Bill Chizek - stock.adobe.com

US Senate mulling bill on data breach notifications

The Senate Intelligence Committee introduced a bill that would require federal agencies and companies providing critical infrastructure to report network breaches to DHS.

The U.S. Senate is considering a bill that would require government agencies, contractors and critical infrastructure providers to notify the Department of Homeland Security when they suffer a network breach or other data security incident.

Dubbed the Cyber Incident Notification Act of 2021, the data breach notification bill already has bipartisan backing from a number of powerful senators, including Select Committee on Intelligence chair Mark Warner (D-Va.) and members Marco Rubio (R-Fla.) and Susan Collins (R-Maine). Among the 12 other Senators backing the bill are Dianne Feinstein (D-Calif.), Richard Burr (R-N.C.), Roy Blunt (R-Mo.) and Kirsten Gillibrand (D-N.Y.).

Should it be passed and signed, the bill would mandate that all federal agencies, as well as federal contractors and companies tasked with managing critical infrastructure, contact the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of experiencing any sort of "cybersecurity intrusion" as defined by the agency.

Additionally, it would provide those who promptly report incidents with "limited immunity," according to the bill. CISA would also be tasked with setting up privacy safeguards to prevent the company's private data and customer or client personally identifiable information from being exposed during the course of the investigation and response.

The senators behind the bill made no secret of the motivation behind the act, pointing to the SolarWinds breach as an indication that companies, particularly those who are tasked with managing critical infrastructure and federal contractors, require a strict set of requirements around when and how to report network breaches and malware attacks.

"The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target," Warner said in a statement introducing the bill.

"We shouldn't be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."

Collins, meanwhile, called the bill "common sense and longer overdue."

"Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure," Collins declared.

The SolarWinds network intrusion led to threat actors gaining control of the vendor's Orion remote monitoring platform and sending poisoned software updates that lead to thousands of customers, including federal agencies and major technology companies, being infected with backdoor access tools that were in turn used to siphon off their own critical data.

The breach was eventually attributed to state-sponsored hackers operating out of Russia, a revelation that further raised tensions between the U.S. and Russia. 

Next Steps

Hackers selling access to breached networks for $10,000

T-Mobile breach exposes data for more than 40M people

T-Mobile offers details of data breach that affected 40M

Dig Deeper on Security operations and management

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close