A bipartisan Senate bill would require some businesses to report data breaches to law enforcement within 24 hours or face financial penalties and the loss of government contracts.
The legislation, from Senate Intelligence Chair and Democratic Senator Mark Warner along with Republican Senators Marco Rubio and Susan Collins, is just one of several new cybersecurity bills that will likely be debated this year.
If passed, the bill could require certain U.S. businesses to do much more to protect their customers’ data, and it may levy serious penalties against businesses that fail to act.
What We Know About the Draft Bill
Senator Warner previewed the bill during an Axios event on cybersecurity. Joined by experts on cybersecurity policy, Warner laid out his vision for more effective cybersecurity legislation.
“Congress needs to act … We are working on a bill that would require mandatory reporting if you are a critical infrastructure company or a federal government contractor or the government itself … What we have right now is simply voluntary reporting.”
The text of the draft bill, while not publicly available yet, has been obtained by a number of major news networks including Politico and CNN.
The bill would apply to government agencies, federal contractors, and “critical infrastructure owners and operators” including businesses involved in manufacturing, energy production, and financial services.
In addition to the 24-hour reporting requirement, businesses would also be required to continue sharing information for a 72-hour period after the breach is reported.
The move follows a number of high-profile cyberattacks on essential U.S. infrastructure including the Colonial Pipeline breach, an event which took down the largest fuel pipeline in the United States and caused fuel shortages across the East Coast. If passed, the legislation would join a growing number of cybersecurity rules and regulations.
The U.S. Cyberspace Solarium Commission and Department of Defense have also pushed for more effective cybersecurity policies within the government and among the federal contractors that work closely with it.
There is currently no federal standard on cybersecurity breach notifications, which defense experts say has prevented the country from effectively defending itself against cyberattacks.
What the Bill Requires From Businesses
For businesses that are already subject to stricter reporting laws — including U.S. pipeline companies, which are required by DHS to report breaches within 12 hours — the bill may not have much of an impact if passed. The stricter guidelines would take precedence over the more lax 24-hour reporting rule.
For many other businesses, however, it could significantly change how they are required to monitor and respond to data breaches and to similar cybersecurity incidents.
The draft bill, according to reporting from CNN, would require essential businesses to report data breaches directly to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The legislation would require CISA, within 180 days of the bill becoming law, to create a secure mechanism for receiving these reports.
The bill includes liability protections for businesses that come forward with data breach reports, immunizing them from lawsuits related to potentially embarrassing data released as part of that report.
Cybersecurity experts have said that these protections are essential to avoid discouraging companies from coming forward once they recognize a breach.
The bill also directs DHS to develop additional definitions and requirements that will make implementing the law possible.
How the Bill May Impact Businesses
If a business detects a breach and fails to report it to DHS, it could face steep penalties. Those penalties depend on whether the business is covered under the bill and whether it holds federal contracts.
Businesses covered under the bill without federal contracts will be subject to a penalty “equal to 0.5% per day of the entity’s gross revenue from the prior year.”
For businesses covered under the bill with government contracts, the draft bill itself does not specify penalties. Instead, it directs the Administrator of the General Services Administration to determine penalties, which may include removal from federal contracting schedules.
Federal agencies that violate the law will be referred to the inspector general for that agency, likely triggering an inspection of the agency.
The bill itself does not spell out the circumstances in which a breach must be reported. Instead, it requires CISA to create rules specifying which breaches businesses need to report.
At a minimum, however, businesses will need to report breaches involving foreign actors, ransomware attacks, incidents that endanger national security, and a number of other incidents likely to be “of significant national consequence.”
Washington’s Push for New Cybersecurity Laws
It isn’t clear how much support there is for the bill in Congress, but there has been bipartisan support for new cybersecurity measures so far this year.
A significant amount of cybersecurity legislation has been recently introduced to Congress — including one bipartisan bill that would give states $500 million to bolster their cyber defenses.
Similar legislative activity can be seen at the state level, as well, according to the National Conference of State Legislatures. To date, 45 states and Puerto Rico have introduced more than 250 bills or resolutions that “deal significantly with cybersecurity.”
Recent executive orders on cybersecurity suggest the Biden administration is also ready to take action on cybersecurity.
As of June 30th, the bill hasn’t been introduced yet and will have to take a long path through Congress before being signed into law.
However, because there is so much interest in cybersecurity right now — due in part to high-profile breaches like the Colonial Pipeline hack — businesses that may be impacted by the bill should pay close attention to its movement through Congress.
If passed, the bill would have a serious impact on expectations of how businesses should deal with reporting in the wake of a data breach.
Businesses Should Prepare for Stricter Cybersecurity Legislation
In any case, there is a growing bipartisan movement to improve the nation’s cybersecurity defenses and cybersecurity policy.
Along with other data-protection bills — like the IoT cybersecurity bill that was signed into law last year as well as state-level bills like the California Consumer Privacy Act (CCPA) — a number of cybersecurity bills will likely be debated in Washington this year.
Businesses should be aware of state and federal efforts to bolster cyber defenses and bills that could levy serious penalties against businesses that fail to properly disclose data breaches.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.