“A lot of the real details are going to have to be worked out in the rule-making process,” said Christopher D. Roberti, the senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce.
The law requires the cybersecurity agency to work with companies as it determines the rules, so business leaders will get a say in how the law should be applied.
Cyberattacks disrupted operations at major American businesses last year, including JBS Foods, a meat supplier, and Colonial Pipeline, which supplies fuel on the East Coast. Both attacks interfered with Americans’ ability to obtain essential supplies and created urgency for lawmakers to act.
Senators Gary Peters, Democrat of Michigan, and Rob Portman, Republican of Ohio, the authors of the incident reporting legislation, said the law would help companies like JBS Foods and Colonial recover more quickly after these kinds of attacks. The cybersecurity agency would be able to provide them with guidance and assistance during the recovery process.
Delayed disclosures have been costly for companies. In 2018, Yahoo paid a $35 million fine for failing to promptly disclose a 2014 hack. And executives can find themselves facing criminal charges, as in the case of a former Uber executive who has been charged with obstruction and fraud over his handling of a 2016 data breach at the ride-hailing company.
“We’ve heard from companies in the last year or more about how inconsistent and unstreamlined the incident reporting landscape is,” said Courtney Lang, senior director of policy at the Information Technology Industry Council. “Given the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think that incident reporting can provide useful information that can help to shape specific responses.”
While similar rules are under consideration in Europe and in other federal agencies in the United States, corporate leaders are hopeful that the new federal law will become a model for other legislators and government officials, allowing companies to avoid a muddle of overlapping incident reporting requirements.