United States: Congress Circulates A Federal Breach Notification Bill

Will increased Federal focus on cybersecurity change the data breach protocol for businesses?

A draft of a federal breach notification bill is currently circulating in Congress. Although not formally introduced to the Senate, the draft legislation requires federal agencies, federal contractors, private sector "critical infrastructure owners and operators," and companies that respond to cybersecurity incidents to report significant "cybersecurity intrusions" to DHS's Cybersecurity and Infrastructure Security Agency within 24 hours of discovery. Affected entities would be further required to disclose affected networks and the tactics employed in the incident, as well as provide regular updates. 

The draft bill seeks to address concerns raised by the recent string of significant ransomware attacks that have recently hit industry giants like SolarWinds. Successful attacks like these can lead to follow-on attacks on federal agencies and dozens of private sector entities. 

Sectors that could be subject to the legislation's current draft include: telecommunications, energy, healthcare, emergency services, financial services, food and agriculture, defense industrial base, critical manufacturing, government and commercial facilities, information technology, transportation, water systems, nuclear materials and waste systems, chemical, and dams.

"Cybersecurity intrusions" that would trigger the notification requirement include incidents involving:

• nation-state or trans-national organized crime group, 
• advanced persistent threat cyber actors, and
• ransomware, 

as well as incidents resulting in, or that have potential to result in:

• harm to national security interests, foreign relations, or the US economy, 
• harm to the public confidence, civil liberties, or public health and safety of US citizens,
• or otherwise likely to be of significant national consequence.

Private sector critical infrastructure owners and operators that fail to comply could face penalties of up to 0.5% of their gross revenue from the previous year; federal contractors would no longer be eligible for future contracts.

Currently, there is no comprehensive federal breach notification framework in place. Previously proposed bills have failed to pass in recent years, but rules and regulations that target specific industries have been and continue to be adopted. Financial institutions (under the GLBA) and healthcare organizations (under the HIPAA) are required to report significant breaches and cyber-based incidents, and the TSA is currently working on additional pipeline security regulations following the successful ransomware attack on an established pillar in the nation's energy industry.

While states have their own breach notification laws, they target specifically incidents that involve unauthorized access or disclosure of sensitive, personal information. Experts and ex-officials point out that the standard for data breach so broadly defined in the draft legislation would conflict with those found in state laws, upending individual states' notification requirements. However, even if unsuccessful, the draft bill may signal a pivot away from breach of personal data to a more general data breach as the benchmark, even in state laws.