What Would National Data Breach Notification Law Look Like?Federal Officials, Legal Expert Debate the Issue at RSA 2021
Since the supply chain attack that targeted SolarWinds and its customers was uncovered in December 2020, some members of Congress have been pushing for a nationwide data breach notification law.
What would a U.S. data breach notification law require? In a Tuesday panel discussion at RSA Conference 2021, officials with the U.S. Justice Department and the FBI, along with a legal expert, debated what such a law might include.
The U.S. has a patchwork of state laws that dictate when and how companies need to disclose a data breach, said panelist Luke Dembosky, an attorney with the law firm of Debevoise and Plimpton LLP who has advised clients on risk management and breach disclosures.
HIPAA's breach notification rule spells out requirements for the healthcare sector. But there's no broader federal rule for other sectors, and many previous efforts to pass such a law have failed.
Adam Hickey, deputy assistant attorney general for the Justice Department's National Security Division, said that a nationwide breach notification law could help provide the federal government with greater visibility into how an attack happened and whether it rises to the level of a national security threat.
"We've seen a number of circumstances where critical infrastructure is hacked during a breach or the impact of the breach is so sweeping that it's impacting multiple sectors and potentially thousands of victims," Hickey said. "And we are challenged by getting a handle on the visibility of what's happening, how widespread that particular form of ransomware is and how many companies or entities have been impacted by the exploitation of a particular vulnerability in commonly used products."
Crafting a Bill
Yet another effort to draft and enact a nationwide breach disclosure law is currently underway in Congress. Sen. Mark Warner, D-Va., said last week that the SolarWinds attack, along with the ransomware attack on Colonial Pipeline Co., should prompt lawmakers to pass breach notification this time around (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).
Some of the country's largest corporations have also voiced support for a national breach notification law to create uniform ways to report incidents. At a House hearing in February about the SolarWinds attack, Microsoft President Brad Smith said the U.S. needs a national breach disclosure law to help ensure targeted organizations come forward (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
Setting an Example
While Hickey and Tonya Ugoretz, a deputy assistant director in the FBI's Cyber Division, debated what might be in a proposed national breach notification law, they declined to endorse any specific proposals because a formal bill has not yet been introduced.
The two officials, however, agreed that security firm FireEye's discovery and disclosure of the SolarWinds supply chain attack in December 2020 provides a model for how prompt breach notification should work. That disclosure eventually led to the discovery that attackers had launched follow-on attacks on about 100 companies and nine federal agencies (see: SolarWinds, Ransomware and the State of the Industry).
Hickey and Ugoretz noted that without FireEye finding the intrusion within their network and then reporting the incident to the government, the cyberespionage campaign might have continued much longer. That's because others affected by the attack might not have reported it due to the lack of a national breach notification law.
"From the standpoint of the actions of FireEye in reporting the intrusion, all the stars aligned - they did the right thing," Ugoretz said. "Almost immediately upon noticing that they were the victim of this very sophisticated intrusion, [FireEye] reached out to the government. And I think that was extraordinary how they did that. And I think it highlights what we often, unfortunately, don't see."
A national breach notification law likely would spell out the circumstances - such as a potential threat to U.S. national security - in which breaches would have to be reported, Ugoretz said.
"What we're most concerned about from the federal government perspective are incidents where there's a national security or public safety concern," Ugoretz said. "So things like U.S. government information that's been threatened or U.S. critical infrastructure. And I think we have ways to establish the kind of procedures and processes where we can take that information and triage it, analyze it and find the connections."
Getting Companies to Cooperate
The panelists noted that there are many reasons why companies might withhold information about a breach. These include fears of lawsuits, penalties from regulators or even stigma that comes with being a breach victim.
Ugoretz said that a federal breach notification law should be simple to follow, allowing organizations to fill out a form with the relevant information about the breach and what data might have been compromised. This approach is preferable to some lawmakers' proposals to expand the government's ability to monitor private networks to gather intelligence, she adds.
"One alternative to that - if you don't like the idea of more surveillance - is reporting that is voluntary in the sense that you choose what you put on the form that you fill out now that the regulation may require it," Hickey said. "But the point is, you're filling it out - someone's not watching your network. And so, you know, if you don't like warrantless surveillance, I've got a bill you might like."