When a security breach occurs in the US today, there is no single authority or national breach reporting law that needs to be adhered to, but that could change in the near future, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Luke Dembosky, partner at law firm Debevoise & Plimpton LLP, commented that the current state of breach reporting in the US is a patchwork of laws and policies that vary by jurisdiction. He noted that each individual state sets the rules that determine whether an organization has to report to state authorities, as well as impacted individuals, in the event of a data breach.
"It's very challenging for companies that do business across state lines, often to figure out what are all the various potential breach notification obligations," Dembosky said.
The (Solar)Wind Pushing the National Data Breach Reporting Law Forward
Adam Hickey, deputy assistant attorney general, National Security Division at the US Department of Justice, commented that there have been a number of high-profile breaches in recent years that have impacted critical infrastructure across multiple sectors. Without a single reporting framework, the federal government doesn't always get all the data and insight it needs.
"We are challenged getting a handle on the visibility of what's happening," Hickey said.
Among the recent high-profile data breach incidents discussed during the panel was the SolarWinds data breach. Tonya Ugoretz, deputy assistant director at the FBI, commented that when there is a push for legislation to close a particular gap, as with the national data breach reporting law, that groundswell is often prompted by something that didn't happen or by someone who didn't take an action. That's not what happened in the SolarWinds incident.
Ugoretz said that the SolarWinds incident was reported quickly by security vendor FireEye, which itself was a victim of a breach.
"They [FireEye] did the right thing," Ugoretz said. "Almost immediately upon noticing that they were the victim of this very sophisticated intrusion, they reached out to the government."