US Lawmakers Look to Set Federal Cyber Breach Alert Standard

Following the string of recent high-profile cybersecurity attacks, a group of senators is leading a bipartisan effort to introduce legislation that would require select organizations to alert the government within 24 hours of a cybersecurity breach.

The effort is being led by Senator Mark Warner (D-Virginia), Senator Marco Rubio (R-Florida) and Senator Susan Collins (R-Maine) in response to the wave of recent high-profile cyber incidents, namely the Colonial Pipeline and JBS USA ransomware attacks, and the realization that critical infrastructure controls and supply chains are growing targets for cyber criminals.

The proposed bill would be the very first federal standard for cybersecurity breach notification and would apply to US government agencies, federal contractors, critical infrastructure owners and digital security firms. Covered organizations would be required to submit breach notification reports to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of a breach. Those who miss the 24-hour deadline would face loss of contracts and financial penalties, although the draft gives no specifics. The legislation also provides liability protections for participating organizations, shielding them from lawsuits associated with the submitted reports – a step that many cite as critical in driving compliance with the program.

The ability for organizations to have a safety net in exchange for disclosure is an important factor in the proposed legislation. Our Digital Forensics and Incident Response team knows firsthand how common it is for incident reports to never become public because there is no requirement to disclose them. More regulation around incident disclosure will likely result in raised awareness and shared case data that all industries can learn from.

If the bill passes, CISA will have 180 days to develop a secure reporting channel and process and to define the rules for when agencies and companies must report breaches, what information will be required and how the breach data will be archived. For transparency, the bill requires CISA to release summary reports to the public at least once a month to communicate cybersecurity threat trends and statistics. In addition, CISA would be required to provide annual reports to Congress tracking the program’s progress, industry trends, participation statistics and threat mitigation strategies.

While this would be the first federal standard, it is important to note that some industries already have established reporting requirements. The Transportation Security Administration recently imposed a 12-hour breach reporting requirement on U.S. pipeline companies following the Colonial Pipeline incident – the proposed legislation states that existing requirements such as these would take precedence over the federal 24-hour standard.

The bill is currently being circulated for feedback and is expected to be formally introduced in the Senate this week. This follows the White House’s Executive Order on strengthening cybersecurity, issued earlier in May.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.


© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
