure operations that have historically been opaque to even the operators.”

A major challenge, however, is ensuring that smaller organizations that have less IT and security staff can keep up with either new laws or added regulations imposed by the White House, said Andrew Barratt, vice president for technology and enterprise at security consulting firm Coalfire.

“One of the challenges is that extreme timeframes on reporting incidents can detract from the importance of the incident management process itself, particularly for smaller organizations or those who don’t currently have retained support or a team that can handle the event,” Barratt told Dice. “Oftentimes one of the biggest hurdles to overcome when we are engaged in forensics or incident response is that the [non-disclosure agreement] and contracting time severely eat into the time that should be spent containing and eradicating a threat.”