Lawmakers will push to pass a mandatory data breach notification law following the high-profile attack last year on SolarWinds, the network management and IT security company.
The compromise of the SolarWinds Orion IT monitoring and management software package, suspected to be the work of hackers affiliated with the Russian government, affected about 100 companies and nine U.S. agencies, including the departments of Homeland Security, State, and Justice. Up to 17,000 SolarWinds customers downloaded the malware.
Microsoft President Brad Smith called the SolarWinds hack “the largest and most sophisticated attack the world has ever seen” during a Feb. 26 hearing before two House committees.
During the hearing, several lawmakers promised to push a national data breach notification law this year. An upcoming bill would require companies to share information about breaches with the U.S. Cybersecurity and Infrastructure Security Agency but allow them to keep their names anonymous to the general public, said Rep. Michael McCaul.
The bill McCaul plans to introduce with Rep. Jim Langevin would presumably include penalties for failing to disclose breaches. All 50 states have their own data breach notification laws, some with significant fines for failure to disclose.
Lawmakers have for years tried to pass a federal breach notification law but have so far failed. Advocates of a national law say it would create a consistent breach notification standard with consistent penalties. However, some critics question whether federal law would water down tougher state laws.
In addition to a handful of lawmakers calling for a national breach notification law during the hearing, Smith also said it’s time for federal rules. Sharing threat information is “something that doesn’t happen broadly enough across the industry,” he said during the hearing.
Currently, reporting data breaches can open up companies to scrutiny from Congress and the public, Smith said. “A lot of companies choose to say as little as possible, and often, that’s nothing,” he added. “But silence is not going to make this country stronger.”
But Kevin Mandia, CEO of cybersecurity vendor FireEye, questioned the need for public disclosures of data breaches. Instead, companies should be encouraged to share threat information, including with the government, he said.
Too much disclosure creates fear and uncertainty, he told the committees. Without information about how to combat attacks, simple disclosure is “just going to scare the heck out of everybody,” he said.
After the hearing, several cybersecurity experts welcomed the push for a national data breach notification law.
“It would be wonderful if serious-minded politicians would reach across the aisle and craft commonsense legislation for today’s digital age,” said Monica Eaton-Cardone, co-founder and COO of Chargebacks911, a cybersecurity company focused on online transactions. “Our internet laws are ridiculously out of date, and you’d think that cybersecurity would be a nonpartisan issue.”
Customers, not just government agencies, should be notified of data breaches, she told the Washington Examiner. “The integrity of our online marketplace is directly dependent on consumers having faith and confidence in digital, card-not-present transactions,” she added. “That won’t continue if consumers suspect that they’re being deliberately kept in the dark.”
Federal law is needed because the “patchwork” of state laws is too complex, added Adam Levin, founder of cybersecurity vendor CyberScout. A new law should require companies to notify affected consumers of a breach within a short time, preferably 72 hours, he added.
A new law should also “hold organizations accountable for preventable errors and … sloppy security,” he told the Washington Examiner. “There should also be a minimum standard remedy offered to consumers whose data has been compromised.”
Still, it seems unlikely that Congress will pass a breach notification law, given that similar attempts failed following several past high-profile breaches, said Dean Gonsowski, chief revenue officer of ActiveNav, a data protection and minimization vendor.
After many other breaches, “I don’t know why this time it would be any different,” he told the Washington Examiner. “With all 50 states already having some type of a data breach notification law, trying to harmonize the vastly different laws would be a mammoth undertaking.”