A bipartisan group of senators has presented a federal data breach notification law, the Cyber Incident Notification Act of 2021, that would require all federal agencies, contractors, and companies that operate critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of becoming aware of them.
Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) released the draft bill but have not yet formally introduced it in the Senate. The bill aims to address many of the problems exposed by recent cyberattacks on critical infrastructure, such as the SolarWinds Orion supply chain attack and the Colonial Pipeline and JBS ransomware attacks.
The objective of the new bill is to ensure prompt federal government awareness of cyber intrusions that present a danger to national security, which would allow the development of a common operating picture of national-level cyber threats. Entities detecting cyber threats must provide actionable cyber threat information, which will be shared with government and private sector entities and the public so that action can be taken promptly to address the threats.
Incidents that would qualify as major cybersecurity intrusions warranting notification are cyberattacks that:
- Involve or are believed to involve a nation-state.
- Involve or are believed to involve a transnational organized crime group.
- Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
- Could harm U.S. national security interests, foreign relations, or the American economy.
- Could impact CISA systems.
- Are likely to be of significant nationwide consequence.
- Use ransomware.
The draft bill requires notifications to include a description of the cybersecurity intrusion, the affected systems and networks, estimated dates on which the intrusion is believed to have occurred, a description of the vulnerabilities thought to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the threat actor. Notifications must also include any information that could help identify the threat actor, contact details so that federal agencies can reach the affected entity, and details of any actions taken to mitigate the threat.
The bill requires the Department of Homeland Security to work with other federal agencies to establish a set of reporting requirements and to harmonize those standards with the regulatory requirements in effect on the date of enactment.
Any covered entity that fails to report a cyber intrusion covered by the bill will be subject to penalties determined by the Administrator of the General Services Administration. Organizations violating the Cyber Incident Notification Act of 2021 may face a financial penalty of 0.5% of gross revenue for the prior year, and sanctions can include removal from federal contracting schedules.
Although the need for a national data breach notification law is clear, many previous attempts to introduce such a bill have failed to make it through the Senate. Besides this bill, a number of House members and Senators are known to be working on their own data breach notification bills.