New Senate bill would force organizations to report cyber attacks within 24 hours

Data Breach overlaying a circuitboard

Senators are drafting a bipartisan bill that would require a vast range of public and private entities to alert the government within 24 hours of a cyber security breach.

The proposal, drafted by Senators Mark Warner, Marco Rubio, and Susan Collins, follows a string of ransomware attacks on several organizations in the country.

The bill, obtained by CNN, would apply to US government agencies and federal contractors and critical infrastructure owners and operators, such as businesses in the manufacturing, energy, and financial services sectors.

By law, these organizations would have to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) of any breaches. The legislation would also require CISA to create a secure way to receive reports and include safeguards for organizations that send breach reports.

Under the proposed bill, DHS would create more rules with definitions and requirements associated with implementing the law. It would also be required to send annual reports to Congress about notifications.

Ilia Kolochenko, founder of ImmuniWeb, told ITPro that receiving breach reports for centralized investigation and prevention while providing companies with certain immunities for the disclosure is a wise and timely idea.

“Given the gigantic volume of data such legislation may create, CISA will certainly need a tenfold increase of its existing budget, otherwise, valuable threat intelligence information will just gather dust in CISA archives. Furthermore, interagency collaboration is to be enhanced and better organized to enable investigation and judicial prosecution of wrongdoers, something that CISA is not entitled to perform without the FBI and DOJ for example,” he said.

Kolochenko added that lawmakers would have to consider whether the new federal law will pre-empt existing state and federal laws, such as HIPAA or HITECH. These existing laws already incorporate mandatory breach notifications, but they focus primarily on notifying victims.

“Finally, the privacy question is crucial: many breach notifications may inadvertently disclose sensitive information about individuals including foreign citizens, or expose corporate trade secrets. Comprehensive data protection and privacy framework must be defined by CISA before requesting the data breach reports,” Kolochenko said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.