
U.S. tech execs, lawmakers suggest hack reporting requirement


Microsoft’s CEO said before Congress that it is time to impose a cyberattack ‘notification obligation on entities in the private sector.’

Senators and tech leaders are calling for the U.S. to require companies to disclose when they’ve experienced a data breach.

(Bloomberg) — A bipartisan group of senators on Tuesday, Feb 23, recommended that the U.S. consider requiring companies to disclose when they have been hacked.

At the first public hearing before Congress since a massive cyberattack by suspected Russian hackers was disclosed in December, Senate Intelligence Committee Chairman Mark Warner (D-Va.) was joined by the vice-chairman of the committee, Senator Marco Rubio (R-Fla.), in calling for the measure. Several others, including Senator Angus King, an independent from Maine, also voiced their support, as did several of the tech executives who were testifying.

There is currently no federal data breach notification law.

“It is time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” said Microsoft Corp. President Brad Smith. “I think it is the only way we’re going to protect the country, and I think it is the only way we’re going to protect the world.”

FireEye Inc. Chief Executive Officer Kevin Mandia said he supported a requirement that companies notify an appropriate government agency about being hacked. But he urged that it be confidential to encourage companies to participate amid liability concerns.

Tech executives speak out

The hearing before Warner’s committee on Tuesday included Sudhakar Ramakrishna, the CEO of SolarWinds Corp., the Texas-based software firm that the hackers compromised as part of the attack. He told the committee that the tool hackers used to compromise the company’s software “poses a grave risk of automated supply chain attacks” across the software industry.

The senators mostly used a light touch in questioning Ramakrishna — who started at SolarWinds in January after the hack was disclosed — about his company’s responsibility in the massive cyberattack. He said his company is investigating three possible ways the attackers may have gained access to the company’s networks but hasn’t reached a conclusion.

The senators were much tougher on Amazon Web Services for not appearing at the hearing despite an invitation. According to SolarWinds, its Orion software platform, which was compromised by the hackers, could be deployed by customers on AWS among other cloud platforms.

“The operation we will be discussing today used their infrastructure, at least in part,” Rubio said. “Apparently, they were too busy to discuss that here today.”

Amazon.com Inc. didn’t immediately respond to a request for comment.

The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking.

The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.

Mandia, of FireEye, said the attackers were “exceptionally hard to detect.” He added that the hackers appeared to be highly concerned with remaining hidden. “The minute you could detect these folks and stopped them breaking through the door, they sort of evaporated like ghosts until their next operation.”

FireEye discovered the hacking campaign while investigating a breach of its own networks. Mandia said in his prepared remarks that the company found an intrusion in late November and determined that a third party had accessed its network without authorization. FireEye disclosed the cyberattack in December.

Smith told the committee that Microsoft’s threat hunters and engineers analyzed the attack and estimated there were 1,000 developers who worked on the attack. “It is the largest and most sophisticated operation of this sort that we’ve seen,” he said.

Another witness at the hearing, George Kurtz, the co-founder and CEO of Crowdstrike, the cybersecurity firm hired by SolarWinds for incident response, called for improvements to federal cybersecurity. He said old computer systems and compliance rules “detract from their core security work.”

While a mandatory data breach notification law is one mechanism by which Congress could improve U.S. cybersecurity, the prospects of passing such a law in 2021 are slim given competing COVID-19 relief priorities, according to Dominique Shelton Leipzig, a privacy and cybersecurity attorney at Perkins Coie LLP.

“Realistically, the chances of getting a federal omnibus privacy and data security law are looking more likely to happen next year,” she said.

Businesses want a federal law since they currently have to comply with differing data breach notification laws in all 50 states, she said. “This is the perfect example where companies are calling out for guidance both on the privacy and data security side,” she said.
