Incomplete data breach records up as US debates cybersecurity authority

Podcast

MediaTalk | Season 2 | Ep. 29 - Streaming Services, Linear Networks Kick Off 2024/25 NFL Showdown

Podcast

MediaTalk | Season 2 | Ep. 27 - College Football Preview & Venu Injunction

Podcast

Next in Tech | Ep. 181: Lighting up Fiber

Podcast

MediaTalk | Season 2 | Ep. 26 - Premier League Kicks Off


Cybersecurity and Infrastructure Security Agency Director Jen Easterly testifies before a House Homeland Security subcommittee.
Source: Kevin Dietsch/Getty Images

Heightened cybercrime and incomplete reporting records are concerning cybersecurity researchers at a time when it remains unclear which U.S. federal agency should take the lead on crafting comprehensive cyber breach and incident disclosure rules.

There were 1,291 publicly reported U.S. data compromises in the first nine months of this year, according to the Identity Theft Resource Center, a nonprofit that supports victims of identity crime. At that pace, the 2022 numbers are unlikely to surpass the record 1,862 data breaches reported last year. Notably, however, the number of data breaches with no information as to the root cause has been growing since the fourth quarter of 2021, reaching 37% of all known data compromises over that period. Researchers expressed concern that this trend is likely to continue into next year.

While lawmakers and regulators have taken up measures to enhance Americans' data protections, it remains unclear how and when affected organizations should notify the public of either cyber incidents or breaches. Cyber incidents compromise the integrity of data, while breaches result in unauthorized access to data. Currently, at least three U.S. agencies — the Federal Trade Commission, the Securities and Exchange Commission, and the Cybersecurity and Infrastructure Security Agency — potentially have at least some authority to set requirements on disclosure notifications.

"I don't envy the people that have to sort through some of these difficult implementation ideas," said Robert Sheldon, director of public policy and strategy at CrowdStrike Holdings Inc., a cybersecurity company.

Targeted rules

Congress passed a law in March requiring the Cybersecurity and Infrastructure Security Agency, or CISA, to craft rules for breach notifications. However, the law is limited to entities that own or operate critical infrastructure.

CrowdStrike's Sheldon said CISA is the best agency to create comprehensive rules because of its role in engaging with cybersecurity stakeholders, but many organizations need help from private-sector companies like CrowdStrike to implement protections.

A 451 Research survey of senior IT executives found that the majority of enterprises rely on their own security monitoring infrastructure to learn whether their hosted cloud solutions have been breached. According to the "Voice of the Enterprise: Information Security, Budgets & Outlook 2022," 54.6% of respondents said their security monitoring infrastructure is the most likely way they would learn of a breach, while 37.3% said they expected their cloud provider to disclose any breach. About 6.4% said they expected third parties, such as the FBI, to inform them.

Legislation vs. regulation

Another bill touching on reporting disclosures, the American Privacy and Data Protection Act, remains stalled in Congress as lawmakers debate whether federal omnibus privacy legislation should preempt individual state laws. If passed, the bill would direct the FTC to create a multitude of rules for protecting consumers' data, including requiring procedures "to detect, respond to, or recover from security incidents or breaches."

Meanwhile, the FTC is moving forward on a commercial surveillance rulemaking that asks when and how entities should disclose data breaches, and the SEC launched a rulemaking this year that would require public companies to disclose cyber incidents within four days of learning of the attack.

"[Those agencies] want to turn cybersecurity into an issue that the market needs to know about," said Daniel Felz, a privacy and data security attorney at law firm Alston & Bird, referring to the FTC and SEC rulemakings.

The pair of rulemakings — especially the SEC rulemaking requiring public companies to report incidents — would establish a new precedent for disclosure rules. That transparency would help affected consumers litigate when their data has been stolen, and it would aid investors in decision-making, Felz said.

Right of (in)action

While there is general support for greater cybersecurity regulation or legislation, lawmakers and business leaders remain divided on key questions surrounding the issue, said M. Kurt Alaybeyoglu, a cybersecurity and compliance services senior director at Strive Consulting. These questions include which agency or agencies would enforce any given law, how breaches would be reported and whether consumers could directly sue companies suffering attacks.

The American Privacy and Data Protection Act includes a private right of action clause, which would enable consumers to file a lawsuit if they are harmed by a platform's failure to comply with the rules laid out in the bill. Originally, the draft bill provided a four-year window before any lawsuits could be filed, giving companies time for compliance. Following complaints from Senate Commerce Committee Chair Maria Cantwell, D-Wash., that window has been narrowed to two years. Business representatives argue the provision could open the door to expensive and time-consuming nuisance lawsuits.

For now, the patchwork approach to disclosures remains. As for when Americans can expect a broad law on cyberattack reporting, Alaybeyoglu from Strive said a cyberattack more dangerous than current headline-making breaches and incidents will have to occur first.

"Until there is a tangible effect to the daily lives of Americans outside of identity-related and monetary effects, Congress will be more than willing to let this lie," Alaybeyoglu said.

451 Research is part of S&P Global Market Intelligence.