A bipartisan Senate bill would require some companies to report data breaches to law enforcement within 24 hours or risk financial penalties and the loss of government contracts.
The legislation, sponsored by Senate Intelligence Chairman Mark Warner, a Democrat, together with Republican Senators Marco Rubio and Susan Collins, is just one of many new cybersecurity bills likely to be debated this year.
If passed, the bill could force some U.S. companies to do much more to protect their customer data, and it could impose heavy penalties on companies that fail to act.
What we know about the bill
Senator Warner previewed the bill during an Axios event on cybersecurity. Joined by cybersecurity policy experts, Warner set out his vision for more effective cybersecurity legislation.
“Congress must act… We are working on a bill that would require mandatory reporting if you are a critical infrastructure company or a federal government contractor or the government itself… What we have right now is simply a voluntary declaration.”
The text of the bill, although not yet publicly available, has been obtained by a number of major news outlets, including Politico and CNN.
The bill would apply to government agencies, federal contractors and “owners and operators of critical infrastructure,” including companies involved in manufacturing, power generation and financial services.
In addition to the 24-hour reporting requirement, businesses would also be required to continue sharing information for a period of 72 hours after reporting the breach.
The move follows a number of high-profile cyber attacks on critical U.S. infrastructure, including the breach of Colonial Pipeline, an event that shut down the largest fuel pipeline in the United States and caused fuel shortages on the East Coast. If passed, the bill will join a growing number of cybersecurity rules and regulations.
The United States Cyberspace Solarium Commission and the United States Department of Defense have also pushed for more effective cybersecurity policies within government and among the federal contractors who work closely with it.
There are currently no federal standards for cybersecurity breach notification, which defense experts say has prevented the country from effectively defending itself against cyber attacks.
What the bill requires of businesses
For companies that are already subject to stricter reporting laws – including U.S. pipeline companies, which are required by DHS to report breaches within 12 hours – the bill might not have as much of an impact if it is adopted. The stricter guidelines would take precedence over the more lax 24-hour reporting rule.
For many other businesses, however, the bill could dramatically change the way they are required to monitor and respond to data breaches and similar cybersecurity incidents.
According to CNN, the bill would require critical businesses to report data breaches directly to DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The legislation would require CISA to create a secure mechanism for the agency to receive these reports within 180 days of the bill coming into force.
The bill includes liability protections for companies that file data breach reports, immunizing them from lawsuits related to potentially embarrassing data released as part of that report.
Cybersecurity experts have said these protections are essential so that companies are not discouraged from coming forward once they discover a breach.
The bill also directs DHS to develop the additional definitions and requirements needed to implement the law.
How the bill can impact businesses
If a company detects a breach and does not report it to DHS, that company could face hefty penalties, which depend on whether it is covered by the bill and whether it holds federal contracts.
Companies covered by the bill that have no federal contracts would be subject to a penalty “equal to 0.5% per day of the entity’s gross income for the previous year.”
For companies covered by the bill that hold federal contracts, the bill itself does not specify the penalties. Instead, it directs the administrator of the General Services Administration to determine penalties, which may include removal from federal procurement schedules.
Federal agencies that violate the law would be referred to that agency’s inspector general, which would likely trigger an investigation of the agency.
The bill itself does not specify which breaches must be reported. Instead, it requires CISA to create rules specifying which breaches companies must report.
At a minimum, however, companies would need to report breaches involving foreign actors, ransomware attacks, incidents endangering national security, and a number of other incidents that may have “a significant national consequence.”
Washington’s push for new cybersecurity laws
Support for the bill in Congress is unclear, but there has been bipartisan support for new cybersecurity measures so far this year.
A significant number of cybersecurity bills have recently been introduced in Congress, including a bipartisan bill that would give states $500 million to strengthen their cyber defenses.
Similar legislative activity can also be observed at the state level, according to the National Conference of State Legislatures. To date, 45 states and Puerto Rico have introduced more than 250 bills or resolutions that “significantly deal with cybersecurity.”
Recent cybersecurity executive orders suggest that the Biden administration is also ready to take action on cybersecurity.
As of June 30, the bill has yet to be introduced and will have a long way to travel through Congress before it is enacted.
However, given the current high level of interest in cybersecurity – in part due to high-profile breaches like the Colonial Pipeline hack – companies likely to be affected by the bill should pay close attention to its progress through Congress.
If passed, the bill would significantly change expectations of how businesses must handle the reporting of a data breach.
Businesses Should Prepare for Stricter Cybersecurity Legislation
Either way, there is a growing bipartisan movement to improve the country’s cybersecurity defenses and cybersecurity policy.
Along with other data protection bills – like the IoT cybersecurity bill that was enacted last year, as well as state-level laws like the California Consumer Privacy Act (CCPA) – a number of cybersecurity bills are likely to be debated in Washington this year.
Businesses should be aware of state and federal government efforts to strengthen cyber defenses, and of bills that could impose heavy penalties on businesses that fail to properly disclose data breaches.
About the Author: Devin Partida is a cybersecurity and data privacy writer whose work is featured regularly on Yahoo! Finance, Entrepreneur, AT&T’s Cyber Security Blog and other well-known industry publications. She is also editor-in-chief of ReHack.com.
Editor’s Note: The views expressed in this guest author’s article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.