U.S. legislation is in the pipeline that would make most public and private companies responsible for reporting cyber breaches to the U.S. government within 24 hours. This comes hot on the heels of multiple high-profile cyber-attacks that crippled the nation’s infrastructure.
What is a cyber breach?
A cyber breach, or data breach, occurs when confidential information is leaked to unauthorized persons. This could happen accidentally, or it could be done maliciously. It could, for example, be due to a system error that results in sensitive data being accessible by the public. Or, maybe a hacker gained illegal access to a company’s databases and shared them online.
Whatever the cause, data breaches are bad news for both the company responsible for protecting the data and the people to whom the data belongs. Around 50% of compromised accounts are accessed within 24 hours of a data breach.
What would this legislation mean?
If this bill passes, it would not only apply to private organizations, but to U.S. government agencies too. It would cover all federal contractors and those responsible for infrastructure. When a cyber breach occurs, it would be reportable to the “Cybersecurity and Infrastructure Security Agency”, a branch of the Department of Homeland Security.
Some industries already have their own reporting process for data breaches. For example, the Transportation Security Administration must report breaches within 12 hours. However, there is currently no single federal law governing data privacy in the U.S., and no U.S. equivalent of the EU’s GDPR.
“We need the ability to get visibility into national cybersecurity risks (…) to understand where adversaries are intruding into networks across this country (…) to understand the techniques that they’re using to break in. We need to understand what they are doing or trying to do. The more of that kind of information that we get, we can then protect others.” — Eric Goldstein, Cybersecurity and Infrastructure Security Agency, 2021
What is GDPR, the EU’s new data protection law?
“The General Data Protection Regulation 2016/679” (GDPR) was adopted in April 2016 and came into effect on May 25, 2018. It is the toughest privacy law in the world, and it affects any organization processing data that belongs to people within the EU. Fines for breaching its regulations can stretch into the millions of Euros.
Are American Data Privacy Laws Lacking?
You may be asking yourself why cyber breaches are only being discussed now, and why cyber attacks are increasing. In 2019, the New York Times’ Editorial Board asked a similar question: why is America so far behind Europe on digital privacy? Some polls and studies have suggested that Americans are more trusting about how their personal data is used. However, change typically flows down from the top, and if Congress’ reaction to GDPR is any indication, the data privacy situation in the U.S. might not change in a hurry.
GDPR should extend to cover any American company handling EU customer data. However, Congress enacted the “Clarifying Lawful Overseas Use of Data” (CLOUD) Act in March 2018, just two months before GDPR became enforceable. This Act overrules GDPR in two ways:
- U.S. software companies and IT service providers must give the authorities access to all stored data on request.
- U.S. service providers do not have to inform customers when authorities request their data.
Cyber Breaches When Working From Home
There’s never been a more dangerous time to be online. According to Forbes, 2020 smashed every previous record for the number of cyber-attacks and the amount of data lost to breaches in a single year. In part, this is likely due to the huge increase in working from home.
When we’re in the office, we’re protected. Unless you work for a small start-up, chances are that you’ve got an experienced IT team behind you. Their role is to secure your network and make sure that your computer and corporate user account are safe from prying eyes. While corporate breaches do happen, they are typically the exception rather than the rule. Corporate security is usually much better than each employee’s personal cybersecurity habits at home.