Government and private-sector stalwarts this week said they are encouraged that the SolarWinds supply-chain attack will set the scene for a “groundswell” for federal data breach reporting legislation.
Data breach notification laws exist at the state level - however, no such federal law exists yet, despite years of discussion by tech giants, government officials and security experts aimed at moving the needle. However, the December public disclosure of the SolarWinds supply-chain attack by FireEye, one of the victims of the hack, shed a light on the benefits of reporting cyber incidents that experts hope will fast-track national regulatory efforts.
Not only does data breach reporting help set up important partnerships between victim companies and governmental agencies who can help, but - as seen in the case of the SolarWinds attack, where malware was installed in SolarWinds software updates that were pushed out to 18,000 companies and government entities - it could help other companies impacted by the same attack or threat actor, said Adam Hickey, deputy assistant attorney general for the National Security Division of the U.S. Department of Justice, speaking at the RSA Conference this week.
“That was model behavior by FireEye,” Hickey said. “This anecdote demonstrates why that legislation makes it easier and how we want a carrot and sticks type of policy to head up the data breach reporting process.”
The Current Data Breach Reporting Law Landscape
Currently, businesses in the U.S. are grappling with a multiplicity of state-level data breach reporting laws, creating a complicated regulatory patchwork that makes compliance expensive and difficult, and opening them up to multiple sets of fines.
Luke Dembosky, partner at Debevoise & Plimpton LLP, which counsels companies dealing with data breaches, said these disparate laws create challenges for organizations doing business across state lines. On top of dealing with data breach remediation, he said, companies need to identify what states customers reside in and if they have a second residence, and discern all the different data breach requirements for those states.
“We’ve got 50 state and four territorial separate data breach laws, each setting ground rules for when a company needs to make a report to individuals and to authorities,” said Dembosky.
Despite their complexity for businesses, state-level laws come from a good place in that they shed a transparent light for customers whose data may have been compromised, said Hickey. However, consumer and personal data - while a major part of the equation - is only part of it.
Hickey said another layer to data breach reporting rules revolves around giving governmental agencies a higher level of visibility into incidents, allowing for important sharing of tactics utilized in the attacks or by threat actors, which in turn can be used to help other companies potentially impacted. And in certain circumstances - where critical infrastructure is impacted by a breach, or where the breach impacts multiple sectors, for example - the implications of complex state-level breach reporting laws have a different impact, he said.
“In addition to the challenges from the standpoint of the private sector, such as compliance and the patchwork of obligations, there is another value we should be concerned with that could be served by a federal data breach law, when it comes to protecting national security,” he said.
Data Breach Reporting: Positive Steps Forward
As the SolarWinds attack exemplified, the conversation around federal data breach reporting legislation is becoming increasingly relevant, said experts.
Tonya Ugoretz, deputy assistant director with the FBI, said that FireEye’s public disclosure of the SolarWinds attack exemplified the benefits of proactive partnerships between the government and private sector, which have been strengthened over the years by routine information sharing and other initiatives.
“In this case, all the stars aligned when FireEye reported the intrusion… as a sophisticated cybersecurity company, they are more accustomed to recognizing intrusions and recognizing that this is something that had an impact on them but was also part of a much larger campaign,” she said.
Overall, experts said that they are seeing less hesitancy from other companies about reporting data breaches - in fact, Hickey said more companies are understanding that the best way to approach a breach is to show they’re approaching it seriously by proactively saying they’re addressing it.
“As a general rule, companies are more willing to contact the government now more than ever before for a few reasons,” said Hickey. “While having a data breach was once seen as a scarlet letter, now there’s a sad understanding that this is part of the mortality of computer networks.”
An Ideal Time For Federal Legislation
The combination of FireEye’s cyber intrusion disclosure in the SolarWinds attack, and this overall positive-leaning perception from the private sector regarding data-breach reporting, paves the way for federal data breach reporting legislation that industry experts have long advocated for.
What would such a law look like? A critical piece is making the reporting requirements as clear and easy as possible, said Ugoretz. Also important is developing a process where the government can have established procedures to take information, triage it and provide data back to affected companies that will help prevent public safety or national security incidents - ultimately with the goal of preventing future incidents.
“The idea of standardization and giving companies less to figure out at a moment when they’re suffering an intrusion is the key part,” said Ugoretz.
Beyond the logistics, a central aspect to a data breach reporting law is establishing a level of trust between the government and private-sector companies, which showcases that the disclosure rules are not just a slap on the wrist, but a chance for these entities to work together. Dembosky stressed that if data breach reporting rules are just seen as another compliance layer, they will not be so meaningful in the grand scheme of things: “Companies will do what’s required, but it won’t be viewed favorably,” he said.
“In the U.S. there’s been a huge effort by the FBI and DoJ to change the dynamic with data breach victims and to treat them as victims,” said Dembosky. “As long as that message carries through with what’s being done, it will be treated favorably.”