New Senate bill would force organizations to report cyber attacks within 24 hours
The law may overlap or override some state and local rules
Senators are drafting a bipartisan bill that would require a vast range of public and private entities to alert the government within 24 hours of a cyber security breach.
The proposal, drafted by Senators Mark Warner, Marco Rubio, and Susan Collins, follows a string of ransomware attacks on several organizations in the country.
The bill, obtained by CNN, would apply to US government agencies and federal contractors and critical infrastructure owners and operators, such as businesses in the manufacturing, energy, and financial services sectors.
By law, these organizations would have to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) of any breaches. The legislation would also require CISA to create a secure way to receive reports and include safeguards for organizations that send breach reports.
Under the proposed bill, DHS would create more rules with definitions and requirements associated with implementing the law. It would also be required to send annual reports to Congress about notifications.
Ilia Kolochenko, founder of ImmuniWeb, told ITPro that receiving breach reports for centralized investigation and prevention while providing companies with certain immunities for the disclosure is a wise and timely idea.
“Given the gigantic volume of data such legislation may create, CISA will certainly need a tenfold increase of its existing budget, otherwise, valuable threat intelligence information will just gather dust in CISA archives. Furthermore, interagency collaboration is to be enhanced and better organized to enable investigation and judicial prosecution of wrongdoers, something that CISA is not entitled to perform without the FBI and DOJ for example,” he said.
Kolochenko added that lawmakers would have to consider whether the new federal law will pre-empt existing state and federal laws, such as HIPAA or HITECH. These existing laws already incorporate mandatory breach notifications, but they focus primarily on notifying victims.
“Finally, the privacy question is crucial: many breach notifications may inadvertently disclose sensitive information about individuals including foreign citizens, or expose corporate trade secrets. Comprehensive data protection and privacy framework must be defined by CISA before requesting the data breach reports,” Kolochenko said.
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilienceFree Download
Cloud operational excellence
Everything you need to know about optimising your cloud operationsWatch now
A buyer’s guide to board management software
How the right software can improve your board’s performance
The real world business value of Oracle autonomous data warehouse
Lead with a 417% five-year ROIDownload now