#RSAC: Does the US Need a National Breach Reporting Law?

When a security breach occurs in the US today there is no single authority or national breach reporting law that needs to be adhered to, but that could change in the near future, according to a panel of experts speaking at the 2021 RSA Conference on May 18.

Luke Dembosky, partner at law firm Debevoise & Plimpton LLP, commented that the current state of breach reporting in the US is a patchwork of laws and policies that vary by jurisdiction. He noted that each individual state sets the rules that determine whether an organization has to report to state authorities, as well as impacted individuals, in the event of a data breach.

"It's very challenging for companies that do business across state lines, often to figure out what are all the various potential breach notification obligations," Dembosky said.

The (Solar)Wind Pushing the National Data Breach Reporting Law Forward

Adam Hickey, deputy assistant attorney general, National Security Division at the US Department of Justice, commented that there have been a number of high-profile breaches in recent years that have impacted critical infrastructure across multiple sectors. Without a single reporting framework, the federal government doesn't always get all the data and insight it needs.

"We are challenged getting a handle on the visibility of what's happening," Hickey said.

Among the recent high-profile data breach incidents discussed during the panel was the SolarWinds data breach. Tonya Ugoretz, deputy assistant director at the FBI, commented that a lot of times when there is a push for legislation to close a particular gap, like with the national data breach reporting law, that groundswell is prompted by something that didn't happen, someone who didn't take an action. That's not what happened in the SolarWinds incident.

Ugoretz said that in the SolarWinds incident, it was reported quickly by security vendor FireEye, which itself was a victim of a breach.

"They [FireEye] did the right thing," Ugoretz said. "Almost immediately upon noticing that they were the victim of this very sophisticated intrusion, they reached out to the government."

She added that this type of quick notification doesn't always happen and the fact that it did may well have helped to prevent even more data loss, which was a theme that Hickey echoed. Hickey said that thanks to FireEye raising its hand and saying, "This is happening on my network," the federal government was able to move quickly to investigate and help limit risk.

Why a National Data Breach Reporting Law Is Needed

Hickey emphasized that a national data breach reporting law is needed to help provide visibility to law enforcement and push out information to enable potential victims to be protected.

As a general rule, Hickey noted, companies are more willing to contact the government and work with law enforcement now than ever before, for several reasons.

"In the past, having a data breach used to be kind of a scarlet letter, and there was a shame factor, so you kind of didn't want it to get out," Hickey said. "Now there's sort of a sad understanding that this is a part of the mortality of computer networks."

With the realization that data breaches happen, Hickey said, organizations' attention has turned not just to defense, but also to resilience and reputation.

"Part of the way you demonstrate you are taking something seriously and doing everything you can as a business is saying, I'm working with law enforcement to address it," Hickey commented.

What the National Breach Reporting Law Should Look Like

A key objective for a potential national breach reporting law that all the panelists agreed upon was the idea that it should make reporting a breach easier, not harder, than the current patchwork model.

Ugoretz emphasized that having a national standard for breach reporting will give companies less to figure out, which is especially important at the moment they are suffering from an intrusion. She wants to see a law that is clear and concise and that helps victims and law enforcement figure out what happened and prevent further exposure.

"We think of each of these intrusions as if it were a murder conducted by a serial killer, where whoever is behind it will strike again and they're leaving clues at each crime scene," Ugoretz said. "This reporting law will help us pick up those clues and share it with others before they then become subsequent victims."