Published by The Lawfare Institute in Cooperation With
On Nov. 6, the Transportation Security Administration (TSA) proposed a new cyber rule, with the goal of preventing attacks like the 2021 Colonial Pipeline ransomware incident that caused fuel shortages at gas stations up and down the East Coast. Among other requirements, the proposed rule would mandate reporting cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
TSA’s new rule may represent a marked improvement over the patchwork of unharmonized federal cybersecurity regulations that have proliferated over the past half-decade. For example, the Securities and Exchange Commission (SEC) finalized a rule last summer requiring public companies to disclose material cybersecurity incidents to the public by filing a Form 8-K within four business days of determining that an incident is material. While the rule is supposed to inform investors of cybersecurity breaches that may affect the financial status of publicly traded companies, the disclosures have not had the intended effect. Instead, misapplication of the disclosure requirement may be undercutting the higher-order goal of incentivizing better cybersecurity practices within companies, a goal that smart, harmonized government regulation could accomplish.
The SEC rule shows that the proliferation of mandatory federal cybersecurity measures can be counterproductive. They overburden companies by requiring them to apply competing definitions, timelines, and standards to the same event, without providing much useful information to the public. And, in some cases, they may have the unintended consequence of encouraging over-disclosure to the detriment of U.S. national security.