After a cyberattack that impacted multiple government agencies and major corporations, new rules on data breach disclosure may be on the way. According to GovTech Magazine, lawmakers in both parties are interested in legislation that would require companies to notify the government if they have been the victim of a cyberattack. The news comes as the European Data Protection Board (EDPB) is consulting on new data breach notification guidelines, according to Wilson Sonsini Goodrich & Rosati.
Closing knowledge gaps
In the wake of the SolarWinds supply-chain attack, named for the software company whose Orion product update was trojanized with malware, several members of Congress have reportedly been perplexed by the government's inability to grasp the full scope of the intrusion. This stemmed, in part, from confusion regarding companies' obligation (or lack thereof) to report a hack.
At a Feb. 23 congressional hearing on the recent attacks, lawmakers talked with several tech executives about cybersecurity issues, including the possibility of new legislation. Reps. Bennie Thompson and John Katko, of Mississippi and New York, respectively, pointed to gaps in data breach disclosure law as a problem that must be addressed.
"[There's] an undeniable gap in our country's cybersecurity posture… federal agencies are often operating in the dark instead of having access to the critical aggregate data regarding the tactics, techniques and procedures of bad actors," Katko said.
These potential changes also have support in the private sector. At the hearing, Microsoft president Brad Smith noted that because of the lack of guidelines, companies currently don't know whom to report attacks to. Smith also pointed out that when tech companies enter into contracts with a government agency, they are often legally obligated to keep an attack quiet.
Details of the hack
The SolarWinds compromise came to light on Dec. 8, when the cybersecurity firm FireEye announced that its own network had been breached and its red-team tools stolen. Within days, investigators traced that intrusion to malware inserted into a legitimate update of SolarWinds' Orion product, according to The Hill. Because SolarWinds software is so prevalent in both the public and private sectors, the intrusion's reach was massive: the company estimated that about 18,000 customers had downloaded the tainted update, of which, per that reporting, over 1,000 experienced some kind of adverse effect. Major targets included the Departments of Commerce, Energy, Homeland Security, State and Treasury, as well as component agencies such as the National Institutes of Health. U.S. government agencies and private cybersecurity experts assess that the hack was carried out by a team affiliated with the Russian government.
This recent hearing is not the first time that the idea for a breach notification law has been discussed. In fact, funding for a cyber incident reporting program was included in the House's 2021 funding bill for the Pentagon but taken out by the Senate. The measure was also significantly opposed by the U.S. Chamber of Commerce, which said in a statement that a potential program "undercuts public-private cybersecurity collaboration."
New rules in Europe
Meanwhile, across the Atlantic, the EDPB published draft guidelines on data breach notification. The guidelines do not create a new deadline; they illustrate, through worked case examples, how to apply the GDPR's existing Article 33 requirement that a controller notify its national supervisory authority (SA) "without undue delay" and, where feasible, within 72 hours of becoming aware of a breach. (The SA is the national data protection regulator in each EU member state charged with handling data breach issues.)
In addition to the timeline for making a disclosure, the draft specifies best practices for lower-risk cases and general preventive measures. Notably, the guidelines reflect that the threshold for notifying affected individuals (a breach "likely to result in a high risk" to them) is higher than the threshold for notifying the SA (any breach unless it is "unlikely to result in a risk"). In some cases, therefore, companies need not inform consumers of a breach even if their data was affected, although every breach still has to be documented internally. The document also gives advice on after-the-fact risk assessment, including that the assessment should begin immediately rather than wait for a forensic report.
The new EDPB guidelines are open to public consultation until March 2. The document represents the first guideline updates since 2018.
Stopping data breaches before they occur
The potential rule changes in both the U.S. and EU demonstrate the full cost of a data breach. In addition to dealing with stolen data and the time and money required to fix the underlying weakness, enterprises must deal with potential legal repercussions; in some cases, especially if consumer data is involved, a company could be held liable in court. No single tool prevents data breaches, but a terminal emulator that enforces encrypted sessions (SSH or TLS rather than cleartext Telnet) and integrates with centralized authentication can be one part of reducing the exposure of the systems it connects to.