Senators are drafting a bipartisan bill that would require a vast range of public and private entities to alert the government within 24 hours of a cyber security breach.
The proposal, drafted by Senators Mark Warner, Marco Rubio, and Susan Collins, follows a string of ransomware attacks on several organizations in the country.
The bill, obtained by CNN, would apply to US government agencies and federal contractors and critical infrastructure owners and operators, such as businesses in the manufacturing, energy, and financial services sectors.
By law, these organizations would have to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) of any breaches. The legislation would also require CISA to create a secure way to receive reports and include safeguards for organizations that send breach reports.
Under the proposed bill, DHS would create more rules with definitions and requirements associated with implementing the law. It would also be required to send annual reports to Congress about notifications.
Ilia Kolochenko, founder of ImmuniWeb, told ITPro that receiving breach reports for centralized investigation and prevention while providing companies with certain immunities for the disclosure is a wise and timely idea.
“Given the gigantic volume of data such legislation may create, CISA will certainly need a tenfold increase of its existing budget, otherwise, valuable threat intelligence information will just gather dust in CISA archives. Furthermore, interagency collaboration is to be enhanced and better organized to enable investigation and judicial prosecution of wrongdoers, something that CISA is not entitled to perform without the FBI and DOJ for example,” he said.
Kolochenko added that lawmakers would have to consider whether the new federal law will pre-empt existing state and federal laws, such as HIPAA or HITECH. These existing laws already incorporate mandatory breach notifications, but they focus primarily on notifying victims.
“Finally, the privacy question is crucial: many breach notifications may inadvertently disclose sensitive information about individuals including foreign citizens, or expose corporate trade secrets. Comprehensive data protection and privacy framework must be defined by CISA before requesting the data breach reports,” Kolochenko said.
-
The IT industry’s shift to circular, low-carbon solutionsMaximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition reviewReviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
UK cyber experts on red alert after Salt Typhoon attacks on US telcosAnalysis The UK could be next in a spate of state-sponsored attacks on telecoms infrastructure
-
Healthcare data breaches are out of control – here's how the US plans to beef up security standardsNews Changes to HIPAA security rules will require organizations to implement MFA, network segmentation, and more
-
The US could be set to ban TP-Link routersNews US authorities could be lining up the largest equipment proscription since the 2019 ban on Huawei networking infrastructure
-
US government IT contractor could face death penalty over espionage chargesNews The IT pro faces two espionage charges, each of which could lead to a death sentence or life imprisonment, prosecutors said
-
US identifies and places $10 million bounty on LockBit, Hive ransomware kingpinNews Mikhail Pavlovich Matveev was linked to specific ransomware attacks, including a 2021 raid on the DC police department
-
Breach at US Transportation Department exposes 240,000 employee recordsNews An investigation is underway into the breach, which affected former and current employee data
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
IRS mistakenly publishes 112,000 taxpayer records for the second timeNews A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accenture
