The Senate Small Business and Entrepreneurship Committee on Feb. 15 voted to approve the Small Business Administration (SBA) Cyber Awareness Act (H.R. 3462), which requires SBA to issue an annual report on its cybersecurity capabilities, and notify Congress in the event of a cybersecurity breach potentially compromising sensitive information.
The House unanimously passed H.R. 3462 last November. The House version of the bill is sponsored by Reps. Jason Crow, D-Colo., and Young Kim, R-Calif. Similar legislation was introduced in the Senate by Sens. Marco Rubio, R-Fla., Jim Risch, R-Ind., and Bill Cassidy, R-La., requiring the SBA to be more proactive in protecting data and requiring greater transparency of threats and breaches that occur.
The SBA Cyber Awareness Act requires SBA to issue a report assessing the agency’s ability to combat cyber threats. The report must include details about:
- SBA’s cybersecurity infrastructure;
- SBA’s strategy to improve cybersecurity protections;
- Any equipment used by the SBA and manufactured by a company headquartered in China; and
- Any incident of cyber risk at the SBA, and the agency’s actions to deal with it.
“SBA handles the personally identifiable information of millions of small businesses – including email, citizenship status, birth dates, phone numbers, and social security numbers – which makes the agency an appealing target for cybercriminals,” said Chair Sen. Ben Cardin, D-Md., during the committee’s Feb. 15 business meeting.
Sen. Cardin explained that the legislation is increasingly important, especially after SBA’s handling of a breach that occurred in March 2020.
Unprecedented demand for SBA relief programs at the beginning of the pandemic inundated SBA’s legacy systems, causing a glitch that led to a data breach of applicants’ personal information. On March 25, 2020, SBA discovered the breach, which exposed the personal information of up to 8,000 individuals. However, it was not until April 13 that the agency sent paper notifications to affected individuals.
“We cannot let this happen again,” Sen. Cardin said.
The bill approved by the committee today would require SBA to notify Congress of future breaches and to detail who was affected and how the breach occurred.