New Senate bill would force organizations to report cyber attacks within 24 hours

The law may overlap or override some state and local rules


Senators are drafting a bipartisan bill that would require a vast range of public and private entities to alert the government within 24 hours of a cyber security breach.

The proposal, drafted by Senators Mark Warner, Marco Rubio, and Susan Collins, follows a string of ransomware attacks on several organizations in the country.

The bill, obtained by CNN, would apply to US government agencies, federal contractors, and critical infrastructure owners and operators, such as businesses in the manufacturing, energy, and financial services sectors.

By law, these organizations would have to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) of any breaches. The legislation would also require CISA to create a secure way to receive reports and include safeguards for organizations that send breach reports.

Under the proposed bill, DHS would create more rules with definitions and requirements associated with implementing the law. It would also be required to send annual reports to Congress about notifications.

Ilia Kolochenko, founder of ImmuniWeb, told ITPro that receiving breach reports for centralized investigation and prevention while providing companies with certain immunities for the disclosure is a wise and timely idea.

“Given the gigantic volume of data such legislation may create, CISA will certainly need a tenfold increase of its existing budget, otherwise, valuable threat intelligence information will just gather dust in CISA archives. Furthermore, interagency collaboration is to be enhanced and better organized to enable investigation and judicial prosecution of wrongdoers, something that CISA is not entitled to perform without the FBI and DOJ for example,” he said.

Kolochenko added that lawmakers would have to consider whether the new federal law will pre-empt existing state and federal laws, such as HIPAA or HITECH. These existing laws already incorporate mandatory breach notifications, but they focus primarily on notifying victims.

“Finally, the privacy question is crucial: many breach notifications may inadvertently disclose sensitive information about individuals, including foreign citizens, or expose corporate trade secrets. A comprehensive data protection and privacy framework must be defined by CISA before requesting the data breach reports,” Kolochenko said.
