Following the string of recent high-profile cybersecurity attacks, a group of senators is leading a bipartisan effort to introduce legislation that would require select organizations to alert the government within 24 hours of a cybersecurity breach.
The effort is being led by Senator Mark Warner (D-Virginia), Senator Marco Rubio (R-Florida) and Senator Susan Collins (R-Maine) in response to the wave of recent high-profile cyber incidents, namely the Colonial Pipeline and JBS USA ransomware attacks, and the realization that critical infrastructure controls and supply chains are growing targets for cyber criminals.
The proposed bill would be the very first federal standard for cybersecurity breach notifications and would apply to US government agencies, federal contractors, critical infrastructure owners and digital security firms. Impacted organizations would be required to submit breach notification reports to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of a breach. Those who violate the 24-hour deadline would face loss of contracts and financial penalties, although no specifics are in the draft. The legislation also provides liability defenses for participating organizations that would protect them from lawsuits associated with the submitted reports – a step that many cite as critical in driving compliance with the program.
The ability for organizations to receive a safety net in exchange for disclosure is an important factor in the proposed legislation. Our Digital Forensics and Incident Response team knows firsthand how common it is for incident reports to never be made public because no requirement compels it. More regulation around incident disclosure will likely result in raised awareness and shared use case data for all industries to learn from.
If the bill passes, CISA will then have 180 days to develop a secure channel and process and define the rules for when agencies and companies are to report breaches, what information will be required and how to archive the breach data. For transparency, the bill requires CISA to release summary reports to the public at least once a month to help communicate cybersecurity threat trends and statistics. In addition, CISA would be required to provide annual reports to Congress tracking the program’s progress, industry trends, participation statistics and threat mitigation strategies.
While this would be the first federal standard, it is important to note that some industries already have established reporting guidelines. The Transportation Security Administration recently enforced a 12-hour breach reporting requirement on U.S. pipeline companies following the Colonial Pipeline incident – the proposed legislation states that existing requirements such as these would take precedence over the federal 24-hour standard.
The bill is currently being shared for feedback and is planned to be formally introduced to the Senate this week. This follows the White House’s recent Executive Order introduced earlier in May focused on strengthening cybersecurity.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.