A bipartisan group of senators has introduced a federal data breach notification bill, the Cyber Incident Notification Act of 2021, which calls for all federal organizations, contractors, and firms that oversee critical infrastructure to report major cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
Senators Mark Warner (D-VA), Susan Collins (R-ME) and Marco Rubio (R-FL) introduced the draft bill, although it has not yet been formally introduced in the Senate. The bill aims to address many of the concerns raised following the recent cyberattacks on critical infrastructure, such as the SolarWinds Orion supply chain attack and the JBS and Colonial Pipeline ransomware attacks.
The goal of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a risk to national security, which would allow the creation of a common operating picture of national-level cyber threats. Entities that discover cyber threats must provide useful cyber threat details that will be made available to government and private sector entities and the general public so that action can be taken immediately to address the threats.
Incidents deemed significant cybersecurity attacks that would require notification are cyberattacks that:
- Involve or are thought to involve an Advanced Persistent Threat (APT) actor.
- Involve or are thought to involve a nation-state.
- Involve or are thought to involve a transnational organized crime group.
- Are likely to be of significant national consequence.
- Could harm U.S. national security interests, foreign relations, or the U.S. economy.
- May affect CISA systems.
- Use ransomware.
The draft bill calls for breach notifications to include details of the cybersecurity attack, the affected networks and systems, estimates of the dates on which the intrusion is believed to have taken place, details of the vulnerabilities believed to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the attacker. Notifications must also include any information that could help identify the threat actor, contact details so that federal agencies can reach the breached entity, and details of any measures taken to mitigate the threat.
The bill requires the Department of Homeland Security to work with other federal agencies to draft a set of reporting requirements and to harmonize those requirements with the regulatory requirements in place on the date of enactment.
Any covered entity that fails to report a cyberattack covered by the bill will be penalized, as determined by the Administrator of the General Services Administration. Companies violating the provisions of the Cyber Incident Notification Act of 2021 can be fined 0.5% of the previous year's gross income, and sanctions may include removal from federal contracting schedules.
Although there is clearly a need for a national data breach notification law, several previous attempts have been made to create a data breach notification bill, and all failed to pass the Senate. Aside from this bill, many House members and Senators are thought to be working on their own data breach notification laws.