A bipartisan group of senators has drafted a federal cyber incident notification bill – the Cyber Incident Notification Act of 2021 – that would require federal agencies, federal contractors, and businesses that own or operate critical infrastructure to report significant cyber intrusions to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
The draft was released by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues identified following recent cyberattacks on critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.
The purpose of the bill is to ensure that the federal government becomes aware of cyber intrusions that threaten national security in a timely manner, enabling the development of a common operating picture of national-level cyber threats. Entities that discover such intrusions would be required to provide actionable threat information, which would then be shared with government and private sector entities and the public so that action can be taken promptly.
Intrusions classified as significant, and therefore subject to notification, are cyberattacks that:
- Involve or are believed to involve a nation state.
- Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
- Involve or are believed to involve a transnational organized crime group.
- Could harm U.S. national security interests, foreign relations, or the U.S. economy.
- Are likely to be of significant national consequence.
- Have the potential to affect CISA systems.
- Involve ransomware.
The draft bill requires notifications to include a description of the cybersecurity intrusion, the affected systems and networks, an estimate of the dates on which the intrusion is thought to have occurred, a description of the vulnerabilities thought to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the threat actor. Notifications must also include any information that could help identify the threat actor, contact information so that federal agencies can follow up with the affected entity, and details of any actions taken to mitigate the threat.
The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.
Any covered entity that fails to report a cyber intrusion covered by the bill would face penalties determined by the Administrator of the General Services Administration. Businesses violating the Cyber Incident Notification Act of 2021 could face a financial penalty of 0.5% of the previous year's gross revenue, and sanctions could include removal from federal contracting schedules.
Although there is broad agreement on the need for a national breach notification law, several previous attempts to pass one have failed to make it through the Senate. In addition to this bill, several House members and senators are believed to be working on their own data breach notification bills.