Senate breach disclosure bill targets agencies, contractors, infrastructure

A bipartisan bill introduced by the leaders of the Senate Intelligence Committee sets up a 24-hour deadline for infrastructure operators, federal contractors and federal agencies to report confirmed cybersecurity breaches and ransomware attacks.

Mark Warner SSI hearing flickr

Sen. Mark Warner at an SSCI hearing

A bipartisan bill introduced by the leaders of the Senate Intelligence Committee sets up a 24-hour deadline for infrastructure operators, federal contractors and federal agencies to report confirmed cybersecurity breaches and ransomware attacks.

The Cyber Incident Notification Act of 2021, sponsored by Sens. Mark Warner (D-Va.), Marco Rubio (R-Fla.) and Susan Collins (R-Maine) establishes a new set of breach disclosure requirements and a new reporting system with classified capabilities to support the timely notification of cybersecurity incidents – especially those traceable to known state-sponsored threat groups – to the Cybersecurity and Information Security Agency at the Department of Homeland Security.

"The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target," Warner said in a statement. "We shouldn't be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."

Currently there is no federal breach notification law. Companies that collect and store personally identifiable information online are subject to a patchwork of state laws. Certain critical infrastructure sectors are subject to reporting requirements under federal regulations. Additionally, the Biden administration's May executive order on cybersecurity instituted a reporting requirement for federal contractors and announced plans to update contract language to specify precise requirements.

The bill mandates the creation of a Cyber Intrusion Reporting Capabilities system that is authorized to receive and store classified information. The system must also be equipped to receive notifications from any source – whether they are a covered entity under the legislation or not. The bill seeks to harmonize existing reporting requirements for sector-specific industrial categories so that CISA can become a clearinghouse to receive notifications from the full range of covered entities.

Lawmakers set a few key requirements for what kinds of breaches and even potential breaches are covered, focusing on attacks from state or state-sponsored actors, transnational criminal groups, any attack targeting or affecting a federal system and attacks "likely to be of significant national consequence" or resulting or potentially resulting in "demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States."

The new bill explicitly covers federal contractors with some exceptions, and authorizes the head of CISA to levy civil fines against firms that do not meet disclosure requirements. Fines can go as high as one half of one percent of the firm's prior year gross revenues for each day a violation continues. By that measure, a firm with $10 billion in annual gross revenue could face fines of up to $50 million a day for violations of the reporting requirements in the bill.

Federal contractors who are found to have violated the reporting requirements are also subject to additional penalties to be assessed by the head of the General Services Administration, including being removed from the federal schedule. Federal agencies who violate the reporting timeline will be subject to "urgent" inspector general probes.

There's just as much carrot as stick in the bill. Information disclosed by covered entities cannot be used in lawsuits except those brought by the federal government and is exempt from disclosure under the Freedom of Information Act. Additionally, any information shared with the government cannot be subpoenaed except by Congress, if necessary for the conduct of oversight.

The bill also tasks CISA with contacting reporting entities "within two business days" of a breach notification to let them know if more information is required by the agency.

Lawmakers are seeking a brisk implementation of the breach notification legislation. The bill specifies that within 270 days of enactment, the DHS secretary in consultation with the head of CISA and other key officials, will promulgate interim rules and regulations governing the breach notification regime ahead of a public comment process. Public comments are to be considered before the publication of final rules.

Collins, who sponsored similar legislation in 2012 that didn't pass in part because of objections from Democrats to broad liability waivers, urged lawmakers to support the new bill.

"Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure," Collins said.