There could soon be new requirements for reporting data breaches in the U.S. The Cyber Incident Notification Act of 2021 was introduced in the Senate earlier this year. It was read twice and referred to the Committee on Homeland Security and Governmental Affairs, per Congress. If enacted, it would be the first national requirement to report when systems have been breached.
The act, introduced in July of 2021, would be an amendment to the Homeland Security Act of 2002 and would fall under Subtitle C: Cybersecurity Intrusion Reporting Capabilities. It's a bipartisan act sponsored by Senate Intelligence Committee Chairman Mark Warner, Vice Chairman Marco Rubio and committee member Susan Collins.
Essentially, this new legislation would require that a cybersecurity intrusion (or potential cybersecurity intrusion) be reported immediately. Any data breach would need to be reported within 24 hours to the Cybersecurity and Infrastructure Security Agency, also known as CISA. The act applies to government contractors, federal agencies and groups considered critical to national security, such as hospitals, financial services, utilities and information technology groups. The one exception is an entity that is already subject to another Federal law, policy or government contract requiring reporting in less than 24 hours; in that case the shorter deadline takes precedence.
When an entity properly files the required breach report, it would be granted liability protection. The companies involved would also be promised anonymity in reporting, according to the bill. However, the bill also states "The Director of National Intelligence may declassify any analytic products, or portions thereof, produced under this section if such declassification is required to mitigate cyber threats facing the United States."
With cybersecurity threats increasing, the concern that prompted this act is that the government cannot fully understand the threats and their impact if intrusions go unreported, particularly where national security and the economy are affected.
The information that will be required of these entities upon a data breach is the following:
The bill states exactly that "Not later than 24 hours after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion, the Federal agency or covered entity that discovered the cybersecurity intrusion or potential cybersecurity intrusion shall submit a cybersecurity notification to the Agency through the Cyber Intrusion Reporting Capabilities."
So whether the breach has already been completed, is still underway, or is only a potential breach, it would need to be reported to CISA through a cybersecurity notification.
Once the initial report is complete, any new information discovered about the breach should be reported within 72 hours.
How will this be enforced, you may wonder?
A penalty of up to 0.5% of gross revenue from the prior year will be applied for each day the violation continues. When it comes to determining the exact amount, however, the bill states, "The Director shall have the authority to reduce or otherwise modify the civil penalties assessed under paragraph (1) and may take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity's ability to pay, degree of culpability, and history of prior violations." So the penalty would likely vary greatly depending on the entity's circumstances and the specific breach being assessed.
What will be done once a breach is reported?
The bill states that, "The Secretary, acting through the Director, the Attorney General, and the Director of National Intelligence, shall jointly develop procedures for ensuring any cybersecurity notification submitted to the System is promptly and appropriately analyzed to—
"(A) determine the impact of the breach or intrusion on the national economy and national security;
"(B) identify the potential source or sources of the breach or intrusion;
"(C) recommend actions to mitigate the impact of the breach or intrusion; and
"(D) provide information on methods of securing the system or systems against future breaches or intrusions."
This means the notification will be analyzed to determine the breach's impact on the U.S. economy and national security, analysts will attempt to identify the source(s) of the breach, recommend how to lessen its impact, and provide information intended to protect the system against future breaches.
The Cyber Incident Notification Act was created in an attempt to get a handle on cybersecurity, and in turn, national security. Data breaches are becoming more frequent and larger in scale, putting companies, businesses and government entities at risk. At a micro level, they put individuals at risk through leaks of personal information.