For more than a decade, policymakers on Capitol Hill have repeatedly tried and failed to pass meaningful federal data breach notification laws that would require companies to share details about the cybersecurity incidents they experience. As a result, organizations have to comply with a patchwork of more than 50 notification laws, one for each state and territory in the U.S.
However, a group of lawmakers is pushing colleagues and business associations to revisit these efforts, arguing that recent incidents have highlighted how the lack of mandatory reporting rules makes it harder to detect and respond to major incidents.
“There was a ‘holy heck’ moment with SolarWinds,” Sen. Mark Warner (D., Virginia) told members of the U.S. Chamber of Commerce, a major lobbying group for U.S. businesses, on Tuesday. “We need to focus on [creating] a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure.”
Sen. Warner added that he and colleagues on the Senate Intelligence Committee, which he chairs, have been examining various mandatory reporting models and are working with White House officials on the matter, including Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger. Although some sectors have breach reporting regulations in place, there currently isn’t one for critical infrastructure as a whole—the government estimates that around 80% of critical infrastructure in the U.S. is privately owned.
Although details of the chosen model are still to be determined, Sen. Warner suggested that it would grant companies limited immunity to create an incentive to report incidents, and would anonymize sensitive corporate and personnel information to protect the privacy of the reporting organizations, their employees, and customers. It would also rely on a centralized bureau to collect and analyze information about cybersecurity incidents, in the same way that the Treasury Department’s Financial Crimes Enforcement Network collects suspicious activity reports and the National Transportation Safety Board investigates and reports on aviation accidents, highway crashes, and maritime incidents.
Under legislation that’s currently being drafted by Rep. Michael McCaul (R., Texas) and Rep. Jim Langevin (D., Rhode Island), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency would fill that role. At a joint hearing of the House Committee on Oversight and Reform and the House Homeland Security Committee in February, Rep. McCaul said their bill would also protect companies by removing details such as sources, methods, and company names from reports.
Other lawmakers including Sen. Angus King (I., Maine) and Representatives Bennie Thompson (D., Mississippi) and John Katko (R., New York) have spoken recently about either introducing federal reporting laws or supporting such legislation.
“In recent days, I have been encouraged to learn of growing interest in enacting a cyber incident reporting law,” Rep. Thompson said during the February joint hearing. “We look forward to trying again this year and hope we can enact cyber incident notification legislation in short order.”
According to Sen. Warner, a federal reporting rule could be the first step in establishing global norms for cybersecurity, which could in turn serve as a “red line” for nation-state adversaries.
“If we can get the right regime set up in the United States, I think we’ll see many other nations move in this same direction,” he told the Chamber of Commerce. “And if we can get to that level of some acceptable level of cyber norms—what fits into classic espionage, what fits into denial-of-service—I think we can rally the world to make sure when our adversaries do take these actions, they pay a meaningful price.”