Senators have crafted a bipartisan bill that would require a wide range of public and private entities to notify the government within 24 hours of a cyber breach. Mark Warner has introduced a bipartisan bill that would require the owners of critical infrastructure, companies responding to cybersecurity incidents and federal companies to report cyber intrusions to the Department of Homeland Security within 24 hours. The bill, introduced by Warner and Sen. Rand Paul (R-Ky.) of the Senate Intelligence Committee, follows a series of ransomware attacks against organizations across the country.
The draft bipartisan bill, which would require owners of critical infrastructure, companies responding to cybersecurity incidents and federal companies to report cyber intrusions to the Department of Homeland Security within 24 hours, is one of the earliest bills to respond to the flood of attacks that started with the SolarWinds breach and continued with the Microsoft Exchange hack and the ransomware incidents at Colonial Pipeline and the meat supplier JBS. The bill, which has not yet been introduced in the Senate, aims to address issues that have come to light in the recent series of major ransomware attacks, including those that hit Colonial Pipeline Co., meat processor JBS and the SolarWinds supply chain, an attack that led to follow-up intrusions at nine federal agencies and more than 100 companies.
The bill from Mark Warner (D-VA), Marco Rubio (R-FL) and Susan Collins (I-ME) would require public and private entities to notify the government of a cyber breach within 24 hours or face fines and potential contract losses. Under the new Senate bill, federal contractors who fail to report cyber incidents could lose their contracts, while other non-compliant companies could face fines of 0.5 percent of the previous year's gross revenue per day, according to a draft of the bill published by CNN. Agencies that fail to report their own breaches could also face an investigation by inspectors general.
The Violation Notification Act would require US government agencies, federal contractors and owners and operators of critical infrastructure to report breaches to the Department of Homeland Security's CISA (Cybersecurity and Infrastructure Security Agency). The bill also provides liability protection for companies that submit breach reports and encourages companies to disclose breaches.
The Transportation Security Administration, for example, requires US pipeline companies to report breaches within 12 hours. Under the bill, that requirement would take precedence over the 24-hour deadline. Existing state and federal laws, such as HIPAA and HITECH, require breaches to be reported, but focus on notifying victims first.
The bill also directs DHS to develop additional rules, definitions and requirements related to implementing the law, and requires DHS and its cybersecurity agencies to submit annual reports to Congress on the notifications received.
Senior cyber officials this week called on the agency to report more cybersecurity incidents, arguing that doing so would help protect critical industries across the country from cyberattacks.
Senators plan to submit the bill next week, and other members of the Intelligence Committee are likely to sign on, a Warner aide said. A bill that is expected to take effect in 2020 is a bipartisan staff bill from the House Energy and Commerce Committee. That bill is a step towards a comprehensive bipartisan data protection law, but at the time of publication a review by the two main political parties had failed to reach agreement on several parts of the law, including exemptions from the consent requirement, categorization of sensitive data, decryption of data, whether the revenue from data processing is sufficient to require increased compliance, whether companies can opt out, requirements for initial marketing and discriminatory use of data, the size of the Data Protection Office and the issue of.
