Cyberattacks and Security Breach Disclosures: U.S. Federal Law Coming?
The U.S. intelligence apparatus is pressing Congress to propose measures that would require private industry to share security breach information and other threat intelligence with the federal government.
The directors of the National Security Agency (NSA), of National Intelligence and of the Federal Bureau of Investigation (FBI) told bipartisan members of the Senate Intelligence Committee in a recent hearing that a law requiring the private sector to report breaches would help stitch together the nation’s cyber defenses against attacks on critical industry.
While calls by federal security officials for the private sector to disclose breaches have become more frequent and insistent, it is the massive SolarWinds attack, which hit at least nine federal agencies and roughly 100 companies, that has raised the volume of those voices. Two months ago, the House Homeland Security and the House Oversight and Reform committees, both of which are investigating the SolarWinds incident, called for private industry to report breaches. The tech industry, most prominently Microsoft and other top-line cybersecurity providers, has also advocated for legislation to that end.
Many enterprise businesses shy away from disclosing security lapses for competitive reasons: they do not want to admit to cyber vulnerabilities for fear of inviting additional attacks, of unsettling shareholders and customers, or of exposing themselves to legal entanglements. Nonetheless, in testimony to the Senate Intelligence Committee, NSA Director Gen. Paul Nakasone, who also serves as commander of U.S. Cyber Command; Avril Haines, the Director of National Intelligence; and FBI Director Christopher Wray all pushed legislators to support breach notification laws, largely for the greater good. (via The Hill)
“We are troubled in terms of being able to understand the depth and breadth of an intrusion based upon the fact that, for a number of good reasons, some of them obviously legal, that much of the private sector does not share this information readily,” Nakasone said. Both Haines and Wray also advised in favor of breach notification.
Wray contended that protecting critical infrastructure cannot happen without the industry’s collaboration. “The private sector controls 90 percent of the infrastructure and an even higher percentage of our PII [personally identifiable information] and innovation,” said Wray. “It has the key dots as part of the overall connecting of the dots phenomenon.” Mandatory breach notification would “further strengthen the glue between the private sector and the intelligence community and the rest of the government,” he said. Haines also called for a breach notification bill. “Something that would create, as I understand it, an obligation on companies to provide information when there are attacks,” she said. “That is obviously one piece of the puzzle.”
State-Level Security Breach Disclosure Legislation
While no federal law requires companies to disclose security breaches, as of 2019 all 50 U.S. states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands had enacted data breach legislation requiring both public and private sector entities to notify individuals whose PII may have been compromised in a security breach. In the absence of a federal law, and as the cyber security landscape has grown more threatening, state legislatures are left to update their existing data breach rules, from what constitutes PII and what counts as a breach to compliance requirements and other specifics.