Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

We May Get (FINALLY) a Meaningful Federal Data Breach Law

March 17, 2021

If the Microsoft Exchange and SolarWinds hacks have a silver lining, it may be that they have propelled both the federal government and private enterprise to consider seriously the need for a federal data breach law.

If you want to know how alarming things are at the moment, read this March post from ZDNet. It reports on findings from Check Point Research (CPR) that cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.

The countries feeling the worst of the attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

The Washington Post (sub. req.) reported on March 16 that the SolarWinds and Microsoft Exchange breaches, which collectively compromised federal and local governments as well as thousands of other U.S. businesses, have invigorated a longtime debate: Should companies be required to report cybersecurity breaches to the government?

Congress has talked about this for more than a decade. And talked and talked and talked.

Why have things changed now? This time companies are encouraging Congress to take action – and soon – saying that our national security is at risk.

“I don’t think there’s ever been more organizations breached at one time. We’re at a world record right this minute,” says Kevin Mandia, chief executive of cybersecurity firm FireEye. “So obviously we have got to do something differently than what we’re doing … Whatever is currently in place has led us to a situation that’s the worst I’ve ever seen in my career.”

FireEye first discovered the SolarWinds breach and reported it to the government. Note that they had no legal obligation to do so – but if they had not, the Russian attack might have gone on for months longer without being discovered.

Developing a new law that improves information sharing between the private sector and the government is a challenge. The private sector says it’s critical the government provide a way for it to share data about attacks without revealing which customers were affected. On the other hand, lawmakers worry that a law that is too lax might shield companies who are in fact negligent with their cybersecurity but looking to avoid legal liability.

Mandia emphasized that companies such as his need a way to share threat intelligence before having to publicly disclose an attack or its victims. He argues that disclosing a possible attack to the public too early could create confusion and put customers at risk.

I get that, but the other side of the equation is that waiting until everything about the attack is known means that law enforcement will be slowed in its efforts to stop the attack from doing more damage to more victims.

“One thing that does come up frequently is the importance of being able to protect customer identity before going public with a breach,” says Aaron Cooper, vice president of global policy at BSA Software Alliance, a trade group that represents companies including IBM and Microsoft. “They want to make sure that they’re not required to disclose a vulnerability before it’s patched.”

Mandia, alongside Microsoft President Brad Smith and SolarWinds chief executive Sudhakar Ramakrishna, stressed in two congressional hearings last month that companies need greater protections from liability for the breaches to facilitate sharing information with the government.

No one has yet articulated which specific liabilities a new law should shield companies from. But Mandia says that companies are up against a broad array of them.

“Shareholder liabilities, market cap liabilities, legal liabilities, constant inspection of your team — there’s basically no upside the minute you disclose a breach,” Mandia says. “Whether that breach put American citizens in harm’s way or customers in harm’s way is immaterial. You still get those liabilities.”

In 2015, Congress passed legislation opening the door for companies to voluntarily share cybersecurity incidents with the federal government. The law responded to concerns from companies that they didn’t have legal authority to share that information with the government, according to Suzanne Spaulding, a former Department of Homeland Security official during the Obama administration and senior adviser at the Center for Strategic and International Studies.

“The 2015 law said that you can share information [that could be used to identify malicious activity] without worrying about having any liability for sharing that information, and I think that was always a little bit confused and garbled,” Spaulding says. “[Companies] thought it was a get-out-of-jail-free card — if you share that information with the government you can’t be held responsible for what happened in the breach.”

Industry dissatisfaction with the law has come across loud and clear in recent debate. Mandia pointed to a need for a central clearinghouse for companies to report attack data.

Lawmakers are taking new legislation seriously.

“We want to give certainty in terms of when customers would need to be notified and when it’s important to report to the government when you have an incident,” says Rep. Jim Langevin (D-R.I.). Langevin is working alongside Rep. Michael McCaul (R-Tex.) to introduce a pair of bills specifying which incidents require reporting to the government and when a breach needs to be reported to the public.

The Federal Trade Commission probably would have some role in arbitrating when a company needs to disclose a breach to customers. With the exception of health and financial data, most breach reporting is currently subject to a patchwork of state laws.

It is a bloody mess, though a boon to lawyers who have to guide clients through compliance with all the state laws.

The Biden administration also recently announced it has a team working on addressing industry barriers to sharing incident data with the government.

If there is one point of agreement between Congress and businesses, it is that something must be done.

“There is no pretty plan. Inaction is not an alternative,” Mandia says. “Even if it’s imperfect, it’s certainly better than staying on our heels, taking the browbeating that we’re getting in cyberspace.”

I have no argument with those statements.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson