Dear Congress: It's Complicated. Please Consider This When Crafting New Cybersecurity Legislation
As mandatory reporting bills work their way through the halls of Congress, what should businesses do to prepare for this pending legislation?
In light of recent high-profile cyberattacks, including those against SolarWinds and Colonial Pipeline, the federal government is scrambling to build greater resilience against future attacks. Federal agencies are revisiting provisions under existing laws to push new requirements on both federal agencies and critical infrastructure operators; in fact, last month US banking regulators passed a rule requiring financial institutions to report breaches within 36 hours of discovery. The Department of Justice has announced its plan to apply a Civil War-era law to hold federal contractors accountable for failing to disclose breaches.
Simultaneously, the US Senate is considering legislative responses, an acknowledgement that laws written before the invention of the Internet would be ill-equipped to help secure it today. A core component of all the bills is the requirement for organizations to disclose cybersecurity breaches to the Cybersecurity and Infrastructure Security Agency (CISA) to help the government better assess, prevent, and respond to cyberattacks.
The new bills would create the first federal mandate requiring such widespread disclosure of security incidents. Senator Mark Warner (D-VA) said, "We shouldn't be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
Under Warner's bill, the Cyber Incident Notification Act, organizations that fail to report cyber intrusions within 24 hours would be subject to penalties of up to 0.5% of their previous year's revenue for every day they neglect to report either a potential or successful intrusion. Senator Elizabeth Warren's (D-MA) bill, the Ransomware Disclosure Act, would fine organizations for not disclosing ransomware payments within 48 hours of payment.
New cybersecurity legislation is necessary, but to be effective, any new cybersecurity law must account for certain realities. First, because of a talent shortage, many organizations do not have the ability to comply with these mandates today. Second, the federal government has to earn the private sector's trust by being clear about the legal and financial ramifications of disclosure. Finally, a patchwork of conflicting legislation will only lead to industry confusion and pushback, ultimately undercutting the intent behind these legislative moves.
Legislators must consider the disincentives for disclosing a breach and the legitimate reasons an organization may be reluctant to do so. Any legislation that becomes law should factor in those reasons. Some key questions to consider:
● What defines a "potential" security incident? Such terms in the Cyber Incident Notification Act are too broad to be enforceable and could leave organizations sending every security alert to the government before they are effectively triaged.
● Today, ransomware payments reside in a legally gray area where disclosure of them could be self-incriminating. In the event of a disclosure, can the information be used to support criminal prosecution of the victim organization? Currently, at least four states — New York, Texas, North Carolina, and Pennsylvania — are considering bills that make ransomware payments illegal. Without direct clarity on these points, businesses will be reluctant to comply with Warren's Ransomware Disclosure Act.