New privacy and cybersecurity legislation has grown rapidly in 2021 in the United States, both federally and at the state level, with more than 30 bills being introduced in the US Congress alone. Given the direction of these latest drafts, businesses that hold US citizens’ data can expect immense responsibility to uphold stringent standards when handling the data of their clients and consumers. The types of incidents these drafts aim to cover include both cybersecurity incidents and data breaches, unlike many recent privacy regulations aimed at data breaches alone.
The Cyber Incident Notification Act, recently introduced by the Senate Intelligence Committee, seems to have the best chance of passing. The bill aims to establish federal guidelines for when and how companies will be required to alert the government of any cyber incident or data breach. While whether the legislation will pass as-is is still an open question, given that it has 15 cosponsors from both sides of the aisle and was recently endorsed by Jen Easterly, the director of the US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), it likely has a better chance than other bills we’ve seen to date.
Who Will This Bill Affect?
The quick answer is “a lot!” The groups directly mentioned in the bill include government agencies, government contractors, those involved in critical infrastructure, and even nongovernmental entities that provide cybersecurity incident response services. Critical infrastructure here is quite broadly defined as the sixteen sectors DHS and CISA declare essential, including the communications, energy, financial, and transportation sectors.
The first step for anyone wondering how this bill will affect them and their business is to figure out what qualifies a company for status as a ‘covered entity’, meaning it will be subject to the new rules proposed in the bill. If any of the organizations or entities in those categories discover a “cyber intrusion” within their networks, regardless of whether the breach involves personal information, they will have to submit a notification of the incident to CISA within 24 hours. This would place the requirement among the fastest in the world, at merely a third of the time allowed by the EU’s GDPR, for example.
The bill authorizes CISA as the authority to create a system for submitting the notification. It also establishes a few guidelines for how that system must work, what a notification must contain, penalties for breaking the rules, and a number of other aspects of incident notification.
What Would Happen After the Bill is Enacted?
According to the draft regulation, after passing, the director of CISA will have 240 days to establish Cyber Intrusion Reporting Capabilities, which will “facilitate the submission of timely, secure, and confidential cybersecurity notifications from Federal agencies and covered entities to the Agency”. In other words, within 8 months of enactment, Congress expects the director of CISA to create a system that any company, even those that are not technically ‘covered entities’, can use to notify CISA about a cybersecurity incident.
The bill also dictates that the system must allow companies to submit, and the government to accept, classified information, particularly given that the defense industry is part of critical infrastructure, so it is assumed that the security of this system will be high. The CISA director will have two days after a breach notification is submitted through the reporting capabilities to respond, informing the entity whether CISA needs more information or giving it further guidance or direction.
What Would a Notification Look Like?
The specific information that a company must include in its submission is not yet final, and will be up to the director of CISA to define once the bill is enacted. There are, however, some details that the draft requires be included. For example, key information in each notification would include the date of the breach, a description of the cyber incident, identification of the systems and networks that were breached, and the tactics discovered and used by the threat actors perpetrating the attack. In addition, any information that could reasonably help the investigation and any actions taken to mitigate the incident will definitely be required.
Submit a breach notification within 24 hours and provide updates every 72 hours or face daily fines of 0.5% of revenue
One of the most surprising details of the impending legislation is that the report must be made no later than 24 hours after the breach is detected, with the only exception being if another federal law or rule requires the covered entity to submit a breach notification before 24 hours have passed. Additionally, and until directed otherwise, the affected entity must notify CISA through the new system every 72 hours with any additional information it discovers that may pertain to the breach. As anyone who’s gone through an incident before knows, that means reports will need to be sent at least every 3 days for quite a while.
Penalties & Repercussions
The other surprise in the proposed bill is how exceptionally steep the penalty is, so companies will want to be absolutely certain that they submit their notifications and additional information within the stated time parameters and with the correct information. The bill states that CISA has the authority to levy a fine of up to 0.5% of the company’s gross revenue DAILY for as long as it remains in violation of the rules.
This repetitive, daily approach to the fine is significantly different from and more punishing than similar data privacy and cybersecurity bills, including California’s CCPA and Connecticut’s recent laws on data breaches and cybersecurity standards. CISA will have some leeway to dictate or change the amount or frequency of payment depending on the circumstances of the violation.
In addition, a section of the bill currently stipulates that all ‘covered entities’ must preserve all information that CISA designates. The specific information to preserve will be established by CISA within 60 days of the law’s enactment. While currently unclear, keeping a complete record of actions taken, by whom, and when will likely be among the requirements set by the agency.
Overall, if you are in one of the sixteen sectors defined by DHS and CISA as critical infrastructure, are a federal contractor, or your company provides cybersecurity incident response, this bill has very serious implications for your organization. With cyber threat activity continuing to increase every year and showing no signs of slowing, companies are going to have to be ready to execute a well-defined incident response if they want to maintain the trust of the government, their employees, customers, and the public.
How Organizations Can Prepare for this Act
In the current environment, in which incidents are inevitable, preparing incident response plans that take into account the provisions of this act and others will ensure companies can reach and maintain compliance and reduce the possibility of penalties and fines.
This type of proactive planning starts by gaining visibility into how data gets collected and used, assigning responsibility for incident response, and then developing plans before they’re needed. In developing these plans, organizations should focus on three essential areas of incident response:
1) Readiness
Organizations must respond quickly and confidently when an incident occurs in order to meet the 24-hour timeline of this draft bill. For organizations to hit the ground running whenever a breach might occur, they should:
- Detail the requirements set forth in applicable laws, like the potential US Cyber Incident Notification Act
- Understand and capture agreed-upon terms from customer and partner contracts
- Outline incident response plans according to those requirements
2) Response
When an incident occurs, organizations must quickly execute on those plans. This speed to action helps them not just stop threats from materializing but also meet the proposed, unprecedented timelines and reduce any penalties or fines from governments. To effectively respond to an incident, organizations need to:
- Investigate the event, including when it occurred and what data and systems were impacted
- Issue the proper notifications to regulatory bodies, such as CISA if this bill is passed
- Mitigate the source of the attack and, if possible, act to reduce any potential harm to any impacted individuals
3) Ongoing Management
Finally, organizations must approach incident response as an ongoing effort by keeping their plans up to date as both external and internal factors evolve over time. Successfully keeping plans up to date requires organizations to:
- Introduce a centralized dashboard as a single source of truth for all monitoring, reporting, and incident response plans
- Promote accessibility to that dashboard to ensure key stakeholders remain aware of their responsibilities and aligned on response protocols
Get Started Now Prioritizing Proactive Incident Response
This act as currently written is clearly meant to make a statement that lawmakers and those they represent are tired of ill-prepared companies, and sets out to reestablish trust by forcing companies to be faster and more transparent when responding to incidents. Given the speed required and the penalties at stake, a high-level checklist or a rarely updated static plan clearly won’t cut it. This bill requires companies to have a fast and effective incident response program.
Companies must be prepared to know what’s going on and hit the ground running when an incident or data breach occurs. They need to know exactly what to do and by when. Presuming this legislation or something like it passes, part of that will include notifying CISA quickly. Being prepared ahead of time with an incident response program that leverages automation will be critical to making that possible.