Cyber Breach Reporting Mandated for Companies, Agencies in Bill

  • Push for agencies, infrastructure to report cyber intrusions
  • Bill follows cyberattacks on Solarwinds, Colonial Pipeline

Federal agencies and critical infrastructure operators such as energy companies and hospitals would have to report cyber intrusions within 24 hours to the Department of Homeland Security or face penalties, under a bipartisan bill unveiled Wednesday.

The legislation from Senate Intelligence Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.), and Sen. Susan Collins (R-Maine) is the most substantive congressional effort this year to address the spike in cyber and ransomware attacks on federal government and private companies following the Solarwinds Corp. and Colonial Pipeline Co. hacks. The bill also boasts the support of 12 key Republican and Democratic cosponsors.

“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact,” Warner said in a statement.

The legislation, which Warner described in May, would be the first federal mandate requiring public or private entities to report when they’ve been breached, according to bill text provided to Bloomberg Government. Under the bill, federal agencies, government contractors and critical infrastructure owners and operators in the healthcare, transportation, financial services, agriculture, energy, and information technology sectors would have to notify DHS’s Cybersecurity and Infrastructure Security Agency.

To incentivize industry participation, the bill would offer limited liability protection for companies that report a cyber breach, as well as data privacy protections for companies with procedures to mask personally identifiable information.

As a method of enforcement, the CISA director would be authorized to assess civil penalties of up to 0.5% of an entity’s previous year’s gross revenue for every day the entity fails to report attempted or successful cyber intrusions. The bill allows for the CISA director to adjust the civil penalties. The bill also directs the Homeland Security Secretary and CISA director to issue rules defining the covered entities as well as what a cyber intrusion and potential cyber intrusion entail.

Cosponsors include Sen. Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission that provides cybersecurity strategy recommendations to Congress. King has worked on his own cyber breach reporting bill. Other cosponsors include Sens. Joe Manchin (D-W.Va.), chair of the Senate Energy and Natural Resources Committee, and Jim Risch (R-Idaho), ranking member of the Senate Foreign Relations Committee.

The bill’s broad bipartisan support as well as pressure on Congress to act quickly to help the private sector mitigate future cyber and ransomware attacks could provide the momentum needed to move the legislation quickly. Warner is looking at all legislative pathways to advance the bill, including this year’s National Defense Authorization Act, according to Warner’s spokesperson. The Senate Armed Services Committee is considering the annual defense policy measure this week.

Warner has been in touch with multiple House member offices, but is still finalizing a House companion bill, according to the spokesperson.

To contact the reporter on this story: Rebecca Kern in Washington at

To contact the editor responsible for this story: Zachary Sherwood at
